Skip to main content
NEXUPIRA
AboutCustomersPlatform
PricingSecurityFAQ
Let's talk →
AboutCustomersPlatform
Solutions
ProductivityIndustrialAgriculture
PricingSecurityFAQ

Privacy Policy

Last updated: 2026-06-15

NEXUPIRA (operated by Lofty Mems Co., Ltd., Tax ID 54335019; "we", "us", or "the Service") is an AI-powered integration platform that lets users connect their productivity tools (Google Workspace, Slack, GitHub, Notion, Linear, and others) and automate workflows through natural-language instructions. This Privacy Policy describes what we collect, how we use it, and what control you have.

1. Information We Collect

When you use Nexupira, we collect:

  • Account information: email address, name, and (if you register with a password) a salted password hash.
  • OAuth tokens: access tokens and refresh tokens from services you choose to connect. These are encrypted at rest with AES-256-GCM and used only to call APIs on your behalf.
  • Content you upload: documents, images, and files you attach to chats. Encrypted at rest.
  • Chat messages and workflow definitions: stored to let you resume sessions and re-run automations.
  • Operational telemetry: error logs, performance metrics, and session replays triggered only when errors occur (used to diagnose bugs).

2. Google User Data

When you connect a Google account, you grant Nexupira access to a limited set of Google APIs. The scopes we request are:

  • calendar & calendar.events — read and manage your Google Calendar events when you ask an automation to do so.
  • drive.file — create, read, and modify only the files that Nexupira itself creates or that you explicitly open through Nexupira. We never read your entire Drive.
  • documents, spreadsheets, presentations — edit the Google Docs, Sheets, and Slides files that Nexupira creates on your behalf.
  • gmail.send — send emails from your account when your workflow asks us to.
  • gmail.compose — create draft emails.
  • gmail.labels — list your existing Gmail labels.

Limited Use disclosure

Nexupira's use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide or improve user-facing features that are visible in the Nexupira interface.
  • We do not transfer Google user data to third parties except as necessary to provide those features, comply with law, or prevent fraud.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data unless we have your explicit consent for specific messages, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in line with these requirements.

3. How We Use the Data

  • To execute the automations and chat instructions you give us.
  • To route prompts and your explicitly selected context to the AI provider you have configured (e.g. OpenAI, Anthropic, Google, or a self-hosted model).
  • To debug crashes and improve reliability (error traces, anonymised session replays).
  • To authenticate you on subsequent sign-ins.

We do not sell your data, use it to train AI models, or share it with advertising networks.

4. Data Storage & Security

  • Each user's data lives in an isolated LibSQL namespace — one user's data is never co-mingled with another's.
  • OAuth tokens and uploaded documents are encrypted at rest with AES-256-GCM. Keys are held in a server-side KMS and never exposed to application logs.
  • Transport is HTTPS / TLS 1.2+ only.
  • We apply the principle of least privilege: OAuth scopes are the minimum needed for the feature you invoked.

5. Third-Party Services

To deliver the Service we send necessary data to:

  • AI model providers you have configured (OpenAI, Anthropic, Google Gemini, Groq, or any custom endpoint) — for the purpose of generating the response you asked for.
  • Connected service providers (Google, Slack, GitHub, Notion, Linear) — when you invoke a tool that touches them.
  • Cloud infrastructure (the hosting provider running our servers) — for execution.

We do not send your data anywhere you have not explicitly connected, except to our own operational infrastructure.

6. Your Choices

  • Disconnect a service at any time from the Connections page. This deletes our copy of the OAuth tokens and revokes our access.
  • Delete documents from the Documents page; deletion is immediate and permanent.
  • Delete your account by emailing the address below; we will remove your data within 30 days of the request.
  • Export your data on request.

You can also revoke our access directly from your Google Account settings at myaccount.google.com/permissions.

7. Data Retention

Chat messages are retained for 90 days for the session-resume feature and are then archived. Documents and automations persist until you delete them or close the account. OAuth tokens persist until you disconnect the service. Error logs are kept for 30 days.

8. Children's Privacy

Nexupira is not directed to children under 13 and we do not knowingly collect information from them.

9. Payment Data, PCI DSS & PDPA Notice

To process subscription, add-on, and custom transactions, the data collector is Lofty Mems Co., Ltd. (Tax ID 54335019). Notice under Article 8 of Taiwan's Personal Data Protection Act (PDPA):

  • Payment data collected: billing contact name, billing email, (business) tax ID and title, and transaction amounts/records.
  • Card data & PCI DSS: Full card data (number, expiry, CVV) is collected and processed directly by our PCI DSS Level 1 payment service providers — NewebPay (藍新金流科技股份有限公司) and ECPay (綠界科技股份有限公司) in Taiwan, and Paddle.com (acting as our Merchant of Record) internationally. We do not store, process, or transmit full card numbers on our own systems, so our environment falls under PCI DSS SAQ A scope; we retain only transaction identifiers/tokenized references for reconciliation and renewals. Payment pages use TLS encryption.
  • Legal basis: performance of our service contract with you (collection, provisioning, renewals, invoicing), compliance with legal obligations, and our legitimate interests in fraud prevention and reconciliation.
  • Purposes: billing, payment/collection, customer service, contract performance, invoicing, and legal compliance.
  • Retention: until the purpose ends or statutory accounting/tax retention periods expire.
  • Use region/recipients/method: within Taiwan and our cloud (AWS) regions, used electronically; recipients include the acquirer, payment provider, cloud provider (AWS), and lawful authorities.
  • Your rights: access, review, copies, correction, and to stop collection/processing/use and delete (subject to law). For international users we also honour GDPR/CCPA-style rights, including data portability, restriction of processing, and the right to object.
  • Effect of non-provision: without required payment/billing data, transactions and paid services cannot be provided.
  • Contact to exercise rights: [email protected].

10. Changes to this Policy

We will update the "Last updated" date above whenever this policy changes. Material changes will be announced by email or in-product notice before they take effect.

11. Contact

General privacy, data-deletion requests, or to exercise your rights: [email protected]. Account security and unauthorised-access reports: [email protected].

NEXUPIRA

One system, infinite personas.

01 Platform
  • Neural Spine
  • Autonomy ladder
  • Digital Twin ladder
  • MCP & BYO
02 Use cases
  • Customers
  • Productivity
  • Industrial
  • Agriculture
  • Templates
03 Trust
  • About
  • Security & Origin Policy
  • Common questions
  • Talk to us
  • Request early access

Lofty Mems Co., Ltd. (嶸惠有限公司) · Tax ID 54335019 · No. 75, Xing'er St., Taoyuan Dist., Taoyuan City 330074, Taiwan · [email protected]

© 2026 NEXUPIRA · Neural Spine for cross-industry autonomy Privacy Terms Refund