Overview
Neximark ("we," "us," or "our") operates an AI-powered marketing platform at neximark.polsia.app. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and your rights regarding it.
By using Neximark — including through our Shopify App — you agree to the practices described here. If you disagree, please discontinue use and contact us for data deletion.
Shopify App Store users: This policy covers all data accessed through our Shopify integration, including store products, orders, and customer information. We access only what is necessary to provide the marketing features you enable, and we never sell this data.
Data We Collect
Account & Profile Data
When you create a Neximark account:
- Name and email address
- Password (hashed using scrypt — we never store plain-text passwords)
- Plan tier and subscription status
- Onboarding preferences and settings
Content You Create
Data generated through normal product use:
- Email campaigns, subject lines, and AI-generated copy
- Social posts and scheduling queues
- Landing pages, website pages, and site themes
- CRM contacts, lists, and engagement scores
- SEO audit results and keyword data
- Automation workflows and trigger rules
- Templates you create or purchase
Usage & Analytics Data
- Pages visited and features used within the app
- AI feature usage counts (tracked per billing period)
- Campaign performance data (opens, clicks, conversions)
- Landing page views and lead form submissions
- UTM parameters from inbound traffic
- Session identifiers and approximate location (country-level)
Communication Data
- Support inquiries and responses
- Feedback submissions
- Email notifications you choose to receive
Shopify Store Data
When you install the Neximark Shopify App, we request access to your store to power marketing features. We access only the scopes you authorize during installation.
What We Access
| Data Type | Shopify Scope | How We Use It |
|---|---|---|
| Products & catalog | read_products | Populate store analytics dashboard; generate product-focused ad copy and social posts |
| Orders | read_orders | Calculate revenue metrics; identify abandoned carts for recovery automation |
| Customers | read_customers | Sync to CRM for segmentation and email campaigns (with your explicit configuration) |
| Marketing events | write_marketing_events | Record campaign send and conversion events back to Shopify for unified attribution |
How We Store Shopify Data
- OAuth tokens — Your Shopify access tokens are encrypted at rest using AES-256-GCM before being written to our database. Encryption keys are stored separately from the database.
- Product catalog — We cache product data locally to avoid repeated API calls. This cache is refreshed on demand and when Shopify sends product update webhooks.
- Order & customer data — Accessed via the Shopify GraphQL Admin API and used only to compute metrics shown in your dashboard. Raw order records are not permanently stored.
GDPR Compliance for Shopify
We implement all three mandatory Shopify GDPR webhooks:
- customers/data_request — We compile and can provide any customer data we hold on behalf of your store within 30 days.
- customers/redact — On receiving this webhook, we delete all customer-identifying data associated with the specified customer.
- shop/redact — When you uninstall the app, all data associated with your shop is scheduled for deletion within 30 days.
All GDPR webhook requests are logged for audit purposes in our shopify_gdpr_requests table.
How We Use Your Data
- Provide the service — Generate AI content, run automations, display analytics, and operate all platform features
- Improve AI quality — Aggregate usage patterns (never individual content) to improve prompt engineering and model selection
- Billing & account management — Track plan limits, process payments, send receipts
- Security — Detect fraud, abuse, and unauthorized access attempts
- Communications — Send transactional emails (password resets, usage alerts) and, where you opt in, product updates
- Legal compliance — Respond to lawful requests and enforce our Terms of Service
We do not use your data to train AI models for third parties. We do not sell your data to advertisers.
Data Sharing
We share data only as necessary to operate the platform:
| Recipient | What & Why |
|---|---|
| OpenAI | Content you submit for AI generation (campaigns, social posts, SEO copy). OpenAI processes this under their data processing agreement. We do not send personally identifiable customer data to OpenAI. |
| Stripe | Payment method and billing information for subscription processing. We store only a plan identifier — full card data goes directly to Stripe. |
| Twilio | Phone numbers and SMS/WhatsApp message content when you use the messaging features. You supply your own Twilio credentials — your data goes directly to Twilio under your account. |
| Neon (PostgreSQL) | Our database provider. All data at rest is stored in Neon's managed PostgreSQL with encryption. |
| Render | Our hosting provider. Application servers run on Render's infrastructure. |
| Law enforcement | If required by law, court order, or to prevent harm. We will notify you when legally permitted to do so. |
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
Storage & Security
- Encryption in transit — All connections to neximark.polsia.app use TLS 1.2 or higher (enforced via HSTS).
- Encryption at rest — Database is hosted on Neon PostgreSQL with AES-256 encryption at rest. Shopify OAuth tokens and sensitive credentials are additionally encrypted at the application layer using AES-256-GCM.
- Password hashing — Passwords are hashed using scrypt with per-user salts. We cannot recover your password.
- Access controls — Production database access is restricted to application servers. No human has standing access to production data without audit-logged approval.
- Sandbox isolation — AI-processing environments cannot access your production credentials or database.
No security system is perfect. If you discover a security vulnerability, contact us at security@neximark.polsia.app.
Data Retention & Deletion
Active Accounts
We retain your data for as long as your account is active. Usage data and content you create are retained to provide continuity of service.
After Account Deletion
When you delete your account:
- Account data, campaigns, contacts, and content are deleted within 30 days
- Anonymized aggregate analytics may be retained indefinitely (no personal identifiers)
- Billing records may be retained for up to 7 years for tax and legal compliance
Shopify App Uninstall
When you uninstall the Neximark Shopify App, your store data is deleted within 30 days in response to Shopify's shop/redact webhook. You can also request immediate deletion via email.
Requesting Deletion
To request deletion of your data before account closure, email privacy@neximark.polsia.app with your account email and "Data Deletion Request" in the subject. We will process your request within 30 days.
GDPR & Data Subject Rights
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:
- Access — Request a copy of the personal data we hold about you
- Rectification — Correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — Request deletion of your personal data
- Restriction — Ask us to limit how we process your data
- Portability — Receive your data in a machine-readable format
- Objection — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email privacy@neximark.polsia.app. We will respond within 30 days. You may also lodge a complaint with your local supervisory authority.
Legal basis for processing: We process your data based on (a) contract performance — to provide the service you signed up for; (b) legitimate interests — platform security, fraud prevention, and product improvement; and (c) consent — for optional communications and analytics features.
Cookies & Tracking
Cookies We Use
| Cookie / Storage Key | Purpose | Duration |
|---|---|---|
| Session cookie (auth) | Keeps you logged in | Session / 30 days |
| polsia_vid (localStorage) | Anonymous visitor analytics (no personal data) | Persistent |
| UTM params (sessionStorage) | Attribution — remember how you found us | Session |
| _fbp (Meta Pixel) | Ad conversion tracking on public pages (not inside the app) | 90 days |
We use Google Analytics 4 on public marketing pages to understand traffic patterns. GA4 data is anonymized and not linked to your Neximark account. You can opt out via the Google Analytics Opt-out Browser Add-on.
We do not use tracking cookies inside the authenticated application.
Third-Party Services
- OpenAI — AI content generation.
- Stripe — Payment processing.
- Twilio — SMS and WhatsApp messaging.
- Google Analytics 4 — Website analytics.
- Meta Pixel — Ad conversion tracking (public pages only).
- Shopify — When using our Shopify App, Shopify's own privacy policy applies to data processed within their platform.
- Neon — Database hosting. SOC 2 Type II certified.
- Render — Application hosting. SOC 2 Type II certified.
Children's Privacy
Neximark is a business tool. We do not knowingly collect data from anyone under the age of 16. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@neximark.polsia.app and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy as our practices evolve or legal requirements change. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all active account holders
- Display an in-app notice for 30 days after the change
Continued use of Neximark after a policy update constitutes acceptance of the revised terms.