Last updated: May 22, 2026 · Effective: May 22, 2026
Nexling is the data controller responsible for the personal data processed under this Privacy Policy.
Contact: info@nexling.app
Website: https://nexling.app
For privacy-related enquiries or to exercise your rights, please contact us at info@nexling.app with the subject line "Privacy Request".
This Policy applies to personal data we process about:
This Policy does not cover personal data processed within Your Content (translation strings you upload), where you act as the data controller and we act as your data processor. Our data processing role in respect of Your Content is described in Section 6.
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | First name, last name, email address, password (bcrypt-hashed), account creation date | Provided by you at registration |
| Billing data | Subscription plan, billing status, Paddle customer ID, subscription ID, transaction IDs | Received from Paddle (payment processor) |
| Usage data | Features used, API call counts, AI credit consumption, project and translation activity, export history | Collected automatically as you use the Service |
| Technical data | IP address, browser type and version, operating system, referring URL, session duration, HTTP request logs | Collected automatically via server logs and Google Analytics |
| Communication data | Emails you send us, support enquiries, feedback | Provided by you directly |
| Translation content | Source strings, translation strings, project names, webhook URLs, API keys (hashed) | Provided by you in the course of using the Service |
We do not intentionally collect sensitive personal data (special category data under GDPR). Please do not upload sensitive personal data in your translation content.
We rely on the following lawful bases under Article 6 GDPR:
| Purpose | Lawful Basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Providing the translation management Service | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments via Paddle | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (account confirmation, password reset, invoices) | Performance of a contract (Art. 6(1)(b)) |
| Sending onboarding and re-engagement emails | Legitimate interests (Art. 6(1)(f)) — improving user activation |
| Service analytics and usage monitoring | Legitimate interests (Art. 6(1)(f)) — operating and improving the Service |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting users and the Service |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Retention of financial records | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that these interests are not overridden by your rights and interests. You may object to processing based on legitimate interests — see Section 11.
We use personal data for the following purposes:
We do not: sell your personal data to third parties; use your translation content for AI model training; use your data for advertising; or make automated decisions that produce legal or similarly significant effects about you.
We share personal data only with trusted third-party processors necessary to operate the Service. All processors are bound by data processing agreements and are required to maintain appropriate technical and organisational security measures.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Paddle.com Market Limited | Payment processing, subscription management, tax collection (Merchant of Record) | Email, billing information, subscription status | UK / EU |
| Anthropic, PBC | AI translation (Claude Haiku / Sonnet) | Translation strings submitted for processing | USA |
| OpenAI, LLC | AI translation (GPT models) | Translation strings submitted for processing | USA |
| Google LLC | Machine translation (Google Translate API) | Translation strings submitted for processing | USA |
| Sentry (Functional Software, Inc.) | Error monitoring and crash reporting | Anonymised stack traces, request metadata (no personal content) | USA |
| Google Analytics (Google LLC) | Website analytics and usage statistics | IP address (anonymised), page views, session data | USA |
| Hosting provider (VPS) | Infrastructure, hosting, and data storage | All data stored on the Service | EU |
Your Content as data processor. When you upload content containing personal data (e.g., customer-facing website strings), you are the data controller and we act as your data processor. We process such data only on your instructions (i.e., to provide the Service) and do not use it for our own purposes.
Legal disclosures. We may disclose personal data to law enforcement, government bodies, or courts where required by law, to protect our rights, or to investigate fraud or security incidents. We will notify you of such disclosures where legally permitted.
Business transfers. In the event of a merger, acquisition, or sale of substantially all our assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections. We will notify users before such a transfer occurs.
Some of our third-party processors (Anthropic, OpenAI, Google, Sentry) are located in the United States. When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
You may request a copy of the applicable transfer mechanisms by contacting us at info@nexling.app.
AI engine data processing. Translation strings submitted to AI engines (Anthropic, OpenAI, Google) are transferred to and processed in the USA. These providers operate under their own API data processing terms, which include commitments not to use API-submitted data for model training.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion | To provide the Service; 30-day grace period for accidental deletion |
| Translation content (projects, terms, strings) | Until you delete it; account deletion triggers 30-day purge | To provide the Service |
| Billing records and transaction logs | 7 years from transaction date | Legal obligation (financial and tax regulations) |
| AI credit and usage logs | 3 years | Dispute resolution, abuse prevention |
| Server and HTTP request logs | 30 days rolling | Security and debugging |
| Error monitoring data (Sentry) | 90 days | Debugging and service improvement |
| Email communication records | 3 years from last interaction | Support and dispute resolution |
| Referral records | Duration of account | Credit tracking and dispute resolution |
When retention periods expire, data is securely deleted or anonymised. Anonymised, aggregated data may be retained indefinitely as it no longer constitutes personal data.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:
Despite these measures, no method of transmission over the internet is 100% secure. In the event of a personal data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and you within a reasonable timeframe, as required by GDPR Articles 33 and 34.
10.1 Cookies we use.
| Cookie / Storage | Type | Purpose | Duration |
|---|---|---|---|
| .AspNetCore.Identity.Application | Strictly necessary | Authentication session — keeps you logged in | Session / persistent (14 days if "Remember me") |
| nl-ref | Functional | Referral tracking — records which referral link brought you to sign-up | 7 days |
| lf-theme (localStorage) | Functional | Stores your dark/light mode preference — not transmitted to our servers | Persistent (client-side only) |
| nl-lang-{projectId} (localStorage) | Functional | Stores the last selected translation language for embedded nl.js — not transmitted to our servers | Persistent (client-side only) |
| _ga, _gid (Google Analytics) | Analytics | Anonymised website traffic analysis — helps us understand how visitors use nexling.app | 2 years / 24 hours |
| Anti-forgery token (__RequestVerificationToken) | Strictly necessary | Protects form submissions against CSRF attacks | Session |
10.2 Google Analytics. We use Google Analytics 4 to collect anonymised data about how visitors interact with nexling.app (pages visited, session duration, referral sources). IP addresses are anonymised before transmission to Google. Google Analytics does not receive your name, email, or translation content. You can opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on.
10.3 No advertising cookies. We do not use advertising, behavioural targeting, or third-party marketing cookies.
10.4 Managing cookies. You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in. Disabling analytics cookies will not affect your use of the Service.
Under the GDPR and applicable privacy laws, you have the following rights regarding your personal data. These rights may be subject to certain conditions and exceptions under applicable law.
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Obtain confirmation of whether we process your data and receive a copy | Email info@nexling.app or use the "Download my data" feature in account settings |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Update directly in account settings or email us |
| Erasure (Art. 17) | Request deletion of your account and personal data ("right to be forgotten") | Use "Delete account" in account settings, or email us |
| Restriction (Art. 18) | Request that we restrict processing of your data in certain circumstances | Email info@nexling.app |
| Portability (Art. 20) | Receive your translation data in a structured, machine-readable format | Export via JSON, PO, XLIFF, or RESX in the platform, or email us |
| Objection (Art. 21) | Object to processing based on legitimate interests (e.g., marketing emails) | Email info@nexling.app or use unsubscribe links in emails |
| Withdraw consent | Where processing is based on consent, withdraw it at any time | Email info@nexling.app |
| Complaint | Lodge a complaint with the relevant supervisory authority | See Section 15 for supervisory authority contact details |
We will respond to all rights requests within 30 days (extendable by a further 60 days for complex requests, with notice). We do not charge a fee for reasonable requests. We may ask you to verify your identity before fulfilling a request.
The Service is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us immediately at info@nexling.app and we will delete such data promptly.
We do not engage in automated decision-making or profiling within the meaning of GDPR Article 22 that produces legal or similarly significant effects on you. AI translation engines process your content solely to generate translations at your request — this is not profiling or automated decision-making about you as an individual.
Plan limit enforcement (e.g., restricting actions when you reach your plan quota) is automated processing that produces effects on your use of the Service, but it is based on simple rule-based logic derived from your contractual subscription, not profiling. You may contact us if you believe a limit has been applied in error.
We may update this Privacy Policy periodically to reflect changes in our data practices, the Service, or applicable law. For material changes, we will provide at least 14 days' advance notice by email to the address associated with your account.
The "Last updated" date at the top of this Policy indicates when it was most recently revised. We encourage you to review this Policy periodically. Your continued use of the Service following the effective date of any update constitutes acceptance.
Privacy enquiries: For questions, requests to exercise your rights, or concerns about this Privacy Policy, contact us at:
Email: info@nexling.app (subject: "Privacy Request")
Website: https://nexling.app
We aim to acknowledge all privacy enquiries within 72 hours and resolve them within 30 days.
Supervisory authority. If you are located in the European Union or EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or where the alleged infringement occurred.
A list of EU data protection authorities is available at: edpb.europa.eu/about-edpb/members.
If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.