Privacy Policy
We are committed to protecting your personal information and respecting your privacy rights under Quebec's Law 25 and international data protection standards.
Company Information
Nixa
460 Rue St Gabriel, 3rd floor
Montréal, QC H2Y 2Z9
Canada
Data Protection Manager:
David Kristensen, CTO
Email: david@nixa.ca
Last Updated: October 26, 2025
1. Information We Collect
Personal Information You Provide
We collect personal information that you voluntarily provide to us when:
- Creating an account or registering for our services
- Using our platform and entering data
- Contacting us for support or inquiries
- Subscribing to our newsletters or marketing communications
- Participating in surveys, contests, or promotional activities
This information may include:
| Category | Examples | Purpose |
|---|---|---|
| Identity Information | Name, email address, phone number | Account creation and communication |
| Professional Information | Job title, company name, industry | Service customization and support |
| Business Data | Documents, records, workflow data | Platform functionality and data processing |
| Communication Data | Support messages, feedback, survey responses | Customer support and service improvement |
Information Automatically Collected
We automatically collect certain information when you use our services:
- Usage Data: Pages visited, features used, time spent on platform
- Device Information: Browser type, operating system, IP address
- Log Data: Access times, error logs, performance metrics
- Cookies: Session cookies, preference cookies (see Section 6)
2. How We Use Your Information
We use your personal information for the following purposes, based on legitimate business interests and your consent where required:
Service Provision
- Providing and maintaining our platform services
- Processing your data and business workflows
- Authenticating users and managing accounts
- Enabling collaboration features
Customer Support
- Responding to your inquiries and support requests
- Troubleshooting technical issues
- Providing training and onboarding assistance
Service Improvement
- Analyzing usage patterns to improve our services
- Developing new features and functionality
- Conducting research and analytics
- Performance monitoring and optimization
Security & Compliance
- Detecting and preventing fraud and abuse
- Ensuring platform security and integrity
- Complying with legal obligations
- Protecting our rights and those of our users
Other Integrations (Personal Data)
This section focuses on personal data processed when you enable optional integrations. We transmit only what is necessary to provide the requested features.
Google Calendar
Scopes Requested
- https://www.googleapis.com/auth/calendar.readonly
- https://www.googleapis.com/auth/userinfo.email
- openid
We request only the minimum necessary scopes (read‑only calendar and basic identity) to display your events in the app.
Personal Data Processed (Read‑Only)
Calendar metadata and event details to display them in the app: calendar ID, summary/title, color, primary flag; and for events: ID, title/summary, description, start/end, all‑day status, status, location, attendees (names/emails), organizer/creator emails, meeting links, HTML link, created/updated timestamps, and visibility. Selected calendar IDs are stored to power your views.
Use of Personal Data
- Display your events and enable features like filtering and timelines.
- Maintain change notifications (Google push channels) to refresh views.
- No modification or deletion of your Google Calendar data.
Storage and Security
- OAuth tokens (access/refresh) are encrypted at rest (AES‑256‑GCM).
- Selected calendar IDs and non‑sensitive calendar metadata are retained; event content is fetched on demand and not persisted as records.
- Operational sync logs and webhook identifiers may be retained for reliability.
Data Sharing
We do not sell or share Google Calendar data with third parties. Data is only transmitted to Google to provide this integration. We do not use Google user data for advertising or marketing.
Retention and Deletion
- Tokens and selected calendar settings are retained while the integration is active.
- Disconnecting immediately deletes stored tokens, selected calendars, and webhook subscriptions. Operational logs may be retained for up to 12 months for security and troubleshooting, then deleted.
Controls and Revocation
- In‑app: Settings → Integrations → Google Calendar → Disconnect.
- Google Account: Revoke access in your Google Account permissions (Third‑party access).
International Transfers for this Integration
While core application data is hosted in Canada, connecting Google Calendar necessarily involves transmitting data to and from Google’s systems, which may process data outside of Canada.
Google Meet
- Personal data processed: meeting link/URI, participant display names, and counts; user email (for impersonation under domain-wide delegation, DWD); OAuth tokens (if per-user).
- Use: create meetings you request and display live status. No modification of personal content.
- Storage: tokens/credentials stored encrypted; operational logs retained for reliability.
- Controls: disconnect in app or revoke access in your Google Account.
Email Delivery (Mailgun/SMTP)
- Personal data processed: recipient email, name (if provided), delivery events (opened, clicked, bounced, unsubscribed).
- Use: send account and service emails; honor unsubscribes and suppressions.
- Storage: event logs and suppression lists retained to prevent unwanted emails.
- Controls: unsubscribe links in marketing emails; contact us for removal.
AI Features (OpenAI)
- Personal data processed: prompts and content you provide to AI features; optional file uploads for analysis.
- Use: generate responses/insights you request. We avoid sending sensitive data unless you submit it.
- Storage: conversation context retained to provide continuity; provider-side handling per OpenAI policies.
- Controls: do not use AI features or request deletion via privacy contact.
Maps & Geocoding (Google)
- Personal data processed: addresses or place queries you type; device IP (by Google) for service delivery.
- Use: autocomplete and converting addresses to coordinates.
- Storage: cached geocoding results; no persistent storage of your raw queries beyond logs.
- Controls: do not enable address features if you prefer not to use Maps/Geocoding.
3. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:
Service Providers
We may share data with trusted third-party service providers who assist us in operating our platform, conducting business, or serving our users. These providers are bound by strict confidentiality agreements and are only authorized to use your information as necessary to provide services to us.
Legal Requirements
We may disclose your information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal information.
4. Data Storage and Security
Security Measures
We implement industry-standard security measures to protect your personal information:
- Encryption: Data is encrypted in transit and at rest using AES-256 encryption
- OAuth Tokens: Integration tokens (e.g., Google) are encrypted at rest (AES‑256‑GCM)
- Access Controls: Strict access controls and authentication mechanisms
- Regular Audits: Security audits and vulnerability assessments
- Staff Training: Regular privacy and security training for our team
- Infrastructure: Secure cloud infrastructure with Canadian data centers
Data Backup and Recovery
We maintain regular backups of your data to ensure business continuity and disaster recovery. All backups are encrypted and stored in secure Canadian facilities.
5. Your Privacy Rights
Under Quebec's Law 25 and other applicable privacy laws, you have the following rights regarding your personal information:
Right to Access
You have the right to request access to the personal information we hold about you, including the purposes for processing and the categories of data.
Right to Rectification
You have the right to request correction of inaccurate or incomplete personal information.
Right to Erasure
You have the right to request deletion of your personal information, subject to certain legal obligations and legitimate business interests.
Right to Data Portability
You have the right to receive your personal information in a structured, commonly used, and machine-readable format.
Right to Object
You have the right to object to the processing of your personal information for direct marketing purposes or based on legitimate interests.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Manager:
David Kristensen, CTO
Email: david@nixa.ca
Phone: Available through our contact page
We will respond to your request within 30 days as required by Quebec Law 25.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our platform. Cookies are small text files stored on your device that help us provide and improve our services.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Necessary for site functionality | Session |
| Performance Cookies | Usage analysis and improvements | 1 year |
| Preference Cookies | Remember your settings | 6 months |
You can control cookie settings through your browser preferences. However, disabling certain cookies may affect the functionality of our platform.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required by law.
Account Data
We retain your account information for the duration of your active subscription plus 90 days after account closure, unless you request immediate deletion.
Business Data
Your business data (documents, records, workflows) is retained according to your subscription terms and can be deleted upon request or account closure.
Support Communications
Support tickets and communications are retained for 3 years for quality assurance and training purposes.
Legal Requirements
Some information may be retained longer to comply with legal obligations, resolve disputes, or enforce our agreements.
8. International Data Transfers
Future GDPR Compliance
While we currently operate exclusively within Canada, we are preparing for GDPR compliance to support European clients in the future. Our data protection practices already align with many GDPR requirements, and we will implement additional safeguards as needed.
9. Contact Information
If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:
Data Protection Manager
David Kristensen, CTO
Email: david@nixa.ca
Company Address
Nixa
460 Rue St Gabriel, 3rd floor
Montréal, QC H2Y 2Z9
Canada
General Contact
For general inquiries: Contact Form
For support: Available through our platform
10. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you by email if the changes are material
- Post the updated policy on our website
- Provide a summary of key changes where appropriate
We encourage you to review this privacy policy periodically to stay informed about how we protect your personal information.
Your Privacy is Protected
We are committed to protecting your personal data and complying with Quebec's Law 25. Core application data is hosted in Canada. When you enable integrations (e.g., Google), necessary personal data may be transmitted to those providers' systems to deliver the feature.
