Privacy Policy

Last updated: 2026-04-08

1. Introduction

This Privacy Policy describes how CURUBA SARL ("we", "our", "Nexom") collects, uses, stores, and protects your personal data when you use the Nexom.ai platform and visit our website.

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679), the French Data Protection Act (Loi Informatique et Libertés, Law No. 78-17 as amended), the ePrivacy Directive (2002/58/EC), and the EU Artificial Intelligence Act (Regulation EU 2024/1689).

2. Data Controller

CURUBA SARL
18 rue Voltaire, 78640 Neauphle-le-Château, France
Share capital: €2,500
RCS: 519 818 785 R.C.S. Versailles
Contact: privacy@nexom.ai

CURUBA SARL is the data controller within the meaning of Article 4(7) of the GDPR for data collected via the nexom.ai website and the Nexom platform. For data you enter into the platform (notes, contacts, messages), CURUBA acts as a data processor on behalf of your organization.

3. Data We Collect

We collect the following categories of data:

3.1 Identity and account data

Name, email address, password (hashed), profile photo, job title, account settings and preferences.

3.2 User content

Notes, documents, files, knowledge base, tasks, projects, stored contacts, workspaces, and all data you create or import into the platform.

3.3 Communication data

Instant messages, connected email content, video conference recordings and transcriptions (if enabled by you), attachments.

3.4 Technical data

IP address, device identifier, browser type, operating system, login timestamps, performance data, and security logs.

3.5 Billing data

Payment information (processed by Stripe — we do not store your card numbers), invoice history, subscription details.

3.6 Usage data

Features used, platform interactions, aggregated usage statistics via Umami (privacy-friendly analytics, no cookies).

4. Purposes and Legal Bases for Processing

Purpose | Legal basis (GDPR) | Retention period
Providing the service (notes, tasks, messaging, video) | Contract performance (Art. 6(1)(b)) | Duration of contract + 30 days
Account creation and management | Contract performance (Art. 6(1)(b)) | Duration of contract
AI features (summaries, suggestions, analysis) | Contract performance (Art. 6(1)(b)) | Duration of processing session
Billing | Legal obligation (Art. 6(1)(c)) | 10 years (commercial law)
Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | 1 year for logs
Platform improvement and analytics | Legitimate interest (Art. 6(1)(f)) | Aggregated data only
Marketing communications | Consent (Art. 6(1)(a)) | Until consent is withdrawn
Legal compliance | Legal obligation (Art. 6(1)(c)) | As required by applicable law

5. Artificial Intelligence Features

Nexom integrates AI-powered features (summaries, suggestions, deep analysis, AI apps). AI interactions happen either within conversations (AI assistant) or through autonomous agents that execute tasks on your behalf. Here is how we handle your data in this context:

  • AI providers used: Mistral AI (France/EU), OpenAI (USA), Google (USA), Anthropic (USA). You can disable any provider from your settings.
  • Data transmitted: When you use an AI feature, the relevant content (note, message, document) is sent to the selected provider for processing. Only the necessary content is transmitted.
  • No training on your data: Your data is never used to train or improve AI models. Our API contracts with each provider explicitly prohibit this.
  • Transparency: In accordance with Article 50 of the EU AI Act, you are informed when interacting with an AI system. AI features are clearly identified in the interface.
  • Autonomous agents: Some features use autonomous AI agents that process your data to perform tasks (email summaries, task identification, etc.). These agents can be disabled at the organization level and at the user level in preferences.
  • Limitation: AI-generated results may be inaccurate or incomplete. They do not constitute professional advice and should be verified by the user.
  • Opt-out: You can disable AI features, autonomous agents, or specifically choose which providers are authorized, at the organization and user level.

6. Video Conferencing and Messaging

6.1 Instant messaging

Messages exchanged via Nexom are stored on our servers to provide the service. Your organization's administrators only have access to conversation groups they are explicitly members of.

6.2 Video conferencing

Video and audio calls are processed in real time and are not recorded on the platform. Metadata (participants, duration, timestamps) is retained.

6.3 Email integration

When you connect your email, Nexom accesses your messages to provide AI summary and task management features. Your emails are encrypted in transit (TLS).

7. Cookies and Tracking

Our website uses a minimal number of cookies:

  • Strictly necessary cookies: Session, authentication, CSRF, language preference. No consent required.
  • Analytics: We use Umami, a privacy-friendly analytics solution that does not set cookies and does not perform cross-site tracking.

We do not use advertising cookies or third-party trackers for marketing purposes.

8. Data Sharing and Sub-processors

We never sell your personal data. We share your data only with the following categories of sub-processors, under contracts compliant with Article 28 of the GDPR:

Sub-processor | Purpose | Location
OVHcloud | Data hosting and infrastructure | France (Roubaix)
Stripe | Payment processing | EU / USA (DPF certified)
Mistral AI | AI processing (can be disabled) | France / EU
OpenAI | AI processing (can be disabled) | USA (SCCs)
Google | AI processing (can be disabled) | USA (DPF certified)
Anthropic | AI processing (can be disabled) | USA (SCCs)

We will notify you at least 30 days before adding any new sub-processor.

9. International Data Transfers

Your data is hosted at OVHcloud in Roubaix, France, entirely under European jurisdiction.

When you use non-European AI providers (OpenAI, Google, Anthropic), the data necessary for processing is transferred to the United States under the protection of Standard Contractual Clauses (SCCs) in accordance with EU implementing decision 2021/914, and where applicable, the EU-US Data Privacy Framework (DPF) when the provider is certified.

You can avoid any transfer outside the EU by selecting Mistral AI as your only provider in your settings.

10. Data Retention

Data category | Retention period
Account data | Duration of contract, then deleted within 30 days
User content (notes, tasks, contacts) | Duration of contract + 30 days for export
Messages and communications | Duration of contract + 30 days
Video conferencing metadata | Duration of contract + 30 days
Billing data | 10 years (legal obligation)
Security logs | 1 year
Marketing prospects | 3 years from last contact

11. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): Obtain a copy of your personal data.
  • Right to rectification (Art. 16): Correct inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your data.
  • Right to restriction (Art. 18): Restrict the processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (Art. 22): Including profiling.
  • Right to withdraw consent (Art. 7(3)): At any time, without affecting the lawfulness of prior processing.

To exercise your rights, contact us at privacy@nexom.ai. We respond within 1 month (extendable by 2 months for complex requests, per Article 12(3) GDPR).

Complaints: You have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): www.cnil.fr

12. Target Audience

Nexom is a service exclusively intended for professionals (B2B). The Service is not intended for consumers or minors.

13. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2+)
  • Strict access controls and enhanced authentication
  • Secure hosting at OVHcloud (ISO 27001 certified)
  • Regular backups and disaster recovery plan
  • Intrusion monitoring and detection

14. Data Breach Notification

In the event of a personal data breach, we commit to:

  • Notifying the CNIL within 72 hours of becoming aware of the breach (Art. 33 GDPR).
  • Informing you without undue delay if the breach poses a high risk to your rights and freedoms (Art. 34 GDPR), via email and in-app notification.
  • Documenting all breaches, their effects, and corrective measures taken.

15. Post-mortem Data Directives

In accordance with Article 85 of the French Data Protection Act (Loi Informatique et Libertés), you may define general or specific directives regarding the retention, deletion, and communication of your personal data after your death.

In the absence of directives, heirs may exercise the rights necessary to close the account and access data. To define your directives, contact privacy@nexom.ai.

16. Changes to This Policy

We may update this privacy policy. For any material changes, we will notify you by email or via an in-app notification at least 30 days before the changes take effect. Previous versions remain available upon request.

17. Contact

For any questions about this privacy policy or the protection of your data, contact us:

CURUBA SARL
18 rue Voltaire, 78640 Neauphle-le-Château, France
Email: privacy@nexom.ai