Legal

Privacy Policy & Data Processing Agreement

Effective date: 26 June 2026 · Applies to NexaOne CRM and all PS NEXA LABS services

1. Overview

PS NEXA SOLUTIONS LIMITED (trading as PS NEXA LABS) ("we", "us", "our") operates the NexaOne CRM platform and this marketing website. We are committed to protecting your personal information in accordance with the New Zealand Privacy Act 2020 and, where applicable, the EU General Data Protection Regulation (GDPR) 2016/679.

Registered Company: PS NEXA SOLUTIONS LIMITED, New Zealand.
IT Brand: PS NEXA LABS.
Contact: admin@psnexalabs.co.nz(will update to a domain-specific address once our new domain is live)


2. What We Collect

CategoryExamplesSource
Contact dataName, email, phone, addressContact form, chat widget
Usage dataPages visited, device type, browser, anonymised IPAnalytics cookies (with consent)
Technical dataHTTP headers, referrer URL, session tokensWeb server logs (Vercel)
Customer dataData you input into the NexaOne CRM productYou (as data controller)

We do not collect sensitive categories of data (health, biometric, financial account details) through this marketing website. The NexaOne CRM product collects only what you explicitly enter as a paying customer.



4. How We Use Your Data

  • Respond to enquiries submitted via contact form or chat widget
  • Provide and support the NexaOne CRM software subscription
  • Send transactional emails (account, billing, security notices)
  • Send product updates and marketing — only with your explicit consent
  • Improve site performance and user experience via anonymised analytics
  • Detect and prevent fraud, abuse, and security incidents
  • Meet legal and regulatory obligations (Privacy Act 2020, CCCFA, FMC Act)

5. Data Retention

Data TypeRetention PeriodReason
Enquiry / lead records24 monthsSales follow-up lifecycle
Customer account data7 years post-terminationNZ business record-keeping requirements
Server / access logs90 daysSecurity and incident investigation
Analytics data26 monthsTrend analysis (anonymised)
Cookie consent records12 monthsProof of consent (GDPR Art. 7)

6. Third-Party Processors

We share data only with trusted processors under binding data processing agreements. No data is sold to third parties.

ProcessorPurposeLocationSafeguard
Vercel Inc.Web hosting & edge deliveryUSA / EU edgeSCCs, SOC 2 Type II
Resend Inc.Transactional email deliveryUSASCCs, SOC 2
Google AnalyticsSite usage analytics (with consent)USASCCs, IP anonymisation enabled
SupabaseCRM product databaseAWS ap-southeast-2 (Sydney)SOC 2, data residency NZ/AU

7. Your Rights

Under the NZ Privacy Act 2020 and GDPR you have the following rights:

Access

Request a copy of personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Erasure (GDPR)

Request deletion where no lawful basis exists for continued processing.

Restriction (GDPR)

Request we limit processing while a dispute is resolved.

Portability (GDPR)

Receive your data in a machine-readable format.

Object

Object to processing based on legitimate interests or for direct marketing.

Withdraw Consent

Withdraw any consent you have given at any time without penalty.

Complaint (NZ)

Lodge a complaint with the Office of the Privacy Commissioner (OPC) at privacy.org.nz.

To exercise any right, email admin@psnexalabs.co.nz. We will respond within 20 working days (NZ Privacy Act 2020 requirement) and within 30 days for GDPR requests.


8. Cookies

Cookies are small text files stored in your browser. We use them to make the site work and (with your consent) to improve it over time.

CategoryExamplesConsent Required
EssentialSession management, CSRF protection, cookie consent recordNo — always on
AnalyticsGoogle Analytics (_ga, _gid) — anonymised page views, traffic sourcesYes — opt-in
MarketingNone currently deployedN/A

You can change your cookie preferences at any time by clearing your browser storage and revisiting the site, or via your browser's cookie settings.


9. Data Processing Agreement (DPA)

When you use the NexaOne CRM product to store and process your clients' personal information, you act as the data controller and PS NEXA SOLUTIONS LIMITED (trading as PS NEXA LABS) acts as your data processor (GDPR Art. 28; NZ Privacy Act 2020 s. 22).

Key DPA Terms

  • Processing scope: Only on your documented instructions. We will not process your clients' data for our own purposes.
  • Sub-processors: Supabase (database, Sydney AU), Vercel (hosting), Resend (transactional email). Full sub-processor list available on request.
  • Security: TLS 1.3 in transit, AES-256 at rest, role-based access control, regular penetration testing.
  • Breach notification: We will notify you within 72 hours of becoming aware of a personal data breach (GDPR Art. 33; NZ Privacy Act 2020 s. 113).
  • Data return / deletion: On contract termination we will provide a full export within 30 days and securely delete all copies within 90 days.
  • Audit rights: Enterprise plan customers may request an annual audit or a copy of our latest SOC 2 / ISMS report.
  • Cross-border transfers: Data stored in AWS ap-southeast-2 (Sydney). EU transfers covered by Standard Contractual Clauses (SCCs) 2021/914/EU.

A signed DPA is available to all paying customers on request. Email admin@psnexalabs.co.nz with subject "DPA Request".


10. Contact & Complaints

For any privacy enquiry, right request, or DPA request:

PS NEXA SOLUTIONS LIMITEDtrading as PS NEXA LABS
Privacy Officer
New Zealand
admin@psnexalabs.co.nz

If you believe we have breached your privacy rights you may lodge a complaint with the Office of the Privacy Commissioner (OPC) at privacy.org.nz. EU residents may also lodge a complaint with your local supervisory authority.

This policy was last updated on 26 June 2026. We will post changes here and, where material, notify active customers by email.