Last Updated: April 24, 2025
This Privacy Policy explains how Nexsecure (“Nexsecure”, “we”, “us” or “our”) collects, uses, discloses, and protects personal information when you use our cybersecurity awareness training platform, website, and related services (collectively, the “Services”). It also describes your rights regarding your personal data. Nexsecure is committed to safeguarding personal data in compliance with applicable laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and, where applicable, the Health Insurance Portability and Accountability Act (HIPAA). If you do not agree with this Privacy Policy, please do not use our Services.
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at support@nexsecure.us.
This Privacy Policy applies to personal data we collect through the Services, including our SaaS security training platform and any websites or online services we operate. It covers personal data of our business clients, their authorized users (such as employees undergoing training), and website visitors.
For clarity, “personal data” means any information that identifies or can be used to identify an individual, as defined by applicable law. Nexsecure may act as a data processor on behalf of our business clients for certain data (for example, employee training data provided by a client, referred to as “Customer Data”), and as a data controller for other data that we collect for our own purposes (such as website visitor analytics or account registration information, referred to as “Other Information”). In general, our client (e.g. your employer) is the controller of Customer Data, and Nexsecure processes that data under their instruction; Nexsecure is the controller of personal data collected through our website, marketing and business operations. This Policy covers all such personal data. We have a separate Cookie Policy that provides details on our use of cookies and similar technologies.
We collect personal data from and about users in a variety of ways:
If you are a client or an authorized user, we may collect information that you or your employer provides to us. This includes identifiers and contact details such as your name, work email address, phone number, job title, department, and company/organization name. We may also collect account credentials (like username and password) and any profile information you choose to provide. If you are an administrative user or purchaser of our Services, we collect billing information (such as billing address, and payment details) as needed to process transactions.
When using the Nexsecure platform, you or your employer may submit information as part of training activities. This can include quiz or phish test responses, training scores, course completion data, feedback, or any files or content uploaded to the platform as part of the cybersecurity training (“Customer Data”). This data is typically provided under the direction of your employer in the context of using our Services. We only collect and process this data as necessary to provide the training Services and in accordance with your organization’s instructions.
Like most online services, Nexsecure automatically collects certain technical data when you interact with our website or platform. This includes:
We may receive personal data about you from third-party sources. For example, if your employer (our client) provides us a roster of employees to enroll in training, we collect those names and emails. If you log in via a single sign-on provider or integrate a Third-Party Service with our platform, we may receive certain information from that third party (such as an authentication token or your profile information from your employer’s directory). We may also obtain contact details from authorized resellers, referral partners, or marketing lead providers (for instance, if you attended an event or webinar and agreed to share your information). Any such data is treated in accordance with this Policy and any additional restrictions imposed by the source.
When you visit our websites or use the platform, we (and authorized third parties) use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities and device. This may include your preferences and settings, and helps us recognize you across different services and sessions. Our use of these technologies is described in our Cookie Policy, and you can manage your preferences as explained therein.
Nexsecure does not intentionally collect sensitive personal information such as social security numbers, driver’s license numbers, financial account or credit card numbers, precise health or medical information, or biometric data, unless necessary for providing our Services and requested by a client. We ask that users do not submit any highly sensitive personal information on the platform unless a specific arrangement is in place. In particular, our Services are not meant to collect personal health information from individuals.
HIPAA Notice: Nexsecure is not a covered entity under HIPAA and our platform is not intended to handle Protected Health Information by default. However, if a client in the healthcare sector requires us to process any health-related personal data subject to HIPAA, we will enter into a Business Associate Agreement (BAA) and handle that information in compliance with HIPAA’s requirements.
Nexsecure uses personal data for the following purposes, and in reliance on the legal bases described in the “Legal Bases for Processing” section below:
We process personal data to set up and administer accounts, to deliver our cybersecurity training content, simulate phishing exercises, record training progress, and otherwise provide the functionality of our platform to users. For example, we use your information to personalize training modules, track which courses you have completed, and generate reports for you or your employer on training performance. We also analyze usage patterns and feedback to improve our content and Services over time (e.g., to add new features, enhance user experience, and refine our training materials). This is in our legitimate interest to make sure our platform is effective and user-friendly.
We use contact information (such as email addresses and phone numbers) to send service-related communications. This includes sending onboarding information, invitations to training, password reset emails, alerts or reminders about pending training modules, and notifications of policy updates or security alerts. We may also send you information requested via our website (for example, a demo request or a whitepaper download) and respond to your inquiries or support tickets. If you contact us for support, we will use your information to troubleshoot issues and improve our support services.
Personal data is used to maintain the security of our Services, our users, and others. We monitor and analyze login activity, IP addresses, and usage logs to detect and prevent fraudulent behavior, phishing attacks, unauthorized access, cheating on training assessments, or other misuse of the platform. If we detect suspicious or malicious activity, we may investigate and take appropriate action (such as alerting the client organization or locking a compromised account) in order to protect our network and the personal data we process. It is in our legitimate interest (and the interest of all users) to keep the Services secure and free from abuse.
We process personal data as required to comply with applicable laws, regulations, and legal processes. For example, we may retain certain records to meet financial reporting or audit requirements, or disclose information in response to valid legal requests such as subpoenas or court orders. We will notify you or the relevant controller (such as your employer) of such requests when permitted by law. We also use personal data to uphold your privacy rights and preferences (for instance, recording opt-outs from marketing communications or documentation of consent).
We may use contact information of business clients or prospects (not end-user trainees without permission) to send promotional communications about our products, events, newsletters, or updates that may be of interest. For example, if you are an administrator or have signed up to receive our emails, we may send you educational materials or marketing emails about new features. We will do so in accordance with applicable law – for instance, we will seek your consent where required (such as for individuals in the EU). You can opt out of marketing emails at any time by clicking the unsubscribe link or contacting us. We do not use the training activity data of employees for marketing purposes. Additionally, we may use cookies and similar tracking for targeted advertising to site visitors, only with consent where required (see Cookie Policy).
We may use personal data for other necessary business purposes, such as to enforce our terms of service, to administer and improve our internal operations, for research and development, to de-identify or aggregate data (so it no longer identifies individuals) for analytical purposes, or as otherwise described to you at the point of collection.
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws that require a “legal basis” for processing personal data, Nexsecure only processes your personal data when we have a valid legal basis to do so. These bases include:
We process personal data to provide the Services under our contractual agreement with our clients or with you (Art. 6(1)(b) GDPR). This applies, for example, when we use employee data to deliver training content and evaluate results as part of our contract with your employer, or when you (as a user) accept our terms to use the platform. Without this data, we cannot fulfill the contract and provide the requested Services.
We process certain personal data as necessary for our legitimate business interests (Art. 6(1)(f) GDPR), provided those interests are not overridden by your data protection rights. Our legitimate interests include providing, maintaining, and improving our Services; ensuring the security of our platform and preventing misuse; analyzing and understanding how our Services are used; and promoting our Services to business clients. For example, it is in our legitimate interest and that of our customers to monitor usage to improve the platform’s effectiveness and to prevent cybersecurity threats. When we rely on legitimate interests, we will consider and balance any potential impact on your rights. You have the right to object to processing based on our legitimate interests in certain cases (see “Your Privacy Rights” below).
In some cases, we rely on your consent to process personal data (Art. 6(1)(a) GDPR). For instance, we will obtain your consent before setting non-essential cookies (such as analytics or advertising cookies) on your device, as required by law. We may also ask for your consent to send marketing emails if you are not an existing corporate client or to process special categories of data should that ever be necessary. Where we process personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out.
We process personal data to the extent necessary to comply with our legal obligations (Art. 6(1)(c) GDPR). For example, we may retain transactional records for tax compliance or respond to government requests as required by law.
Although rare in our context, if we ever process personal data in the public interest, we will ensure there is a lawful basis under Art. 6(1)(e) GDPR or equivalent provisions. For example, this might apply if we contribute anonymized cybersecurity threat data for public research or law enforcement assistance.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another compatible purpose and that purpose is permitted by law. If we need to process your personal data for an unrelated purpose, we will notify the relevant data controller (such as your employer or yourself) and explain the legal basis that allows us to do so or seek consent if required.
We do not sell your personal information to third parties for their own commercial use. However, we may disclose or share personal data with the following categories of recipients, for the business purposes described below:
If your access to the Services is provided by your employer or another organization (our client), that organization and its administrators have access to the data within the platform associated with your training. This includes your profile information, training status, scores, and any content or responses you provide. They may download or generate reports containing this data. In this context, your organization is the data controller of your personal data in the training platform, and Nexsecure is processing it on their behalf. Please refer to your organization’s internal policies for further details on how they use your data.
We share personal data with third-party service providers and vendors that perform services on our behalf, in support of the purposes described in this Policy. These third parties include data hosting providers (for example, cloud infrastructure like Amazon Web Services), analytics and business intelligence providers, email and communication service providers, customer support and CRM platforms, payment processors, marketing and sales tools, and other IT or security service providers. We contractually require our service providers to safeguard personal data and to use it only for the services they are providing to us. They are not permitted to use your data for their own unrelated purposes. A list of critical subprocessors can be provided upon request or may be available on our website for transparency.
If you or your organization choose to enable integrations or third-party applications in conjunction with our Services, we may share certain data with the provider of that integration at your direction. For example, if your organization integrates our platform with a single sign-on (SSO) identity provider or an HR system, we will exchange relevant user data to facilitate those connections. Such transfers of data are based on your organization’s instructions and subject to the third party’s privacy terms. We are not responsible for how third-party services handle the data once you have allowed them to access it via our platform.
We may share personal data with our affiliated companies (e.g., subsidiaries or future parent company) for purposes consistent with this Policy. For instance, if Nexsecure expands internationally and establishes branches in other countries, your information may be shared with or processed by those affiliates as needed to provide the Services and support to you. All such entities will be bound to protect personal data as described here.
If Nexsecure is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be transferred as part of that transaction. We would only transfer your data under appropriate confidentiality agreements and with sufficient safeguards. In the event of an acquisition or merger, we will require the new owner to continue to honor the privacy commitments we have made in this Policy, or we will notify you and/or provide an opportunity to opt out of the transfer or deletion of your data where required by law.
We may disclose personal data to courts, law enforcement, government authorities, or other third parties when we believe such disclosure is required or appropriate under applicable law. For example, we may disclose information: (1) if required to do so by law or legal process (such as a subpoena or court order); (2) when we believe, in good faith, that disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of our users, clients, or others; (3) to investigate fraud, security incidents, or violations of our terms of service; or (4) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a threat to health or safety. Where appropriate and legally permitted, we will attempt to notify you or the primary data controller (e.g., your employer) of such requests before disclosing your personal data.
We may share information that has been aggregated or anonymized (so it is no longer associated with an identifiable individual) with third parties for research, marketing, analytics, or other purposes. Such information does not constitute personal data and is not subject to the same restrictions, because it cannot be used to identify any individual.
Nexsecure does not sell your personal information to third parties, and we do not share personal data with third parties for their own direct marketing use without your consent. We may use third-party advertising or analytics cookies on our website (with your consent where required), which could be considered a “sale” or “share” of personal information under certain U.S. state laws; however, any such activity is disclosed in our Cookie Policy and you have the opportunity to opt out of those cookies if you wish. Aside from that context, we have not sold personal data and have no plans to do so.
Nexsecure is headquartered in the United States and the majority of the personal data we collect is stored and processed in the U.S. However, we serve clients and users around the world. If you are located outside of the United States, your personal data may be transferred to, stored, or processed in the United States or other countries which may not have equivalent privacy laws as your home jurisdiction. We take steps to ensure that appropriate safeguards are in place to protect your personal data in accordance with this Privacy Policy and applicable law.
For personal data subject to GDPR (European user data), when we transfer such data from the European Economic Area (EEA) or United Kingdom to the United States or any country that is not deemed “adequate” by the European Commission, we rely on legally approved transfer mechanisms. These may include: Standard Contractual Clauses (SCCs) adopted by the European Commission, which contractually oblige the recipient to provide a level of protection equivalent to EU law; and/or Nexsecure’s participation in an approved data transfer framework. We are committed to implementing supplementary measures as needed to ensure transferred data is protected.
Nexsecure is monitoring developments around the EU-U.S. Data Privacy Framework. If certified under this or a similar framework, we will process applicable personal data in compliance with its principles and properly communicate our certification. In the meantime, we continue to use SCCs and other measures for cross-border transfers. For transfers from other jurisdictions (such as Canada or other countries with data export requirements), we will similarly ensure compliance through contractual and legal measures consistent with those jurisdictions’ requirements.
By using our Services or providing us personal data, you understand that your information may be transferred to the United States or other jurisdictions as described here. If you have questions about international data transfers or require a copy of the relevant safeguards in place, please contact us.
Nexsecure retains personal data for as long as reasonably necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with applicable laws. The exact retention period will depend on the type of data and the context in which it was collected:
We retain Customer Data (such as training records for your organization’s employees) in accordance with our client’s instructions and contract. This generally means we keep such data for the duration of the service agreement with the client, unless instructed otherwise (for example, deletion of certain data upon a user’s departure or upon request). We may also retain Customer Data for a brief period after contract termination to facilitate data export by the client or as required by law or legitimate business purposes (e.g., to resolve any post-termination issues). When a client deletes data within the platform, we will make sure the deleted data is removed from active systems and then, within a reasonable time, from backups, in accordance with our standard data deletion schedules.
For data that Nexsecure controls (such as account registration information, communication logs, and analytics), we retain it as long as necessary for the purposes described in this Privacy Policy. For example, if you have an account on our platform, we will keep your account information while your account is active and for a reasonable period after you deactivate or stop using the account, in case you or your organization reactivate the service, or as needed to comply with legal obligations or to resolve disputes. We may keep certain information after you close your account for legitimate business reasons such as to comply with recordkeeping laws, to evidence our compliance with agreements (e.g., keeping evidence of consent or past training completions), to resolve disputes or enforce our agreements, or to pursue other lawful purposes consistent with this policy. When personal data is no longer needed, we will either delete it or anonymize it (so that it can no longer be associated with an identifiable individual).
Please note that residual copies of data might persist in our backup systems for a short period after deletion, as part of routine backup operations. We have processes to eventually purge or overwrite such data in the normal course of business.
Our retention practices are designed to comply with applicable data retention and disposal laws. If you have specific questions about our retention periods for certain data types, you may contact us for more detail.
We take the security of personal data very seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to: encryption of data in transit (e.g., TLS for web connections) and at rest where appropriate, access controls to restrict personal data to only those employees or contractors with a legitimate need, regular security training for our staff, firewalls and network security monitoring, and security testing of our platform. We also maintain policies and procedures to handle any suspected data incidents, including incident response plans and breach notification processes in line with applicable laws.
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. Therefore, we cannot guarantee absolute security of information. You should also take steps to protect your information – for example, by choosing a strong password for the platform and not sharing it, and by using secure networks to access the Services. If you believe that your account or data may have been compromised, please contact us immediately.
We continuously work to update our security measures to follow best practices and to protect the confidentiality and integrity of personal data. Additional information about our security practices may be available on our website or by request (for instance, we can share our Security Overview or compliance certifications upon request, where relevant).
Our Services are not intended for use by children or minors under the age of 16. Nexsecure is a business-oriented service aimed at companies and their employees. We do not knowingly collect personal data from anyone under 13 years of age (or under 16 in jurisdictions where 16 is the age of consent for data processing). If you are under the age of 13 (or 16, as applicable), please do not use our website or platform or provide any personal information to us.
If we become aware that we have inadvertently collected personal data from a child without proper consent or outside of a context permitted by law, we will take immediate steps to delete that information. If you believe that we might have any information from or about a minor, please contact us so that we can investigate and address the issue.
Depending on your location and applicable privacy laws, you may have certain rights regarding your personal data. Nexsecure is committed to honoring applicable rights requests in accordance with the law. This section describes rights that may apply and how to exercise them.
If you are in the European Union, European Economic Area, United Kingdom, or certain other jurisdictions with similar laws (e.g., Brazil’s LGPD, Canada’s PIPEDA), you have the following rights (subject to certain exceptions and limits under law):
To exercise these rights, you (or an authorized agent acting on your behalf) can contact us at support@nexsecure.us with your request. We may need to verify your identity and residency to process certain requests, which could involve asking for additional information. For certain requests, especially access, deletion, or portability requests, if you are an employee of one of our clients, we may direct your request to your employer (the data controller) and assist them in fulfilling it, since they control the primary account data. We will do our best to respond to your request within the timeframe required by law (typically within one month for GDPR, which can be extended if necessary).
Account Access: If you have an account on our platform, you may also be able to access, correct, or delete certain information directly by logging into your account and using the profile or settings features. Authorized users (such as administrators) at your organization may also have the ability to correct or delete information on your behalf through the platform’s tools.
If you are an employee/trainee and cannot fulfill a request directly through the platform, we recommend you first contact your employer (the Nexsecure client) as they may be responsible for handling your request. As a processor for our clients, we will support our clients in responding to any data subject requests. You may also contact us at support@nexsecure.us and we will coordinate with the appropriate party (e.g., your employer) to address your concerns.
Right to Lodge a Complaint: Users in the EU, UK, or other jurisdictions with a data protection authority have the right to lodge a complaint with the supervisory authority in their country if they believe we have infringed their data protection rights. For example, EU users can contact the Data Protection Authority (DPA) in the member state of their habitual residence or where an alleged infringement occurred. Contact information for DPAs in the EEA can be found on the European Data Protection Board website, and UK residents can contact the UK Information Commissioner’s Office (ICO). We encourage you to contact us first, so we have an opportunity to address your concerns before you do this.
If you are a resident of California, you are entitled to specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), regarding your personal information. This section applies solely to residents of California and the personal information about them that we collect in the context of the Services.
In the preceding 12 months, Nexsecure may have collected the following categories of personal information about California consumers, to the extent they engaged with our Services (whether as clients, users, or website visitors):
We collect these categories of information from the sources and for the business and commercial purposes described in earlier sections of this Privacy Policy. In summary, we collect personal information directly from the individual or their employer (Identifiers, Professional info), automatically through their interactions with our Services (Online activity, Geolocation, Inferences), and from service providers or partners (Identifiers, Professional info). We use the information for the business purposes detailed in “How We Use Personal Data” above, which align with the purposes set forth in the CCPA regulations (such as performing services on behalf of the business, security, debugging/repair, certain short-term uses, providing advertising or marketing services with consent, and internal research and development). We disclose personal information to third-party service providers and other parties as described in “Disclosure of Personal Data” above, which mainly fall under the categories of service providers and those with whom consumers direct us to share information.
Nexsecure does not sell the personal information of California consumers to third parties. We also have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising except potentially through the use of third-party advertising cookies on our marketing website, which you can control via our cookie consent mechanism (and we treat such use as a “share” under CPRA if applicable). In any event, if we ever considered selling personal information or using it for targeted advertising beyond what is disclosed, we would provide required notices and the opportunity to opt out. As of the last updated date of this Policy, we confirm we do not sell or share personal information as those terms are defined under California law.
Under the CCPA/CPRA, California residents have the following rights with respect to their personal information, subject to certain exceptions:
To exercise your Right to Know, Delete, or Correct under CCPA, you (or your authorized representative) may submit a request to us by emailing support@nexsecure.us or by mailing us at the address provided in the “Contact Us” section below. Please indicate that you are a California resident making a “CCPA Request” and specify the nature of your request (access/know, deletion, correction, etc.). We will need to verify your identity to process your request, which may involve confirming information we already have on file (such as your name, email address, or other details). For your protection, we will only fulfill requests when we have been able to adequately verify the requester’s identity and authority to make the request. If you have an account with us, we may verify your request through existing account authentication mechanisms. If an authorized agent submits a request on your behalf, we may require proof of the agent’s authorization and, in some cases, direct confirmation from you.
Once we receive and verify a valid request, we will respond within 45 days as required by CCPA (or inform you if an extension of up to 45 additional days is needed). Our response will cover the information required by law, or if we must deny the request (for example, due to a legal exception), we will explain the reason.
For requests to opt out of cookies that could be considered a “sale” or “share,” please use our website’s cookie preference center or send us a message indicating your desire to opt out of sale/sharing of your data. Note that because we do not otherwise sell/share personal information, opting out of cookies (or not giving consent for them) is generally sufficient.
California’s “Shine the Light” law (Civil Code § 1798.83) also permits users of our Services who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. Nexsecure does not disclose personal information to third parties for their own direct marketing purposes without consent. Therefore, we do not have any such list of disclosures to provide. If you have questions about this, you can contact us.