Privacy Policy
Last updated: June 2026
This Privacy Policy explains how Nexora Technologies ("Nexora", "we", "us") collects, uses, shares, and protects personal data when you use Super CRM (the "Service") at supercrm.nexoratechnologies.cloud. It applies to customers and visitors in India, the United Kingdom, the European Economic Area, the United States, and elsewhere. If you connect the optional Facebook/Instagram advertising features (built on Meta's Marketing API), those are additionally covered by our Ads & Marketing Privacy Policy, which runs on a separate Meta app and does not affect the WhatsApp messaging features.
1. Our role — controller vs. processor
- We are the "controller" of the account data of the businesses and individuals who sign up for and administer Super CRM (e.g. your login, billing, and usage data).
- We are a "processor" / "service provider" for the end-customer data you load into or generate through the Service — your contact lists and the WhatsApp messages sent and received through your connected number. For that data you are the controller and you decide how it is used; we process it only on your documented instructions to provide the Service. A Data Processing Agreement (DPA) governs this relationship and is available on request.
2. Information we collect
- Account information: your name, email address, and authentication details (via Google or email/password).
- WhatsApp Business credentials: the access token, WhatsApp Business Account ID, and phone number ID you connect — stored encrypted at rest and used only to operate the Service for you.
- Contacts & messages: the contact lists you import and the WhatsApp messages sent and received through your connected number, processed to provide campaign, inbox, and (if enabled) AI-reply features. You are the controller of this data.
- Payment information: processed by our payment provider (Razorpay). We receive transaction status and limited billing details; we do not store full card numbers.
- Usage & technical data: logs, device/browser information, and security events needed to operate, secure, and debug the Service.
3. How we use information & our legal bases
We use personal data to provide and improve the Service — to send campaigns, display your inbox, manage templates, run optional AI replies, process payments, secure the platform, and support your account. Where UK/EU law applies, our lawful bases are:
- Performance of a contract — to deliver the Service you sign up for.
- Consent — where you provide it (e.g. optional features); you may withdraw it anytime.
- Legitimate interests — to secure, debug, and improve the Service, and prevent abuse, balanced against your rights (including "recognised legitimate interests" under the UK Data (Use and Access) Act 2025 where applicable).
- Legal obligation — to meet accounting, tax, and regulatory duties.
4. We do not sell or share your personal information
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under the CCPA/CPRA). We have not done so in the preceding 12 months. We do not use third-party advertising cookies or trackers. We ourselves do not use your data to train our own AI models — see Section 5 for how the optional AI assistant and Google Gemini process your messages.
5. Sharing & sub-processors; international transfers
We share data only with vetted providers who process it under contract on our behalf, and where required by law. Our key sub-processors are:
- Meta Platforms (WhatsApp Business Platform) — to deliver and receive WhatsApp messages.
- Supabase — database, authentication, and storage, with row-level security so each customer can access only their own data.
- Razorpay — payment processing.
- Google (Google Sheets & Google Gemini AI) — only for customers who enable the optional AI assistant. To generate and frame replies, the AI necessarily reads the incoming customer message (and relevant Google Sheet content). That content is processed by Google. Because we use Google's paid Gemini API tier, under Google's API terms this content is not used by Google to train or improve its models. We do not control Google's terms, which Google may change.
- Self-hosted automation (n8n) — runs on infrastructure we control to power campaigns and AI replies.
Your core account, contact, and message data is stored in our primary database region —Supabase, Singapore. Data may also be processed in other countries (including the United States, the EEA, and India) by the sub-processors above. Where data is transferred internationally, we rely on appropriate safeguards — such as Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, the EU-US and UK-US Data Privacy Framework, or an adequacy decision — under the applicable "data protection test".
6. Data retention
We retain account data while your account is active and as required for legal, tax, and security purposes. WhatsApp access tokens are retained (encrypted) until you disconnect or delete them. Message history is retained subject to your plan's storage tier and may be automatically purged after a defined period (e.g. inactive chats on entry-level plans). When you close your account, we delete or anonymize personal data within a reasonable period, except where retention is legally required.
7. Security
Data is stored on managed cloud infrastructure with row-level security so each customer can access only their own data. WhatsApp access tokens are encrypted at rest, access is restricted on a need-to-know basis, and all traffic is transmitted over HTTPS. No method of transmission or storage is perfectly secure, but we maintain safeguards appropriate to the risk.
8. Your privacy rights
United Kingdom & European Economic Area
Under the UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and the EU GDPR, you have the right to: access; rectification; erasure; restriction; data portability; object to processing; rights in relation to automated decision-making(including to contest a significant automated decision and obtain human review); and to withdraw consent at any time. You also have a right to complain directly to us, and to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.
United States (California & other states)
Depending on your state of residence (e.g. California, Virginia, Colorado, Connecticut, Texas, Oregon, and other states with comprehensive privacy laws), you may have the right to: know/accessthe personal information we hold; correct it; delete it; data portability; opt out of the sale or sharing of personal information and of targeted advertising and certain profiling; limit the use of sensitive personal information; and to not be discriminated against for exercising these rights. We do not sell or share personal information, so there is nothing to opt out of — but you may still exercise the rights above. We honor browser-based opt-out signals such as Global Privacy Control (GPC). You may use an authorized agent, and you may appeal a decision by replying to our response. We aim to respond within 45 days (extendable as permitted by law). California residents may also contact the California Privacy Protection Agency or Attorney General.
India
Under the Digital Personal Data Protection Act, 2023, you have the right to access, correct, update, and erase your personal data, to grievance redressal, and to nominate another person to exercise your rights.
How to exercise your rights
Email info@nexoratechnologies.cloud. We may need to verify your identity. If the data relates to messages/contacts you loaded as a Super CRM customer (where we act as processor), we will refer the request to the relevant customer (controller) or assist them in responding.
9. Cookies & local storage
We use essential cookies and local storage only — to keep you signed in and operate the Service. We do not use third-party advertising cookies. Any limited security or analytics storage is used in line with the exemptions and opt-out requirements under PECR and the Data (Use and Access) Act 2025.
10. Children
Super CRM is a business tool not directed to children. We do not knowingly collect personal data from children under 16 (or the minimum age in your jurisdiction). If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be posted here with a new "Last updated" date; significant changes affecting your rights will be notified where required by law.
12. Contact, Grievance Officer & representatives
- Controller: Nexora Technologies, West Bengal, India.
- General & privacy contact / Grievance Officer (India, per the IT Act 2000, the Consumer Protection (E-Commerce) Rules 2020, and the DPDP Act 2023):info@nexoratechnologies.cloud. We acknowledge complaints within 48 hours and aim to resolve them within 30 days.
- UK/EU representative (Art. 27 UK/EU GDPR): for individuals in the UK/EEA, our appointed representative can be reached at the contact email above (representative details available on request).
13. Acceptance, data integrity & use at your own risk
By purchasing, accessing, or using Super CRM, you confirm that you have read and accept this Privacy Policy and our Terms & Conditions in full. We confirm that the information described here about how data is handled is true and that your data is held securely on the infrastructure of our world-class provider, Supabase. We do not, and will not, sell your data.Please note that our optional AI assistant — and the app itself — necessarily read your incoming messages in order to frame and send accurate replies. You acknowledge that you buy and use the Service at your own risk, and that, to the maximum extent permitted by applicable law, Nexora Technologies shall not be liable for any discrepancy, loss, or claim arising from your purchase or use of the Service. Any and all disputes, settlements, or proceedings shall be brought only before the competent courts at Kolkata, West Bengal, India (including the Hon'ble High Court of Calcutta) and in no other court or forum anywhere (an exclusive-jurisdiction clause of the kind upheld in Swastik Gases Pvt. Ltd. v. Indian Oil Corporation Ltd., (2013) 9 SCC 32). (Nothing in this paragraph removes a right that cannot be waived under the mandatory law of your country.)
14. Primary market & international use
Nexora Technologies is established in West Bengal, India, and primarily offers the Service to customers in India. Where you access, purchase, or use the Service from outside India, you do so on your own initiative and at your own risk: Nexora does not actively solicit or target any particular foreign jurisdiction, and you are responsible for ensuring that your use of the Service — and your processing of your own customers' data through it — is lawful where you operate. For the data you load or generate (your contacts, your WhatsApp conversations, and the people who message you via Click-to-WhatsApp ads), you remain the controller and bear primary responsibility for the lawful basis, notices, and consents required in each recipient's jurisdiction. The optional Meta Ads features are used at your own risk and entirely on your own ad account; Nexora is not responsible for advertising results, ad spend, or any ad-account action Meta takes. To the maximum extent permitted by applicable law, you agree that disputes are governed by Indian law and shall be brought only before the competent courts at Kolkata, West Bengal, India and in no other court or forum anywhere, and that you will not require Nexora to defend or litigate in a foreign forum. Nothing here removes rights or remedies that cannot be waived under the mandatory law of your country, including your right to complain to your local data-protection authority.
