Privacy Policy

Last updated: April 27, 2026

What we collect

We collect the minimum data needed to run the product.

  • Account info: your email address and password (hashed) when you sign up
  • Outreach data: company names, job titles, and email addresses you use in campaigns
  • Business signals: funding news, hiring data, and other signals you provide or import
  • Usage data: which features you use and how often, to improve the product
  • Payment info: handled entirely by Stripe - we never see or store your card number
  • Gmail tokens: OAuth tokens used to send emails on your behalf, stored encrypted

How we use it

  • To generate AI-powered outreach campaigns from your prompts
  • To send emails and follow-ups through your connected Gmail account
  • To show you analytics on opens, clicks, and replies
  • To improve Nexora's AI models (using anonymized, aggregated data only)

We never sell your data to third parties. We never use your campaign content or lead data to train AI models without your consent.

Storage

Your data is stored on Supabase (PostgreSQL), with servers in the US and EU. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Gmail OAuth tokens are stored server-side and never exposed to the browser or included in API responses.

We retain your data for as long as your account is active. When you delete your account, your data is permanently removed within 30 days.

Your rights (GDPR)

If you are in the EU or UK, you have the following rights under GDPR:

  • Access: request a copy of all data we hold about you
  • Deletion: delete your account and all associated data at any time from Settings
  • Export: download your leads and campaigns as CSV from the dashboard
  • Correction: update your account information at any time
  • Portability: receive your data in a machine-readable format
  • Object: opt out of data processing for AI model improvement

To exercise any of these rights, email us at privacy@nexoraoutreach.com. We respond within 30 days.

CAN-SPAM compliance

Every email sent through Nexora includes your company name, a physical mailing address, and a working unsubscribe link. Unsubscribe requests are processed immediately. The sender is identified in every message.

As the account holder you are responsible for ensuring your physical mailing address is kept up to date in Settings > Compliance. Sending is blocked if no address is on file.

CASL compliance

If you send emails to recipients in Canada, you are responsible for obtaining express or implied consent as required by the Canadian Anti-Spam Legislation (CASL) before sending.

Nexora provides the unsubscribe mechanism required by section 11 of CASL. Unsubscribe requests are honoured within 10 business days.

Third-party services

  • Supabase - database and authentication (supabase.com/privacy)
  • Stripe - payment processing (stripe.com/privacy)
  • Anthropic / OpenAI - AI model providers (data is not used to train their models per our agreements)
  • Google OAuth - Gmail integration (subject to Google's privacy policy)

Contact

For privacy requests or questions, email privacy@nexoraoutreach.com. We aim to respond within 30 days.