Privacy Policy

Last Updated: April 16, 2026

1. Introduction

Nesion Engineering ("we", "us", "our", or the "Company") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, retain, and protect your information when you use our software, website (nesion.net), APIs, and related services (the "Services").

This policy applies to all users worldwide, including those protected by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Data Controller

The data controller responsible for your personal data is:

Nesion Engineering — Carlos Costa Garcia
Madrid, Spain
Email: license@nesion.net

3. Information We Collect

We collect the minimum information necessary to provide and secure our Services:

3.1 Information You Provide

Account Information: Corporate email address and company name provided during signup.
Billing Information: Payment data processed through third-party providers (PayPal, Stripe). We never store full credit card numbers on our systems.
Support Communications: Emails, messages, or other correspondence you send to us.

3.2 Information Collected Automatically

License Telemetry: When the Nesion engine is active, it reports cryptographic license keys, hostname, GPU count, engine version, and IP address to our license server for validation purposes.
Website Analytics: Standard server logs including IP address, browser type, referring pages, access times, and pages viewed.
Cookies: As described in our Cookie Policy.

3.3 Information We Do NOT Collect

We do not collect, inspect, store, or process the content of your prompts, model inputs, or model outputs.
We do not access or transmit your model weights, training data, or inference results.
We do not use any form of keylogging, screen capture, or background surveillance.

4. How We Use Information

We use the collected information strictly for the following purposes:

Purpose	Legal Basis (GDPR)
Authenticating and validating license keys	Contractual necessity
Processing payments and issuing invoices	Contractual necessity
Providing technical support and issue resolution	Contractual necessity
Analyzing aggregate usage patterns to improve engine performance	Legitimate interest
Detecting and preventing license abuse or fraud	Legitimate interest
Sending critical service notifications (outage alerts, security patches)	Legitimate interest
Complying with legal and regulatory obligations	Legal obligation

We do not use your personal data for marketing, advertising, profiling, or selling to third parties.

5. Information Sharing & Third Parties

We do not sell, rent, trade, or otherwise disclose your personal data to third parties for their own marketing purposes. We share information only with the following trusted service providers, strictly necessary for our operations:

Provider	Purpose	Location
Vercel Inc.	Website hosting and serverless API infrastructure	United States
Supabase Inc.	Database hosting and authentication	United States
PayPal / Stripe	Secure payment processing	United States / EU

These providers are bound by their own privacy policies and data processing agreements. We may also disclose information if required by law, subpoena, or court order.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Account data: Retained for the duration of your subscription plus 12 months after cancellation for billing dispute resolution.
License telemetry logs: Retained for 90 days, then automatically purged.
Server access logs: Retained for 30 days.
Support correspondence: Retained for 24 months after ticket closure.
Financial records: Retained for 7 years as required by applicable tax and accounting regulations.

7. Data Security

We implement industry-standard security measures to protect your data, including:

All API communications are encrypted via TLS 1.2+.
License keys are cryptographically signed using RSA-256.
Passwords are never stored — we use JWT-based authentication.
Database access is restricted by role-based access controls.
Infrastructure is monitored for unauthorized access attempts.

While we take commercially reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. International Data Transfers

Your data may be transferred to and stored in servers located in the United States, where our infrastructure providers (Vercel, Supabase) operate. These transfers are conducted in accordance with applicable data protection laws, including:

EU Standard Contractual Clauses (SCCs) where applicable.
The EU-US Data Privacy Framework, where certified.

By using our Services, you consent to the transfer of your data outside of your country of residence.

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing: Request that we limit how we use your data.
Right to Data Portability: Request your data in a structured, machine-readable format.
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact license@nesion.net. We will respond within 30 days.

10. Your Rights (CCPA — California Residents)

If you are a California resident, you have additional rights under the CCPA:

Right to Know: You may request details about the categories and specific pieces of personal information we have collected.
Right to Delete: You may request deletion of your personal information.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.

11. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such information.

12. Data Breach Notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
Notify affected users without undue delay, describing the nature of the breach, likely consequences, and measures taken.

13. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. License validation and abuse detection are rule-based systems (GPU count checks, key expiry) and do not involve AI-based profiling.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Your continued use of the Services after the posting of changes constitutes your acceptance of the updated policy.

15. Contact

For any questions, concerns, or requests related to your privacy or this policy, please contact:

Nesion Engineering — Data Protection
Email: license@nesion.net
Madrid, Spain