
Privacy & data handling — in plain English

TL;DR · IN ONE SCREEN

We collect what we need to deliver the service and only that. We never sell your data. We never train models on it. Your upstream API keys are encrypted at rest and exist in plaintext only in memory for the short time it takes to call your vendor on your behalf. You can ask for access, correction, export, deletion, restriction, objection, opt-out, or complaint review by emailing privacy@nex-flow.io.

Who we are

NexFlow is a trading name of Bridge Base LLC, a limited liability company registered in Wyoming, USA, operating remotely worldwide and serving Australian SMBs. The company is the data controller of any personal information you provide through nex-flow.io and app.nex-flow.io, and is the data processor for any data you cause to flow through workflows we build for you.

What we collect

From the marketing site (nex-flow.io)

  • What you submit on the booking form — name, work email, company, brief description, chosen consultation slot.
  • Server-side request logs (IP, user-agent, timestamp) retained for 30 days for security analysis. Not joined to identifiable accounts unless you submit a form.
  • If you use the AI concierge (Nex), your chat messages, short pre-chat answers, session identifier, and bot-check token are sent to our chat backend and configured AI provider for response generation. Recent chat history may be stored in your browser's localStorage so the conversation can continue if you refresh. We do not use public chat messages to train AI models.

From the portal (app.nex-flow.io)

  • Account: email, display name, locale, timezone, passkey public-key material (no biometrics, no secrets), optional TOTP secret (encrypted), OAuth provider links if you connect Google / Microsoft / GitHub.
  • Workspace: name, slug, billing currency, address, tax identifiers, plan tier, billing contacts.
  • Vendor credentials: API keys you paste in for OpenAI, Anthropic, Ollama, n8n, etc. Always encrypted at rest using AWS KMS-backed envelope encryption (see "How we protect it" below). Never displayed back to you in full after the initial save.
  • Usage and cost metadata: periodic snapshots polled from your vendors — token counts, request counts, cost figures, model mix. We never poll or store the body of any individual request or response.
  • Workflow run metadata: success/error, duration, cost, error message and node. We never store the payload bodies that flowed through your workflows.
  • Billing data: invoice numbers, line items, timestamps, payment-rail references. Card numbers never touch our systems; Stripe Elements, PayPal SDK, and Coinbase Commerce hosted checkout handle every payment instrument.
  • Audit log: every meaningful action by every actor in your workspace — what, when, from where, on behalf of whom.

Why we collect it

  • To deliver the service you signed up for.
  • To bill correctly and produce tax invoices.
  • To detect and respond to security incidents.
  • To improve the product (in aggregate; never identified to you).
  • To comply with legal obligations (Australian tax law, anti-fraud, lawful access requests).
  • To respond to privacy, security, billing, and support requests.

We do not collect data to train AI models. We do not sell, rent, or licence your data to third parties. We do not use your data to advertise to you.

Legal bases for EU/UK visitors and customers

  • Contract: to provide consultations, workflow builds, account access, support, billing, and agreed deliverables.
  • Legitimate interests: site security, fraud prevention, product reliability, abuse prevention, and limited product analytics.
  • Legal obligation: tax, accounting, corporate record, and lawful-access duties.
  • Consent: optional marketing communications and any optional cookies or integrations that require consent. You can withdraw consent at any time.

How we protect it

Encryption at rest

Every vendor API key you store is encrypted with envelope encryption: a per-workspace Data Encryption Key (DEK, AES-256-GCM) encrypts the API key, and a Key Encryption Key (KEK) held in AWS KMS wraps the DEK. The KEK never leaves AWS KMS. Plaintext keys exist in memory only during the outbound HTTPS request to your vendor — typically under one second.
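The two-layer scheme described above, as an added illustration rather than NexFlow's own code: a local AES-256-GCM wrap stands in for the AWS KMS call, and the workspace id is assumed as the associated data that ties each stored blob to its row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key lengths are program-controlled here, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts with a fresh 96-bit nonce prefixed; aad (workspace id) ties the blob to its row.
func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return gcmFor(key).Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or any modified byte is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// EncryptVendorKey: a fresh 256-bit DEK seals the API key and the KEK wraps the DEK.
// kek stands in for AWS KMS (a KMS Encrypt call in production). Only the two blobs persist.
func EncryptVendorKey(kek, wsID, apiKey []byte) (wrappedDEK, sealedKey []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, wsID), seal(dek, apiKey, wsID)
}

// DecryptVendorKey unwraps the DEK (KMS Decrypt in production), then opens the key.
func DecryptVendorKey(kek, wsID, wrappedDEK, sealedKey []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, wsID)
	if err != nil {
		return nil, err
	}
	return open(dek, sealedKey, wsID)
}
```

The caller of DecryptVendorKey holds the returned plaintext only for the duration of the outbound vendor request; the stored row never contains it.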

Encryption in transit

TLS 1.3 enforced everywhere. HSTS with a one-year max-age and preload. We refuse connections that downgrade to TLS 1.1 or earlier.

Access controls

Passkey-first authentication (WebAuthn). Step-up re-authentication required for sensitive operations (rotating keys, changing payment methods, deleting workspaces). Row-level security on every tenant table enforced by Postgres, not just by application code.

Audit logging

Append-only, seven-year retention, exportable to your bookkeeper or auditor on demand from /settings/audit-log.

Where it lives

  • Primary database: Neon (Postgres), region ap-southeast-2 (Sydney, Australia). Replicated read-only to us-east-1 for disaster recovery.
  • Object storage (invoice PDFs, exports): Cloudflare R2, multi-region.
  • Encryption keys: AWS KMS, ap-southeast-2 with cross-region replication.
  • Backups: encrypted snapshots, 35-day point-in-time recovery on Postgres; weekly full snapshots stored 13 months.

Who has access

Your data, by us

Only the people who need to see it to do their job, with audit logging on every access. NexFlow employees access customer workspaces only when: (a) explicitly invited as an agency-mode role by you, or (b) responding to a support ticket you have opened, or (c) responding to a security incident that may affect you. All three are logged in your audit log with the attribution "acting on behalf of."

Your data, by third parties

Sub-processors we use to deliver the service:

  • Stripe · payment processing (cards, ACH, BPAY).
  • PayPal · payment processing (PayPal balance).
  • Coinbase Commerce · cryptocurrency payment processing.
  • Neon · Postgres hosting.
  • AWS · KMS, object storage backup, secret management.
  • Cloudflare · CDN, WAF, R2 object storage, Turnstile (bot detection for the public chat concierge — no cookies, no tracking).
  • Vercel · portal application hosting.
  • Upstash · Redis for rate limiting and queues.
  • Postmark · transactional email delivery.
  • Sentry · error monitoring (PII scrubbed before send).
  • PostHog · product analytics (self-hosted; opt-out available).
  • OpenAI · for the public Nex concierge on the marketing site only.

Each sub-processor is reviewed for security and privacy posture. Where required, we put a Data Processing Agreement and transfer safeguards in place. The current list lives at /legal/subprocessors and material changes are announced 30 days in advance for customers on Flow or Fleet plans.

Your rights

Under the Australian Privacy Act 1988

You have the right to access and correct personal information we hold about you, request deletion where we no longer need it, use a pseudonym where practical, and lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC) if we fail to handle your information appropriately. If a notifiable data breach occurs, we follow the Australian Notifiable Data Breaches scheme.

Under the GDPR (EU/UK customers)

You have rights of access, rectification, erasure, portability, restriction of processing, objection, withdrawal of consent, and complaint to your local supervisory authority. You also have the right not to be subject to solely automated decisions with legal or similarly significant effects. NexFlow does not use public-site chat or workflow telemetry for that kind of automated decision-making.

Under the CCPA / CPRA (California)

California residents have the right to know the categories and specific pieces of personal information we collect, delete, correct, opt-out of sale or sharing, limit use of sensitive personal information where that right applies, use an authorised agent, and receive non-discriminatory service for exercising these rights. We do not sell personal information and do not share it for cross-context behavioural advertising.

How to exercise any of these rights

From inside the portal: /settings/danger exports everything we hold about your workspace as JSON, and deletes everything with a 7-day grace period. From outside: email privacy@nex-flow.io. We may need to verify your identity or authority before acting. We respond within 30 days where practical, and within the timelines required by applicable law (for example, 45 days for many California requests). If we deny a request, we explain why and how to challenge the decision.

Automated decision-making (ADM) transparency

Under the Privacy and Other Legislation Amendment Act 2024 (Cth), Australian Privacy Principle entities must publish information about the use of personal information in computer programs that make, or substantially assist in making, decisions that significantly affect individuals. These provisions commence in December 2026; NexFlow publishes this disclosure now to satisfy the obligation in advance.

NexFlow uses AI-assisted automation to support decisions in the following areas:

  • Routing inbound enquiries. The Nex chat concierge classifies enquiries and may route to the most appropriate human contact. Personal information used: name, email, company, and the content of your message.
  • Drafting first-pass replies. The chat concierge may draft a response that a human team member reviews and sends. Personal information used: the content of your message.
  • Prioritising leads for follow-up. Inbound leads are scored on intent so the team contacts the most engaged prospects first. Personal information used: name, email, company, and the source / referral path.
  • Internal workflow automation (client engagements). For clients with active builds, the workflows NexFlow operates may perform AI-assisted classification or extraction on data the client has authorised. Scope, retention, and human-review thresholds are defined in the client's signed Statement of Work.

A NexFlow team member reviews any decision with material impact (for example, refunds, contract changes, or any communication that significantly affects a customer relationship) before action is taken. You may request human review of any AI-assisted decision affecting you by emailing privacy@nex-flow.io — we respond within 30 days.

NexFlow follows the National AI Centre's Voluntary AI Safety Standard (September 2024) as its operating baseline. Our specific controls include: a written purpose and named accountable owner per AI system, a documented data flow map, a decision audit log capturing input, model, version, output and action, PII redaction before any prompt leaves Australian infrastructure where the data sensitivity warrants it, model-version pinning, and a quarterly review of every AI system in use.

Retention

  • Account & workspace data: retained while your account is active. Deleted 7 days after the deletion request is confirmed (the 7-day window is for accidental-deletion recovery).
  • Vendor API keys: deleted synchronously on workspace deletion. Vendor-side revocation is attempted and verified before our deletion completes.
  • Invoices and tax records: 7 years (Australian tax-law requirement). These survive workspace deletion in pseudonymised form.
  • Audit log: 7 years for compliance; available to you for export at any time.
  • Marketing-site server logs: 30 days.
  • Backups: 35 days point-in-time, 13 months weekly snapshots.

Children

NexFlow is a B2B service. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a child, email privacy@nex-flow.io and we will delete it.

Cookies and tracking

Marketing site: a single session-scoped CSRF cookie if you fill in the booking form, and a privacy-respecting Plausible analytics ping with no cross-site tracking, no personal identifiers, and no advertising. No third-party tracking pixels. No Google Analytics.

The public Nex chat concierge may use Cloudflare Turnstile to filter automated traffic. Turnstile is invoked only when the chat panel is open and may process technical signals such as IP address, browser data, and challenge outcome for bot detection. A short pre-chat questionnaire is stored in your browser session and sent with your chat so Nex can tailor responses; recent chat history may also be kept in localStorage until you clear it or use the chat's reset control.

Portal: session cookie (HttpOnly, Secure, SameSite=Lax), preference cookies for theme and timezone, and product analytics via self-hosted PostHog with opt-out at /settings/privacy.

International transfers

NexFlow is Australian-headquartered. Some sub-processors operate globally; data may transit or be stored in Australia, the United States, the European Union, Singapore, or other regions listed by our sub-processors. For EU/UK personal data, we rely on adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards where required. Data residency at rest is configurable per-workspace on Fleet plan.

Security incidents and breach notices

If we become aware of a security incident involving personal information, we investigate promptly, contain the issue, document the facts, and notify affected customers or regulators where required by law, including the Australian Notifiable Data Breaches scheme and GDPR/UK GDPR timelines. Report suspected incidents to security@nex-flow.io.

Changes to this policy

We post material changes here with at least 30 days' notice for customers on Flow or Fleet plans. The "effective" date at the top of this page reflects the most recent version. Prior versions are archived at /legal/privacy/archive.

Contact

Privacy questions: privacy@nex-flow.io
Security incidents: security@nex-flow.io (see also /.well-known/security.txt)
General support: support@nex-flow.io

Mailing address:
Bridge Base LLC (trading as NexFlow)
Wyoming, USA (full postal address available on request)

Questions on the legal posture?

Enterprise customers (Fleet plan) can request a signed Data Processing Agreement, sub-processor list, and our latest SOC 2 evidence package before signing.