This privacy policy explains how NextAiBot (“NextAiBot”, “we”, “our”, “us”) collects, uses, discloses, and protects personal data when you visit nextaibot.in, sign up for an account, or use the NextAiBot platform (the “Service”).
We act as a data controller for personal data we collect about you directly. When customers use the Service to communicate with their own end-users, we act as a data processor on those customers' behalf — see “Processor obligations”.
1. What we collect
- Account data — name, email, password (hashed), organisation, role, login timestamps, IP address.
- Billing data — billing address, tax IDs, plan choice. Card data is held by our PCI-compliant payment processor.
- Service usage data — feature interactions, performance telemetry, error reports.
- Customer content — messages, contact records, files, and configuration you upload or generate. We process this on your instructions.
- Communications — emails, support tickets, demo recordings (with consent), survey responses.
2. How we use your data
- To provide and operate the Service (account management, message routing, AI replies).
- To bill you and prevent payment fraud.
- To send transactional notifications (security, billing, service updates).
- To improve the Service through aggregated analytics — never to train third-party AI models on your customer content without an opt-in.
- To comply with legal obligations.
- To send marketing emails — only when you've opted in.
3. Legal bases (GDPR / UK GDPR)
- Contract — to provide the Service you signed up for.
- Legitimate interests — to operate, secure, and improve the Service.
- Consent — for marketing emails and optional analytics cookies.
- Legal obligation — for tax, accounting, and law-enforcement requests.
4. Sharing your data
We share personal data only with:
- Sub-processors we rely on (cloud hosting, payments, email delivery, analytics, AI models). List on request via info@nextaibot.in.
- Service providers bound by confidentiality obligations.
- Authorities when required by valid legal process.
- Successors in a merger / acquisition / sale, with notice and the same protections.
We do not sell your personal data and we do not share it with advertising networks for cross-context behavioural advertising.
5. Where we store and process data
We host the Service in [primary region — e.g. EU (Frankfurt) for EU customers, India (Mumbai) for India customers, US (Virginia) for US customers]. Backups stay in the same region. Cross-border transfers, where they happen, are governed by the EU Standard Contractual Clauses (or equivalent UK / India safeguards) and a transfer-impact assessment.
6. How long we keep data
- Account & billing data — for the life of your account, plus seven years after closure for tax / audit obligations.
- Customer content — until you delete it, or 30 days after your account is closed (whichever comes first).
- Logs & telemetry — typically 90 days, longer if a security event is being investigated.
- Marketing contacts — until you unsubscribe; then we keep your email on a suppression list.
7. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, India DPDP Act, CCPA, others) you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to lawful retention obligations).
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent for processing based on consent.
- Lodge a complaint with your supervisory authority.
To exercise any of these, email info@nextaibot.in. We aim to respond within 30 days.
8. Cookies and tracking
We use a small number of essential cookies for authentication and security, and (with your consent) analytics cookies to understand product usage. We do not use advertising cookies.
9. Security
We protect your data with TLS 1.2+ in transit and AES-256 at rest, strict access controls, mandatory MFA for staff, regular penetration testing, and an incident-response runbook. We'll notify you and the relevant authority within 72 hours of confirming a breach that affects your data, in line with GDPR Article 33.
10. Processor obligations (when you're our customer)
When you use the Service to talk to your own end-users, you're the controller and we're your processor. We process personal data only on your documented instructions, ensure our staff are bound by confidentiality, assist you with data-subject requests, and delete or return all personal data at the end of our agreement. Our standard Data Processing Addendum is available on request.
11. Google API Services User Data Policy
When you connect a Google account to NextAiBot to use our Google Sheets integration, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request and why:
- auth/spreadsheets and auth/spreadsheets.readonly — to read contact rows from spreadsheets you explicitly pick (via the Google Picker widget) and to append new lead rows into a spreadsheet you designate as the lead-sync target. We never modify, edit, or delete rows that already exist in your sheet; we only append.
- auth/drive.file — per-file access. Limits our access to only the specific spreadsheets you pick via Google Picker. We cannot list, read, or modify any other file in your Google Drive.
- openid, email, profile — to identify the Google account you connected. We store only your Google email address and basic profile (name, picture) so the dashboard can show which account is linked.
- auth/business.manage — used when you connect a Google Business Profile location so NextAiBot can manage replies to reviews and messages on your behalf, only on the locations you explicitly grant access to.
What we do with Google user data:
- Imported contacts — copied into your agency's isolated tenant in our database. Used solely to operate the Service for you (running messaging campaigns, the unified inbox, AI replies). Deletable through our UI at any time.
- Appended lead rows — written into the sheet you picked. We retain an audit copy of the row we sent in our database so you can trace which lead landed in which sheet.
- Account profile — kept only to display the connected-account email in your dashboard. Removed when you disconnect.
What we do NOT do with Google user data:
- We do not use Google user data to train AI/ML models, our own or third-party.
- We do not share Google user data with third parties except sub-processors strictly necessary to operate the Service (cloud hosting, encrypted backups). Any such transfer stays within the bounds of the Limited Use policy.
- We do not show Google user data to humans except NextAiBot engineers troubleshooting a specific support ticket you raised, and only with your consent or where strictly required to operate the Service.
- We do not sell Google user data.
Revoking access: you can disconnect your Google account from NextAiBot at any time via Dashboard → Integrations → Google Sheets → Disconnect, or by visiting myaccount.google.com/permissions. Revocation removes our ongoing access immediately.
Questions about Google data handling: info@nextaibot.in.
12. Children's data
The Service isn't directed at children under 16 (or the equivalent age in your jurisdiction). If you believe a child has given us their data, contact info@nextaibot.in and we'll delete it.
13. Changes to this policy
We may update this policy as the Service evolves or the law changes. We'll post the new version here with a fresh “Last updated” date and notify you of material changes by email and in-app at least 30 days in advance.
14. Contact us
- Privacy queries: info@nextaibot.in
- General support: info@nextaibot.in
- Postal address: [Registered office address, City, Country]
See our Terms of Service for the full agreement governing your use of the Service.