Privacy Policy
Last updated: March 30, 2026
1. Introduction
Mendios Technologies (webMOBI) ("we", "our", or "us"), operating as NexaLink, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications (NexaLink Card, NexaLink Scanner, NexaLink CRM) and website at nexalink.co (collectively, the "Service").
Our registered address is: 1250 Oakmead Pkwy Ste 210, Sunnyvale, California 94085, US.
By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use our Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, and authentication credentials when you create an account via email one-time passcode (OTP), Apple Sign-In, or Google Sign-In. We do not store passwords — authentication is handled via one-time codes sent to your email address or via third-party identity providers.
- Digital Business Card Data: Name, job title, company, phone numbers, email addresses, website, social media links, profile photo, bio, and card design preferences.
- Contact Information: When you scan business cards, import phone contacts, or manually add contacts to the CRM, we store names, email addresses, phone numbers, company, job title, social links, and notes.
- Event Data: Event names, locations, dates, and contacts captured during events.
- Voice Notes: Audio recordings and transcriptions you create in the CRM app.
- Interaction Notes: Notes, tags, and context you add about your contacts and conversations.
- Chat Assistant Queries: Text queries you type into the in-app chat assistant.
- Feedback & Feature Requests: Content you submit through our feedback system.
2.2 Information from Third-Party Services
- Gmail Integration (CRM App): When you connect your Gmail account, we access email metadata (sender, recipient, subject line, and date) from the last 90 days to identify contacts you communicate with. We do not read email body content. We also send follow-up emails on your behalf when you explicitly tap "Send." No emails are sent automatically. You can disconnect Gmail at any time from Settings.
- Google Sign-In: Name, email address, and profile information from your Google account.
- Apple Sign-In: Name and email address (or private relay email) from your Apple ID.
- Phone Contacts: With your permission, we access your device's contact list to enable contact import. We only import contacts you explicitly select.
2.3 Information Collected Automatically
- Usage Data: Features used, screens viewed, actions taken, time spent, and in-app events.
- Device Information: Device type, operating system version, app version, and unique device identifiers.
- Card Analytics: When someone views your digital business card, we record the view event, referral source, device type, and browser type. We do not identify the viewer unless they save your contact.
- Session Replay: A sample of app sessions (up to 50%) may be recorded for debugging and UX improvement via Mixpanel. On the website, Microsoft Clarity may record additional session replays and generate heatmaps. Text and images in session replays are masked to protect sensitive content.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service across all three apps
- Create and manage your account and digital business cards
- Process business card scans using AI (image analysis)
- Generate AI-powered follow-up messages based on your conversation context
- Discover contacts from your email history (Gmail integration)
- Send follow-up emails on your behalf via Gmail (only when you tap "Send")
- Provide analytics on card views and shares
- Send you notifications about follow-ups, reminders, and weekly activity summaries
- Send onboarding and product emails (you can unsubscribe anytime)
- Process subscriptions and manage your plan
- Detect and prevent fraud, abuse, and security incidents
- Improve our AI models and product features (using aggregated, de-identified data only)
4. AI and Automated Processing
Our Service uses artificial intelligence for several features:
- Business Card OCR: Card images are sent to Google Gemini or OpenAI for text extraction. Images are processed in memory and not permanently stored by these providers.
- AI Follow-up Drafting: Your contact context (name, company, conversation topics, notes) is sent to our AI proxy server, which calls Google Gemini or OpenAI to generate personalized messages. We do not send email body content.
- Chat Assistant: Your natural language queries are processed to classify intent and retrieve relevant contact information.
- Contact Scoring: We use algorithmic scoring (not AI) to rank contacts by follow-up urgency based on interaction patterns.
AI-generated content is always presented as a draft for your review. No AI-generated messages are sent without your explicit approval.
5. Data Sharing and Third Parties
We share your information with the following service providers:
| Provider | Data Shared | Purpose |
|---|---|---|
| Supabase (EU/US) | All user and contact data | Database, authentication, file storage |
| Google (Gemini API) | Card images, text prompts | OCR, AI text generation |
| OpenAI | Text prompts (fallback) | AI text generation |
| Google Gmail API | Email metadata | Contact discovery, email send |
| Mixpanel | Usage events, user ID, email | Product analytics, session replay |
| RevenueCat | Purchase status, user ID | Subscription management |
| Apple App Store | Purchase transactions | Payment processing (iOS) |
| Google Play Store | Purchase transactions | Payment processing (Android) |
| Vercel | Website traffic, API requests | Website hosting, serverless functions |
| AWS SES | Email address, first name | Onboarding drip emails, weekly summaries, transactional emails |
| Sentry | Error data, device info, user ID | Crash reporting and error tracking |
| Microsoft Clarity | Session recordings, mouse movements, clicks, device info | Session replay, heatmaps, UX analysis (website) |
| Expo | Push notification tokens | Push notification delivery |
We do not sell your personal information. We do not share your data with advertisers.
5.1 Google API Services — Limited Use Disclosure
NexaLink's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only access Gmail data (email metadata: sender, recipient, subject, date) necessary to provide and improve the contact discovery and follow-up features you have requested.
- We do not use Gmail data to serve advertising.
- We do not allow humans to read your Gmail data unless: (a) you provide affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data is aggregated and anonymized.
- We do not transfer Gmail data to third parties except as necessary to provide or improve the features you requested, to comply with applicable law, or as part of a merger/acquisition with appropriate protections.
6. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place through Standard Contractual Clauses and our providers' compliance certifications.
7. Data Retention
- Account data: Retained as long as your account is active. Deleted within 30 days of account deletion.
- Contact and CRM data: Retained as long as your account is active.
- Card analytics: Retained for up to 365 days (depending on plan).
- OCR cache: Business card scan results cached locally for 24 hours, then deleted.
- Voice notes: Retained as long as your account is active.
- Analytics data: Retained by Mixpanel per their data retention policy (typically 5 years).
- Gmail tokens: Stored encrypted on your device. Deleted when you disconnect Gmail or delete your account.
- Card Agent leads: Visitor emails and chat transcripts are retained as long as the card owner's account is active. Card owners may delete individual leads at any time.
- Crash reports (Sentry): Retained for 90 days by default per Sentry's data retention settings.
- Session recordings (Microsoft Clarity): Retained per Microsoft's data retention policy (typically 30 days).
- Feedback submissions: Retained indefinitely for product improvement unless you request deletion.
8. Your Rights
All Users
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Export your data (Pro plans and above)
- Disconnect third-party integrations (Gmail, LinkedIn) at any time
- Unsubscribe from marketing emails
- Opt out of session replay (contact us)
European Economic Area (GDPR)
If you are in the EEA, you have additional rights including:
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with your local data protection authority
Legal basis for processing: consent (Gmail, phone contacts), contract performance (account features), legitimate interests (analytics, security).
California Residents (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect and how it is used
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your rights
India (DPDP Act, 2023)
Indian users (data principals) have the right to:
- Access their personal data and obtain a summary of processing activities
- Correct and update inaccurate or incomplete personal data
- Erase personal data that is no longer necessary for the purpose it was collected
- Nominate another individual to exercise these rights in case of death or incapacity
- File a complaint with the Data Protection Board of India
Grievance Officer for Indian Users:
Email: grievance@nexalink.co
Response time: We will acknowledge your request within 48 hours and resolve it within 30 days as required under the DPDP Act.
9. Data Security
- Authentication tokens stored in iOS Keychain / Android Keystore (encrypted)
- All API communications over HTTPS/TLS
- Row-level security on all database tables (users can only access their own data)
- AI API keys stored server-side only (never in app bundles)
- Rate limiting on all API endpoints
- Session replay data is masked (text and images obscured)
- CRM contact data is stored locally on your device using SQLite (local-first architecture) in addition to cloud sync with Supabase, meaning your data remains accessible offline. Uninstalling the app removes all local data.
9.1 Data Breach Notification
In the event of a security breach involving your personal data, we will:
- Notify affected users via email and/or in-app notification without undue delay and, where required by applicable law (including GDPR Article 33), within 72 hours of becoming aware of the breach.
- Notify the relevant supervisory authority where required by law.
- Provide information about the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach.
- Maintain an internal breach register documenting all data breaches, their effects, and the remedial actions taken.
10. Children's Privacy
Our Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
11. Contact Data Processing
When you scan a business card or add a contact, we store the contact's information (name, email, phone, company) in your private account to help you manage your professional relationships.
- Contact data is stored only in your account and is not shared with other users or third parties
- We do not use stored contacts for unsolicited outreach — NexaLink never contacts your contacts directly
- You can delete any contact at any time
- When you delete your account, all contact data is permanently removed
12. Email Communications
12.1 Onboarding Drip Series (10 emails)
When you create a NexaLink account, we automatically enqueue a series of 10 onboarding emails delivered over 18 days (on days 0, 2, 4, 6, 8, 10, 12, 14, 16, and 18 after signup). These emails are designed to help you get the most out of NexaLink and include:
- Product education (creating cards, scanning, AI follow-ups, Event Mode, Gmail integration)
- Social proof and success stories from other professionals
- Feature discovery prompts
- Subscription upgrade information (in later emails only)
Onboarding emails are sent from NexaLink <noreply@nexalink.co> via AWS SES. Emails may be personalized with your first name and, where available, the name of a recently added contact to make follow-up suggestions relevant. We do not share your contacts' information with third parties through these emails.
You can unsubscribe from the onboarding series at any time via the unsubscribe link included in every email. Unsubscribing stops all remaining onboarding emails immediately.
12.2 Weekly Networking Summary
Once per week (Monday mornings), we send an activity summary email to users who have email preferences enabled. The weekly email includes:
- Your activity stats for the past 7 days (follow-ups sent, new contacts, cards scanned, card views)
- A networking score based on your engagement
- Contacts that may need follow-up attention
- A weekly tip for better networking
If you had no activity in the past week, you may receive a reactivation email instead, reminding you about contacts that may be going cold. Users with zero activity and zero contacts are skipped entirely — we do not email inactive users with no data.
You can unsubscribe from weekly summaries independently of onboarding emails via the unsubscribe link in each weekly email.
12.3 Email Infrastructure
All automated emails are sent via Amazon Web Services Simple Email Service (AWS SES) from verified sender addresses on the nexalink.co domain. We track email delivery status (sent, failed) for operational reliability. We do not use tracking pixels or open-rate tracking in our current implementation.
Email preferences are stored in our database and linked to a unique unsubscribe token for each user. You can manage your preferences by:
- Clicking the unsubscribe link in any email
- Contacting us at privacy@nexalink.co
12.4 Follow-up Emails You Send
When you use NexaLink to send follow-up messages, those emails are sent from your email account (e.g., Gmail), not from NexaLink. We facilitate the send but do not store or access email body content beyond what's needed for CRM features. Follow-up emails may include a link to your digital business card so recipients can save your contact easily.
We never send unsolicited emails to your contacts or to people who have not signed up for NexaLink.
12.5 Transactional Emails
We send transactional emails that are necessary for the operation of your account, including:
- OTP verification codes for authentication
- vCard delivery when a visitor requests your contact from your card page
- Lead capture notifications when someone interacts with your card agent
You cannot unsubscribe from transactional emails because they are required for service functionality.
13. Digital Card Pages, Card Agent & Sharing
When you create a digital business card, it is accessible via a public URL. We track anonymous page views (view count, referrer source, device type) to provide you with analytics on your card's reach.
13.1 Card Agent (AI Chatbot)
Your card page may include an AI-powered chat assistant ("Card Agent") that allows visitors to ask questions about you and your professional background. When a visitor interacts with the Card Agent:
- The visitor's chat messages are sent to Google Gemini for AI-generated responses based on information you have added to your card and knowledge base.
- If the visitor provides their email address (voluntarily), it is stored as a lead in your NexaLink account. You, as the card owner, can view the visitor's name, email, and chat transcript.
- A vCard file containing your contact information may be sent to the visitor's email address via AWS SES if they request it.
- You will receive a push notification and in-app notification when a new lead is captured.
Visitors who interact with the Card Agent are presented with a link to this Privacy Policy before submitting their email address. We process visitor data on the legal basis of consent (the visitor voluntarily provides their information) and our legitimate interest in enabling professional networking.
Card Agent visitor data (email, name, chat messages) is retained as long as the card owner's account is active. The card owner may delete individual leads. When a card owner deletes their account, all associated leads are permanently deleted.
13.2 Public Card Pages
When someone views your card page without interacting with the Card Agent, we collect only anonymous analytics data (view count, referrer, device type). We do not identify the viewer. Card pages may display a prompt inviting visitors to create their own NexaLink card.
14. Push Notifications
With your permission, we send push notifications for follow-up reminders, weekly activity nudges, and product updates. You can disable push notifications at any time in your device settings.
15. Cookies, Tracking Technologies & Consent
15.1 Website Cookies and Tracking
Our website at nexalink.co uses the following tracking technologies:
- Essential cookies: Required for website functionality (session management, security). These cannot be disabled.
- Mixpanel analytics: Collects usage events, page views, and user interactions for product improvement. May set first-party cookies.
- Microsoft Clarity: Records session replays and generates heatmaps for UX analysis. Sets first-party and third-party cookies. For more information, see Microsoft's privacy statement at privacy.microsoft.com.
We do not use advertising cookies, retargeting pixels, or cross-site tracking.
15.2 Consent
For users in the European Economic Area, United Kingdom, and other jurisdictions that require prior consent for non-essential tracking, we will present a cookie consent banner before activating Mixpanel or Microsoft Clarity. You may withdraw consent at any time by clearing your cookies or contacting privacy@nexalink.co.
15.3 Do Not Track
We respect browser "Do Not Track" (DNT) signals. When DNT is enabled, we will not activate non-essential analytics tracking on our website.
15.4 Mobile App Analytics
In our mobile applications, we use Mixpanel for usage analytics, Sentry for crash reporting, and Microsoft Clarity for session recording. Session replay in the mobile app is sampled (up to 50% of sessions) with text and input masking enabled. You may opt out of session replay by contacting privacy@nexalink.co.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification. Continued use of the Service after changes constitutes acceptance.
17. Contact Us
For privacy-related inquiries, data access requests, or to exercise your rights:
- Email: privacy@nexalink.co
- Address: Mendios Technologies (webMOBI), 1250 Oakmead Pkwy Ste 210, Sunnyvale, California 94085, US
- Website: nexalink.co/contact