Privacy Policy
Last updated: March 2026
This privacy policy explains how neexo ApS (CVR no.: 46273125) ("we", "us" or "our") collects, processes, stores and protects your personal data when you use the Neexo Configurator platform ("the Platform"), in accordance with the EU General Data Protection Regulation (GDPR) 2016/679.
1. Data Controller
neexo ApS is the data controller for all personal data processed through the Platform.
neexo ApS
CVR no.: 46273125
Andkærvej 19, 7100 Vejle, Denmark
Email: hello@neexo.dk
Phone: +45 31 65 54 60
We have not appointed a Data Protection Officer (DPO) as we are not required to do so under GDPR Article 37.
2. Personal Data We Collect
The Platform is a B2B SaaS tool. Access requires authentication through an organisational account. We collect and process only the data necessary to deliver the service:
- Account identity: User ID, name, and email address — provided and managed by Clerk (our authentication provider). We store a reference to your user ID in our database but do not independently store your password.
- Configuration data: Machine selections, module choices, notes, and any customer name you enter when saving a configuration. This data is associated with your user ID and organisation.
- Usage events: In-app events (e.g. machine selected, render requested) including a snapshot of your name and email at the time of the event, for internal analytics and product improvement.
- Draft configurations: Automatically saved session state, scoped to your user ID and organisation.
- Uploaded files: 3D model files (GLB) and rendered images uploaded by Studio administrators, stored in Cloudflare R2 object storage.
- Error and performance data: Technical error reports are sent to Sentry. Session replay is enabled only on errors; all text content and media are masked before transmission, and no readable personal data is included in error reports.
- Preference data: Display preferences such as dimension units (mm/cm/m/ft), stored per user.
We do not collect sensitive personal data (special categories under GDPR Article 9).
3. Purpose and Legal Basis for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Authenticating and authorising users | Contract performance (6(1)(b)) — necessary to provide the service |
| Storing and serving machine configurations | Contract performance (6(1)(b)) |
| Usage analytics and product improvement | Legitimate interest (6(1)(f)) |
| Error monitoring and platform stability | Legitimate interest (6(1)(f)) |
| Billing and invoicing (if applicable) | Legal obligation (6(1)(c)) and contract performance (6(1)(b)) |
We do not use your personal data for automated profiling or automated individual decision-making under GDPR Article 22.
4. Sub-processors and Data Transfers
We use the following sub-processors to operate the Platform. All are subject to Data Processing Agreements (DPAs) and transfer mechanisms compliant with GDPR Chapter V (Standard Contractual Clauses or adequacy decisions):
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication, user sessions, organisation management | USA (SCCs) |
| Neon (database) | PostgreSQL database hosting | EU (AWS eu-central-1) |
| Cloudflare R2 | Object storage (3D models, rendered images) | EU region |
| Vercel | Application hosting and edge network | USA/EU (SCCs) |
| Sentry | Error monitoring (text masked, no readable personal data) | USA (SCCs) |
We do not sell your personal data to third parties.
5. Retention Periods
| Data type | Retention period |
|---|---|
| Account identity (held by Clerk) | Until account or organisation is deleted |
| Saved configurations and version history | Until deleted by the user or organisation offboarding |
| Draft configurations | Until overwritten or organisation offboarding |
| Usage analytics events (name/email snapshots) | 12 months from event date, then automatically deleted |
| Uploaded files (GLB models, rendered images) | Until deleted by a Studio administrator or organisation offboarding |
| Error reports (Sentry — masked) | 90 days (Sentry default) |
6. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Have inaccurate data corrected.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18): Request that processing be restricted under certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
To exercise your rights, contact us at hello@neexo.dk. We will respond within 30 days. You may also lodge a complaint with the Danish Data Protection Agency (Datatilsynet): www.datatilsynet.dk.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Authentication and role-based access control via Clerk (supporting MFA)
- Organisation-scoped data isolation — users can only access data within their own organisation
- Error monitoring with all personal data masked before transmission
- Regular security updates and dependency patching
8. Cookies and Local Storage
The Platform uses the following browser storage:
- Clerk session cookies: Strictly necessary for authentication. Cannot be disabled without losing access to the Platform.
- localStorage (configuration state): Your current machine selections and module choices are stored locally in your browser so your session is preserved on page reload. This data remains on your device and is not transmitted unless you explicitly save a configuration.
We do not use third-party tracking cookies or advertising cookies.
9. Changes to This Policy
We may update this policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of the Platform after a change constitutes acceptance of the updated policy. For significant changes, we will notify administrators via email.
10. Contact
For questions about this privacy policy or to exercise your GDPR rights, contact us at hello@neexo.dk or by post: neexo ApS, Andkærvej 19, 7100 Vejle, Denmark.