NexReply logo

Privacy Policy

Last updated: 05-01-2026

Who we are

NexReply (“we”) provides software for automating customer service emails using matching and AI. Contact: info@nexreply.nl.

NexReply processes personal data exclusively on behalf of its customers, who act as the data controllers. NexReply acts as a data processor within the meaning of the General Data Protection Regulation (GDPR).

Which data we process

  • Contact details submitted via the form (name, email address, message).
  • Operational email data from your mailbox/ticketing system/ERP: sender/recipient, subject, content, attachments, metadata, and system logs.
  • Order and shipping data via your webshop (API/IMAP/SMTP/webhooks; e.g. order number, status, Track & Trace). These data are stored and processed insofar as necessary for providing the service, such as analyzing messages, generating replies, logging, auditing, and support, and are not retained longer than agreed or legally required.
  • Usage and logging (technical logs, error reports, security logs).
  • Cookies and similar technologies (see ‘Cookies’ below).

Purposes & legal bases

  • Service provision (performance of a contract): processing emails and generating replies according to your instructions.
  • Security and logging (legitimate interest).
  • Support and communication (legitimate interest / performance of a contract).
  • Legal obligations (statutory retention and tax obligations).
  • Marketing (only with consent or where a legitimate interest applies; you can unsubscribe at any time).

Use of AI

AI-generated responses are created solely within instructions approved by you and based on context provided by you. Where there is insufficient certainty, the conversation is forwarded to a human agent (human fallback).

The data processed by NexReply are not used to train AI models and are not used for any independent purposes outside the provision of the service to the customer, unless explicitly agreed otherwise.

Retention periods

  • Form submissions: up to 24 months.
  • Operational email data & (security) logs: by default 90 days, unless otherwise agreed or legally required.
  • Contractual/administrative data: in accordance with statutory retention periods.

Sharing with third parties

We use carefully selected processors and sub-processors for, among other things, hosting, email infrastructure, and AI services. We enter into a data processing agreement (DPA) with each (sub-)processor.

Personal data are shared only insofar as necessary for providing the service and in accordance with our instructions. An up-to-date list of sub-processors is available via support or upon written request.
In addition, we may share data where necessary:

  • to comply with applicable laws and regulations or a lawful request from a competent authority,
  • to protect our rights, property, or safety and that of customers or users.

Business transactions

In the event of a (proposed) merger, acquisition, or sale of (part of) our activities, personal data may be transferred to a successor party. Where legally required, we will inform you accordingly.

International data transfers

Processing may take place outside the EU/EEA (e.g. when using cloud or AI providers). In such cases, we apply appropriate safeguards, such as the Standard Contractual Clauses (SCCs) of the European Commission and additional measures where necessary. Details about regions and providers are available upon request.

Security

  • Transport security (TLS) for IMAP/SMTP/API where possible.
  • Access control per mailbox/customer, logging, and least-privilege principles.
  • Isolated tenants where applicable; periodic review of access rights and configurations.
  • Encryption at rest where available within the chosen infrastructure.

No method of transmission or storage is 100% secure; we strive to implement appropriate technical and organizational measures in line with risks and the state of the art.

Your rights

To the extent permitted by law, you have the right to access, rectification, erasure, restriction, data portability, and objection to certain processing activities (including direct marketing). Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. Requests can be sent to privacy@nexreply.nl.

Cookies

We use necessary cookies and — where enabled — analytical cookies.

  • Type: session cookies (expire when the browser is closed) and persistent cookies (remain until their expiration date or deletion).
  • Purposes: basic functionality, statistics/analytics, and performance monitoring.
  • Your choices: you can manage cookie preferences via our banner (if available) or through your browser settings. Disabling certain cookies may affect functionality.

Links to third parties

Our website/service may contain links to third-party websites or services (e.g. carriers or AI providers). We are not responsible for their privacy practices. Please consult their privacy statements before providing personal data.

Children

Our services are not intended for persons under the age of 16. We do not knowingly collect data from children under 16. If you believe this has occurred, please contact us so we can take appropriate measures.

Changes to this policy

We may update this policy due to changes in legislation, technology, or our services. In the event of material changes, we will publish a clear notice on our website and update the “Last updated” date.

DPA / data processing agreement

We offer a data processing agreement (DPA). Please contact us for execution and for the current list of sub-processors.

Contact

Questions or complaints? Email privacy@nexreply.nl. You may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).