This Privacy Policy explains how Nexus Connect AS ("Nexus", "we", "us") collects, uses, and protects personal data when you use the Nexus equity management platform. We are committed to protecting your privacy in accordance with the GDPR, the Norwegian Personal Data Act (personopplysningsloven), and other applicable data protection laws.
1. Who We Are
Nexus Connect AS is the data controller for personal data processed through the Platform in connection with account management, billing, and customer communications. Where Nexus processes personal data (e.g. shareholder records) on behalf of a Customer, Nexus acts as a data processor and the Customer is the data controller. Processing in that context is governed by a separate Data Processing Agreement (DPA).
2. Information We Collect
2.1 Information You Provide
- Account data: name, email address, phone number, job title, and company name provided during registration
- Identity data: national identity information verified through Vipps MobilePay (Norwegian BankID) during authentication
- Billing data: billing address and payment method details (card data is processed and stored by Stripe; Nexus does not store full card numbers)
- Customer Data: shareholder records, share registers, cap table information, documents, and other data you upload
- Communications: the content of support requests, emails, or feedback you send to us
2.2 Information Collected Automatically
- Usage data: pages visited, features used, time spent, and actions taken within the Platform
- Device & log data: IP address, browser type and version, operating system, referring URLs, and access timestamps
- Cookies & similar technologies: session cookies and analytics cookies (see Section 9)
2.3 Information from Third Parties
- Vipps MobilePay: authentication tokens and basic profile information (name, phone number) returned after successful login
- Brreg / Roaring: publicly available company registry data used to auto-populate company details
3. How We Use Your Information
| Purpose | Categories of data used |
|---|---|
| Providing and operating the Platform | Account data, Customer Data, usage data |
| Authentication and security | Identity data (Vipps), device & log data |
| Billing and subscription management | Account data, billing data |
| Customer support | Account data, communications, usage data |
| Product improvement and analytics | Anonymised or aggregated usage data |
| Legal compliance and fraud prevention | Account data, device & log data, identity data |
| Marketing communications (with consent) | Account data (email/phone) |
4. Legal Basis for Processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): processing necessary to deliver the Platform under our Terms of Service
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, product analytics, and improving the Platform
- Legal obligation (Art. 6(1)(c)): processing required by Norwegian or EU law (e.g., VAT records, anti-money laundering)
- Consent (Art. 6(1)(a)): marketing communications — you may withdraw consent at any time
6. International Data Transfers
We endeavour to process personal data within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to US-based sub-processors), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission, or reliance on an adequacy decision.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law:
- Account data: subscription duration plus 3 years after termination
- Customer Data: available for export for 30 days after account termination; then permanently deleted
- Billing records: 10 years (Norwegian bookkeeping law, bokføringsloven)
- Log & usage data: 12 months rolling
- Marketing consent records: until consent is withdrawn plus 2 years
8. Security
Nexus implements appropriate technical and organisational measures to protect personal data, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls and principle of least privilege
- Multi-factor authentication for internal systems
- Regular penetration testing and security reviews
- Incident response and 72-hour breach notification to the supervisory authority (GDPR Art. 33)
10. Your Rights Under GDPR
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data where no overriding legal basis applies
- Right to restriction (Art. 18): request that we limit processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent: withdraw consent at any time where processing is consent-based
To exercise any of these rights, contact us at privacy@nexus.no. We will respond within 30 days. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no.
11. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice on the Platform at least 14 days before changes take effect. The date at the top of this Policy indicates when it was last revised.
13. Contact & Data Processing Agreement
For any privacy-related questions, requests, or to obtain a copy of our DPA, please contact our Data Privacy team:
See also our Terms of Service which govern your use of the Platform.