Legal
Privacy Policy
NexBDM (Pty) Ltd · Global Privacy Policy (GDPR & POPIA) · Effective 25 May 2026
NexBDM (Pty) Ltd ("NexBDM", "we", "us") is a South African technology company registered in accordance with the Companies Act, No. 71 of 2008. We provide AI chatbot agent development, business automation consulting, SaaS platform services, and related technology services to businesses worldwide. This policy describes what personal information we collect, why, how we protect it, your rights as a data subject, and how we handle third-party and client data. Because this site serves a global audience, we comply with both the EU/UK General Data Protection Regulation (GDPR) and South Africa's Protection of Personal Information Act (POPIA), and we apply the stricter protection where the two differ.
Information Officer / Data Protection Contact: Heinoux Jakobus Roux, Founder and Information Officer · hjr@nexbdm.com · 079 607 5372
EU/UK visitors: our lead supervisory authority is the relevant member-state authority; you may also lodge a complaint with your local authority. South African visitors: you may lodge a complaint with the Information Regulator of South Africa.
What personal information we collect
- Prospective clients (leads): full name, email address, phone and WhatsApp number, business name, industry, number of employees, job title, and notes from calls, emails, and WhatsApp messages.
- Clients: identity and contact details, invoice records and payment history, signed statements of work and NDAs, and project records (discovery notes, process maps, solution designs, build documentation).
- SaaS platform users (NexSign, NexLog, NexCRM, NexSync): account information (name, email, organisation), authentication data (hashed passwords, JWT session tokens, not stored in plain text, login timestamps), usage data (feature usage, audit logs, session duration, IP address at login), and billing contact (no card data stored by NexBDM).
- Client customer information (operator role): when we build chatbots or automation, we may process personal information belonging to our clients' customers. In this capacity NexBDM acts as Operator and processes this data only as instructed by the client (Responsible Party) under a Data Processing Agreement.
- Website visitors: IP address, browser and device type, pages visited, time on site, referral source, and contact-form submissions (name, email, message).
Why we collect it (lawful basis)
- Prospective clients: to qualify, assess fit, and prepare proposals. Lawful basis: legitimate interest.
- Clients: to deliver contracted services, manage the relationship, invoice, and collect payment. Lawful basis: performance of a contract.
- SaaS platform users: to provide, maintain, and improve platform functionality; authenticate users; and process subscription billing. Lawful basis: performance of a contract / legitimate interest.
- Website visitors: to understand website usage and respond to enquiries. Lawful basis: legitimate interest.
How we store and protect it
We implement appropriate technical and organisational measures: only the Information Officer has access to sensitive client data; strong unique passwords and a password manager are used at all times; client credentials and sensitive data are stored in encrypted form; the website and all SaaS platforms use SSL/HTTPS encryption. Following a security audit in May 2026, NexBDM implemented server-level hardening (firewall rules, access-key rotation, deployment-pipeline security controls) on Hetzner/Coolify infrastructure. Session tokens are short-lived, signed, and not stored in plain text.
Third-party service providers and data sharing
NexBDM uses third-party platforms to deliver its services and operate its SaaS products. Personal information may be processed by these platforms as sub-processors. We do not sell personal information to third parties under any circumstances.
- GoHighLevel CRM (USA) · client contact and lead information.
- n8n (self-hosted, Germany) · automation workflows which may include client data.
- Anthropic (Claude AI) (USA) · conversation data as part of chatbot solutions.
- WhatsApp Business API (Meta Platforms, USA) · client-facing messaging.
- Google Workspace (USA / EU) · email communication and document storage.
- Hetzner (Germany, EU) · primary cloud infrastructure; subject to GDPR as well as POPIA contractual protections.
- Coolify (Hetzner) · self-hosted deployment platform; no third-party data access.
- Cloudflare (USA / Global) · DNS, CDN, and DDoS protection; may process IP addresses and request metadata.
- Paystack (Nigeria / USA) · payment gateway; PCI DSS compliant; card data is NOT stored by NexBDM.
- Resend (USA) · transactional email delivery for platform notifications.
Cookies and website tracking
The NexBDM website uses cookies. Strictly necessary cookies (session management, security tokens, load balancing) require no consent. Analytics and performance cookies are aggregated and anonymised and may be opted out of at any time. Non-essential marketing or retargeting cookies are never placed without your prior, informed, freely given consent via the cookie consent banner.
Retention of personal information
- Lead records not converted: 24 months from last interaction.
- Client contractual records (SOW, NDA, invoices): 5 years from end of engagement.
- Financial records (invoices, payments): 5 years.
- Chatbot conversation logs: as specified in the client SOW (typically 12 months).
- Website visitor data: 12 months.
- Deleted SaaS account data: purged within 30 days of deletion, except where retention is required by law.
Your rights (GDPR and POPIA)
Whether you are in the EU/UK (GDPR) or South Africa (POPIA), you have the following rights, and we honour the broader set where the two laws differ:
- Right to be informed: to know what we collect and why, as set out on this page.
- Right to access: request confirmation of whether we hold your personal information and a copy thereof.
- Right to rectification: request correction of inaccurate or outdated personal information.
- Right to erasure: request deletion where personal information is no longer necessary for the original purpose (the "right to be forgotten" under GDPR).
- Right to restrict processing: ask us to limit processing while a correction or objection is verified.
- Right to data portability: (GDPR) request your personal information in a structured, commonly used, machine-readable format.
- Right to object: object to processing on grounds relating to your specific situation, including direct marketing and automated decision-making.
- Right to withdraw consent: where we rely on consent, withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint: with your local authority, the Information Regulator of South Africa, or (for EU/UK visitors) your member-state supervisory authority.
To exercise any of these rights, contact the Information Officer at hjr@nexbdm.com with subject line "Privacy Request: [Your Name]: [Request Type]". We respond within 30 days of receipt, or within the GDPR statutory period where that is shorter.
International transfers
Because we serve clients worldwide, personal information may be transferred to and processed in countries outside both South Africa and the European Economic Area. Where we transfer personal information out of the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement, and we maintain a contractual Data Processing Agreement with each sub-processor. Where we transfer out of South Africa, we rely on POPIA's recognised safeguards (including SCCs and binding corporate rules). We do not transfer personal information to a country that does not provide an adequate level of protection unless appropriate safeguards are in place.
The formal legal copy of this policy is published as privacy-policy.pdf (POPIA Privacy Policy v1.2). This web page is the global, plain-language summary covering both GDPR and POPIA.
Book Your Discovery Session