Privacy Policy

1. Introduction

Welcome to BMB Nexus ("we," "our," or "us"). We are committed to protecting your privacy and handling your data in an open and transparent manner.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered marketing automation platform.

🔒 Our Privacy Commitment:

We do NOT sell your data to third parties
We do NOT use your content to train public AI models
We do NOT share your information for advertising purposes
We do NOT access your social media platforms without explicit authorization

Who We Are:

Service: BMB Nexus - AI Business Partner Platform
Website: https://bmbnexus.ai
Contact: [email protected]
Jurisdiction: European Union (GDPR Compliant)

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Email address (via Google OAuth)
Name and profile information
User ID (automatically generated)
Account creation date and last login timestamp

2.2 Payment Information

Payment processing is handled by Stripe. We do NOT store your credit card numbers or payment details directly. We only retain:

Stripe customer ID (for subscription management)
Subscription tier and status
Billing history and invoices
Transaction metadata (amounts, dates)

2.3 Content Data

When you use our platform to create content, we store:

Posts and captions you create for social media
Media files (images, videos) generated via AI
AI prompts and queries you submit to our agents
Campaign data (names, settings, target audiences)
Social media analytics (engagement metrics, performance data)
Draft content and editing history

2.4 Platform Connection Data

When you connect social media accounts via OAuth:

OAuth access tokens (encrypted and stored securely)
OAuth refresh tokens (encrypted at rest)
Platform user IDs (LinkedIn, Instagram, TikTok, etc.)
Platform profile information (username, display name)
Connection status and last refresh timestamps

2.5 Usage Data & Analytics

To improve our service, we automatically collect:

Feature usage statistics (which AI agents you use most)
Session data (login times, session duration, device type)
Tab activity (which sections you visit, time spent per tab)
API calls made (content generations, research queries)
Credits consumed (AI generations, video creations)
Error logs (technical issues for debugging)
Browser and OS information (for compatibility)
IP address (for security and fraud prevention)

2.6 Telegram Bot Data (Optional)

If you connect the Telegram bot integration:

Telegram user ID (for authentication)
Messages sent to VA agent (for responses)
Conversation history (stored in LightRAG memory)
Bot interaction logs (commands used)

2.7 Knowledge Base Documents

When you upload documents to Nexus (your AI brain):

Document content (PDFs, text files, etc.)
Document metadata (filename, upload date, size)
Vector embeddings (stored in Qdrant vector database)
RAG memory queries (what you search for in your knowledge base)

3. How We Use Your Information

We use your data for the following purposes:

3.1 Provide the Service

Generate AI-powered content (posts, images, videos)
Publish content to your connected social media platforms
Store and manage your content library
Track analytics and performance metrics
Maintain your Nexus AI memory and knowledge base

3.2 Improve Our Platform

Analyze feature usage to prioritize development
Identify and fix bugs and technical issues
Optimize AI model performance and accuracy
Develop new features based on user behavior

3.3 Communication

Send service updates and feature announcements
Notify you of important account changes
Respond to support requests
Send billing and payment confirmations

3.4 Security & Compliance

Prevent fraud and abuse
Comply with legal obligations (GDPR, data protection laws)
Enforce our Terms of Service
Protect our platform and users from malicious activity

⚠️ AI Training Disclaimer:

Your content is NEVER used to train public AI models. However, third-party AI providers (OpenAI, Anthropic, etc.) may process your prompts according to their own privacy policies. We use enterprise API plans that do NOT train on customer data.

4. Data Storage & Security

4.1 Where We Store Your Data

Data Type	Storage Location	Encryption
Account & User Data	PostgreSQL Database	✅ Encrypted at rest
Content & Campaigns	PostgreSQL Database	✅ Encrypted at rest
Media Files (Images/Videos)	Google Drive	✅ Google encryption
OAuth Tokens	PostgreSQL (encrypted)	✅ AES-256 encryption
RAG Memory / Knowledge Base	Qdrant Vector DB	✅ Encrypted at rest
Session Cache	Redis (temporary)	✅ Encrypted in transit

4.2 Security Measures

HTTPS/TLS encryption for all data in transit
AES-256 encryption for OAuth tokens and API keys
Database encryption at rest (PostgreSQL, Qdrant)
API keys never exposed to frontend/client-side code
Role-based access controls (user authentication)
Regular security audits and vulnerability scanning
Automated backups with 30-day retention
Rate limiting to prevent abuse

4.3 Infrastructure Partners

Database: PostgreSQL (self-hosted, encrypted)
Media Storage: Google Drive API
Payment Processing: Stripe (PCI DSS compliant)
Vector Database: Qdrant (self-hosted)

🔐 Your OAuth Tokens Are Safe:

Social media access tokens (LinkedIn, Instagram, etc.) are encrypted using industry-standard AES-256 encryption before storage. We never see your platform passwords - OAuth flow is handled directly between you and the social platform.

5. Third-Party Services We Use

5.1 AI & Content Generation Providers

Service	Purpose	Privacy Policy
OpenAI (GPT-4)	Text generation, AI prompts	View Policy
Anthropic (Claude)	AI agents, strategic planning	View Policy
Runway ML	Video generation	View Policy
Fal.ai	AI image/video generation	Enterprise API (no training)
Kie.ai (Sora)	Advanced video generation	Enterprise API (no training)

5.2 Social Media Platforms

We integrate with (via OAuth - you control access):

LinkedIn - Post publishing, analytics
Instagram - Content posting, engagement tracking
TikTok - Video uploads, performance metrics
YouTube - Video publishing, SEO optimization
Twitter/X - Tweet posting, thread creation
Facebook - Page management, post scheduling

We ONLY access what you explicitly authorize. You can revoke access anytime.

5.3 Infrastructure & Payments

Google Drive - Media file storage (images/videos)
Stripe - Payment processing (PCI DSS compliant)
Telegram - Optional bot integration for VA agent

⚠️ Third-Party Data Processing:

When you use AI features, your prompts are sent to third-party AI providers (OpenAI, Anthropic, etc.). We use enterprise API agreements that prohibit training on customer data. However, you should review their privacy policies linked above.

6. Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

6.1 Right to Access

You can request a copy of all personal data we hold about you.

How: Account Settings → Privacy → "Download My Data"

6.2 Right to Rectification

You can correct inaccurate or incomplete data.

How: Edit directly in Account Settings or contact support

6.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated data.

How: Account Settings → Privacy → "Delete My Account"

Timeline: Complete deletion within 30 days

6.4 Right to Data Portability

You can export your data in a machine-readable format (JSON).

Includes: Content, campaigns, analytics, settings

How: Account Settings → Privacy → "Export Data"

6.5 Right to Restrict Processing

You can limit how we process your data.

How: Contact [email protected] with your request

6.6 Right to Object

You can object to processing for specific purposes (e.g., analytics).

How: Account Settings → Privacy → "Opt-out of Analytics"

6.7 Right to Withdraw Consent

You can revoke social media platform connections anytime.

How: Account Settings → Platform Connections → "Disconnect"

📧 Exercising Your Rights:

Most rights can be exercised directly in Account Settings
For complex requests, email: [email protected]
We respond within 30 days (GDPR requirement)
Identity verification may be required for security

7. Cookies & Tracking

7.1 Types of Cookies We Use

Essential Cookies (Cannot be disabled)

Authentication tokens - Keep you logged in
Session management - Remember your settings during a visit
Security tokens - Prevent CSRF attacks

Analytics Cookies (Optional - can opt-out)

Feature usage tracking - Which AI agents you use
Session analytics - Time spent, pages visited
Performance monitoring - Load times, errors

We DO NOT Use:

❌ Third-party advertising cookies
❌ Social media tracking pixels
❌ Cross-site tracking

7.2 Managing Cookies

Browser Settings: Disable cookies entirely (may break functionality)
Account Settings → Privacy: Opt-out of analytics cookies
Cookie Banner: Customize preferences on first visit

7.3 Local Storage

We use browser local storage for:

UI preferences (theme, layout)
Draft content (auto-save)
Recent activity cache

You can clear: Browser Settings → Clear Site Data

8. International Data Transfers

BMB Nexus is based in the European Union and prioritizes EU data protection standards.

8.1 For EU/EEA Users

Data processed and stored primarily in EU/EEA
GDPR compliant by default
AI providers (OpenAI, Anthropic) use EU data centers when possible

8.2 For Non-EU Users

Your data is still protected under GDPR standards
Transfers governed by Standard Contractual Clauses (SCCs)
Same security measures regardless of location

8.3 Third-Party AI Providers

Some AI services (OpenAI, Anthropic) may process data in the US. These providers:

Use EU Standard Contractual Clauses
Comply with EU-US Data Privacy Framework
Provide enterprise-grade data protection

9. Children's Privacy

BMB Nexus is not intended for users under 16 years old.

We do not knowingly collect data from children under 16
If we discover underage users, accounts are immediately terminated
Data is deleted within 30 days of discovery
Parents/guardians can contact us at: [email protected]

Age Verification: By creating an account, you confirm you are 16+ years old.

10. Data Retention

10.1 Retention Periods

Data Type	Retention Period	Reason
Account Information	Until account deletion	Service provision
Content & Campaigns	12 months (configurable)	User access, analytics
Analytics Data	24 months	Platform improvement
Billing History	7 years	Legal/tax compliance
Deleted Data	30 days (soft delete)	Recovery window

10.2 After Account Deletion

Days 0-30: Soft delete (data recoverable if you change your mind)
Day 31: Hard delete begins (permanent removal)
Day 60: All backups purged (complete erasure)

10.3 Legal Hold Exceptions

Data may be retained longer if:

Required by law (e.g., ongoing legal investigation)
Needed for dispute resolution
Tax/accounting obligations (billing records)

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

New features or services
Changes in data protection laws
Improvements to security measures
User feedback and best practices

11.1 How We Notify You

Major changes: Email notification 30 days in advance
Minor changes: Dashboard notification banner
All changes: Updated "Last Modified" date at top of page

11.2 Your Options

If you disagree with updated terms:

Cancel your subscription before the effective date
Contact us to discuss concerns: [email protected]
Continued use after effective date = acceptance of new terms

11.3 Version History

Previous versions available on request: [email protected]

12. Contact Information

12.1 Privacy Questions

📧 Email: [email protected]

⏱️ Response Time: Within 30 days (GDPR requirement)

🆘 Urgent Issues: [email protected] (24-48 hour response)

12.2 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer:

Email: [email protected]

12.3 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we've violated GDPR.

EU Users: Find your authority at https://edpb.europa.eu

12.4 Business Address

BMB Nexus
[Your Registered Business Address]
[City, Postal Code, Country]
[VAT/Tax ID if applicable]

📋 Table of Contents