1. Privacy Mission Statement

Nexly.biz (the “Company”) views privacy not as a compliance checkbox, but as a foundational civil right of the digital age. Our mission is to provide an educational ecosystem where users retain absolute sovereignty over their data. We engineer for privacy-by-design, ensuring that individual autonomy is the default setting of our infrastructure.

2. Structural Scope

This policy governs all personal data processed by Nexly’s global operations, including web interfaces, mobile applications, and AI diagnostic modules. It applies universally to all customers, regardless of their geographic location, ensuring a "Highest Common Denominator" approach to privacy.

3. The Principle of Data Minimization

We only collect the data points strictly necessary for the execution of Nexly business logic. Our "Data Vacuuming" prohibition prevents the idle collection of metadata. If a data point does not directly enhance your educational outcome or system security, we do not store it.

4. Collection Logic & Transparent Use

We process data for clearly defined purposes:

• Service Execution: To provision user accounts and facilitate course interaction.
• AI Personalization: To adapt curriculum velocity to individual cognitive patterns.
• Network Fortification: To detect anomalous access attempts and maintain platform integrity.

5. Jurisdictional Legal Basis

We process data under the following GDPR-aligned legal pillars: Contractual Necessity (to provide the service), Legitimate Interest (platform security), and Explicit Consent (for optional marketing or telemetry streams).

6. Data Retention Protocols

Personal data is retained only as long as necessary to fulfill the purposes outlined above. Upon account termination, we trigger a "De-Identification Sequence" or permanent deletion, except where minimal data must be retained to meet financial or legal auditing requirements.

7. Security Matrix & Shielding

User data is shielded by multi-layered defenses:

• Encryption: AES-256 for data at rest and TLS 1.3 for data in transit.
• Pseudo-Anonymization: Decoupling personal IDs from interaction telemetry in our analytics tier.
• Access Isolation: Engineers only access production data via just-in-time (JIT) administrative nodes.

8. Third-Party Governance

Nexly does not sell customer data to third-party aggregators. We share data only with verified "Sub-Processors" (e.g., cloud hosting providers) who are contractually mandated to uphold Nexly’s high privacy standards via signed Data Processing Agreements (DPAs).

9. Cross-Border Transfers & Safe Harbors

For users outside the data residency of our primary clusters, we utilize "Standard Contractual Clauses" (SCCs) and comply with jurisdictional frameworks (e.g., EU-US Data Privacy Framework) to ensure your data receives the same level of protection as it would in its home node.

10. Universal User Rights Matrix

Regardless of your local laws, Nexly grants you the following rights:

• Access & Portability: Obtain a JSON-formatted copy of all data Nexly holds on you.
• Rectification & Erasure: Correct inaccuracies or request the permanent deletion of your profile.
• Restriction: Limit how we process specifically sensitive data points.

11. Algorithmic Opt-Out & Human Review

Where Nexly uses AI for decision-making (e.g., grading or pathing), users have the right to request a "Human-in-the-Loop" review if they believe the algorithm has made an erroneous determination impacting their status.

12. Minor Safeguards (COPPA/GDPR-K)

Nexly does not knowingly collect data from individuals under the age of 16 without explicit parental or institutional consent. Our platforms feature specialized "Restricted Layers" to protect the privacy of students in primary educational tiers.

13. Digital Privacy & Rights Desk

To exercise your rights, report a suspected privacy breach, or submit a query to our Data Protection Officer (DPO), please connect with the Privacy Command.