Privacy Policy

Version 3.0 — Effective 18 March 2026

Data Controller

The data controller responsible for the processing of your personal data under this policy is:

Next Sight d.o.o.

Brnciceva ulica 13, 1231 Ljubljana - Crnuce, Slovenia

Registration number: 9680390000

VAT ID: SI42908159

Email: info@next-sight.com

Scope

This Privacy Policy explains how Nexus ("the Platform"), operated by Next Sight d.o.o. ("we", "us", "our"), collects, uses, stores, and protects personal data when you access the Platform, including account registration, subscription management, investigation case workflows, OSINT tool usage, chat interactions, file uploads, and support requests.

This policy applies to all users of the Platform, including visitors to our public-facing pages. It does not apply to third-party websites or services linked from the Platform.

Categories of Personal Data

We may process the following categories of personal data:

  • Account and identity data. Name, email address, and authentication identifiers provided during registration and sign-in via our identity provider.
  • Subscription and billing data. Subscription tier, billing status, credit balances, and payment transaction identifiers. Payment card details are collected and processed directly by our payment processor and are not stored on our systems.
  • Case and investigation content. Messages, notes, case metadata, entity graphs, audit trail logs, findings, tasks, and file attachments you create within your case files. Investigation notes are encrypted client-side before being stored.
  • Search and tool inputs. Queries, IP addresses, domain names, email addresses, phone numbers, names, and other identifiers you submit when using OSINT and intelligence tools.
  • Documents and files. Files uploaded to case conversations, stored in encrypted storage with automatic expiration (default 7 days).
  • Service and reliability data. Error logs, client-side telemetry events, performance metrics, page view data, and operation traces collected for monitoring, debugging, and service improvement.
  • Terms acceptance records. Timestamps, terms version, and encrypted IP addresses recorded when you accept the Terms of Service. IP addresses are encrypted at rest and are not stored in plaintext.
  • OSINT results and analytics. Hashed search query identifiers, breach counts, and aggregated analytics derived from OSINT tool results. Raw search queries are not stored in analytics tables; only cryptographic hashes are retained.

How Data Is Collected

  • Directly from you — when you create an account, subscribe, submit searches, upload files, create case content, or contact us.
  • From your identity provider — authentication claims (email, name, identifiers) are received from our enterprise identity provider during sign-in.
  • Automatically from your device — browser type, page views, performance data, and error information collected via our telemetry systems. See "Cookies and Browser Storage" below.
  • From third-party data sources — when you use OSINT tools, results are returned from external providers. These results relate to the subjects of your searches, not to you as the user.

Purposes of Processing

  • To authenticate your identity and manage your account.
  • To provide and maintain your subscription and credit balance.
  • To deliver Platform features, including AI-assisted chat, OSINT searches, entity correlation, investigation reports, and case management.
  • To process payments and prevent billing fraud via our payment processor.
  • To maintain service reliability, diagnose errors, and monitor performance.
  • To enforce our Terms of Service and maintain audit trails for compliance.
  • To communicate service updates and respond to support requests.
  • To comply with applicable legal obligations.

Data Hosting and Location

Nexus primarily stores application data in the European Economic Area. Our primary database is deployed in AWS eu-north-1 (Stockholm, Sweden). We also use additional cloud services within the Europe geography for certain processing and customer-tenant related operations, including identity management and application monitoring.

File storage (case documents and note attachments) is hosted within the same AWS eu-north-1 region.

Some third-party service providers used by the Platform may process data in locations outside the EEA. See "International Transfers" below.

Service Providers and Subprocessors

We use the following categories of service providers to operate the Platform. A detailed list of specific providers is available on request.

CategoryRegionPurpose
Database and hostingEU (Stockholm, Sweden)Primary data storage, authentication relay, file storage
Identity and authenticationEuropeUser authentication, identity management, token issuance
Payment processingEEA / InternationalSubscription billing, checkout, payment method handling
AI and language modelEEA / InternationalAI-assisted chat, investigation planning, content analysis
Application monitoringNorth EuropeError tracking, performance monitoring, distributed tracing
Investigation and enrichment servicesVariousWeb search, content retrieval, domain intelligence, data enrichment, and other investigative capabilities
Contact and supportEEA / InternationalContact form hosting on public pages

International Transfers

While our primary database and identity infrastructure are located within the EEA, certain third-party service providers may process data outside the EU/EEA. This may include providers of AI services, web search, data enrichment, payment processing, content retrieval, and contact form services.

Where personal data is processed by third-party service providers or transferred outside the EU/EEA, we apply appropriate safeguards as required by applicable data protection law, which may include Standard Contractual Clauses, adequacy decisions, or other recognized transfer mechanisms.

All external OSINT and intelligence API requests are routed through our corporate infrastructure so that third-party providers cannot identify or track individual Platform users.

How Data Is Shared

We do not sell personal data. We share data only when necessary to operate the Platform, process payments, deliver requested functionality, or comply with law.

  • Service providers — as listed in the subprocessors table above, strictly to the extent necessary for their designated functions.
  • OSINT providers — when you use an OSINT tool, your search query (e.g. a domain, IP address, or name) is transmitted to the relevant provider. Queries are routed through our servers; your identity is not disclosed to these providers.
  • Legal authorities — where required by applicable law, regulation, or legal process.

Next Sight d.o.o. operates under a strict zero-knowledge principle. Our employees and contractors are legally and technically prohibited from accessing or viewing customer investigation data, including case files, OSINT results, and chat conversations. This is enforced via database-level access control policies.

Data Retention

We retain personal data only as long as necessary to provide the Platform, support account operations, and meet legal and billing obligations.

  • Account data is retained for the duration of your account and deleted upon account deletion.
  • Uploaded documents expire automatically after 7 days and are deleted via scheduled cleanup processes.
  • Case content (messages, notes, findings, entity graphs, tasks, audit trail logs) is retained while your account is active and deleted upon account deletion.
  • Billing and credit records may be retained as required by applicable tax and accounting regulations.
  • Error logs and telemetry are subject to the retention policies of our monitoring providers and internal log management practices.
  • Terms acceptance records (encrypted IP, timestamp, version) are retained as a legal audit trail.

You can request complete account deletion through available account settings. Upon deletion, all user-linked data is permanently removed from active Platform systems, including all case files, messages, findings, entity graphs, uploaded documents, error logs, and the authentication record. This process is irreversible.

Security

We implement technical and organizational measures to protect your data, including:

  • Database-level access control policies ensuring users can only access their own data.
  • Client-side encryption for investigation notes, so note content cannot be read server-side.
  • Server-side encryption of IP addresses collected during terms acceptance.
  • HTTPS encryption in transit for all communications.
  • Sensitive data masking in OSINT tool outputs, with explicit user confirmation required before revealing full identifiers.
  • Authentication tokens validated server-side on every API request.
  • Rate limiting to prevent abuse.
  • Automated document expiration and cleanup.
  • Telemetry data redaction of authorization headers, API keys, and cookies before transmission to monitoring systems.

No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

Cookies and Browser Storage

The Platform uses the following browser storage mechanisms:

  • Authentication state — localStorage and cookies are used by our identity provider library to maintain your authenticated session, including token caching and session management.
  • UI preferences — localStorage is used to store interface preferences such as sidebar state. A small first-party cookie stores sidebar collapse state with a 7-day expiration.
  • Subscription status caching — localStorage is used to cache the timestamp of the last subscription status check to avoid redundant network requests.
  • Application monitoring — when enabled, our application monitoring service may store a small amount of telemetry correlation data in browser storage to support distributed tracing.

We do not use third-party advertising cookies or cross-site tracking technologies. We do not use third-party behavioral analytics services.

Your Rights and Choices

Depending on your jurisdiction, you may have rights regarding your personal data, including:

  • The right to access the personal data we hold about you.
  • The right to request correction of inaccurate data.
  • The right to request deletion of your data (you can delete your account directly through the Platform).
  • The right to data portability.
  • The right to restrict or object to certain processing.
  • The right to withdraw consent where processing is based on consent.
  • The right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec).

To submit a privacy request, contact us at info@next-sight.com. We will respond within the timeframe required by applicable law.

Children's Data

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will take steps to delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes consistent with the notice provisions in our Terms of Service (minimum 30 days for material changes). The "Last Updated" date at the top of this page indicates when the policy was last revised.