Legal
Privacy Policy & Data Processing Agreement
Effective date: 26 June 2026 · Applies to NexaOne CRM and all PS NEXA LABS services
1. Overview
PS NEXA SOLUTIONS LIMITED (trading as PS NEXA LABS) ("we", "us", "our") operates the NexaOne CRM platform and this marketing website. We are committed to protecting your personal information in accordance with the New Zealand Privacy Act 2020 and, where applicable, the EU General Data Protection Regulation (GDPR) 2016/679.
Registered Company: PS NEXA SOLUTIONS LIMITED, New Zealand.
IT Brand: PS NEXA LABS.
Contact: admin@psnexalabs.co.nz(will update to a domain-specific address once our new domain is live)
2. What We Collect
| Category | Examples | Source |
|---|---|---|
| Contact data | Name, email, phone, address | Contact form, chat widget |
| Usage data | Pages visited, device type, browser, anonymised IP | Analytics cookies (with consent) |
| Technical data | HTTP headers, referrer URL, session tokens | Web server logs (Vercel) |
| Customer data | Data you input into the NexaOne CRM product | You (as data controller) |
We do not collect sensitive categories of data (health, biometric, financial account details) through this marketing website. The NexaOne CRM product collects only what you explicitly enter as a paying customer.
3. Legal Basis for Processing
Under GDPR Art. 6 and NZ Privacy Act 2020 Principle 1, we only process personal data where we have a lawful basis:
- Consent — marketing emails, analytics cookies. You may withdraw consent at any time.
- Legitimate Interests — security logs, fraud prevention, basic site functionality analytics.
- Contractual Necessity — processing required to deliver the NexaOne CRM subscription you purchased.
- Legal Obligation — tax records, AML/CFT obligations under the NZ Anti-Money Laundering and Countering Financing of Terrorism Act 2009.
4. How We Use Your Data
- Respond to enquiries submitted via contact form or chat widget
- Provide and support the NexaOne CRM software subscription
- Send transactional emails (account, billing, security notices)
- Send product updates and marketing — only with your explicit consent
- Improve site performance and user experience via anonymised analytics
- Detect and prevent fraud, abuse, and security incidents
- Meet legal and regulatory obligations (Privacy Act 2020, CCCFA, FMC Act)
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Enquiry / lead records | 24 months | Sales follow-up lifecycle |
| Customer account data | 7 years post-termination | NZ business record-keeping requirements |
| Server / access logs | 90 days | Security and incident investigation |
| Analytics data | 26 months | Trend analysis (anonymised) |
| Cookie consent records | 12 months | Proof of consent (GDPR Art. 7) |
6. Third-Party Processors
We share data only with trusted processors under binding data processing agreements. No data is sold to third parties.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Web hosting & edge delivery | USA / EU edge | SCCs, SOC 2 Type II |
| Resend Inc. | Transactional email delivery | USA | SCCs, SOC 2 |
| Google Analytics | Site usage analytics (with consent) | USA | SCCs, IP anonymisation enabled |
| Supabase | CRM product database | AWS ap-southeast-2 (Sydney) | SOC 2, data residency NZ/AU |
7. Your Rights
Under the NZ Privacy Act 2020 and GDPR you have the following rights:
Access
Request a copy of personal data we hold about you.
Correction
Request correction of inaccurate or incomplete data.
Erasure (GDPR)
Request deletion where no lawful basis exists for continued processing.
Restriction (GDPR)
Request we limit processing while a dispute is resolved.
Portability (GDPR)
Receive your data in a machine-readable format.
Object
Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent
Withdraw any consent you have given at any time without penalty.
Complaint (NZ)
Lodge a complaint with the Office of the Privacy Commissioner (OPC) at privacy.org.nz.
To exercise any right, email admin@psnexalabs.co.nz. We will respond within 20 working days (NZ Privacy Act 2020 requirement) and within 30 days for GDPR requests.
9. Data Processing Agreement (DPA)
When you use the NexaOne CRM product to store and process your clients' personal information, you act as the data controller and PS NEXA SOLUTIONS LIMITED (trading as PS NEXA LABS) acts as your data processor (GDPR Art. 28; NZ Privacy Act 2020 s. 22).
Key DPA Terms
- Processing scope: Only on your documented instructions. We will not process your clients' data for our own purposes.
- Sub-processors: Supabase (database, Sydney AU), Vercel (hosting), Resend (transactional email). Full sub-processor list available on request.
- Security: TLS 1.3 in transit, AES-256 at rest, role-based access control, regular penetration testing.
- Breach notification: We will notify you within 72 hours of becoming aware of a personal data breach (GDPR Art. 33; NZ Privacy Act 2020 s. 113).
- Data return / deletion: On contract termination we will provide a full export within 30 days and securely delete all copies within 90 days.
- Audit rights: Enterprise plan customers may request an annual audit or a copy of our latest SOC 2 / ISMS report.
- Cross-border transfers: Data stored in AWS ap-southeast-2 (Sydney). EU transfers covered by Standard Contractual Clauses (SCCs) 2021/914/EU.
A signed DPA is available to all paying customers on request. Email admin@psnexalabs.co.nz with subject "DPA Request".
10. Contact & Complaints
For any privacy enquiry, right request, or DPA request:
PS NEXA SOLUTIONS LIMITEDtrading as PS NEXA LABSPrivacy Officer
New Zealand
admin@psnexalabs.co.nz
If you believe we have breached your privacy rights you may lodge a complaint with the Office of the Privacy Commissioner (OPC) at privacy.org.nz. EU residents may also lodge a complaint with your local supervisory authority.
This policy was last updated on 26 June 2026. We will post changes here and, where material, notify active customers by email.