Privacy Policy
Last updated: July 3, 2026
NEXTOSA (“NEXTOSA,” “we,” “us,” or “our”) provides an AI-powered CRM and WhatsApp automation platform (the “Service”) to businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website (https://nextosa.com), our web application, and any related services, including our integration with the WhatsApp Business Platform operated by Meta Platforms, Inc. (“Meta”).
1. Introduction
We are committed to protecting the privacy and security of personal data belonging to our business customers (“Customers,” “you”) and the end clients that Customers communicate with through NEXTOSA (“End Users”). This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), and describes the categories of data we process, the purposes and legal bases for processing, and the rights available to data subjects.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use the Service.
2. Data Controller
For the purposes of GDPR, NEXTOSA acts as the data controller for account and platform data, and as a data processor on behalf of our business Customers for the client and message data they manage through the Service.
- Business name: NEXTOSA
- Owner/Operator: Harsh Soni
- Contact email: nextosa7@gmail.com
For any privacy-related requests or questions, contact us using the details above or in Section 19 (Contact Us).
3. Information We Collect
We collect the following categories of information:
a) Account & Business Information
- Name, email address, and phone number
- Business name, industry, and business address
- Login credentials (passwords are stored using industry-standard hashing and are never stored in plain text)
- Billing and subscription information
b) WhatsApp & Communication Data
- WhatsApp Business phone numbers connected to your account
- Message content, timestamps, delivery status, and media (images, documents, audio) exchanged between you and your End Users via the WhatsApp Business Platform
- End User phone numbers, names, and profile information made available through WhatsApp
- Message templates you create for sending on WhatsApp
c) Client & CRM Data
- Client records, notes, tags, and interaction history you create or import into NEXTOSA
- Documents you upload (contracts, invoices, price lists, FAQs, knowledge-base files) for storage or for training the AI Q&A assistant
d) Technical & Usage Data
- IP address, browser type, device identifiers, and operating system
- Log data such as pages visited, features used, and timestamps of activity
- Cookies and similar tracking technologies (Section 14)
e) Payment Information
Payments are processed by third-party payment providers. NEXTOSA does not store full credit card or bank account numbers on its own servers.
4. WhatsApp Business API & Meta Data
NEXTOSA integrates with the WhatsApp Business Platform (WhatsApp Business API) provided by Meta to enable messaging automation. When you connect a WhatsApp Business number to NEXTOSA, the following applies:
- Messages, media, and contact information you send or receive through WhatsApp are transmitted through Meta's infrastructure and are subject to Meta's own Privacy Policy and WhatsApp Business Messaging Policy, in addition to this Policy.
- NEXTOSA accesses WhatsApp data (messages, phone numbers, templates, delivery/read receipts) solely to provide the Service you have requested — including AI-generated responses, reminders, template delivery, client organization, and Away Mode automation.
- We do not use data obtained through the WhatsApp Business Platform for advertising purposes, and we do not sell WhatsApp data to third parties, in accordance with Meta's Platform Terms and WhatsApp Business Data Processing Terms.
- We retain WhatsApp conversation data only for as long as necessary to provide the Service, comply with legal obligations, or as configured by the business Customer (Section 10).
- Businesses using NEXTOSA are responsible for ensuring they have appropriate consent or opt-in from End Users before messaging them via WhatsApp, in line with WhatsApp's Business Messaging Policy and applicable law.
For more information on how Meta handles data on the WhatsApp Business Platform, please refer to Meta's Privacy Policy and WhatsApp's own Privacy Policy directly.
5. Legal Basis for Processing
Where GDPR applies, we rely on the following legal bases to process personal data:
- Performance of a contract — to provide the Service you signed up for, including CRM features, WhatsApp automation, and AI Q&A.
- Legitimate interests — to improve, secure, and support the Service, prevent fraud, and communicate with Customers about their accounts.
- Consent — where required, such as for optional marketing communications or specific End User opt-ins for WhatsApp messaging.
- Legal obligation — to comply with applicable laws, regulations, or lawful requests from authorities.
6. How We Use Your Information
- Provide, operate, and maintain the NEXTOSA platform
- Enable WhatsApp messaging automation, reminders, templates, and Away Mode
- Power the AI Q&A assistant and AI customer support features using your uploaded documents and business data
- Process transactions and manage subscriptions
- Provide customer support and respond to inquiries
- Monitor, detect, and prevent fraud, abuse, or security incidents
- Send service-related notifications and, with consent, product updates or marketing communications
- Comply with legal obligations and enforce our Terms
7. AI & Automated Processing
NEXTOSA uses artificial intelligence and machine learning models to power features such as AI Q&A, AI customer support, and automated WhatsApp replies. This involves processing message content and uploaded documents to generate relevant, automated responses.
- Some AI processing may be performed by trusted third-party AI service providers under contractual data protection terms; these providers do not use your data to train their general-purpose models except where explicitly disclosed.
- NEXTOSA's automated responses assist with customer communication and do not make decisions that produce legal effects or similarly significant effects on End Users within the meaning of GDPR Article 22.
- Business Customers can review, edit, or disable AI-generated automation at any time from their dashboard.
8. Data Sharing & Third Parties
We do not sell your personal data. We may share information with the following categories of recipients, solely as necessary to provide the Service:
- Meta / WhatsApp Business Platform — to send and receive WhatsApp messages on your behalf.
- Cloud hosting & infrastructure providers — to store and process data securely.
- AI service providers — to generate AI-powered responses and Q&A functionality.
- Payment processors — to process subscription payments securely.
- Analytics providers — to help us understand usage and improve the Service.
- Legal & regulatory authorities — when required by law, court order, or to protect our rights, users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to continued protection of your data under this Policy.
9. International Data Transfers
Your data may be processed and stored on servers located outside your country of residence, including in countries that may not have data protection laws equivalent to those in your jurisdiction. Where we transfer personal data outside the European Economic Area (EEA), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms, to ensure your data remains protected.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, including:
- For as long as your account remains active, plus a reasonable period afterward to comply with legal, tax, or accounting obligations
- WhatsApp conversation data is retained according to your account settings or until you request deletion, whichever is earlier
- Uploaded documents remain stored until you delete them or close your account
Upon account closure or a valid deletion request, we will delete or anonymize your personal data within a commercially reasonable timeframe, unless retention is required by law.
11. Data Security
We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and role-based permissions
- Regular security reviews and monitoring
- Secure cloud infrastructure with reputable hosting providers
While we take data security seriously, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Your Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), UK, or other jurisdictions with similar protections, you have the following rights regarding your personal data:
- Right to access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data, subject to legal exceptions
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — where processing is based on consent, at any time
- Right to lodge a complaint — with your local data protection supervisory authority
To exercise any of these rights, contact us at nextosa7@gmail.com. We will respond within the timeframe required by applicable law.
13. Other Regional Rights
Depending on your location, you may have additional rights under local law (for example, the California Consumer Privacy Act (CCPA) or similar state privacy laws in the United States), including the right to know what personal information is collected, the right to request deletion, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information as defined under CCPA. Contact us to exercise any applicable regional rights.
15. Children's Privacy
The Service is intended for use by businesses and individuals who are at least 18 years old. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
16. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected Customers and relevant supervisory authorities without undue delay, in accordance with GDPR and other applicable data breach notification laws.
17. Third-Party Links
Our website may contain links to third-party websites or services, including Meta/WhatsApp. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy policies separately.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Policy on this page with a revised “Last updated” date. Material changes will be communicated via email or a notice within the Service.
19. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
- Email: nextosa7@gmail.com
- Attn: Harsh Soni, NEXTOSA