Privacy Policy
Last updated: May 31, 2026
1. Who we are
Nexyvora is a trading name of [Your full legal name], a sole trader (Einzelunternehmer) based in Austria. For the purposes of the EU General Data Protection Regulation (GDPR), the operator is the data controller for the personal data processed via the Nexyvora website and service (the "Service"). To contact us about privacy or your rights, please use our contact form and select the "Privacy / GDPR request" topic.
2. Data we collect
- Account data: name, email address, hashed login credentials, OAuth provider identifiers (e.g. Google sign-in).
- Generated content: product details, descriptions, images, and other inputs you provide, plus the listings, ad copy, and pricing suggestions our AI generates from them.
- Usage and analytics: generations performed, features used, pages viewed, timestamps, device and browser information, and IP address.
- Cookies and similar technologies: essential cookies for authentication and session management, plus limited analytics cookies to understand product usage.
- Support data: messages, screenshots, and attachments you send to us.
- Billing data: plan, status, country, and the last four digits of your payment method — handled by our payment processors. We do not store full card details.
3. How we use your data (purposes and legal bases)
- Provide the Service (account creation, generating listings, history, exports) — performance of contract.
- Process payments and manage subscriptions — performance of contract and legal obligation (tax, accounting).
- Security, abuse prevention, and fraud detection — legitimate interests and legal obligation.
- Product analytics and improvement — legitimate interests.
- Customer support — performance of contract and legitimate interests.
- Marketing communications — consent, which you can withdraw at any time.
4. Who we share data with
We rely on trusted subprocessors to operate Nexyvora. We share only the data each subprocessor needs to perform its function:
- Supabase — hosts our database, authentication, and file storage in line with their security standards.
- Paddle.com — our Merchant of Record. Paddle processes payments, manages subscriptions, calculates and remits taxes, and issues invoices on our behalf.
- Stripe — used as an alternative payment processor where applicable.
- AI model providers — process your inputs to generate listings, ad copy, and pricing suggestions.
- Analytics and customer support tooling — to understand usage and respond to your messages.
- Professional advisers (legal, accounting) and authorities where required by law.
5. International transfers
Our providers may process data outside your country, including in the EEA, UK, and US. Where required, transfers are protected by appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
6. Retention
We retain personal data for as long as your account is active and for a reasonable period afterwards to comply with legal obligations, resolve disputes, and enforce our agreements. Data that is no longer needed is deleted or anonymised. You can request earlier deletion at any time.
7. Your rights (GDPR)
If you are in the EEA or UK, you have the right to:
- access the personal data we hold about you (Art. 15 GDPR);
- request correction of inaccurate data (Art. 16);
- request deletion of your data — "right to be forgotten" (Art. 17);
- restrict or object to processing (Arts. 18 and 21);
- request portability of your data in a machine-readable format (Art. 20);
- withdraw consent at any time, where processing is based on consent (Art. 7);
- lodge a complaint with your local supervisory authority. For users in Austria, this is the Austrian Data Protection Authority (Datenschutzbehörde, https://www.dsb.gv.at).
To exercise any of these rights, use our contact form and select "Privacy / GDPR request". We aim to respond within 30 days.
8. Security
We use appropriate technical and organisational measures, including encryption in transit (TLS), access controls, hashed credentials, row-level security on our database, and audit logging. No system is completely secure, but we take reasonable steps to minimise risk. In the event of a personal-data breach likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours as required by Art. 33 GDPR.
9. Cookies
See our Cookie Policy for the categories of cookies we use and how you can manage them.
10. Children
The Service is not directed at children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.
11. Contact
To exercise your rights or ask about this policy, please use our contact form. Billing-related privacy queries can also be sent to Paddle at paddle.net.