Legal · Version 2.4 · Effective January 1, 2026

Privacy Policy

How NexelioFlow collects, uses, shares, transfers, and protects personal information of visitors, account holders, and billing contacts.

Last reviewed by counsel · December 12, 2025 · privacy@nexelioflow.com

1. Who We Are and Scope

NexelioFlow Inc. is the controller of personal data processed through the Service. This Privacy Policy explains what data we collect, why, how long we keep it, and the rights you have under applicable laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other state privacy laws.

2. Categories of Data We Collect

We collect the following categories of personal data:

  • Identity and account data: name, email address, password hash, preferred language, profile picture (optional).
  • Billing data: billing name, address, VAT ID where applicable, last four digits of the payment card and card brand (full card details are processed by Stripe and never stored on our servers).
  • Product data: briefs you submit, prompts, refinement instructions, generated assets, download history.
  • Technical data: IP address, browser type, device identifiers, operating system, referring URL, timestamps, and event logs.
  • Communications: support tickets, survey responses, and emails you send us.

3. Purposes and Legal Bases

We process personal data on the following legal bases under Article 6 GDPR:

  • Performance of a contract — to create your account, deliver the Service, process payments, and provide support.
  • Legitimate interests — to secure the Service, prevent fraud and abuse, improve our models in aggregate, and run service-related analytics.
  • Consent — for non-essential cookies, marketing emails, and any optional features that require it; you may withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, and law-enforcement requests.

4. Sharing and Sub-processors

We share personal data only with vetted sub-processors who provide hosting, payment processing, transactional email, analytics, error monitoring, and customer support. Each sub-processor is bound by a written contract incorporating GDPR Article 28 obligations. A current list of sub-processors is available on request at privacy@nexelioflow.com. We do not sell personal data and do not share personal data for cross-context behavioral advertising as defined by US state privacy laws.

5. International Transfers

Personal data may be transferred to and processed in the United States, the European Economic Area, and the United Kingdom. Transfers from the EEA/UK to third countries that have not received an adequacy decision are protected by the European Commission's Standard Contractual Clauses (2021/914) together with supplementary technical, contractual, and organizational measures as documented in our Transfer Impact Assessment.

6. Retention

We retain personal data only as long as necessary for the purposes set out above. Account data is kept for the lifetime of the account and for ninety (90) days thereafter to handle disputes and backups. Generated assets are retained while your account is active so you can re-download them, then deleted within thirty (30) days of account closure. Billing records are retained for ten (10) years to satisfy accounting and tax obligations.

7. Your Rights

Depending on your jurisdiction you may have the right to:

  • Access the personal data we hold about you and obtain a copy in a portable format.
  • Request correction of inaccurate data or completion of incomplete data.
  • Request deletion of your data, subject to legal retention obligations.
  • Restrict or object to certain processing, including direct marketing.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with your local data protection authority.

8. Security

We apply industry-standard administrative, technical, and physical safeguards, including TLS 1.3 in transit, AES-256 at rest, role-based access controls, mandatory multi-factor authentication for staff, quarterly penetration testing, and continuous vulnerability scanning. While no system can be guaranteed secure, we maintain an incident response plan and will notify affected individuals and regulators within statutory deadlines in the event of a personal data breach.

9. Children

The Service is not directed to children under sixteen (16) and we do not knowingly collect personal data from them. If you believe a child has provided personal data to us, please contact privacy@nexelioflow.com and we will delete the information.

10. Contact and DPO

For privacy questions or to exercise your rights, contact privacy@nexelioflow.com. Our EU representative under GDPR Article 27 is NexelioFlow EU B.V., Herengracht 420, 1017 BZ Amsterdam, Netherlands. Our Data Protection Officer can be reached at dpo@nexelioflow.com.

Questions about this policy?
Contact privacy@nexelioflow.com or visit our contact page. We respond to legal inquiries within one business day (Mon–Fri, 09:00–18:00 CET).
Document control
NexelioFlow Inc. · 8th Ave W, Birmingham, AL 35204, USA · EU representative: NexelioFlow EU B.V., Amsterdam · This document is provided in English; translations are for convenience and the English version prevails in case of conflict.