Privacy Policy
Last Updated: March 22, 2025
1. Introduction
NexLink, Inc. ("NexLink US", "we", "our", or "us"), a corporation incorporated under the laws of Delaware, USA, and its affiliated entity NexLink Tecnologia Ltda. ("NexLink BR"), a company incorporated under Brazilian law (together referred to as "NexLink", "we", "our", or "us"), operate the websites nexlink.ai and nexlink.com.br, as well as any associated platforms, applications, portals, and services made available thereunder (collectively, the "Services").
This Privacy Policy explains how NexLink collects, uses, stores, shares, and protects personal information and data obtained from individuals who access or use the Services, including clients, end users, business partners, and visitors (collectively, "you" or "Users").
By accessing or using the Services in any capacity, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must discontinue use of the Services.
This Policy is intended to satisfy the requirements of applicable privacy laws, including but not limited to: the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); the General Data Protection Regulation (GDPR) as applicable to international users; the Brazilian Lei Geral de Proteção de Dados (LGPD — Federal Law No. 13.709/2018); and any other applicable federal, state, or local privacy regulations.
2. Data Controllers and Legal Entities
Depending on where you are located and which Services you access, your personal data may be processed by one or both of the following entities:
Entity: NexLink, Inc.
- Jurisdiction: United States (Delaware)
- Role: Data Controller for users accessing Services from the United States and internationally
- Contact: legal@nexlink.ai
Entity: NexLink Tecnologia Ltda.
- Jurisdiction: Brazil
- Role: Data Controller for users accessing Services from Brazil and Latin America
- Contact: legal@nexlink.ai
Both entities operate under a unified privacy governance framework and are committed to upholding equivalent standards of data protection regardless of user location. References to "NexLink" throughout this Policy refer to whichever entity or entities serve as controller for the applicable processing activity.
3. Information We Collect
We collect information in several ways: directly from you, automatically through your use of the Services, and from third parties with whom we have authorized relationships.
3.1 Information You Provide Directly
- Identity and contact data: name, email address, phone number, company name, job title, and mailing address.
- Account credentials: username, password (stored in hashed form), and authentication tokens.
- Billing and payment information: credit or debit card details, billing address, and transaction identifiers. Full payment card data is processed by third-party payment processors and is not stored by NexLink.
- Communications: messages, support requests, feedback, and any other content you submit when contacting us or using our platforms.
- Business information: information about your organization, services, or operations provided in the context of using our business-facing tools and platforms.
- User-generated content: any text, images, documents, configurations, or data that you upload or create through the Services.
3.2 Information Collected Automatically
- Device and technical data: IP address, device type, operating system, browser type and version, screen resolution, and device identifiers.
- Usage data: pages and features accessed, time and duration of visits, links clicked, search queries, and interaction logs.
- Log data: server logs, error reports, performance data, and access timestamps.
- Location data: approximate geographic location derived from your IP address or, where you have granted permission, precise location from your device.
- Cookies and tracking technologies: identifiers and preferences stored via cookies, web beacons, pixels, local storage, and similar technologies. See Section 10 (Cookie Policy) for more detail.
3.3 Information from Third Parties
- Authentication providers: if you log in using a third-party account (such as Google OAuth or similar), we receive basic profile information from that provider in accordance with your authorization.
- Business partners and integrations: data shared via platform integrations you authorize, such as communication tools, CRM systems, or marketing platforms.
- Publicly available sources: professional profiles and business contact information from public directories, where relevant to providing our B2B services.
- Analytics providers: aggregated behavioral data from third-party analytics services, used solely for product improvement.
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 To Provide and Operate the Services
- Creating and managing your account.
- Delivering the features, tools, and functionalities of the Services.
- Processing transactions and sending related communications such as confirmations and invoices.
- Enabling authentication and access control, including via OAuth and similar mechanisms.
- Maintaining the technical infrastructure required to run the Services.
4.2 To Communicate With You
- Responding to inquiries, support tickets, and feedback.
- Sending transactional communications (e.g., password resets, account notifications).
- Sending service updates, security alerts, and policy change notices.
- With your consent, sending marketing or promotional communications. You may opt out at any time.
4.3 To Improve and Develop the Services
- Analyzing usage patterns and performance metrics to enhance functionality.
- Conducting research and testing to develop new features.
- Monitoring and improving platform reliability and security.
4.4 For Legal and Compliance Purposes
- Complying with applicable laws, regulations, and governmental requests.
- Enforcing our Terms of Service and other agreements.
- Preventing, detecting, and responding to fraud, abuse, and security incidents.
- Establishing, exercising, or defending legal claims.
4.5 Legal Bases for Processing (GDPR and LGPD)
Where applicable under GDPR or LGPD, we process personal data on the following legal bases:
- Performance of a contract: processing necessary to provide the Services you have requested.
- Legitimate interests: processing for our legitimate business purposes, such as fraud prevention, security, and product improvement, where not overridden by your interests or rights.
- Legal obligation: processing required to comply with applicable laws.
- Consent: processing based on your explicit consent, which you may withdraw at any time without affecting the lawfulness of prior processing.
5. Sharing and Disclosure of Information
NexLink does not sell, rent, or trade your personal data to third parties for their own marketing purposes. We may share your information only in the following circumstances:
5.1 Service Providers and Subprocessors
We engage trusted third-party vendors and service providers who process personal data on our behalf, subject to contractual data protection obligations. These include providers of cloud hosting, payment processing, email delivery, customer support tooling, analytics, security monitoring, and communication infrastructure. All such providers are required to maintain confidentiality and process data only as instructed by NexLink.
5.2 Business Clients
If you access the Services through a NexLink business client (e.g., as an end user of a platform we have built or operate for that client), we may share data with that client to the extent necessary to provide the contracted service, and as directed by the client in their capacity as a data controller.
5.3 Legal Requirements and Protection of Rights
We may disclose your information if we believe in good faith that such disclosure is necessary to: comply with a legal obligation or valid legal process; protect the rights, property, or safety of NexLink, our users, or the public; detect, prevent, or address fraud or security issues; or respond to emergencies.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the successor entity. We will notify you of any such transfer that results in material changes to the handling of your personal data.
5.5 With Your Consent
We may share your information for any other purpose with your explicit prior consent.
5.6 Aggregated or De-identified Data
We may share aggregated or de-identified data that cannot reasonably identify you for analytics, research, reporting, or business development purposes.
6. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.
- Account data is retained for the duration of your active account, plus a reasonable period thereafter to allow for account reactivation or dispute resolution.
- Transaction and billing records are retained as required by applicable tax and accounting regulations (typically five to ten years depending on jurisdiction).
- Support and communication records are retained for the period necessary to resolve your inquiry and for a reasonable time thereafter.
- Analytics and log data may be retained in aggregated or anonymized form for up to three years.
- Data subject to legal hold may be retained for the duration of any pending legal proceeding or regulatory inquiry.
When personal data is no longer required, we securely delete or anonymize it in accordance with our internal data retention procedures.
7. Data Security
NexLink implements and maintains appropriate technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Our security practices include:
- Encryption of data in transit using TLS/SSL protocols.
- Encryption of sensitive data at rest.
- Access controls and role-based permissions limiting data access to authorized personnel.
- Secure authentication mechanisms including support for multi-factor authentication.
- Regular security assessments, monitoring, and incident response procedures.
- Employee training and confidentiality obligations.
No method of data transmission or storage can be guaranteed to be completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant authorities as required by applicable law and without undue delay.
8. International Data Transfers
NexLink operates across the United States and Brazil, and may engage service providers located in other jurisdictions. As a result, your personal data may be transferred to, stored, and processed in countries other than your country of residence.
When transferring personal data internationally, we apply appropriate safeguards to ensure that your data is protected in accordance with this Privacy Policy and applicable law, including:
- Relying on adequacy decisions issued by competent authorities.
- Implementing Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms.
- Entering into data processing agreements that reflect applicable legal requirements.
Users in Brazil are afforded protections under the LGPD, and transfers of their data outside Brazil are subject to the conditions established under that law. Users in the European Economic Area are afforded protections under the GDPR.
9. Your Privacy Rights
Depending on your jurisdiction, you may have certain rights regarding your personal data. NexLink respects and supports the exercise of these rights.
9.1 Rights Under U.S. Privacy Laws (including CCPA/CPRA)
- Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which it is used, and the categories of third parties with whom it is shared.
- Right to delete: you may request deletion of personal information we hold about you, subject to certain exceptions.
- Right to correct: you may request correction of inaccurate personal information.
- Right to opt out: we do not sell personal information. If this practice changes, you will have the right to opt out.
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
9.2 Rights Under GDPR (EU/EEA Users)
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may request correction of incomplete or inaccurate data.
- Right to erasure ("right to be forgotten"): you may request deletion of your personal data in certain circumstances.
- Right to restriction of processing: you may request that we limit how we use your data in certain circumstances.
- Right to data portability: you may request a machine-readable copy of your personal data.
- Right to object: you may object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint with your local supervisory authority.
9.3 Rights Under LGPD (Brazilian Users)
- Confirmation of the existence of processing; access to your data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Portability of your data to another service provider.
- Deletion of data processed with your consent.
- Information about entities with whom your data is shared.
- Information about the possibility of denying consent and the consequences of denial.
- Revocation of consent.
9.4 How to Exercise Your Rights
To exercise any of the rights described above, please submit a request to legal@nexlink.ai. We will respond to verified requests within the timeframe required by applicable law (generally 30 days, with the possibility of a single extension where permitted). We may need to verify your identity before fulfilling your request.
10. Cookie Policy
10.1 What Are Cookies
Cookies are small text files placed on your device by a website. They are widely used to make websites work efficiently and to provide information to website operators. Similar technologies include web beacons, pixels, local storage, and session storage.
10.2 Types of Cookies We Use
- Strictly Necessary Cookies: Essential for the Services to function and cannot be switched off. They include cookies that enable authentication, session management, security, and load balancing.
- Functional Cookies: Enable enhanced functionality such as remembering your preferences, language settings, and interface customizations.
- Analytics Cookies: Allow us to measure traffic and usage patterns in order to improve the Services. Data collected is aggregated and does not identify individuals.
- Marketing and Advertising Cookies: Where deployed, these may be used to measure the effectiveness of campaigns and display relevant information. We do not sell data collected through these cookies.
10.3 Third-Party Cookies
Some cookies may be set by third-party service providers acting on our behalf, including analytics providers, authentication services, and infrastructure providers. These providers are bound by their own privacy policies and by contractual obligations with NexLink.
10.4 Your Cookie Choices
You may manage your cookie preferences through our cookie consent interface where provided, or through your browser settings. Note that disabling certain cookies may affect the functionality of the Services.
11. Children's Privacy
The Services are not directed to individuals under the age of 16 (or under the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us immediately at legal@nexlink.ai so that we may take steps to delete such information.
12. Third-Party Services and Links
The Services may contain links to or integrations with third-party websites, platforms, or services that are not operated or controlled by NexLink. This Privacy Policy applies solely to the Services. We strongly encourage you to review the privacy policies of any third-party services you access through or in connection with our Services. NexLink is not responsible for the privacy practices or content of third parties.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the Services. When we make material changes, we will update the "Last Updated" date at the top of this document and, where required by law or warranted by the significance of the change, provide more prominent notice (e.g., by email or in-app notification).
Your continued use of the Services after the effective date of any revised Policy constitutes your acceptance of the updated terms.
14. Contact Information
Legal & Privacy: legal@nexlink.ai
General Inquiries: hello@nexlink.ai
Website: nexlink.ai · nexlink.com.br
Entity (US): NexLink, Inc., incorporated in Delaware, USA
Entity (BR): NexLink Tecnologia Ltda., Brazil
We are committed to resolving any privacy-related concerns promptly and in good faith. If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority in your jurisdiction.