Legal

Privacy Policy

Last updated: March 2026

This Privacy Policy explains how NexoPad collects, uses, stores, and protects information when you use our website, dashboard, browser extension, and related services.

1. Data controller

The controller of personal data processing is NexoPad, a business activity operated by a natural person under the laws of the Republic of Colombia.

Contact email: support(at)nexopad.app
Country of operation: Colombia
Website: nexopad.app

2. Information we collect

We may collect different categories of information in order to operate and improve our services:

Account data: email address, user identifiers, core authentication data, and account preferences.
User content: notes, snippets, text fragments, links, captured CSS selectors, settings, and other content the user chooses to save or sync.
Usage data and statistics: number of text expansions, characters saved, links used, and other aggregated productivity metrics.
Payment data: processed exclusively by Lemon Squeezy. NexoPad does not store full credit card numbers or full banking details.
Support information: data that the user shares when contacting us for customer support.
Technical information: browser type, extension version, error logs, and service operation data.

Note about the Chrome extension: NexoPad does not monitor your browsing history, read your emails, or capture passwords. It only needs DOM access to insert your shortcuts into the active text field when you explicitly trigger them and to enable visual CSS selector capture.

3. How we obtain information

We may obtain information when you:

Create an account or sign in.
Save notes, snippets, links, or selectors inside the extension.
Sync content across devices.
Interact with our website or dashboard at dashboard.nexopad.app.
Make a payment or subscribe to a plan.
Contact us for support or inquiries.
Generate technical logs required to operate the service.

4. Use of NexoPad Desktop

NexoPad's desktop application may run in the background to provide global text expansion, system shortcuts, and screenshots.

It may detect operating-system-level keystrokes solely to identify shortcuts configured by the user.
It may temporarily access the clipboard to insert snippets and restore it locally after injection.
It may capture the screen only when the user explicitly activates the corresponding shortcut or command.
It may store captures, local history, settings, and diagnostics on the user's device.
It may query the active process name and window title locally for compatibility, app-specific rules, and security.
It does not transmit the full stream of keys typed by the user to our servers.
It does not capture screens or visual content unless the user explicitly requests it.

The user can control these functions from the app settings, including sync, startup behavior, per-app exclusions, local capture history, save folder, and sign-out.

5. Purposes of processing

We use information to:

Create and manage user accounts.

Store and sync user content.

Provide the cloud service and manage teams.

Process payments and manage subscriptions.

Maintain backup copies.

Prevent fraud, abuse, and breaches of the terms.

Improve stability, performance, and features.

Provide customer support.

Generate aggregated non-identifiable usage statistics.

Comply with applicable legal obligations.

6. Legal basis for processing

Personal data processing relies on the following legal bases, as applicable:

Colombia (Law 1581 of 2012): by registering or using NexoPad, you authorize the processing of your personal data for the purposes described in this policy.
European Union / GDPR (Regulation (EU) 2016/679): processing may rely on contractual necessity, consent, legitimate interest, and legal obligation, depending on the situation.

If we collect data subject to special rules, we will request any additional authorizations that may be required.

7. Analytics and cookies

The NexoPad website uses Vercel Analytics to collect aggregated and anonymous information about site performance and traffic. Vercel Analytics does not use tracking cookies and does not share information with third-party advertising platforms.

NexoPad does not use Google Analytics, Meta Pixel, or other advertising trackers. We do not display ads and we do not sell data to third parties.

We may use strictly necessary technical cookies for the operation of the service, such as session and authentication cookies. These cookies do not require additional consent because they are essential to provide the service.

8. Technology providers and subprocessors

To operate the service, NexoPad relies on the following technology providers, who may process user data as processors or subprocessors:

Supabase, Inc. (United States): database, authentication, and storage on Amazon Web Services (AWS) infrastructure.

Vercel, Inc. (United States): website hosting, admin dashboard hosting, and anonymous web analytics.

Lemon Squeezy (United States): payment processing, subscription management, and billing. NexoPad does not store payment card data; those details are handled directly by Lemon Squeezy.

These providers may process information only to the extent necessary to deliver their services to us and are subject to contractual obligations of confidentiality, security, and proper data handling. This list may be updated; the current version will always be available on this page.

9. International transfer and storage

NexoPad operates from Colombia, but the technological infrastructure is primarily located on servers in the United States through AWS via Supabase, Vercel, and Lemon Squeezy.

As a result, personal data and user content may be stored, transmitted, and processed outside Colombia. By using NexoPad, the user expressly authorizes the international transfer of data to the extent necessary to operate the service.

For users in the EU/EEA: transfers to the United States rely on European Commission Standard Contractual Clauses or other valid transfer mechanisms offered by our providers. If a transfer mechanism is invalidated, we will adopt reasonable supplementary measures or notify affected users.

10. User content

Users may voluntarily store content inside NexoPad, including notes, snippets, links, and captured CSS selectors. This content is processed and stored to enable syncing, cross-device access, team vault features, and management from the dashboard or extension.

Users are responsible for the content they choose to store and must not store unlawful, malicious, or unauthorized information.

11. Sensitive data and restricted content

NexoPad is not designed to store special categories of personal data, master passwords, full banking credentials, social security numbers, or classified third-party information without a sufficient legal basis.

If you choose to store that kind of information in NexoPad, you do so at your own risk. NexoPad does not assume additional custody duties or special regulatory compliance obligations such as HIPAA, PCI-DSS, or similar frameworks unless expressly agreed in writing.

12. Information security

We implement reasonable technical, administrative, and organizational safeguards to protect information against unauthorized access, loss, destruction, alteration, or improper disclosure, including:

HTTPS/TLS encrypted communications in transit.
Encryption at rest through infrastructure provided by AWS/Supabase.
Row Level Security policies in the database.
Authentication with JWT tokens and automatic refresh.
Optional local PIN or encryption in the browser extension.
Signature verification for payment webhooks.

However, no system is completely infallible, and we cannot guarantee absolute security. Users are responsible for keeping their access credentials secure.

13. Security breach notification

NexoPad undertakes to act with reasonable diligence in the event of any security incident involving personal data.

If a security breach affects users' personal data, NexoPad commits to:

Notify affected users by email within a reasonable period and, where applicable, within 72 hours after detecting the incident.
Notify the Colombian Superintendence of Industry and Commerce and any other competent authority when legally required.
Describe the nature of the incident, the categories of data affected, the measures adopted, and recommendations for users to protect their information.
Document the incident internally, including its effects and the corrective actions implemented.

14. Data retention

We retain personal data and user content according to the following criteria:

Active account: while the user keeps an active account and uses the service.
Account deletion: after an account deletion request, personal data and user content are removed within a maximum of 30 calendar days, unless a legal retention obligation applies.
Trash: notes moved to the trash are automatically deleted after 30 days.
Audit logs (TEAMS): retained for 12 months from creation for security and traceability purposes.
Backups: backup copies that may contain user data are deleted within 90 days after account deletion.
Billing data: retained for the period required under applicable tax law.

15. Data subject rights

Depending on your jurisdiction, you may exercise the following rights:

Colombia (Law 1581 of 2012)

Know, update, and correct your personal data.
Request proof of the authorization granted.
Be informed about how your data is used.
Request deletion of your data when appropriate.
Revoke authorization when legally possible.
File complaints with the Superintendence of Industry and Commerce (SIC).

European Union / EEA (GDPR)

Access: obtain confirmation and a copy of your processed personal data.
Rectification: correct inaccurate or incomplete data.
Erasure: request deletion of your data when it is no longer necessary.
Restriction: restrict processing in certain circumstances.
Portability: receive your data in a structured, commonly used, machine-readable format.
Objection: object to processing based on legitimate interest.
Withdraw consent: at any time, without affecting prior lawful processing.
Complaint: file a complaint with the data protection authority in your country.

16. Data portability and export

NexoPad supports the right to portability. Users can export their content at any time from their control panel at dashboard.nexopad.app in standard formats such as JSON or CSV.

If you need additional assistance exporting your data, you can contact us at support(at)nexopad.app and we will process your request within a reasonable timeframe.

17. Data Processing Agreement (DPA) for companies

If your company or organization requires a Data Processing Agreement (DPA) under Article 28 GDPR or another applicable data protection framework, you may request one by writing to support(at)nexopad.app.

The DPA sets out NexoPad's obligations and responsibilities as a processor when handling personal data on behalf of your organization, including security measures, breach notification, authorized subprocessors, audits, and data deletion at the end of the contract.

18. Procedure for requests and complaints

To exercise your rights, you may write to support(at)nexopad.app and include:

Name and identification of the data subject.
Email associated with the account, if applicable.
A clear description of the request or complaint.
Supporting documents, if any.

We will respond within a maximum of 15 business days under Colombian law. For users in the EU/EEA, the response period is 30 calendar days, extendable in justified cases of complexity.

19. Children

NexoPad is not intended for children under 16. We do not knowingly collect personal data from children under 16. By creating an account, the user represents and warrants that they are at least 16 years old.

If we discover that we collected personal data from a child under 16 without verifiable parental or guardian consent, we will delete that information as soon as possible. If you believe that a child has provided data to NexoPad without authorization, please contact us immediately at support(at)nexopad.app.

20. No sale of personal data

NexoPad does not sell, rent, or trade users' personal data to third parties for advertising, marketing, or any other unrelated purpose. User data is shared only with the technology providers identified in section 8 of this policy, exclusively to operate the service.

21. Changes to this policy

We may update this Privacy Policy at any time. We will publish the current version on this page and indicate the date of the latest update.

In the event of material changes, we will notify registered users by email at least 15 days in advance. Continued use of the services after that period constitutes acceptance of the updated version to the extent permitted by law.

22. International user rights (GDPR and CCPA)

If you live in the European Economic Area or in California, the law may grant you specific rights over your personal data:

Users in Europe (GDPR)

Access and portability: you may request an exportable copy of the data and notes we hold about you.
Rectification: you may update or correct inaccurate data from your control panel.
Erasure: you may request permanent deletion of your account, note vault, and associated data from our servers.
Objection: you may object to the processing of your data for analytics or marketing purposes.

Users in California, U.S. (CCPA)

Right to know and delete: you have the right to know what information we collect and to request its deletion.
No sale of information: NexoPad does not sell, rent, or trade your personal data or note content to third parties.
Non-discrimination: we will not deny service or change its quality because you exercise your privacy rights.

To exercise any of these rights, regardless of your country of residence, email us at support(at)nexopad.app from the email associated with your account. We will process your request free of charge within a maximum of 30 days.

23. Contact

If you have questions about this Privacy Policy or the processing of your personal data, you may contact us at:

NexoPad
Operated by a natural person under the laws of Colombia
Email: support(at)nexopad.app
Data panel: dashboard.nexopad.app
Country: Colombia

Documentation

Pros & Freelancers

Support & CX

Sales Teams

Talent & HR

Engineering & DevOps