Privacy Policy

1. Scope

This Policy applies to personal data we process about visitors, registered users, and customers of the Service. It does not apply to third-party websites, services, or applications that we do not operate, even if they are accessible through the Service.

When you follow links from the Service to third-party websites or services, those sites and services are governed by their own privacy practices. We do not control, and we are not responsible for, the privacy practices or content of third parties.

2. Personal data we collect

We collect the following categories of personal data:

• Account data — name or display name, email address, password (stored as a hash), language and interface preferences, account status.
• Authentication data — log-in events, IP address, device and browser information, security events.
• Subscription and billing metadata — plan, status, processor customer and subscription identifiers, invoice and receipt data, tax indicators, payment outcomes, refund and chargeback events. We do not store full payment card numbers or CVV codes.
• Usage data — features used, pages viewed, requests made to the Service, interaction events, error and performance logs.
• User Content — prompts, uploads, configurations, and generated Outputs, as further described in our Terms of Service.
• Communications — messages you send to support, feedback, and other correspondence.
• Cookies and similar technologies — see Section 9.

3. Why we process personal data and legal bases

We process personal data for the following purposes and on the following legal bases under Georgian law:

• to provide the Service (performance of contract with you);
• to operate billing and subscription management (performance of contract);
• to comply with our legal obligations, including tax, accounting, anti-fraud, and data-protection requirements (legal obligation);
• to maintain security, prevent abuse, and protect our rights and the rights of users (legitimate interests of the controller and third parties, balanced against your rights);
• with your consent, where consent is the appropriate legal basis (for example, certain optional features or communications). You may withdraw consent at any time without affecting prior processing.

We may send you transactional communications (such as account confirmations, password resets, billing notifications, and security alerts) that are necessary to operate the Service. We may also, where permitted by applicable law and where you have not opted out, send you product updates, new-feature announcements, tips, and other marketing or promotional communications. You can opt out of marketing communications at any time by using the unsubscribe link in the relevant message or by contacting us at [email protected]. Opting out of marketing does not affect transactional communications that are necessary to provide the Service.

4. Sharing and subprocessors

We share personal data with selected service providers ("subprocessors") that help us operate the Service. By category, these include:

• Hosting and infrastructure — cloud computing and storage providers used to run our application and store data;
• Email delivery — transactional email providers used to send confirmations, password resets, and similar messages;
• Payment processing — Stripe for users outside Russia, and CloudPayments for users in Russia (or other payment providers identified at checkout);
• AI model and routing providers — third-party providers that host and run AI models we use to generate Outputs;
• Analytics, support, and security tools — providers that help us monitor performance, respond to support requests, and protect the Service.

We use only providers that we consider to provide an adequate level of protection, and we enter into appropriate data-processing agreements with them where required.

A current list of named subprocessors is available on request at [email protected]. We may update this list as our infrastructure evolves, and material changes will be reflected in this Policy.

We do not sell personal data.

5. Payment data

We do not store full payment card numbers, CVV codes, or other low-level authentication data. Full card details are processed by the relevant payment processor:

• For users outside Russia — by Stripe or another non-Russian payment provider identified at checkout;
• For users in Russia — by CloudPayments or another Russian payment provider identified at checkout.

Payment processors act as independent controllers or as our processors for payment data, depending on the role; their processing is governed by their own terms and privacy notices.

6. International transfers

The Service is operated from Georgia and uses subprocessors located in various jurisdictions, including outside Georgia. Personal data may therefore be transferred to and processed in countries other than your country of residence.

Where required by Georgian law or other applicable law, we put in place appropriate safeguards for cross-border transfers (such as standard contractual clauses, decisions of competent authorities, or other lawful mechanisms) and notify competent authorities where required.

7. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to:

• maintain your account while it is active;
• comply with legal obligations (for example, accounting and tax retention periods);
• resolve disputes and enforce our agreements;
• maintain security logs for a reasonable period.

When personal data is no longer required, we delete or anonymize it. Specific retention periods are defined in our internal retention schedule and may be updated from time to time.

8. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction, including encryption in transit, access controls, logging, and provider due diligence. No system is completely secure; we cannot guarantee absolute security.

If we determine that a personal-data incident has occurred that is likely to result in significant harm or risk to data-subject rights, we will document it and notify the competent supervisory authority and, where required, affected users, in accordance with applicable law and within the timeframes it prescribes.

9. Cookies and similar technologies

Nexvy currently uses only strictly necessary and functional cookies and similar technologies for purposes such as authentication, session continuity, security and fraud prevention, and user-interface preferences (for example, language).

Nexvy does not use optional analytics or advertising cookies unless and until those technologies are deployed and the relevant notices and controls are updated. If we add such tools in the future, we will update this Policy and provide appropriate consent and opt-out mechanisms where required by law.

10. Your rights

Subject to applicable law, you have the following rights in relation to your personal data:

• to receive information about the processing of your personal data;
• to access your personal data and obtain a copy;
• to request correction or completion of inaccurate or incomplete data;
• to request blocking or erasure of your data in the cases provided by law;
• to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible;
• to object to processing based on legitimate interests and to object to fully automated decisions that produce legal or similarly significant effects on you;
• to withdraw consent at any time, where processing is based on consent;
• to lodge a complaint with a competent supervisory authority or court.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before responding.

11. Complaints

If you believe that Nexvy has infringed your data-protection rights, you may lodge a complaint with the State Audit Office of Georgia — the supervisory authority for personal-data protection in Georgia from 2 March 2026, as the successor of the Personal Data Protection Service — or apply to a competent court or other body in accordance with applicable law.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided personal data to us, please contact [email protected] and we will take steps to delete it.

13. Data Protection Officer and impact assessments

Where required by Georgian law (in particular for processing activities involving systematic large-scale monitoring, large-scale processing of special-category data, or other high-risk scenarios), we designate a personal data protection officer and carry out data protection impact assessments before starting the relevant processing.

You can reach our data-protection contact at [email protected].

14. AI models and User Content

Nexvy does not train Nexvy-owned models on User Content. Nexvy will not use Private Content (as defined in our Terms of Service) to train, improve, or fine-tune Nexvy-owned models, or to develop new products, without your express written consent.

When you use generation features, your prompts, uploads, and other materials necessary to fulfil your request may be transmitted to upstream third-party providers (for example, AI model providers and hosting providers). Those providers have their own terms and policies that may apply to that processing.

15. Contact

Global Data Labs LLC, Registration no. 402363321, Tbilisi, Georgia. [email protected]