Skip to main content
NNexvendo
Back home

Privacy Policy

Last updated 2026-06-03

This Privacy Policy explains how Nexvendo ApS (CVR pending; "Nexvendo," "we," "us") collects, uses, and protects personal data when you visit nexvendo.com or use the Nexvendo platform. We operate in the European Union and apply the General Data Protection Regulation (GDPR).

1. Roles

We act as a controller for personal data we collect directly from website visitors and signed-in users (e.g. contact details, login data, account metadata). When you use Nexvendo to manage customer information, build quotes, or import distributor pricefiles, we act as a processor on behalf of your organisation — the subject matter of that processing is governed by our Data Processing Addendum.

2. Personal data we collect

Account data. Name, work email address, role, organisation name, country, IP address at sign-up, last sign-in timestamp.

Communication data. Messages you send us by email or through support channels.

Usage data. Pages visited, features used, error logs, performance telemetry. Tied to your account where you are signed in.

Billing data. Subscription plan, invoice history. Card details are handled by Stripe; we never receive or store payment card numbers.

Cookies and similar technologies. Strictly necessary cookies for the session and a small set of preference cookies. We do not use third-party advertising or cross-site tracking cookies. See our Cookie Policy for details.

3. Why we process personal data and on what legal basis

To operate the Service (account creation, authentication, providing platform features). Legal basis: performance of a contract with you (Art. 6(1)(b) GDPR).

To send transactional emails (magic-link invitations, password resets, billing receipts, import notifications, weekly digests). Legal basis: performance of a contract (Art. 6(1)(b)).

To improve the Service (aggregated usage analysis, performance monitoring, bug investigation). Legal basis: legitimate interest in operating a reliable product (Art. 6(1)(f)). You can object at any time.

To respond to support requests. Legal basis: legitimate interest (Art. 6(1)(f)) or contract performance (Art. 6(1)(b)).

To comply with legal obligations (tax, accounting, anti-money-laundering, lawful requests from authorities). Legal basis: legal obligation (Art. 6(1)(c)).

4. Data residency and storage

Personal data is stored in the European Union (Frankfurt, Germany) on infrastructure provided by Supabase (Postgres database, file storage) and Vercel (application hosting). Transactional emails are sent via Resend with delivery infrastructure in the EU. We do not transfer personal data outside the European Economic Area (EEA) for routine operations.

5. Sub-processors

We rely on a short list of vetted sub-processors to operate the Service:

  • SupabasePostgres database, file storage, authentication (Frankfurt, Germany (eu-central-1))
  • VercelApplication hosting, serverless functions, cron jobs (EU regions)
  • ResendTransactional email delivery and inbound email webhook (EU regions)
  • StripePayment processing and subscription billing (EU regions (Ireland for EU customers))
  • NordicwayDNS hosting and domain registration (Denmark)

Sub-processor changes are notified to all customers at least 30 days in advance under GDPR Art. 28(2). You can object to any change by replying to the notification or contacting info@nexvendo.com before the effective date.

Each sub-processor processes personal data under a Data Processing Agreement and applies appropriate technical and organisational measures.

6. Retention

We retain account data for as long as your subscription is active and for up to 30 days after termination to support reactivation. Backups containing personal data are retained for up to 35 days. Billing records and accounting data are retained for the period required by Danish bookkeeping law (currently 5 years). Communication data is retained for as long as needed to handle your request, up to 2 years.

7. Your rights under the GDPR

You have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data; to withdraw consent where processing is based on consent; and to lodge a complaint with a supervisory authority (in Denmark: Datatilsynet).

Signed-in users can exercise the right to data portability (Art. 20) and the right to erasure (Art. 17) directly from /portal/privacy. Other rights (rectification, restriction, objection) and requests from users without an account are handled by emailing info@nexvendo.com. We will respond within 30 days as required by Art. 12(3).

8. Security

We apply industry-standard security controls: encrypted transport (TLS 1.2+), encryption of distributor credentials at rest (AES-256-GCM), tenant data isolation enforced by Postgres Row-Level Security, restricted internal access, and audited deployment infrastructure. No method of transmission or storage is fully secure; we cannot guarantee absolute security.

9. Children

Nexvendo is a B2B platform and not directed at children. We do not knowingly collect personal data from anyone under 18. If you become aware that a child has provided us with personal data, please contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to active users at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

11. Contact

Data protection enquiries: info@nexvendo.com.


This policy is a starting point. Before relying on it in production, have it reviewed by qualified privacy counsel — particularly if you handle special categories of personal data, operate in regulated sectors, or onboard public-sector customers requiring additional documentation.