Skip to content

Privacy policy

Effective: 2026-06-05. Last updated: 2026-06-05.

This Privacy Policy describes how NitroX Consulting SAS (“we”, “us”, “our”), registered in France, processes personal data through the NitroxBrain service (the “Service”). It applies to all users of the Service, regardless of the chat client (Slack, Google Chat, Microsoft Teams) they interact with NitroxBrain through.

1. Who we are and our role

  • Controller for our own data (account identifiers, billing, support communications): NitroX Consulting SAS.
  • Processor for the user data you connect via OAuth (Gmail messages, Drive files, Calendar events, Slack messages, etc.): NitroX Consulting SAS. You — or your organisation — remain the data controller.
  • Contact for data-protection matters: privacy@nitroxconsulting.com.
  • General support: support@nitroxbrain.com.
  • Security: security@nitroxconsulting.com.

2. What data we process, and why

The Service processes only what is necessary to deliver the conversational-assistant features you signed up for.

Account + routing data (controller role): your email address, the integrations you have connected, your routing metadata (per-user compute instance, encrypted-vault identifier), and your subscription status if you are on a paid plan. Source: you, when you sign up or connect a service.

OAuth tokens (processor role): encrypted refresh + access tokens for the third-party services (Google, Microsoft, Slack, Trello, HubSpot) you connect. Source: the vendor’s OAuth flow. Used to authenticate API calls on your behalf.

Conversation data (processor role): the messages you send to NitroxBrain and the replies it returns. Source: your Slack / Google Chat / Microsoft Teams workspace.

Vault content (processor role): files, notes, and memory the Service creates while serving you (e.g. drafted documents stored in your dedicated per-user vault). Source: derived from your conversations.

Third-party data accessed via OAuth (processor role, transient): the Gmail messages, Drive files, Calendar events, etc. that the Service reads to answer a specific question or perform a specific action. This data is loaded into the AI model’s context for one conversation turn, then discarded. It is not indexed, cached, or stored beyond the turn.

Operational logs (controller role): timestamps, error traces, deploy events, performance metrics. Message content is redacted from these logs at the source. Source: our infrastructure.

Audit log (controller role): a tamper-evident, hash-chained log of every operator-side access to user data via the impersonation surface (support escalation, debugging, lawful-access request). Records actor, target, timestamp, and reason. Retained on write-once-read-many (WORM) storage for 7 years.

We do not collect: location data, device fingerprints, advertising identifiers, or cross-site tracking cookies.

Website analytics (cookies). The public website at nitroxbrain.com uses Google Analytics 4 (measurement ID G-9MWSFJ62WM) to measure visits — only after you opt in via the cookie banner. No analytics script loads and no analytics cookie is set before you consent, and rejecting is as easy as accepting. If you accept, Google sets first-party _ga and _ga_* cookies (expiry up to 2 years) used to count and distinguish visitors. You can change or withdraw your choice at any time via the Cookie settings link in the footer, or by clearing your cookies. The chat assistant itself sets no advertising identifiers and no cross-site tracking cookies; a strictly functional theme preference is kept in your browser’s local storage (no consent needed).

3. Where it lives (residency)

On our side:

  • Conversation memory, vault, and OAuth tokens: Google Cloud europe-west1 (Belgium).
  • Routing + subscription metadata: PostgreSQL on AWS Lightsail eu-west-3 (Paris).
  • Audit log: WORM tier in europe-west1 with offsite replication to eu-west-3.
  • Public website + dispatcher: AWS Lightsail eu-west-3 (Paris), served via Caddy with Let’s Encrypt TLS.

On the third-party side: when the Service reads your Gmail, Drive, OneDrive, Slack, Trello, or HubSpot, it reads from the vendor’s own servers. Those services have their own data-residency rules — many, especially consumer-tier Gmail and personal Microsoft accounts, store data globally. The Service only relays this data on demand; we do not move or duplicate it. If EU-only residency for the third-party data matters to you, configure it on the third-party side (e.g. Google Workspace Enterprise Data Regions, Microsoft 365 Enterprise data residency commitments).

4. How we protect it

The Service is designed for restricted-scope OAuth use (Google gmail.modify + drive, equivalent Microsoft Graph scopes) and has been built against the CASA Tier-1 control set (ASVS 4.0.3). Key controls:

  • EU residency — all compute and storage in the EU regions above.
  • TLS-only transport — every connection uses TLS 1.2+; the database server refuses plaintext connections (verified 2026-06-04).
  • Five-header pack on every TLS response — HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
  • At-rest encryption — AES-256 on every storage tier; per-user encryption keys on the most sensitive material.
  • Per-user isolation — dedicated isolated compute instance per user; dedicated encrypted storage vault. Cross-user data paths are architecturally impossible.
  • Tamper-evident audit log — every operator-side access via the impersonation surface is recorded in a hash-chained audit table with 7-year WORM offsite retention.
  • CVE / SBOM scanning — every deploy + nightly + per-PR; dependency drift surfaced before merge.
  • No model training on your data — your data is not used to train any general-purpose AI model.
  • No data sale — we do not sell or rent your data, nor share it with third parties for marketing.

The detailed self-assessment is available on request at security@nitroxconsulting.com. Per-scope justifications (what we read, what we deliberately don’t do) are public at /scopes.

5. Subprocessors

The Service uses the following subprocessors. The list is the source of truth; we will update it here before any new subprocessor receives user data.

SubprocessorRoleRegionOpt-in only?
Anthropic (Claude API)LLM provider — turn-by-turn inferenceUSNo — default
OpenAILLM provider; voice-memo transcription via Whisper at the dispatcher boundaryUSNo — default
Google CloudInfrastructure (compute + storage) + Gemini LLM APIEU europe-west1 (Belgium)No — default
AWSInfrastructure (Lightsail dispatcher + routing Postgres) + contact-form email (SES)EU eu-west-3 (Paris)No — default
AssemblyAIAudio transcription (alternative to Whisper)USYes — opt-in per user
TavilyWeb search APIUSYes — opt-in per user
MistralLLM provider (alternative to Claude / Gemini)EU (France)Yes — opt-in per user
Google AnalyticsPublic-website traffic analytics (website only, not the chat Service)US (Google LLC)Yes — only after cookie opt-in

The Google Analytics row applies to the public website (nitroxbrain.com) only, not to the chat Service. The website contact form is delivered to us via AWS SES in the EU (eu-west-3) — there is no third-party form processor. LLM providers operate under no-training data-handling agreements at the API tier we use. They do not use customer data to train any general-purpose model. They retain conversation data only transiently for abuse and safety monitoring — typically up to 30 days for Anthropic and OpenAI — per their standard API policies, after which the data is deleted by the provider.

6. Who can access your data

  • You — always, via chat and via vault export (plain Markdown + JSON in a tar.gz).
  • The third-party services you connect — under the OAuth grant you authorised; revocable from the vendor at any time.
  • The subprocessors above — strictly as needed to deliver the function listed in §5, under their respective data-handling agreements.
  • NitroX Consulting operators — only when you ask for support, or under a binding lawful-access request. Every operator access is logged in the §2 audit log; access reports are available on request.

We do not sell or trade your data. Period.

7. Your rights (GDPR)

You have the following rights with respect to your personal data:

  • Access — request a copy of your data. We deliver within 30 days at privacy@nitroxconsulting.com.
  • Rectification — correct inaccurate data by editing in chat, or by writing to us.
  • Erasure — request deletion. We confirm by email within 30 days of completion.
  • Portability — your vault is plain Markdown + JSON, exportable as a tar.gz from chat or by request.
  • Restriction / objection — write to us with the specific processing you wish to limit; we respond within 30 days.
  • Withdraw consent — for opt-in subprocessors (AssemblyAI, Tavily, Mistral), toggle the opt-in off in your account settings.
  • Lodge a complaint — you can complain to the CNIL (the French data-protection authority) at any time.

The fastest erasure path is to revoke OAuth access from the third-party platform (e.g. Google Account → Security → Connected apps) AND notify us at privacy@nitroxconsulting.com to trigger the 30-day deletion clock.

8. Retention

  • Active account — data is retained as long as you remain an active user.
  • After termination — vault content, OAuth tokens, conversation history, and routing metadata are deleted within 30 days. We send a confirmation email.
  • Operational logs — 30 days, then automatic deletion.
  • Audit log — 7 years on WORM storage (regulatory + breach-investigation obligation; cannot be deleted on request).
  • Billing records (if you are on a paid plan) — kept as long as required by French / EU tax law (typically 10 years), separately from your service data.

9. International transfers

We process data in the EU as described in §3. Some subprocessors are US-based (Anthropic, OpenAI, AssemblyAI, Tavily). Transfers to US subprocessors rely on the EU-US Data Privacy Framework where the subprocessor is certified, or on Standard Contractual Clauses (SCCs) otherwise. The detailed transfer mechanism per subprocessor is available on request.

10. Security incidents

If a personal-data breach affecting your data is confirmed, we will notify you and the CNIL within 72 hours of confirmation, with the scope of the breach, the categories of data affected, the corrective actions taken, and recommended steps you may take.

Security vulnerabilities can be reported per our public policy at SECURITY.md or RFC 9116 security.txt. Coordinated-disclosure contact: security@nitroxconsulting.com.

11. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

12. Changes to this Policy

We may update this Privacy Policy periodically. Material changes will be announced via the Service (in-chat notice) and via email to your registered address at least 30 days before they take effect. The version in effect at any time is published at /privacy with the effective date in the header.

13. Contact