Privacy Policy

The data controller responsible for your personal information is:

NxSure acts as a data controller for personal information collected through our own websites and services, and as a data processor on behalf of insurance agency customers who use our platform. When we process data on behalf of our customers, their privacy policies govern that data.

This Privacy Policy applies to:

• Our public-facing websites (including nxsure.com and related domains)
• Our subscription platform for insurance professionals
• Forms, intake processes, e-signatures, and scheduling tools
• Customer support interactions
• Email and SMS communications

This policy does not apply to third-party websites linked from our services or to the independent privacy practices of our insurance agency customers. Insurance agency customers using our platform are responsible for their own compliance with the Gramm-Leach-Bliley Act (GLBA), state insurance data security laws, and other applicable regulations governing nonpublic personal information (NPI) they collect from their clients.

Information You Provide Directly

• Contact information: name, email address, phone number, and agency name
• Billing information: payment details processed through Stripe (we do not store full card numbers or CVC/CVV codes on our systems)
• Lead and intake information: data submitted through our forms and intake processes
• Support content: messages, files, and communications you send to our team

Information Collected Automatically

• Device and usage data: IP address, browser type, operating system, referring URLs, and pages visited
• Analytics data: interaction patterns, session duration, and feature usage to help us improve our services
• Cookies and similar technologies: used for core functionality, security, and analytics (see Section 10)
• Bot protection data: Cloudflare Turnstile collects interaction and device signals to distinguish legitimate users from automated bots, without requiring a traditional CAPTCHA

Information from Third Parties

We may receive information from service providers such as Stripe (payment confirmations and fraud signals) and Google Workspace (for account provisioning).

Data Processed on Behalf of Customers

When acting as a processor for our insurance agency customers, we handle customer-collected data (which may include nonpublic personal information as defined under GLBA) strictly per those customers’ instructions and applicable data processing agreements. We do not use information we process as a service provider for our customers to market to you independently.

The following table describes the categories of personal information we have collected in the preceding 12 months, the sources of that information, the business purposes for collection, and the categories of third parties with whom it is shared.

Under the CCPA/CPRA and other state privacy laws, certain categories of personal information are considered “sensitive.” NxSure collects limited sensitive personal information as follows:

• Financial account information: Payment card details are collected and processed exclusively by Stripe. NxSure does not store full card numbers, CVC/CVV codes, or bank account numbers on our systems.

We use sensitive personal information only as necessary to provide our services (processing payments, managing your account) and not for the purpose of inferring characteristics about you. You have the right to limit the use and disclosure of your sensitive personal information. To exercise this right, see Section 12 below.

We use the information we collect for the purposes and legal bases described below:

• Provide and support our services (websites, forms, e-signatures, scheduling, customer support) — Legal basis: performance of our contract with you
• Process payments and manage subscriptions through Stripe — Legal basis: performance of contract
• Send account-related communications (confirmations, invoices, service updates) — Legal basis: performance of contract; legitimate interest
• Protect security and integrity of our infrastructure — Legal basis: legitimate interest
• Improve and develop our services based on usage patterns — Legal basis: legitimate interest
• Send marketing communications with your consent (you can opt out at any time) — Legal basis: consent
• Comply with legal obligations — Legal basis: legal obligation

Data minimization: We collect only the personal information that is reasonably necessary for the purposes described above and retain it only for as long as needed to fulfill those purposes or as required by law.

All payment transactions are handled by Stripe, which maintains PCI DSS Level 1 certification — the highest level of security compliance in the payments industry.

We use Stripe for payments, analytics, and other business services. Stripe may collect personal data including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection and prevention. You can learn more about Stripe and its processing activities via its privacy policy at stripe.com/privacy.

We do not store full card numbers or CVC/CVV codes on our systems. Stripe processes and stores your payment information securely and provides us only with limited transaction details (such as the last four digits of your card and transaction confirmation) necessary to manage your account and provide receipts.

We share your information only in the following circumstances:

• Service providers: trusted partners who help us operate our business, including Stripe (payments), Google Workspace (email and productivity), Mailchimp (email communications), Vercel (hosting and analytics), Cloudflare (security and bot protection), and Sentry (error monitoring) — all connected via secure APIs
• Authorized dashboard users: role-based access for authorized personnel within your agency
• Legal compliance: when required by law, legal process, or to protect the rights, property, or safety of NxSure, our customers, or others
• User-initiated sharing: when you request data exports or share information through our platform
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users

NxSure does not sell your personal information. We do not sell, rent, or share personal information with third parties for cross-context behavioral advertising or for monetary or other valuable consideration as defined under the CCPA/CPRA.

We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

If you wish to exercise your right to opt out of any future sale or sharing, you may do so by emailing privacy@nxsure.com or by enabling the Global Privacy Control (GPC) signal in your browser (see Section 10).

We use cookies and similar technologies for the following purposes:

Cookie Inventory

We do not use cookies for targeted advertising or cross-context behavioral tracking.

Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of your personal information under applicable state privacy laws. We will not set non-essential analytics cookies when a GPC signal is detected.

Do Not Track (DNT)

Some browsers offer a “Do Not Track” (DNT) setting. While there is no uniform standard for responding to DNT signals, we treat DNT signals the same as GPC signals described above.

Your Cookie Choices

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our services. Essential and security cookies cannot be disabled as they are required for the site to function.

We implement industry-standard security measures to protect your personal information, including:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls and multi-factor authentication for staff
• Regular security monitoring and auditing
• Vendor security oversight and assessment
• All data transmitted between you and our services uses encrypted channels

While we take reasonable steps to protect your information, no method of transmission or storage is completely secure. If you have concerns about the security of your data, please contact us at privacy@nxsure.com.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access / Right to know: request a copy of the personal information we hold about you, including the categories of data collected, sources, purposes, and third parties with whom it is shared
• Correction: request correction of inaccurate or incomplete information
• Deletion: request deletion of your personal information, subject to legal retention requirements
• Opt-out of sale/sharing: opt out of the sale or sharing of your personal information for cross-context behavioral advertising (NxSure does not currently sell or share your data)
• Limit use of sensitive data: request that we limit the use and disclosure of your sensitive personal information to what is necessary for providing our services
• Data portability: request your data in a portable, machine-readable format (e.g., CSV or JSON)
• Restrict processing: request that we limit how we use your information
• Object to processing: object to processing based on legitimate interests
• Withdraw consent: where processing is based on consent, withdraw that consent at any time

California Residents (CCPA/CPRA)

If you are a California resident, you have the rights listed above plus the right to: (a) know what personal information we have collected about you in the preceding 12 months and beyond, (b) request deletion, (c) opt out of sale or sharing, (d) limit use of sensitive personal information, (e) receive equal service and pricing regardless of exercising your privacy rights, and (f) designate an authorized agent to submit requests on your behalf.

Other U.S. State Residents

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia may have similar rights under their respective state privacy laws, including the rights to access, correct, delete, and opt out of targeted advertising. We will honor valid requests from residents of all states with applicable privacy laws.

European Economic Area & United Kingdom (GDPR)

If you are located in the EEA or UK, you also have the right to: (a) lodge a complaint with your local data protection authority, (b) request restriction of processing, and (c) object to processing based on legitimate interests.

How to Exercise Your Rights

You may submit a privacy request through either of the following methods:

• Email: privacy@nxsure.com with the subject line “Privacy Request”
• Contact form: nxsure.com/contact — select “Privacy Request” as the subject

We will respond within 30 days (or 45 days with notice if additional time is needed). We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

Verification

To protect your privacy, we will verify your identity before fulfilling a request. We may ask you to confirm your email address or provide other information we have on file. If an authorized agent submits a request on your behalf, we may require proof of authorization (such as a signed written permission or power of attorney) and verify the consumer’s identity directly.

Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge you different prices, provide a different level of quality, or suggest that you will receive different treatment as a result of exercising your privacy rights.

We retain personal information for as long as necessary to provide our services and fulfill the purposes described in this policy. Specific retention periods are listed in the categories table in Section 4. In general:

• Account data: retained for the duration of your account plus 1 year after closure
• Transaction and billing records: retained for 7 years to comply with tax and legal obligations
• Analytics and log data: retained for up to 90 days
• Error monitoring data: retained for up to 30 days
• Marketing consent records: retained for as long as the consent is active, plus 3 years

When data is no longer needed, we securely delete or anonymize it.

NxSure does not use automated decision-making technology (ADMT) to make decisions that produce legal or similarly significant effects on you without human review.

We may use automated tools for: (a) bot detection and security (via Cloudflare Turnstile), (b) fraud prevention in payment processing (via Stripe), and (c) spam filtering. These tools assist our operations but do not make consequential decisions about your access to services, pricing, or account standing without human oversight.

NxSure is not an insurance carrier or producer, and our platform does not perform insurance underwriting, claims processing, or coverage binding decisions.

If we introduce automated decision-making features in the future, we will update this policy and provide notice and opt-out rights as required by applicable law.

Your information may be transferred to and processed in the United States and other countries where our service providers operate. When transferring data internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure your information remains protected.

For transfers from the European Economic Area, we rely on the EU-U.S. Data Privacy Framework, SCCs, or other lawful transfer mechanisms as applicable.

Our services are designed for business professionals and are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete it.

If you believe a child has provided us with personal information, please contact us at privacy@nxsure.com.

You can opt out of marketing communications at any time:

• Email: click the unsubscribe link at the bottom of any marketing email
• SMS: reply STOP to any marketing text message

Opting out of marketing will not affect transactional communications related to your account or services.

We maintain incident response procedures to address security breaches promptly. If we discover a security incident that results in unauthorized access to or disclosure of your personal information, we will:

• Notify affected individuals in accordance with applicable state and federal law
• Notify the relevant state attorney general or regulatory body as required (e.g., within 15 calendar days to the California Attorney General if 500+ residents are affected)
• Provide sufficient detail to enable you to take protective steps and, if you are a platform customer, fulfill your own notification obligations under applicable law

If you believe your account has been compromised, please contact us immediately at privacy@nxsure.com.

If you have questions about this Privacy Policy or our data practices, please contact us: