Privacy Policy

Your privacy is important to us. It is NexVigilant, LLC's policy to respect your privacy regarding any information we may collect from you across our website and services. This policy outlines how we collect, use, and protect your information in a transparent manner aligned with our core values of independence and integrity.

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us when you:

• Create an account (email address, password, display name)
• Update your profile (biographical information, professional details such as job title, employer, and areas of expertise)
• Use our services (capability pathway progress, job applications, community posts)
• Contact us for support (email correspondence, feedback)
• Subscribe to newsletters or marketing communications
• Make purchases or subscribe to paid services

1.2 Information We Collect Automatically

When you access or use our services, we automatically collect:

• Usage Data: Pages viewed, features used, time spent on pages, navigation paths
• Device Information: Browser type, operating system, device type, screen resolution
• Analytics Data: Interactions with buttons, forms, and other elements (tracked via Vercel Analytics)
• Authentication Data: Sign-in method (email/password or Google OAuth), sign-in timestamps
• Security Data: Device and browser characteristics for bot detection (BotID), IP address (anonymized), interaction patterns for fraud prevention

1.3 Do Not Track (DNT)

We respect browser Do Not Track (DNT) signals. Our analytics systems are designed with privacy-first principles and do not engage in cross-site tracking.

2. How We Use Your Information

We use the information we collect to:

• Provide Services: Operate and maintain your account, deliver capability pathways, process applications
• Improve Our Platform: Analyze usage patterns to enhance user experience and fix issues
• Communicate: Send service updates, security alerts, and support messages
• Security: Detect and prevent fraud, abuse, and security incidents
• Compliance: Meet legal obligations and enforce our terms of service
• AI-Powered Features: Provide personalized recommendations and intelligent assistance (see Section 3.5)

We do NOT sell your personal information to third parties. We do NOT share your data with pharmaceutical companies or other industry entities for marketing purposes, in accordance with our founding principles of independence.

2.1 Data Minimization

We adhere to the principle of data minimization. We only collect personal information that is necessary for the specific purposes described in this policy. We do not collect data "just in case" it might be useful later. When data is no longer needed for its original purpose, we delete or anonymize it in accordance with our retention schedule.

2.2 Professional Information Protection

We understand that your professional details (job title, employer, credentials, areas of expertise) are provided in trust. We commit to:

• Never sharing your professional information with your employer, regulatory bodies, or third parties without your explicit consent or legal requirement
• Never using your professional data for purposes other than providing and improving our services
• Allowing you to control the visibility of professional information within the community (public, members-only, or private)

2.3 How We Obtain Consent

Where we rely on consent as a legal basis for processing, we obtain it through clear, affirmative actions:

• Marketing Communications: Opt-in checkbox during registration or in account settings (unchecked by default)
• Behavior Tracking: Explicit opt-in via the behavior tracking preference in your account settings
• Community Features: Accepting community guidelines when joining forums or posting content

You can withdraw consent at any time through your account settings or by contacting us at privacy@nexvigilant.com. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

3. Analytics, Tracking, and AI Features

3.1 Firebase Services

We use Google Firebase for authentication and data storage. Firebase may collect device and usage information for service operation and security. Learn more: firebase.google.com/support/privacy

3.2 Vercel Analytics

We use Vercel Analytics to monitor site performance and usage. Vercel Analytics collects:

• Page views and unique visitors (anonymized)
• Geographic location (country/region level only)
• Referral sources
• Device type and browser information

Vercel Analytics is privacy-friendly and GDPR compliant:

• ✓ No cookies or persistent identifiers
• ✓ All data is anonymous and aggregated
• ✓ No cross-site tracking
• ✓ Data stored in accordance with privacy regulations

Learn more: Vercel Analytics Privacy Policy

3.3 Vercel Speed Insights

We use Vercel Speed Insights to monitor and improve site performance. Speed Insights collects:

• Page load times and performance metrics
• Core Web Vitals scores
• Browser and device performance data

Speed Insights data is anonymized and used solely for performance optimization. No personal information is collected.

3.4 Bot Detection and Security (BotID)

We use Vercel BotID to protect our services from automated abuse, spam, and fraudulent activity. BotID works by:

• Running JavaScript challenges on your browser to verify you are a real person
• Analyzing device and browser characteristics (fingerprinting) for security purposes
• Monitoring interaction patterns to detect automated behavior

What BotID protects:

• Account creation and sign-in (prevents fake accounts)
• Form submissions (prevents spam on contact and waitlist forms)
• Payment processing (prevents fraud and abuse of trials)
• Content access (prevents scraping and unauthorized access)

Privacy safeguards:

• ✓ Bot detection runs transparently - no CAPTCHA challenges for legitimate users
• ✓ Data is used only for security purposes, not for tracking or marketing
• ✓ Results are processed in real-time and not permanently stored
• ✓ No personal information is collected beyond what is necessary for bot detection

BotID is essential for maintaining platform integrity and protecting all users from abuse. Learn more: Vercel Security Documentation

3.5 Artificial Intelligence Features

We use Google's Gemini AI (via Firebase Genkit) to power certain features of our platform, including:

• Personalized learning recommendations
• Content summarization and explanations
• Intelligent search and discovery
• Assessment feedback and guidance

How AI processes your data:

• When you use AI-powered features, relevant context (such as your question or the content you're viewing) is sent to Google Cloud AI services for processing
• We do NOT use your personal data to train AI models
• AI responses are generated in real-time and not stored by Google for model improvement
• Your interactions with AI features are subject to our standard data retention policies

AI processing is covered by Google Cloud's Data Processing Terms. Learn more: Google Cloud Data Processing Addendum

4. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds under GDPR:

Where we rely on legitimate interests, we have conducted balancing tests to ensure your rights and freedoms are not overridden. You may object to processing based on legitimate interests by contacting us at privacy@nexvigilant.com.

5. Data Storage and Security

We store your data using industry-standard security measures:

• Encryption: Data is encrypted in transit (HTTPS/TLS 1.3) and at rest (AES-256)
• Access Controls: Only authorized personnel can access user data, with role-based permissions
• Authentication: Firebase Authentication with secure password hashing (bcrypt)
• Firestore Security: Database rules prevent unauthorized access with user-level granularity
• Infrastructure: Hosted on Google Cloud Platform and Vercel with SOC 2 Type II compliance

While we implement strong security measures, no internet transmission is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users and relevant authorities of any data breaches within 72 hours as required by GDPR.

5.1 Security Certifications and Audits

We rely on infrastructure providers with recognized security certifications:

• Google Cloud Platform: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS
• Vercel: SOC 2 Type II certified
• Stripe: PCI DSS Level 1 (highest level for payment processors)

We conduct regular security reviews of our application code and access controls. We are committed to achieving independent security certifications as we scale, and will update this policy accordingly.

6. Data Retention

We retain your information for specific periods based on the type of data and our legal obligations:

When you delete your account, we will delete or anonymize your personal information within 30 days, except where longer retention is required by law (such as payment records).

Data in Backups: Deleted data may persist in encrypted backups for up to 30 additional days before being automatically purged. Backup data is not actively processed and is protected by the same security measures as primary data.

7. Cookies and Local Storage

We use cookies and browser local storage for:

• Essential/Authentication: Keeping you signed in securely
• Preferences: Remembering your settings and choices
• Security: Fraud prevention and bot detection

7.1 Cookies

We use the following cookies:

Note: Vercel Analytics does not use cookies. We do not use advertising or tracking cookies.

7.2 Local Storage Keys

We store the following data in your browser's localStorage:

You can clear this data at any time through your browser settings (Settings → Privacy → Clear browsing data → Cookies and site data).

You can control cookies through your browser settings. Disabling essential cookies may prevent you from signing in or using certain features.

8. Third-Party Services and Subprocessors

We use the following third-party services to operate our platform. These entities process data on our behalf under data processing agreements:

8.1 Payment Processing (Stripe)

When you make a payment, Stripe processes your transaction. Stripe collects:

• Payment card details (we never see or store your full card number)
• Billing name and address
• Transaction history and amount
• Device information for fraud prevention

Stripe is PCI DSS Level 1 compliant (the highest level of certification). For fraud prevention purposes, Stripe acts as an independent data controller. See Stripe's Privacy Policy for details.

9. Your Rights and Choices

You have the right to:

• Access: Request a copy of your personal data in a portable format
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data
• Portability: Export your data in a machine-readable format (JSON)
• Restriction: Request we limit processing of your data
• Objection: Object to processing based on legitimate interests
• Opt-Out: Enable Do Not Track (DNT) in your browser to prevent analytics tracking
• Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, contact us at privacy@nexvigilant.com. We will verify your identity before fulfilling requests and respond within 30 days (or sooner where required by law). Some requests may be limited where we must retain data for legal, security, or compliance reasons.

10. International Data Transfers

Your information is processed primarily in the United States, where our service providers are located. If you are located outside the United States, your data will be transferred internationally.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards for international transfers through:

• Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms with our processors
• Data Privacy Framework: Our key providers (Google, Stripe, Vercel) are certified under the EU-U.S. Data Privacy Framework
• Supplementary Measures: Encryption in transit (TLS 1.3) and at rest (AES-256)

You may request a copy of the SCCs by contacting privacy@nexvigilant.com.

11. Children's Privacy

Our services are designed for professionals and are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete such information.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by:

• Posting a prominent notice on our website
• Sending you an email (for registered users)
• Updating the "Last updated" date at the top of this policy

Your continued use of our services after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

13.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories:

• Identifiers: Name, email address, account name
• Professional Information: Job title, employer, professional credentials
• Internet Activity: Browsing history, search history, interaction with our services
• Geolocation: Country/region level only (not precise location)
• Inferences: Preferences and characteristics derived from your activity

13.2 Your California Rights

• Right to Know: Request disclosure of personal information collected, sources, purposes, and third parties shared with
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do NOT sell your personal information or share it for cross-context behavioral advertising
• Right to Limit Use of Sensitive Information: We do not collect sensitive personal information as defined by CPRA
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

13.3 How to Exercise Your Rights

Submit requests to privacy@nexvigilant.com or call us at the number below. We will verify your identity and respond within 45 days.

Do Not Sell or Share My Personal Information: We do not sell or share personal information. No opt-out action is required.

14. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right not to be subject to automated decision-making (we do not make solely automated decisions with legal effects)

14.1 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with a supervisory authority. For EEA residents, you can find your local authority at: European Data Protection Board Members. For UK residents, contact the Information Commissioner's Office (ICO).

We encourage you to contact us first at privacy@nexvigilant.com so we can address your concerns directly.

Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

• Email: privacy@nexvigilant.com
• Mail: NexVigilant, LLC
  Attn: Privacy Team
  95 Spring Street
  Swansea, MA 02777
  United States

For privacy inquiries, we aim to respond within 5 business days. For formal data rights requests, we will respond within 30 days (or the timeframe required by applicable law).