This Privacy Policy explains what information NexSites ("we," "us," or "our") collects, how we use it, who we share it with, and the choices you have. It applies to nexsites.org, the client portal, and the Services we provide. For purposes of the GDPR/UK GDPR, NexSites is the data controller for account data and a processor for visitor data that flows through websites we host on your behalf.
/audit), we record the URL, the audit results we generate, your IP, your user-agent, and any UTM/campaign parameters in the link you arrived from. Audit URLs you submit are also sent to Google PageSpeed Insights (sub-processor) for performance / SEO / accessibility scoring.

Where GDPR or UK GDPR applies, we rely on the following legal bases:
We share personal information only with the following categories of recipients, under written agreements where required:
| Vendor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payments, subscriptions, invoices | Name, email, billing address, card details (collected directly by Stripe) |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, tunnel | Visitor IPs, request metadata |
| Namesilo / Porkbun | Domain registration | WHOIS contact info (as required by ICANN) |
| Twilio, Inc. | SMS notifications, click-to-call, AI-assisted outreach (TCPA-consented only) | Phone number, message content, call recordings if applicable |
| SMTP email provider | Outbound transactional email | Recipient email, message content |
| Discord Inc. (internal) | Operational lead alerts | Business-level notifications only |
| Google LLC (PageSpeed Insights) | Site audit scoring (when you submit a URL via our audit tool) | Submitted URL only |
| Calendly, Inc. | Consultation booking (when you book a call) | Name, email, scheduling preferences, meeting details |
| Google LLC (Analytics 4 / Ads) | Aggregate funnel analytics + conversion tracking on marketing pages (when enabled) | Page views, anonymized client ID, conversion events — no PII |
| Meta Platforms, Inc. | Conversion tracking on marketing pages (when enabled) | Page views, conversion events — no PII |
We may also disclose information (a) to comply with law, a subpoena, or a lawful government request; (b) to enforce these Terms or protect rights, property, or safety; or (c) in connection with a merger, acquisition, or sale of assets — in which case we will notify you and honor the commitments in this Policy.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act. We do not engage in targeted advertising. California residents have rights listed in Section 9; we do not discriminate against you for exercising them.
We use a small number of essential cookies to keep you logged into the portal, carry a session, protect against CSRF, and remember basic preferences. Our marketing audit tool sets a 30-day nx_audit_arm cookie to keep you in the same A/B variant if you return — it is HTTP-only and not used for advertising. When marketing analytics or conversion pixels are enabled (currently disabled by default), we may also set Google Analytics / Google Ads / Meta cookies on the audit pages only — never inside the client portal. You can block cookies in your browser settings; some portal features may not work without them.
We retain account information for as long as your account is active. After cancellation, we retain your data for 30 days (absent a legal hold) so you can export it, then delete or anonymize it. Billing records are retained for 7 years as required by U.S. tax law. Backups are retained on a rolling 30-day window and overwritten automatically. Security logs (login attempts, access logs) are retained for up to 12 months for abuse investigation, then purged.
Marketing audit submissions (URL, scores, IP, user-agent) are retained for up to 24 months so we can analyze funnel performance, then deleted or anonymized. TCPA consent records are retained for 5 years, because the TCPA statute of limitations is 4 years — they are kept solely as your evidentiary record. Lead records from submissions that never converted are deleted on request via the DSAR process below.
Regardless of where you live, you may:
Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other U.S. states with comprehensive privacy laws have additional rights, including the right to opt out of sale/sharing (we do neither), the right to limit use of sensitive personal information, and the right to non-discrimination. Residents of the EEA, UK, and Switzerland have additional rights under GDPR, including the right to object, restrict processing, and data portability.
Send requests to [email protected] with the subject line "Privacy Request." We will verify identity (typically by sending a confirmation to your account email) and respond within 30 days (extendable by an additional 45 days where permitted by law, with notice). If you disagree with our decision, you may appeal by replying to our response; an appeal will be reviewed by a separate team member within 45 days. You may also lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, your state Attorney General in the U.S.).
You may designate an authorized agent to make a request on your behalf by providing signed written authorization; we will still verify your identity directly.
We protect your data using: TLS 1.2+ for all traffic, encrypted storage at rest, password hashing with bcrypt (cost ≥12), least-privilege access for staff, key-only SSH to our servers, rate limiting, account lockout, hardware-isolated secrets, and logging of administrative actions. No system is perfectly secure, but we work hard to keep yours safe.
Breach notification. If we become aware of a confirmed security breach involving your personal information, we will notify affected customers without undue delay and in any event within 72 hours of confirmation, along with the steps we're taking to contain the incident, where allowed by law enforcement. If you suspect unauthorized access to your account, contact [email protected] immediately.
NexSites is not directed to children under 13 (or under 16 in the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.
Our servers and primary vendors are located in the United States. If you access our Services from outside the U.S., your information will be transferred to, stored, and processed in the U.S. Where required (e.g., EEA/UK transfers), we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our sub-processors.
We do not engage in automated decision-making that produces legal or similarly significant effects on you (e.g., automated credit, insurance, or employment decisions). Our marketing audit tool runs Google PageSpeed Insights against the URL you submit and produces an automated score / recommendations report — this is informational only, never determines pricing or eligibility, and you can request a human review by replying to the email or text we send.
Do-Not-Track: our site does not respond to DNT signals because there is no uniform industry standard for interpreting them. However, we do not track you across third-party sites regardless of DNT setting.
We may update this Policy. Material changes will be communicated by email or portal notice at least 14 days before taking effect. The "Last updated" date at the top reflects the current version. Prior versions are available on request.
Questions about privacy, data requests, or this Policy: [email protected] (subject: "Privacy").