1. Basic Information and Definitions of Terms
1.1. Controller: The company Nabu technologies s.r.o., with its registered office at Kremnička 5A, 974 05 Banská Bystrica, ID No.: 56 444 508, registered in the Commercial Register of the District Court Banská Bystrica, Section: Sro, Insert No.: 49927/S. Our contact details are: email: [email protected], tel.: +421 910 572 595. In accordance with the GDPR Regulation and the Personal Data Protection Act, we are the controller of your personal data when providing the services of the Nexana.ai application (hereinafter referred to as “the Application”).
1.2. Data Subject: Any natural person whose personal data we process. In the context of our Application, this may primarily be the Account Owner or a Subordinate User.
1.3. Account Owner (Owner): A natural or legal person who enters into a contract with the Controller for the use of the Application, registers the main user account, manages the subscription, and is responsible for paying fees.
1.4. Subordinate User: A natural person (including roles such as Manager or User within the Application) nominated and authorized by the Account Owner to use the Application within the purchased and assigned subscription. The assigned user may have different levels of permissions in the Application, which are defined by the Account Owner.
1.5. Personal Data: Any information relating to an identified or identifiable natural person (Data Subject).
1.6. Processing of Personal Data: Any operation or set of operations performed on personal data (e.g., collection, recording, storage, use).
1.7. Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller. The identification of our key Processors is listed in point 5 of these Policies.
1.8. GDPR Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.9. Personal Data Protection Act: Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts as amended.
1.10. Processing Principles: The Controller has adopted appropriate technical and organizational measures to ensure the protection of personal data in accordance with the GDPR Regulation and the Personal Data Protection Act, taking into account the principles of legality, fairness, transparency, purpose limitation, data minimization, accuracy, pseudonymization, encryption, integrity, confidentiality, and accountability.
2. What Personal Data We Process
Depending on your settings in the Application and the actions you perform, we may process the following categories of personal data:
2.1. Data provided by the Account Owner: Upon registration and account management: name, surname, company name, ID No., Tax ID, VAT ID, registered office/business address, contact email, phone number, user role. When purchasing a subscription: billing information, information about the purchased subscription. (Payment card data is processed by the payment gateway provider). Communication between the Controller and the Application user (emails, support records). Data that you upload or create within the Application (e.g., documents in data storage – we process the content of these documents only for the purpose of providing the functionality of the Application's services according to your instructions and we do not analyze it for other purposes, unless it is necessary for technical support or problem resolution at your request).
2.2. Data of Subordinate Users (Managers, Users): Name, surname. Email address (serving as login credentials). This data is provided to the Controller by the Account Owner or a Manager authorized by them for the purpose of creating access to the Application for Subordinate Users. The Account Owner is responsible for informing Subordinate Users about the processing of their personal data by the Controller in accordance with these Policies and for ensuring a valid legal basis for such provision and subsequent processing. The subordinate user's role and contact phone number are provided by the subordinate user themselves upon accepting the registration, for which they received an email invitation from the Account Owner under which the subordinate user is managed and registered.
2.3. Automatically obtained data when using the website and the Application: IP address, browser type, device type, operating system, date and time of access. Data on interaction with the Application (e.g., logs on function usage, clicks) – these data are anonymized or aggregated to the maximum extent possible.
**Cookies and similar technologies:**
- **Technical (essential) cookies:** For the basic functionality of the website and Application.
- **Functional cookies:** To remember your preferences (e.g., language).
- **Analytical cookies:** To improve our services (usually anonymized).
More detailed information about the cookies used, their purposes, and your setting options can be found in our [Information on the use of cookies](https://nexana.ai/cookies).
3. Why We Collect and Process Your Personal Data (Purposes of Processing)
We process personal data for the following purposes:
Provision and administration of Application services: Creation and management of the Account Owner's account and the accounts of the Subordinate Users added by them. Processing of subscription orders placed by the Owner. Ensuring the functionality of the Application for all authorized users (Owner and Subordinate Users) in accordance with the purchased Subscription. Providing customer support to all Application users.
Invoicing and accounting: Issuing invoices and keeping accounts related to the payments of the Account Owner.
Communication: Sending important information regarding services, changes to GTC, Price List, planned downtimes, etc. (primarily to the Account Owner, and in necessary cases also to Subordinate Users).
Marketing activities (with your consent or based on legitimate interest): Sending news, information about new features or special offers by email or other electronic means (primarily to the Account Owner).
Improving and developing the Application: Analysis of Application usage (usually based on aggregated or anonymized data) to identify areas for improvement, develop new features, and optimize the user experience.
Security and protection of rights: Securing the Application, protecting our rights and legitimate interests, as well as the rights and legitimate interests of our users.
Fulfilling legal obligations: For example, in the area of accounting, taxes, or based on the requirements of public authorities.
4. On What Legal Grounds We Process Personal Data
The processing of your personal data is based on one of the following legal grounds:
Performance of a contract (Art. 6(1)(b) of the GDPR Regulation): This legal basis applies to the processing of personal data of the Account Owner necessary for the conclusion and performance of the contract for the provision of Application services (including the processing of orders, payments, and providing access). It also applies to the processing of personal data of Subordinate Users (name, email) entered by the Owner, as this processing is necessary for us to provide these individuals with access to the Application within the contract concluded with the Owner.
Legitimate interest (Art. 6(1)(f) of the GDPR Regulation): On this basis, we may process data for the purposes of direct marketing to existing customers (Account Owners) for similar services, for the purpose of analyzing Application usage to improve it (usually after anonymization or aggregation), for ensuring the security of our systems, and for protecting our legal claims. We always carefully consider whether your interests and fundamental rights and freedoms do not override our legitimate interests. You have the right to object to processing based on a legitimate interest.
Consent (Art. 6(1)(a) of the GDPR Regulation): For some specific purposes, such as sending marketing newsletters (if you are not an existing customer of ours, or if it concerns other products or services), or for the use of certain types of cookies, we will process your personal data only on the basis of your freely given consent. You can withdraw your consent at any time.
Fulfilling a legal obligation (Art. 6(1)(c) of the GDPR Regulation): In some cases, the processing of your personal data is directly required by legal regulations (e.g., accounting law, tax laws).
5. Transfer of Personal Data to Third Parties (Processors)
In necessary cases, we may provide or make your personal data accessible to third parties – our contractual partners who provide certain services for us (Processors). We only do so when it is necessary to achieve the purposes of processing mentioned above. We have a data processing agreement with each Processor, which obliges them to comply with personal data protection standards at least to the extent of the GDPR Regulation. Our main categories of Processors may be:
- Payment gateway providers (e.g., GoPay) – we do not process or store your payment card data; it is processed directly by the secure payment gateway.
- Providers of hosting and cloud services (e.g., for servers, databases, data storage).
- Providers of email communication and marketing tools.
- Providers of analytical tools (usually process anonymized or aggregated data).
- External consultants (e.g., legal, accounting, tax) if necessary.
In certain cases, we may be required to provide your personal data to public authorities (e.g., courts, police) based on the law or their legitimate request. We do not transfer personal data to third countries outside the European Union or the European Economic Area unless an adequate level of protection is ensured in accordance with the GDPR Regulation (e.g., based on a Commission adequacy decision, standard contractual clauses, or other appropriate safeguards).
6. How Long Do We Process Your Personal Data?
We retain personal data only for the period necessary to achieve the purpose for which it was collected, or for the period stipulated by relevant legal regulations. Data of the Account Owner required for the performance of the contract is retained for the duration of the contractual relationship and subsequently for the period necessary for the enforcement or defense of legal claims (usually during the general limitation period) or for the period stipulated by special regulations (e.g., accounting law). Data of the Subordinate Users (name, surname, email, phone number, role) are retained as long as they are actively assigned to the Account Owner's account and use the assigned Subscription. After their removal by the Owner from the account or after the termination of the Owner's account, their personal data will be deleted or anonymized without undue delay, unless legal regulations require their further retention. Data processed on the basis of consent (e.g., for marketing) are processed until consent is withdrawn, but for a maximum period specified in the consent (5 years). Data from cookies are stored for the period specified in the cookie settings upon granting consent.
7. Security of Personal Data
We have adopted appropriate technical and organizational measures to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include communication encryption, server security, access control, regular backups, and training of authorized persons. Details of our security measures are part of our internal documentation.
8. What are Your Rights in Connection with the Protection of Your Personal Data
As a Data Subject, you have the following rights in connection with the processing of your personal data:
- Right of access to your personal data (Art. 15 of the GDPR Regulation).
- Right to rectification of inaccurate or incomplete personal data (Art. 16 of the GDPR Regulation).
- Right to erasure ('right to be forgotten') of your personal data under the conditions set out in Art. 17 of the GDPR Regulation.
- Right to restriction of processing of your personal data under the conditions set out in Art. 18 of the GDPR Regulation.
- Right to data portability under the conditions set out in Art. 20 of the GDPR Regulation.
- Right to object to the processing of your personal data which is carried out on the basis of our legitimate interest or for direct marketing purposes (Art. 21 of the GDPR Regulation).
- Right to withdraw consent to the processing of personal data at any time, if the processing is based on consent, without affecting the lawfulness of processing before its withdrawal (Art. 7(3) of the GDPR Regulation).
- Right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, https://www.dataprotection.gov.sk.
You can exercise your rights in writing to our registered office address: Nabu technologies s.r.o., Kremnička 5A, 974 05 Banská Bystrica, or electronically to the email address: [email protected].
We will respond to your request without undue delay, no later than one month from its receipt (this period may be extended by another two months in justified cases, of which we will inform you).
When exercising your rights, we may require verification of your identity. If you have any questions or comments regarding the processing of your personal data, please do not hesitate to contact us.
These Privacy Policies are valid and effective from May 21, 2025. We reserve the right to update these Policies. We will inform you of all changes on our website or by other appropriate means.
See also our Terms of Service or Subscription Terms.