Privacy Policy

This Privacy Policy explains how we collect, use, store and disclose personal information when you visit our website, sign up for or use the Service, communicate with us, or otherwise interact with Nexpura. "Personal information" has the meaning given in the Privacy Act 1988 (Cth) and includes information or an opinion about an identified or reasonably identifiable individual. Where you use Nexpura to manage your own End Customers' data, you are the controller of that data and Nexpura processes it on your behalf — your own privacy policy will govern how you collect and use that data.

We collect personal information that you provide directly — such as your name, email address, phone number, business name, billing address, account credentials and (via our payments provider) payment details — when you register for, configure or use the Service, contact support, or respond to communications. We collect business and operational data you enter into the Service, including inventory, customer records, repair and bespoke jobs, invoices, quotes and related records ("Customer Data"), and information you submit about your own customers ("End Customer Data"). We also collect technical and usage information automatically when you use the Service, including IP address, device and browser identifiers, referring/exit pages, dates and times of access, and aggregated usage patterns.

We use information to provide, operate, maintain, secure, support and improve the Service; process subscriptions, payments and billing; authenticate users and prevent fraud or abuse; respond to enquiries and support requests; send transactional and product communications (such as receipts, invoices, security alerts and important Service notices); detect and resolve technical issues; comply with legal, regulatory and tax obligations; and enforce our Terms of Service. We do not sell personal information. We do not use business data or End Customer Data for third-party advertising.

Customer Data and End Customer Data remain yours. We process them on your instructions in order to provide the Service to you. You are responsible for ensuring you have the necessary rights and lawful basis to provide End Customer Data to us, and for handling End Customer rights requests under the privacy laws applicable to you. We will reasonably assist you with such requests where the Service makes that practical.

Some Service features use AI provided by third-party AI providers (currently Anthropic and OpenAI) to assist with tasks such as drafting, summarising, parsing or formatting content. When you use these features, the relevant inputs may be sent to the AI provider for processing in accordance with their terms. We choose providers that contractually agree not to use API inputs to train their general-purpose models, where that option is available. AI outputs may contain errors and should be reviewed before relying on them.

We use a small, named set of third-party service providers (subprocessors) to operate, secure and support the Service. Each maintains its own privacy and security commitments, and we limit what we share with each provider to what is reasonably required to deliver the Service. We do not sell your data or share it with third parties for advertising. We disclose limited information to service providers and subprocessors only as needed to operate, secure and support Nexpura.

Vercel

Application hosting, deployment and edge delivery.

Supabase

Database, authentication and file storage.

Stripe

Payments, billing, subscriptions and invoices.

Resend

Transactional email (receipts, invoices, password resets, notifications).

Twilio

SMS, WhatsApp and phone notifications where enabled by you.

Anthropic

AI-assisted features where enabled.

OpenAI

AI-assisted features where enabled.

Some of our subprocessors are located, or may process data, outside Australia (for example, in the United States or the European Union). Where we disclose personal information overseas, we take reasonable steps to ensure the recipient handles the information in a manner consistent with the Australian Privacy Principles or equivalent obligations.

We use cookies, local storage and similar technologies to maintain your authentication session, remember preferences (such as your selected pricing-page currency), keep the Service secure, and analyse aggregate usage patterns. Essential cookies are required for the Service to function; you can manage non-essential cookies through your browser settings. Some preferences are held only on your device and are not transmitted to or stored on our servers.

When you visit our pricing page we read an approximate country signal provided by our hosting platform's edge headers (derived from your IP address) to suggest an appropriate default currency for display. This signal is processed transiently at request time, is not linked to your account or identity, and is not retained. You can manually change the displayed currency at any time, and your selection takes precedence over the auto-detected default.

We use reasonable and appropriate technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, alteration or disclosure. These measures include encryption in transit, encryption of selected sensitive fields at rest, role-based access controls, audit logging on critical actions, automated backups managed by our hosting platform, and ongoing monitoring. No platform can guarantee absolute security, and we encourage you to use strong, unique passwords and to enable any available account-protection features.

We retain personal information for as long as your account is active or as needed to provide the Service. If your account is cancelled, we retain account and Customer Data for a limited reactivation window before deletion (see §14). Anonymised, aggregated statistical data may be retained indefinitely. Records that we are legally required to keep — for example tax invoices and payment records — are retained for the period required by applicable law.

Account owners and managers can export a copy of their tenant's Customer Data — customers, inventory, invoices, repairs, bespoke jobs and related records — from inside the application. The export covers the data you have entered into Nexpura and is available on demand from your account settings.

Account owners can submit a deletion request from within the application or by writing to hello@nexpura.com. Deletion is processed as a 30-day soft-delete window during which the request can be cancelled and the account restored. After the window closes, tenant data is permanently and irreversibly deleted from our active systems. Routine encrypted backups follow a separate, time-limited retention schedule before being purged.

Subject to applicable law, you may have the right to access the personal information we hold about you, request correction of inaccurate information, request deletion, request a portable copy, restrict or object to certain processing, and withdraw consent where processing is based on consent. To exercise any of these rights, contact us at hello@nexpura.com. We may need to verify your identity before acting on a request, and we will respond within the timeframe required by applicable law. If you are unhappy with how we have handled your personal information, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.

We may send you product updates, tips and other marketing communications about Nexpura. You can opt out at any time using the unsubscribe link in those messages or by emailing hello@nexpura.com. Even if you opt out of marketing, we will still send transactional and Service-related communications (such as billing notices, security alerts and important Service notices).

We comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). If we become aware of an eligible data breach involving personal information that is likely to result in serious harm to affected individuals, we will notify the OAIC and affected individuals as required by the scheme, and we will reasonably assist Customers with their own notification obligations where the breach involves data we process on the Customer's behalf.

The Service is intended for use by businesses and the adult professionals operating them. It is not directed to children, and we do not knowingly collect personal information from children. If you believe a child has provided personal information through the Service, please contact us at hello@nexpura.com so we can take appropriate action.

We may update this Privacy Policy from time to time. Where changes are material, we will give reasonable advance notice by email or in-app notification before they take effect. The date at the top of this page indicates when this Privacy Policy was last updated.

Nexpura is operated by NEXPURA PTY LTD (ACN 696 370 171 · ABN 93 696 370 171), registered in New South Wales, Australia. For questions about this Privacy Policy or to exercise your privacy rights, contact us at hello@nexpura.com.