NEXAPP TECHNOLOGIES

Privacy Policy

Nexapp Technologies Private Limited
Effective Date: 1 January 2026  ·  Last Updated: 1 January 2026  ·  Version 1.0

1. Introduction

1.1 Nexapp Technologies Private Limited (“Nexapp”, “Company”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you access or use our SD-WAN platform, NexappOS, the Nexapp Controller, hardware appliances, websites, applications, APIs, and related managed and professional services (collectively, the “Services”).

1.2 This Privacy Policy is published in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and is designed to align with global data-protection standards, including the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), where applicable.

1.3 By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

1.4 This Privacy Policy is an electronic record under the Information Technology Act, 2000 and does not require any physical or digital signature.

2. Scope and Roles

2.1 This Policy applies to: (a) visitors to our websites; (b) representatives of our business customers and prospects; (c) Authorized Users of the Services; and (d) individuals whose personal data we process when providing the Services.

2.2 Roles under data-protection law:

  • When we determine the purposes and means of processing personal data (for example, account administration, marketing, and our own business operations), we act as a Data Fiduciary (under the DPDP Act) / Data Controller (under the GDPR).
  • When we process personal data on behalf of, and under the instructions of, a business customer who uses the Services (for example, network telemetry and configuration data within the customer’s tenant), we act as a Data Processor. In that case, the business customer is the Data Fiduciary/Controller and is responsible for the lawfulness of the processing.

3. Personal Data We Collect

3.1 Information You Provide Directly

  • Identity and contact data: name, job title, business email address, telephone number, organization name, and postal address.
  • Account credentials: usernames, passwords (stored in hashed form), API keys, and authentication tokens.
  • Commercial data: billing details, purchase orders, GST identification number, and transaction records.
  • Communications: correspondence, support tickets, feedback, and survey responses.

3.2 Information Collected Automatically

  • Usage and device data: IP address, browser type, operating system, device identifiers, log files, access times, and pages viewed.
  • Network and operational telemetry: device health metrics, configuration metadata, link-performance statistics, network flow metadata, event logs, and diagnostic data generated by the Services. Where this data relates to identifiable individuals, it is treated as personal data.
  • Cookies and similar technologies: as described in Section 11.

3.3 Sensitive Personal Data

We do not intentionally collect sensitive personal data (such as financial account passwords, biometric data, or health information) except where strictly necessary to provide the Services, and only with appropriate consent and safeguards as required under the SPDI Rules and the DPDP Act.

3.4 Children’s Data

The Services are intended for business use and are not directed at children. We do not knowingly collect personal data of children (individuals under 18 years of age under the DPDP Act). Processing of any child’s data, where it occurs, will be conducted only with verifiable parental or guardian consent as required by Applicable Law.

4. How We Use Personal Data

We use personal data for the following purposes:

  • To provide and operate the Services — including account provisioning, authentication, configuration, device management, monitoring, and support.
  • To process transactions — including billing, invoicing, and collection of fees.
  • To communicate with you — including service notifications, security alerts, technical updates, and responses to inquiries.
  • To maintain security and integrity — including fraud prevention, abuse detection, incident response, and protection of our systems and customers.
  • To improve and develop our products — including analytics, troubleshooting, research, and quality enhancement, using aggregated or de-identified data where feasible.
  • For marketing — to send you information about our products and services, where permitted by law and subject to your right to opt out.
  • To comply with legal obligations — including responding to lawful requests by public authorities, regulatory reporting, and meeting requirements under the DPDP Act, the IT Act, CERT-In directions, and other Applicable Law.

5. Legal Bases for Processing

Where required by Applicable Law (including the DPDP Act and the GDPR), we process personal data on one or more of the following bases:

  • Consent — where you have given clear, informed, and specific consent for a defined purpose (which you may withdraw at any time);
  • Performance of a contract — where processing is necessary to provide the Services you have requested;
  • Legitimate use / legitimate interests — for purposes such as security, fraud prevention, network management, and product improvement, provided these do not override your rights;
  • Legal obligation — where processing is required to comply with Applicable Law.

For consent-based processing under the DPDP Act, you may withdraw consent at any time, with effect for future processing, by contacting us as set out in Section 14.

6. Disclosure of Personal Data

We do not sell personal data. We may disclose personal data in the following circumstances:

  • Service providers and sub-processors — third parties who perform services on our behalf (such as cloud hosting, payment processing, analytics, and customer support), bound by contractual confidentiality and data-protection obligations and permitted to use the data only to provide services to us.
  • Affiliates — members of the Nexapp group of companies, for the purposes described in this Policy.
  • Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.
  • Legal and regulatory disclosures — where required to comply with Applicable Law, a court order, or a lawful request by a governmental, regulatory, or law-enforcement authority, including CERT-In and other competent authorities in India.
  • Protection of rights — to enforce our Terms of Service, protect our rights, property, or safety, or that of our customers or the public.
  • With your consent — for any other purpose disclosed to you at the time of collection, with your consent.

7. International Data Transfers

7.1 Personal data may be processed and stored in India or in other countries where we or our sub-processors operate.

7.2 Where personal data is transferred outside India, such transfer is conducted in accordance with the DPDP Act and any restrictions notified by the Central Government. Where personal data is transferred from the European Economic Area, the United Kingdom, or other regions with cross-border transfer restrictions, we implement appropriate safeguards, such as Standard Contractual Clauses or equivalent mechanisms recognized under Applicable Law.

8. Data Retention

8.1 We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to provide the Services, comply with legal, tax, and accounting obligations, resolve disputes, and enforce agreements.

8.2 Retention periods are determined by the nature of the data, the purpose of processing, and applicable statutory requirements. When personal data is no longer required, we securely delete, anonymize, or de-identify it.

8.3 Where we act as a Data Processor, retention and deletion of Customer Data are governed by our agreement with the relevant business customer.

9. Data Security

9.1 We implement reasonable security practices and procedures consistent with the SPDI Rules and the DPDP Act, and aligned with recognized standards such as ISO/IEC 27001. These measures include encryption in transit and at rest, access controls, network segmentation, secure development practices, logging and monitoring, and regular security assessments.

9.2 Notwithstanding our safeguards, no method of transmission or storage is completely secure. We cannot guarantee absolute security, but we maintain a documented incident-response process to detect, contain, and remediate security incidents.

9.3 Breach Notification. In the event of a personal data breach, we will notify affected individuals and the relevant authorities — including the Data Protection Board of India under the DPDP Act and the Indian Computer Emergency Response Team (CERT-In) within the timelines prescribed under the CERT-In directions (including the 6-hour reporting requirement for specified cyber incidents) — and, where applicable, supervisory authorities under the GDPR, in each case as required by Applicable Law.

10. Your Rights

Subject to Applicable Law, you have the following rights regarding your personal data:

  • Right to access — to obtain confirmation of, and access to, the personal data we hold about you and a summary of its processing.
  • Right to correction and updation — to request correction of inaccurate or incomplete data and updating of your data.
  • Right to erasure — to request deletion of your personal data where it is no longer necessary or where you withdraw consent, subject to legal retention requirements.
  • Right to withdraw consent — to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to grievance redressal — to register a grievance with our Grievance Officer (Section 14).
  • Right to nominate — under the DPDP Act, to nominate an individual to exercise your rights in the event of your death or incapacity.
  • Additional rights (where applicable under the GDPR/CCPA): the right to data portability, the right to restrict or object to processing, the right to lodge a complaint with a supervisory authority, and the right not to be subject to unlawful sale or discrimination for exercising your rights. We do not sell personal data.

To exercise any of these rights, contact us as described in Section 14. We will respond within the timelines prescribed by Applicable Law and may need to verify your identity before acting on your request.

11. Cookies and Tracking Technologies

11.1 Our websites and applications use cookies and similar technologies to operate the Services, remember preferences, analyze usage, and improve performance.

11.2 We use: (a) strictly necessary cookies required for the Services to function; (b) functional cookies that remember your preferences; and (c) analytics cookies that help us understand usage. Marketing cookies, where used, are deployed only with consent.

11.3 You can manage cookie preferences through your browser settings or our cookie-consent tools. Disabling certain cookies may affect the functionality of the Services.

12. Third-Party Links and Services

The Services may contain links to, or integrate with, third-party websites and services that are governed by their own privacy policies. We are not responsible for the privacy practices of such third parties, and we encourage you to review their policies.

13. Changes to This Privacy Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or Applicable Law.

13.2 Material changes will be notified through the Services or by email before they take effect. The “Last Updated” date at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact Us and Grievance Redressal

14.1 For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact:

Data Protection / Privacy Office
Nexapp Technologies Private Limited
Email: privacy@nexapp.co.in

14.2 Grievance Officer. In accordance with the Information Technology Act, 2000, the rules thereunder, and the Digital Personal Data Protection Act, 2023, you may contact our Grievance Officer for any grievance regarding the processing of your personal data:

Grievance Officer
Nexapp Technologies Private Limited
Email: grievance@nexapp.co.in

We will acknowledge and address grievances within the timelines prescribed under Applicable Law.

14.3 Data Protection Board. If you are not satisfied with our response, you may have the right to lodge a complaint with the Data Protection Board of India under the DPDP Act, or with the relevant supervisory authority in your jurisdiction.

Copyright © 2025–2026 Nexapp Technologies Pvt Ltd. All rights reserved.
