Privacy Policy
Effective Date: December 27, 2025
1. Introduction and Organization
At N3XT:CX, we are committed to serving our customers and contacts to the best of our abilities. Part of our commitment is the responsible handling of personal data collected through our website n3xt-cx.io and all related interactions.
Our main goals in processing personal data:
- Improving user experience on our platform by understanding customer needs and preferences
- Providing timely support and responding to inquiries or service requests
- Improving our products and services to meet the evolving requirements of our users
- Conducting necessary business operations such as billing and account management
It is our principle to process personal data while ensuring maximum privacy and security. We adhere to all applicable regulations and guidelines to ensure that the data we process is protected from unauthorized access, disclosure, alteration, and destruction. Our practices are designed to protect the confidentiality and integrity of your personal data while delivering the services you expect from us in the best possible way.
Data Controller:
R3ASON GmbH
Westhafentower, Westhafenplatz 1, 60327 Frankfurt am Main, Germany
We do not have a designated Data Protection Officer (DPO), but we remain fully committed to your data protection concerns. If you have any questions or need more information about how we manage personal data, please feel free to contact us:
Your privacy is our priority. We are committed to processing your personal data transparently and with consideration for your security. This commitment extends to our collaboration with third-party providers who process personal data on our behalf, such as when sending invoices. All activities are conducted in strict compliance with applicable data protection laws.
2. Scope and Application
Our privacy policy is designed to protect the personal data of all our stakeholders, including visitors to our website, registered users, and customers.
Whether you are simply browsing our website n3xt-cx.io, using our services as a registered user, or working with us as a valued customer, we ensure that your personal data is processed in accordance with the highest privacy and security standards.
This privacy policy sets out our practices and your rights regarding personal data.
3. Data Collection and Processing
Our commitment to transparency and privacy extends to how we collect and use your personal data. We collect personal data through various interactions, including but not limited to when you use our services or products such as consulting, or provide us with information directly.
The following is a list of personal data types we may process:
- First and last name
- Email address and/or phone number
- IP address
- Browser information and language
- Operating system and version
- Interaction logs (e.g., clicks, time on pages)
- IP-based approximate location
Please note that we only process information that is necessary for the provision of our services, compliance with legal obligations, or improvement of your user experience. Your privacy is our top priority, and we are committed to handling your personal data responsibly and in accordance with all applicable laws.
The data we collect serves multiple purposes:
- Customizing user experience
- Content delivery
- Communication measures
- Analytics and performance tracking
- Marketing and advertising (only with consent)
- Research and development
- Customer support
- User retention and engagement
- User feedback and satisfaction
Your privacy is our priority. We process your personal data transparently and in accordance with your preferences and applicable data protection laws. We are committed to ensuring that your data is only used for the purposes for which it was collected and in a manner that you have approved.
4. Data Storage and Protection
We implement comprehensive technical and organizational measures to protect your personal data from unauthorized access, loss, destruction, or manipulation (Art. 32 GDPR).
Personal data is stored on secure servers in the EU, USA, and UK. For services that require international data transfer, we ensure that these transfers comply with all applicable laws and maintain data protection standards equivalent to those at our primary location.
We work with reputable data hosting providers who are committed to applying state-of-the-art security measures. These partners are selected based on their compliance with strict data protection standards.
Data Protection Measures:
- Encryption: To protect data during transmission and at rest, we employ robust encryption technologies. All data transfers between your browser and our servers are encrypted using SSL/TLS (HTTPS).
- Access Control: Access to personal data is strictly limited to authorized personnel with a legitimate business need. We enforce strict access controls and regularly review permissions.
- Abuse Protection: Rate limiting mechanisms protect against automated attacks and abuse.
Privacy by Design
We consider data protection requirements during system development (Art. 25 GDPR). Examples: CX Navigator responses are not stored (data minimization), and IP addresses are hashed or anonymized.
In accordance with GDPR Article 5(1)(e), we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable legal obligations. The specific retention period depends on the nature of the data and processing purpose: data processed for contractual purposes is retained for the duration of the business relationship plus any legally required retention periods; data processed based on consent is retained until consent is withdrawn; and data processed for legitimate interests is retained only as long as the legitimate interest persists. Upon expiration of the applicable retention period, your personal data will be securely deleted or anonymized.
5. Data Sharing and Disclosure
At N3XT:CX, we are committed to protecting your personal data and ensuring that it is treated with the utmost respect. This commitment extends to how we handle the sharing and disclosure of your data.
We may share your data with third-party providers who provide services on our behalf. These trusted parties may have access to personal data on a need-to-know basis and are contractually obligated to treat your data confidentially.
Service Providers:
| Service | Provider | Purpose(s) | Data Types | DPA |
|---|---|---|---|---|
| PostHog | PostHog Inc. (USA) | Analytics, UX Optimization | IP address, Browser, OS, Interaction logs, Approximate location | DPA |
| Vercel | Vercel Inc. (USA) | Hosting, Performance | IP address, Approximate location, Interaction logs, Browser | DPA |
| Brevo | Sendinblue GmbH (DE) | Email Marketing, Content Delivery | First and last name, Email address, Phone number, IP address, Browser, OS | DPA |
| Upstash | Upstash Inc. (USA) | Rate Limiting (Abuse Protection) | IP address (hashed, max. 1h retention) | DPA |
| Cal.com | Self-hosted (cal.msrcx.com) | Appointment Booking | First and last name, Email address, Booking details | N/A (self-hosted) |
Data Processing Agreements
When we share your data with third-party providers, we do so under the protection of Data Processing Agreements (Art. 28 GDPR), ensuring that your information is managed in accordance with GDPR and other applicable data protection laws.
We believe in transparency and that you have control over your personal data. You will always be informed of any significant changes to our sharing practices and will have the opportunity to consent to these changes where appropriate.
Your trust is important to us. If you have questions or concerns regarding the sharing and disclosure of personal data, please contact us at datenschutz@r3ason.io.
6. User Rights and Choices
At N3XT:CX, we recognize and respect your rights regarding your personal data, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We are committed to enabling you to exercise your rights effectively.
Your rights under the GDPR:
- Right of Access (Art. 15 GDPR): You have the right to request access to the personal data we hold about you and to receive information about how we process it.
- Right to Rectification (Art. 16 GDPR): If you believe that the personal data we hold about you is inaccurate or incomplete, you have the right to request its correction or completion.
- Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data when, among other things, it is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data under certain conditions.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
- Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data under certain conditions, including processing for direct marketing.
- Right to Withdraw Consent (Art. 7(3) GDPR): If the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates applicable data protection laws.
To exercise any of these rights, please contact us at datenschutz@r3ason.io or +49 (0) 69 15320 1801. We will respond to your request in accordance with applicable data protection laws and within the time frames prescribed by those laws.
Competent Supervisory Authority:
Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
You may also contact the supervisory authority of your habitual residence or place of work.
7. Cookies and Tracking Technologies
At N3XT:CX, we value your privacy and are committed to being transparent about our use of cookies and other tracking technologies on our website n3xt-cx.io. These technologies play a crucial role in ensuring the smooth operation of our digital platforms, enhancing your user experience, and providing insights that help us improve.
Cookies are small files placed on your device that allow us to store your preferences and collect information about your website usage. Tracking technologies, such as web beacons and pixel tags, help us understand how you interact with our website and which pages you visit.
How we use these technologies:
- Essential Cookies (n3xtcx_cc): Stores your cookie consent preferences. Necessary for website functionality. Does not require consent.
- Performance and Analytics Cookies (ph_*): PostHog cookies for anonymized usage analysis. Collect information about how visitors use our website. Only set with your consent.
On your first visit to our website, a banner will be displayed where you can give your consent to cookies.
Your choices and consent:
- Accept All Cookies: You consent to the use of all cookies and tracking technologies.
- Reject Non-Essential Cookies: Only essential cookies will be used to provide you with necessary website functionality.
- Customize Your Preferences: Choose which categories of cookies you wish to allow.
You can change your cookie settings at any time via the 'Cookie Settings' link in the footer.
We may update our use of cookies and tracking technologies to improve our services or comply with legal requirements. We will inform you of any significant changes and obtain your consent where appropriate.
If you have any questions or concerns about our use of cookies and tracking technologies, please do not hesitate to contact us at datenschutz@r3ason.io. Your privacy and the integrity of your personal data are of the utmost importance to us.
8. International Data Transfers
At N3XT:CX, we may transfer your personal data to locations outside your country of residence, including countries whose data protection laws may differ from those in your jurisdiction. We want to assure you that such transfers are carried out with the utmost care and in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR).
Some of our service providers are based in the United States. To ensure adequate protection for your personal data when transferred to the US, we rely on the following legal mechanisms in accordance with GDPR Articles 44-49:
Transfer Mechanisms:
- EU-US Data Privacy Framework (DPF): Our US-based providers PostHog, Vercel, and Upstash are certified under the EU-US Data Privacy Framework, which has been recognized as providing an adequate level of data protection by the European Commission.
- Standard Contractual Clauses (SCCs): As an additional safeguard, we maintain Standard Contractual Clauses (SCCs) approved by the European Commission with our US-based service providers, ensuring contractual protection of your data.
- UK International Data Transfer Agreement: For transfers from the UK, we utilize the UK IDTA or UK Addendum to the SCCs to ensure compliance with UK GDPR requirements.
Data Privacy Framework Verification
You can verify the DPF certification status of our US service providers at dataprivacyframework.gov. Our providers' compliance is monitored through their Data Processing Agreements.
9. Direct Marketing and Communication
At N3XT:CX, we may use your personal data to send you direct marketing communications about our products, services, promotions, and other relevant information that we believe may be of interest to you. We are committed to ensuring that our direct marketing practices are transparent and lawful, in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Obtaining Consent for Direct Marketing:
- Opt-In Consent: We obtain your explicit consent before sending you direct marketing communications, where required by law. This means you have the opportunity to actively opt in to receiving marketing messages from us before we send them to you.
- Opt-Out Option: Every direct marketing communication we send contains clear instructions on how you can unsubscribe from receiving future marketing communications. You can exercise your right to unsubscribe at any time, and we will promptly comply with your request to stop sending you marketing messages.
We may use your personal data to send you direct marketing communications through various channels, including:
Types of Direct Marketing Communication:
You have control over the direct marketing communications you receive from us. You can manage your communication preferences by using the unsubscribe link in our marketing emails.
10. Data Breach Notification Procedures
At N3XT:CX, we are aware of the importance of protecting your personal data and take proactive measures to secure it. In the event of a data breach that poses a risk to your rights and freedoms, we have established clear procedures to promptly identify, assess, and mitigate the impact of the breach. Our data breach notification procedures are designed to comply with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR).
Detection and Assessment:
- Internal Monitoring: We employ robust security measures and monitoring systems to immediately detect and respond to potential data breaches.
- Breach Impact Assessment: Upon discovery of a data breach, we conduct a thorough assessment to determine the nature and extent of the breach, including the types of personal data affected and the potential impact on affected individuals.
Notification Obligations:
- Supervisory Authorities: Where required by law, we will notify the relevant data protection authorities of the data breach within 72 hours of becoming aware of it, in accordance with GDPR Article 33(1).
- Affected Individuals: If a data breach poses a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with GDPR Article 34(1), and provide clear and precise information about the breach, the types of personal data affected, and the steps you can take to protect yourself.
We would notify affected individuals by email using the contact information provided to us, where possible and appropriate.
In the event of a data breach, we are committed to providing affected individuals with the necessary support and assistance, including guidance on steps they can take to mitigate the potential risks associated with the breach.