Privacy Policy

Who we are

Nexley AI (“Nexley”, “we”) is the data controller for the account data of the business owners who sign up, and a data processoracting on a business owner’s behalf for the messages their customers send to their AI Employee. We are a UK data controller subject to the UK GDPR and the Data Protection Act 2018. Contact: hello@nexley.ai.

What we collect

• Account data - your name, email, phone, business details, and authentication identifiers (we use passwordless magic-link / Apple sign-in; we never store a password).
• Content you create - messages you send your AI Employee, photos you capture (receipts, job-site images), contacts, estimates and notes you store.
• Your customers’ messages - when a customer messages your AI Employee (via WhatsApp or the web chat), we process that message and any contact details it contains, on your behalf, so the AI can reply.
• Diagnostics - crash and error reports, and basic usage events, to keep the app working. These are not used to track you across other apps or for advertising.

How we use it & our lawful basis

• To provide the service (generate AI replies, extract data from photos, manage your inbox) - lawful basis: performance of our contract with you.
• To keep it secure and reliable (rate-limiting, error tracking, content moderation of AI output) - lawful basis: our legitimate interests in a safe, working service.
• To meet legal obligations (financial records, responding to data-rights requests) - lawful basis: legal obligation.

We do not sell your data, and we do notuse your data or your customers’ data to train AI models.

AI processing

Your AI Employee is powered by large-language-model providers. The text of a message (and, for photo capture, the image) is sent to those providers to generate a reply or extract data. AI output shown to your customers is scanned by an automated moderation step and can be reported in-app for review. Before your AI Employee is enabled, the app shows a consent screen naming the AI provider; you can decline.

Who we share it with (sub-processors)

We share data only with the infrastructure providers needed to run the service, each under a data-processing agreement:

• Anthropic - the Claude model behind the AI Employee (message text).
• OpenAI - automated moderation of AI output (text only; free moderation endpoint).
• Supabase - database + authentication (account data, contacts, messages). EU region.
• Amazon Web Services - per-customer compute, UK (London) region.
• Vercel - hosts the dashboard + API.
• Stripe - subscription billing (handled by Stripe; we never see full card details).
• Composio - brokers your connected-integration authorisations and custodies the OAuth tokens (Gmail, Calendar, etc.) your AI Employee uses; we hold only a connection reference.
• OneSignal - push notifications (device token only).
• Sentry - crash/error diagnostics (EU region).
• Twilio / WhatsApp - message delivery for the channels you connect.

How long we keep it

• Captured photos: source image deleted after 30 days; extracted data kept while your account is active.
• Chat attachments: up to 90 days.
• Account & business data: for the life of your account, then deleted within 14 days of account deletion.
• Financial records: retained as required by UK law (up to 6 years).
• Diagnostics / error logs: 14 days. Moderation reports: up to 1 year.

Your rights

Under UK GDPR you can request access to, correction of, export of, or deletion of your personal data, and you can object to or restrict certain processing. You can delete your account and all associated data from within the app (Settings → Delete account), or export your data (Settings → Data export). To exercise any other right, email hello@nexley.ai. You also have the right to complain to the ICO (ico.org.uk).

Children

Nexley AI is a business tool and is not directed at children. We do not knowingly collect data from anyone under 16.

Changes & contact

We’ll update this page and the date above when this policy changes materially. Questions or requests: hello@nexley.ai.