Privacy Policy
This privacy policy explains how nexsource ("we", "us") collects, uses, stores and protects personal data when you visit getnexsource.com and use the nexsource application at app.getnexsource.com. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Data controller
Maximilian Budziat
Grüner Brink 14
37603 Holzminden, Germany
Email: maxx.budziat@gmx.de
2. What we collect
Account data
When you create an account we store your email address, a securely hashed password (using a modern password hashing function), your organization name and the date of registration. We never store your password in plain text.
Application data
Within nexsource you store data about your suppliers — contacts, addresses, contracts, certificates, materials, documents and notes. This data belongs to you. It is scoped to your organization and is not used by us for any purpose other than providing the service.
Payment data
Subscriptions are processed by Stripe Payments Europe, Ltd. (Ireland). We never see or store your full payment card details. We only store the Stripe customer ID, subscription status and plan tier required to operate the billing.
Technical data
When you visit our website or use the application we automatically receive technical information that is necessary to deliver the service: IP address, browser type, request timestamps and basic error logs. This data is processed on the basis of our legitimate interest in operating a secure, functional service (Art. 6 para. 1 lit. f GDPR).
3. Cookies and session storage
The application uses a strictly necessary session cookie (HttpOnly, Secure) to keep you signed in. We do not use third-party analytics or advertising cookies on the marketing site.
4. Processors and infrastructure
nexsource relies on the following processors to deliver the service:
- Cloudflare, Inc. — application hosting, database (D1) and file storage (R2), within the EU where available.
- Stripe Payments Europe, Ltd. — subscription billing and payment processing.
- Amazon Web Services, Inc. (SES) — transactional email delivery (verification, password reset, receipts).
Data processing agreements (Art. 28 GDPR) are in place with each processor.
5. International transfers
Where personal data is transferred outside the EU/EEA — in particular to providers based in the United States — such transfers are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
6. Retention
We retain your account data and content for as long as your account is active. Upon account deletion, content is removed within 30 days, except where we are required to retain certain data for legal or accounting reasons (typically up to 10 years for invoices).
7. Your rights
Under the GDPR you have the right to:
- access your personal data (Art. 15);
- request rectification (Art. 16) or erasure (Art. 17);
- request restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing (Art. 21);
- lodge a complaint with a supervisory authority.
To exercise these rights, contact us at maxx.budziat@gmx.de.
8. Security
All connections are encrypted via TLS. Passwords are hashed using a modern key-derivation function. Files are stored in a private bucket and delivered only via short-lived, signed URLs scoped to your organization.
9. Changes
We may update this policy. The current version is always available at /privacy.html. Material changes will be communicated through the application or via email.