1. Data Controller
Napsix Corp (Delaware, USA) and Napsix S.A.S. (Mendoza, Argentina) are joint controllers of the personal data collected through the Platform. We apply the corresponding local regulations according to the data subject's jurisdiction:
- 🇦🇷 Argentina: Personal Data Protection Act No. 25,326 (AAIP).
- 🇧🇷 Brazil: LGPD — Lei Geral de Proteção de Dados (ANPD).
- 🇲🇽 Mexico: LFPDPPP — Federal Law on the Protection of Personal Data Held by Private Parties (INAI).
- 🇨🇴 Colombia: Law 1581 of 2012 (SIC).
- 🇨🇱 Chile: Law 19,628 on the Protection of Private Life.
- 🇪🇺 European Union / United Kingdom: GDPR / UK-GDPR.
- 🇺🇸 USA: CCPA (California) and applicable federal regulations.
Privacy officer contact: privacy@napsix.ai.
2. Data We Collect
- Registration data: legal business name, local tax ID (CUIT/CNPJ/RFC/RUT/NIT), email, phone, country, province/state.
- Usage data: interactions on the platform, listings, quotes sent, XIA agents created, automations configured.
- Technical data: IP address, browser, device. The IP address is stored as a truncated SHA-256 hash (16 characters), never in plain text.
- Conversations with XIA Assistant: messages you send to the assistant, together with session metadata (model used, tokens, optional satisfaction rating). These conversations are stored and associated with your user account.
- Feedback content: bugs, ideas, and reports you submit through XIA Assistant or the Quick Report widget (page, browser, message, estimated severity, optional attachments).
- Data originating from third-party e-commerce and SaaS integrations (see section 13).
3. Purpose of Processing
- Manage your account and commercial profile.
- Facilitate the connection between buyers and suppliers.
- Operate your online store (Tiendanube/Nuvemshop, Shopify, etc.) through XIA agents according to the OAuth permissions you explicitly grant.
- Send notifications related to quotes, messages, tenders, and operational events of your store.
- Improve the user experience and the security of the Platform.
- Process and follow up on the feedback you submit to improve the product. The XIA conversations associated with a report are visible to Napsix administrators to understand the context of the issue. They are NOT visible to other users nor shared with third parties.
4. Legal Basis
Processing is based on (a) the consent given when registering and when approving each OAuth integration, (b) the performance of the contracted service, and (c) the legitimate interest in improving the platform and preventing fraud. The specific legal basis depends on the data subject's jurisdiction (see section 1).
5. Data Sharing
- Your public profile data (legal business name, sector, province, rating) is visible to other users of the Platform.
- We do not sell or share personal data with third parties for commercial purposes unrelated to the Platform.
- Active sub-processors (with signed DPA agreements): Supabase (database + storage + auth), Vercel (hosting), AWS Bedrock + Anthropic + OpenAI + Google (AI models), Resend (transactional email), Composio (1,000+ SaaS integrations), Pusher (push notifications), Cloudflare (CDN + DNS), Commet (billing).
- We may share data when required by a competent judicial authority.
6. Data Subject Rights
You may exercise your rights of access, rectification, erasure, objection, portability, and restriction of processing by writing to privacy@napsix.ai. We process requests within a maximum of 30 days. The applicable supervisory bodies by jurisdiction are: AAIP (AR), ANPD (BR), INAI (MX), SIC (CO), Council for Transparency (CL), GDPR Supervisory Authorities (EU), Privacy Rights Clearinghouse (USA).
7. Security
We implement technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.3) and encryption at rest (AES-256).
- Integration OAuth tokens stored in Supabase Vault with AEAD encryption and access restricted by SECURITY DEFINER functions. The plaintext is NEVER accessible from the frontend.
- Row-Level Security (RLS) on all tables: each tenant sees only its own data.
- Full auditing: an audit_log table with all sensitive operations traced.
- Optional MFA for accounts with elevated privileges.
- Daily automatic backups with 7-30 day retention depending on the plan.
- 24/7 monitoring of security and availability.
8. Cookies
We use technical cookies (essential for operation), analytics cookies (GA4, Vercel Analytics), and marketing cookies (Facebook Pixel, Google Ads). You can configure your browser to reject them or manage them from your account's cookie settings.
9. Public Feedback (Roadmap)
When the Napsix team decides to publish a piece of feedback on the public roadmap (/dashboard/feedback), we publish ONE rewritten title and a response from the team. We do NOT publish any identifying data of the original author (email, name, IP, the literal content of the original message). Other tenants can vote on public items.
If at any time you want a specific feedback submission to be completely deleted from our systems, write to us at privacy@napsix.ai indicating the report ID and we will proceed with permanent deletion within a maximum of 30 days.
10. Data Retention
- Account and profile data: for the duration of your account + 12 months after closure (legal audit).
- XIA Assistant conversations: maximum retention of 24 months from the last interaction.
- Submitted feedback: retained for the duration necessary to process the report + an additional 12 months (internal audit). Feedback marked public on the roadmap is kept as long as it is published.
- Admin internal comments on a piece of feedback: deleted when the feedback is deleted.
- Data originating from e-commerce integrations (Tiendanube, Shopify, etc.): deleted or anonymized according to section 14 when you uninstall the app.
- Audit logs: 12 months (operational logs), 5 years (financial / billing logs).
11. Modifications
We reserve the right to update this policy. We will notify you of significant changes by email at least 30 days in advance.
12. General Contact
info@napsix.ai — Mendoza, Argentina · Delaware, USA.
13. Data Accessed via Third-Party E-commerce and SaaS Integrations
When you connect an OAuth integration (Tiendanube/Nuvemshop, Shopify, Gmail, HubSpot, Slack, Google Drive, etc.) through the Napsix Integrations catalog, you grant explicit consent for Napsix to access certain data from the third-party service with the permissions (scopes) you approve in the OAuth flow.
13.1 Tiendanube / Nuvemshop
When you connect your Tiendanube/Nuvemshop store to Napsix, we access the following data according to the approved scopes:
- read_products / write_products: catalog (products, variants, prices, stock, images, categories).
- read_orders / write_orders: orders (status, items, totals, shipping, billing).
- read_customers / write_customers: customers (name, email, phone, shipping and billing address).
- read_coupons / write_coupons: discount coupons.
- read_shipping / write_shipping: shipping and carrier configuration.
- read_scripts / write_scripts: scripts injected into the storefront.
- read_content / write_content: pages, blog posts, redirects.
- read_store / write_store: general store configuration.
This data is processed exclusively to perform the tasks that your XIA agent decides or that you explicitly request from the chat. It is not shared with third parties, not sold, and not used to train general-purpose AI models.
The personal data of your end customers (buyers from your store) is processed by Napsix solely as a data processor following the instructions of the merchant (you), who is the data controller for that data with respect to its own customers.
13.2 Other Integrations (Composio, Gmail, Slack, HubSpot, etc.)
The same principle applies: we only access data according to the OAuth scopes you approve, and we only use it to perform the tasks that your XIA agent or you request.
14. GDPR Webhooks and Data Deletion upon Uninstall
We comply with the privacy requirements of the e-commerce platforms we connect to. Specifically, Tiendanube/Nuvemshop subscribes us to three mandatory GDPR webhooks:
- app/uninstalled (POST /api/webhooks/tiendanube): when you uninstall the Xia by Napsix app from the Tiendanube admin, we receive the event, delete the OAuth token from Supabase Vault, mark the connection as revoked, anonymize the analytics snapshots, and delete the associated scheduled jobs. Any raw data (products, orders, customers) we may have cached is deleted within a maximum of 30 days.
- store/redact (Tiendanube removes you as a merchant): we receive the event and delete all information about your store from our systems within 30 days.
- customers/redact (one of your end customers requests deletion): we receive the event and anonymize any personal data of that customer we have cached.
- customers/data_request (one of your end customers requests access to their data): we forward the request to you so that you, as the data controller, respond within the legal timeframe.
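The four webhook cases above, as an added illustration that is not Napsix's own code: a handler that first authenticates the event (assumption: the platform signs the raw request body with HMAC-SHA256 over the app secret and sends the hex digest in a request header) and then applies the deletion, revocation, anonymization or forwarding step each event calls for against a constructed in-memory stand-in for the vault, connection, snapshot, job and cached-customer tables.

```python
import hashlib
import hmac
import json

# Constructed in-memory stand-in for the stores named in section 14:
# OAuth tokens (vault), connection status, analytics snapshots, scheduled
# jobs, cached end-customer records, and an outbox for forwarded requests.
def new_store():
    return {"tokens": {}, "connections": {}, "snapshots": {}, "jobs": {},
            "customers": {}, "outbox": []}

def sign(raw_body: bytes, app_secret: str) -> str:
    # Assumption: HMAC-SHA256 of the raw body keyed with the app secret, hex encoded.
    return hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_sig: str, app_secret: str) -> bool:
    # Constant-time comparison so signature checking does not leak timing.
    return hmac.compare_digest(sign(raw_body, app_secret), header_sig)

def anonymize(record: dict, personal=("name", "email", "phone", "address")) -> dict:
    """Blank personal fields instead of deleting the row, so aggregates survive."""
    return {k: ("[redacted]" if k in personal else v) for k, v in record.items()}

def handle_webhook(raw_body: bytes, header_sig: str, app_secret: str, db: dict) -> str:
    if not verify_signature(raw_body, header_sig, app_secret):
        return "rejected"  # an unsigned or forged event must never trigger deletion
    payload = json.loads(raw_body)
    event, store_id = payload["event"], payload["store_id"]
    if event == "app/uninstalled":
        db["tokens"].pop(store_id, None)                 # drop the OAuth token
        db["connections"][store_id] = "revoked"
        db["snapshots"][store_id] = [anonymize(s, ("owner_email",))
                                     for s in db["snapshots"].get(store_id, [])]
        db["jobs"].pop(store_id, None)                   # cancel scheduled jobs
    elif event == "store/redact":
        for table in ("tokens", "connections", "snapshots", "jobs"):
            db[table].pop(store_id, None)                # delete everything about the store
        for key in [k for k in db["customers"] if k[0] == store_id]:
            del db["customers"][key]
    elif event == "customers/redact":
        key = (store_id, payload["customer"]["id"])
        if key in db["customers"]:
            db["customers"][key] = anonymize(db["customers"][key])
    elif event == "customers/data_request":
        # Processor role only: forward to the merchant, who is the controller.
        db["outbox"].append({"store_id": store_id,
                             "customer_id": payload["customer"]["id"]})
    else:
        return "ignored"
    return event
```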
If you want to manually request the complete deletion of all your data (not just the data originating from an integration), write to us at privacy@napsix.ai and we will proceed within a maximum of 30 days, with a confirmation by email.