Privacy Policy

1. About This Privacy Policy

Lex Hub AI Internet Content Provider L.L.C S.O.C, trade licence No. 1589099, operating under the trade name “Nexala AI” (“Nexala”, “we”, “us”, or “our”), is the controller of personal data provided to, or collected by or for, the Service, and is responsible for the processing of such data as described in this Privacy Policy.

2. Information We Collect

We collect information about you in three ways: directly from your input, from your organization or other sources, and through your use of the Service, including cookies.

2.1 Data You Provide to Us

The types of personal data we collect directly from you include:

• Contact and account details, such as your email address, first name, and last name;
• Authentication information, such as your password, which is stored as a cryptographic hash and never in plain text;
• Any other information you choose to share with us, such as when you contact our support team.

2.2 Data from Your Organization

Where you access the Service as part of an organization’s subscription, we obtain or generate the following information in connection with that organization:

• the organization’s name, billing contact name and details, and billing address;
• information about the organization’s members, including their contact details and the roles assigned to them within the Service.

2.3 Data from Other Sources

If you choose to sign in to the Service using Google, we receive your Google account identifier and associated basic profile information from Google in order to authenticate you and create or access your account.

2.4 Data from Service Use, Including Cookies

The Service automatically collects information about how you and your device interact with the Service, including:

• Usage data, such as the actions you take within the platform, the features and sections you access, and your interaction with platform functionality;
• Technical data, such as your IP address, browser type and version, device type, and operating system.

We collect this data through our servers and through cookies and similar technologies. When you first access the Service, you will be presented with a cookie banner allowing you to manage your cookie preferences. We use the following categories of cookies:

• Necessary cookies – required for the Service to function, including authentication and session management;
• Functional cookies – used to remember your preferences and settings;
• Analytical cookies – used to help us understand how the Service is used, through Google Analytics (operated by Google LLC) and Amplitude (operated by Amplitude, Inc.).

We may engage additional or alternative analytics providers from time to time; where this occurs, we will update this Privacy Policy accordingly. Non-essential cookies, including analytical cookies, are placed only with your consent given through the cookie banner, which you may withdraw at any time through your cookie settings.

3. How We Use Your Information

Depending on how you interact with us and the Service, we use your personal data to:

• provide, activate, and manage your access to and use of the Service;
• process billing and manage your subscription;
• provide technical, product, and other support and help keep the Service working, safe, and secure;
• analyze usage in order to maintain, improve, and develop the Service and to develop new features;
• send transactional communications, such as invoices, subscription notices, and password-reset emails;
• send marketing communications by email, where you have given your consent; you may withdraw such consent and unsubscribe at any time (see Section 10);
• comply with our legal obligations, resolve disputes, and enforce our agreements.

If you are an administrator of an organization with a subscription to the Service, we will use your details to communicate with you about your organization’s subscription and related matters.

4. Sharing of Your Information

4.1 Your Organization

If you access the Service through a subscription administered by your organization, your account information, role, and certain usage data may be accessed by or shared with the administrators authorized by your organization, for purposes of managing the organization’s subscription, members, and roles.

4.2 Our Companies and Service Providers

We share personal data with the following categories of service providers, each of which processes personal data either as an independent controller or as our processor, as applicable to the relevant service, in order to provide the Service and complete the purposes described in this Privacy Policy:

• Google LLC — for OAuth-based sign-in and for analytics through Google Analytics;
• a payment processor (currently Stripe, Inc.) — for payment processing. Your full card details are entered directly into the payment processor's systems and are not stored by us; we retain only masked card information and your billing and transaction history;
• a product analytics provider — to help us understand how the Service is used;
• an email service provider — for sending transactional and, where applicable, marketing emails;
• our hosting, infrastructure, and security service providers, who process personal data on our behalf and on our instructions, subject to confidentiality and data protection obligations consistent with this Privacy Policy.

We may change the specific service providers within each category from time to time without amending this Privacy Policy, provided that the category, purpose, and applicable safeguards remain as described above.

4.3 Your Choices

We do not sell your personal data, and we do not share your personal data with third parties for their own independent marketing purposes. Marketing communications from Nexala are sent only where you have given your consent, which you may withdraw at any time (see Section 10).

4.4 For Legal Reasons

We will also disclose your personal data if we have a good-faith belief that such disclosure is necessary to:

• meet any applicable law, regulation, legal process, or other legal obligation;
• detect, investigate, and help prevent security, fraud, or technical issues;
• protect the rights, property, or safety of Nexala, our users, employees, or others;
• as part of a corporate transaction, such as a transfer of assets to, or an acquisition by or merger with, another company.

5. Grounds for Processing

When we collect or otherwise process your personal data, we do so on the following grounds under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its Executive Regulations (the “PDPL”):

• Performance of a contract – to provide the Service you have requested, to create and manage your account, and to administer your subscription;
• Consent – for marketing communications and for the placement of non-essential cookies;
• Legitimate interests – for usage analytics, product improvement, and maintaining the security of the Service, provided that such processing does not override your rights and interests as a data subject;
• Compliance with legal obligations – for example, the retention of financial and billing records in accordance with applicable UAE legal requirements.

Where we rely on your consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out before such withdrawal. Where we rely on legitimate interests, you may have the right to object to our processing.

6. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, resolving disputes, maintaining security, and enforcing our agreements.

• Account and profile data is retained for as long as your account remains active.

  If you request deletion of your account through the Service, your account is deactivated and your data is retained for a period of 30 days, during which you may request that your account be reactivated. Following the expiry of this period, your data is permanently deleted, except where its continued retention is required as described below.

• Financial and billing records are retained for a minimum of 7 years from the date of the relevant transaction, in accordance with applicable UAE legal and tax-record requirements, regardless of whether your account has been deleted.

7. Locations of Processing

The Service is hosted on servers located in Qatar. As a result, your personal data is transferred to, and stored and processed in, a jurisdiction outside the United Arab Emirates.

In addition, the service providers referred to in Section 4.2 (including Google, Amplitude, and Stripe) may process personal data in other countries in which they operate.

Where your personal data is transferred outside the UAE, we take steps intended to ensure that it continues to receive a level of protection consistent with the PDPL, including through contractual and organizational measures with the relevant service providers. Where such a transfer relies on your consent, we obtain your explicit consent through a separate affirmative action (such as a dedicated consent checkbox presented to you at the time of registration), in addition to your acknowledgment of this Privacy Policy.

8. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration, including encryption and access controls appropriate to the risks associated with the relevant processing. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent authority in the UAE and, where required by applicable law, the affected individuals, without undue delay and in accordance with the timeframes prescribed under the PDPL.

9. Children’s Privacy

The Service is intended for use by individuals who have reached the age of legal majority and is not directed to children. We do not knowingly collect personal data from individuals below the age of legal majority. If we become aware that we have inadvertently collected personal data from such an individual, we will take steps to delete that information.

10. Your Communications Preferences

You can manage your communications preferences and cookie settings at any time, including through your account settings, the cookie banner or cookie settings tool, or by using the “unsubscribe” mechanism included in our marketing communications. Withdrawing consent to marketing communications or analytical cookies will not affect transactional communications necessary for the operation of your account and the Service.

11. Accessing and Updating Your Information

11.1 Your Account

You may access and review your account information and make corrections or updates through your account settings at any time. You may also delete your account directly through the Service, as described in Section 6, or by contacting us.

11.2 Your Rights

Subject to applicable law, including the PDPL, you may have the right to:

• access the personal data we hold about you;
• request the correction of inaccurate or incomplete personal data;
• request the deletion of your personal data;
• request the restriction of our processing of your personal data;
• object to the processing of your personal data for direct marketing purposes, including any related profiling;
• withdraw any consent you have previously given, including for marketing communications and for analytical cookies;
• request the portability of your personal data, where this is technically feasible.

You can exercise most of these rights directly through your account settings. For any other request relating to your personal data, please contact us at support@nexala.ai. We will respond to your request within the timeframe required by applicable law. To protect your privacy and security, we may require you to verify your identity.

12. Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Any updated version will be posted on this page with a revised “Last updated” date. Where changes are material, we will provide additional notice through the Service or by other appropriate means.

13. Contact

If you have any questions, comments, or requests regarding this Privacy Policy or our processing of your personal data, please contact us at: