Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Nairux, Inc. and its affiliates ("Nairux," "we," "us," or "our") process personal information collected through:

- our public websites and online properties (including nairux.io and any subdomains that link to this Policy); - our marketing, sales, demonstration, and event activities; - email, telephone, chat, and other direct communications between you and Nairux; - customer support inquiries and other support channels; - marketing and newsletter subscriptions; and - account registration and administration for the Nairux platform (the "Service").

This Policy does not apply to personal information that Customer or its Authorized Users process through the Service in the ordinary course of using the Service, including (without limitation) network configurations, device telemetry, credentials, access logs, and other Customer Data. For such information, Customer is the data controller, Customer's own privacy policy applies, and Nairux acts solely as a data processor in accordance with the agreement between Nairux and Customer (including any applicable Data Processing Agreement). Please direct questions about such processing to Customer in the first instance.

By accessing or using our websites or otherwise interacting with us, you acknowledge that you have read and understood this Policy. This Policy may be supplemented by separate notices, terms, or agreements that govern your specific interactions with us. In the event of a conflict between this Policy and any such supplemental notice or agreement, the supplemental notice or agreement will prevail with respect to the relevant processing.

Capitalized terms used but not defined in this Policy have the meanings given in our Terms of Service or in the applicable agreement between Nairux and the customer that engaged you ("Customer").

2. Our Role

For the personal information within the scope of this Policy (as described in Section 1), Nairux acts as the data controller (or, where applicable under U.S. state privacy laws, the "business").

For personal information processed on behalf of Customer in connection with Customer's use of the Service, Nairux acts as a data processor (or, where applicable, a "service provider") and processes such information solely in accordance with Customer's documented instructions and the applicable agreement between Nairux and Customer, including any Data Processing Agreement. Such processing is outside the scope of this Policy. If you have questions about how Customer uses your personal information, please direct those questions to Customer.

This Policy does not apply to personal information collected, used, or otherwise processed by third parties, including through third-party websites, services, or applications that integrate with or are accessed through the Service or our websites. We encourage you to review the privacy practices of any such third parties.

3. Information We Collect

Within the scope described in Section 1, we collect information in the following ways and from the following sources, in each case to the extent reasonably necessary to operate our websites, communicate with you, administer accounts, and comply with applicable law:

Information you provide to us. When you create or administer an account, request a demonstration, subscribe to a newsletter or marketing communications, attend an event, participate in a survey, register for or download content, contact our sales, support, or other teams, submit a job application, or otherwise interact with us directly, you may provide information such as your name, business email address, telephone number, company name, job title or role, postal or business address, billing and payment information, content of your communications, and any other information you elect to provide. You are responsible for the accuracy of information you provide and should not provide more information than is reasonably necessary for the relevant interaction.

Information we collect automatically. When you access our websites, our systems and those of our service providers automatically collect certain information, including (without limitation) standard device and browser information (such as device type, operating system, browser type, and language settings), screen and connection information, general location information derived from network metadata such as IP address ranges, referring and exit pages, time and date of access, and information generated as you interact with our websites and their content.

Information from third parties. We may receive information about you from third parties, including (without limitation) identity providers (such as those used for single sign-on), business partners and resellers, professional services providers, marketing and lead-generation partners, social media platforms (where you have made such information publicly available or have authorized the disclosure), and publicly available sources, in each case to the extent permitted by applicable law and subject to any restrictions communicated by such third parties.

Cookies and similar technologies. We and our service providers use cookies, pixels, web beacons, software development kits, local storage, and similar technologies on our websites. See Section 8 ("Cookies and Similar Technologies") for additional information regarding our use of such technologies and the choices available to you.

4. How We Use Information

We use the information we collect for the following purposes:

To provide, operate, and improve the Service, including to register and authenticate users, manage accounts, deliver Service features and updates, develop new features, and maintain Service quality and reliability.

To communicate with you, including to respond to inquiries, provide customer support, send transactional and Service-related communications, and (where permitted by applicable law) send marketing and promotional communications about Nairux products and services.

To ensure the security and integrity of the Service, including to detect, investigate, prevent, and respond to security incidents, fraud, abuse, technical issues, and violations of our terms or applicable law.

To comply with legal and regulatory obligations, respond to lawful requests from public authorities, exercise or defend legal claims, and protect the rights, property, or safety of Nairux, our users, or others.

To conduct research and analytics, including to understand how the Service is used, measure the effectiveness of our marketing, and develop new offerings.

For any other purpose with your consent or as otherwise permitted by applicable law.

We do not sell personal information for monetary consideration. We do not use personal information for advertising on third-party platforms, behavioral profiling unrelated to the Service, or other purposes that would be inconsistent with this Policy.

5. Legal Bases for Processing (EEA, UK, Switzerland)

Where the General Data Protection Regulation (Regulation (EU) 2016/679), the United Kingdom General Data Protection Regulation, or the Swiss Federal Act on Data Protection applies, we process personal information based on one or more of the following legal bases:

Performance of a contract — where processing is necessary to enter into or perform a contract with you (or with the Customer that engaged you).

Legitimate interests — where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests or fundamental rights. Our legitimate interests include operating, securing, and improving the Service; communicating with you about products and services; conducting research and analytics; and protecting Nairux and others from fraud, abuse, and security threats.

Compliance with legal obligations — where processing is necessary to comply with applicable law, regulation, or legal process.

Consent — where you have given us consent to process your personal information for a specific purpose. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Where we rely on legitimate interests, you have the right to object to such processing as described in Section 11.

6. How We Share Information

We share personal information only in the limited circumstances described in this Section.

Service providers. We engage third-party service providers to perform services on our behalf, including (without limitation) cloud infrastructure and hosting providers, communications and email delivery providers, payment processors, customer support tools, analytics providers, information security providers, and professional advisors. Such service providers are granted access only to the information reasonably necessary to perform the services we have engaged them to provide and are bound by contractual obligations to process information solely in accordance with our instructions, only for the purposes for which it was provided, and consistent with the protections described in this Policy and applicable law.

Affiliates. We may share information with our affiliates, parent entities, and subsidiaries for purposes consistent with this Policy and subject to confidentiality obligations no less protective than those set forth herein.

Business transfers. In the event of a merger, acquisition, consolidation, financing, reorganization, bankruptcy, receivership, sale of company assets, transition of service to another provider, or similar corporate transaction, we may share information with the counterparties, advisors, and other persons reasonably involved in such transaction. We will require any successor entity to honor the commitments made in this Policy or to provide affected individuals with reasonable advance notice of any material changes.

Legal compliance and protection. We may disclose information when we determine in good faith that disclosure is reasonably necessary to (i) comply with applicable law, regulation, legal process, subpoena, court order, or lawful governmental request; (ii) enforce our agreements, including these Terms and our Acceptable Use Policy; (iii) detect, investigate, prevent, or respond to fraud, security incidents, abuse, or technical issues; or (iv) protect the rights, property, or safety of Nairux, our users, or any other person. Where legally permitted and operationally feasible, we will notify the affected Customer in advance of any such disclosure that involves Customer Data.

With your consent or at your direction. We may share information with third parties when you direct us to do so or have otherwise provided your informed consent, including in connection with optional features or integrations you elect to enable.

Aggregated or de-identified information. We may share information that has been aggregated, anonymized, or otherwise de-identified in a manner that does not reasonably identify an individual, for purposes such as research, analytics, benchmarking, and Service improvement.

A current list of the material subprocessors that process Customer Data on Nairux's behalf is made available to Customers upon request through their Nairux account team, and Customers receive advance notice of any material changes to such list in accordance with the applicable Customer Agreement or Data Processing Agreement.

7. International Data Transfers

Nairux is headquartered in the United States, and we may process personal information in the United States and other countries where we or our service providers operate. The data protection laws in these countries may differ from those in your country of residence.

Where required by applicable law, we implement appropriate safeguards for international transfers of personal information, including the Standard Contractual Clauses adopted by the European Commission, the United Kingdom International Data Transfer Agreement or Addendum, the Swiss Federal Data Protection and Information Commissioner-recognized clauses, or other lawful transfer mechanisms.

By using the Service or providing information to us, you understand that your personal information may be transferred to and processed in jurisdictions outside your country of residence, subject to the safeguards described above.

8. Cookies and Similar Technologies

We and our service providers use cookies, web beacons, pixels, local storage, and similar technologies (collectively, "cookies") to operate and improve the Service.

Strictly necessary cookies enable core Service functionality, including authentication, session management, security, and load balancing. These cookies cannot be disabled without impairing the Service.

Functional cookies remember your preferences and settings, such as language and display preferences.

Analytics cookies help us understand how the Service is used, measure performance, and improve our offerings.

You may control the use of cookies through your browser or device settings. Disabling certain cookies may impair the functionality of the Service. Where required by applicable law, we obtain consent before placing non-essential cookies on your device.

9. Data Retention

We retain personal information for as long as is reasonably necessary to fulfill the purposes for which it was collected, including to provide and administer the Service, maintain the security and integrity of the Service, comply with our legal, regulatory, tax, accounting, audit, and reporting obligations, resolve disputes, enforce our agreements, and protect our legal rights.

The criteria we use to determine appropriate retention periods include, without limitation, the nature, scope, and sensitivity of the information; the purposes for which we process the information; the potential risk of harm from unauthorized access, use, or disclosure; the applicable legal, regulatory, and contractual obligations to which we are subject; the existence of legitimate business needs warranting continued retention; and whether the relevant purposes can be achieved through other means, such as de-identification, anonymization, or aggregation.

For personal information processed by us on behalf of Customer in connection with the Service, retention periods, return, and deletion are governed by the applicable Customer Agreement, any applicable Data Processing Agreement, and Customer's configuration of retention policies within the Service. Following the effective termination or expiration of Customer's subscription, Customer Data will be returned to Customer or deleted from production systems within the timeframe set forth in the applicable agreement, subject to any obligation to retain such information to comply with applicable law or to defend legal claims.

We may retain information that has been aggregated, anonymized, or otherwise de-identified for longer periods, including for analytics, research, benchmarking, and Service improvement purposes, provided such information cannot reasonably be used to identify an individual.

Backups and archives may persist for limited additional periods after deletion from production systems in accordance with our standard backup retention practices, after which time they are overwritten or deleted in the ordinary course.

10. Information Security

Nairux maintains a comprehensive, defense-in-depth information security program designed to protect the confidentiality, integrity, and availability of personal information and Customer Data. Our program is informed by leading industry frameworks and standards and incorporates administrative, technical, physical, and organizational safeguards reasonably designed to be appropriate to the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of natural persons.

Our security program includes, without limitation: documented information security policies reviewed on a periodic basis; access controls based on the principles of least privilege and need-to-know; identity and authentication controls for personnel access; secure development practices and code review; vulnerability management, monitoring, and incident response capabilities; regular security training for personnel; logical and physical separation of environments; and supplier and subprocessor due diligence and oversight.

We periodically review and update our security program to reflect changes in technology, applicable law, threats, and the evolving nature of our Service. While we devote substantial resources to the security of personal information, no method of transmission, storage, or processing is completely secure, and we cannot and do not guarantee absolute security.

If you believe that your account, your credentials, or any information you have provided to us has been compromised or is no longer secure, please contact us promptly at security@nairux.io so that we may take appropriate action.

11. Your Rights and Choices

Depending on your jurisdiction and subject to applicable law, you may have one or more of the following rights with respect to your personal information:

The right of access — to request confirmation of whether we process personal information about you and to obtain a copy of such information.

The right to rectification — to request correction of inaccurate, outdated, or incomplete personal information.

The right to erasure — to request deletion of your personal information in certain circumstances, subject to legal, regulatory, or contractual obligations that may require continued retention.

The right to restriction of processing — to request that we restrict the processing of your personal information in certain circumstances.

The right to data portability — to receive a copy of personal information you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that information to another data controller where technically feasible.

The right to object — to object to processing of your personal information based on our legitimate interests, including profiling, and to object at any time to processing for direct marketing purposes.

The right to withdraw consent — where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.

The right not to be subject to solely automated decision-making — including profiling that produces legal or similarly significant effects concerning you, except as permitted by applicable law.

The right to lodge a complaint — with a competent supervisory authority, regulator, or other appropriate body in your jurisdiction.

To exercise any of these rights, please contact us at privacy@nairux.io. We will respond to verifiable requests within the timeframe required by applicable law. We may request additional information from you to verify your identity and the scope of your request before responding, and we may decline requests to the extent permitted by applicable law (for example, where the request is manifestly unfounded or excessive, or where compliance would adversely affect the rights of others).

If your personal information is processed by us on behalf of Customer, you may need to direct your request to Customer in the first instance, and we will provide reasonable cooperation and support to Customer in responding to your request as required by our agreement with Customer.

12. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), provides you with certain rights regarding your personal information, including: the right to know what categories and specific pieces of personal information we have collected, used, disclosed, and shared; the right to delete personal information, subject to certain exceptions; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; the right to limit the use and disclosure of sensitive personal information; and the right to non-discrimination for exercising your CCPA rights.

In the twelve (12) months preceding the Effective Date of this Policy, we have collected the categories of personal information described in Section 3 for the business and commercial purposes described in Section 4 and have disclosed such information only to the categories of recipients described in Section 6. We have not sold personal information for monetary consideration and have not shared personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.

To exercise your rights under the CCPA, please contact us at privacy@nairux.io. We will respond to verifiable consumer requests within the timeframe required by the CCPA. You may also designate an authorized agent to submit requests on your behalf, subject to verification in accordance with applicable law.

For purposes of the CCPA's Notice at Collection requirements, the categories of personal information we collect, the purposes for which we use such information, and our retention practices are described in Sections 3, 4, and 9 of this Policy.

13. Children's Privacy

The Service is not directed to children under the age of eighteen (18) (or such lower minimum age as may be required by applicable law in your jurisdiction, such as sixteen (16) in the European Economic Area or thirteen (13) in the United States under the Children's Online Privacy Protection Act), and we do not knowingly solicit or collect personal information from such children. If we become aware that we have collected personal information from a child in violation of applicable law, we will take prompt steps to delete such information.

If you are a parent or legal guardian and you believe that a child has provided personal information to us without the consent required by applicable law, please contact us at privacy@nairux.io so that we may take appropriate action.

14. Third-Party Links and Services

The Service may contain links to, integrations with, or references to third-party websites, services, applications, or content that are not operated or controlled by Nairux. This Policy does not apply to information collected or processed by such third parties, and we are not responsible for the privacy or security practices of any third party.

Access to, and use of, third-party websites, services, applications, or content is at your own risk and is governed by the terms and privacy practices of the relevant third party. We encourage you to review such terms and privacy practices before providing any personal information to or otherwise interacting with any third party.

15. Do Not Track Signals

Certain web browsers and devices may transmit "Do Not Track" or similar signals indicating a user's preference not to be tracked across websites or online services. At present, there is no commonly agreed-upon standard for how online services should respond to such signals. Accordingly, the Service does not currently respond to "Do Not Track" signals or similar mechanisms. We continue to monitor developments in this area and may revise our practices as industry standards evolve.

16. Changes to This Policy

We may amend, modify, or update this Policy from time to time to reflect changes in our information practices, the Service, applicable law, regulatory guidance, or other factors. The "Effective Date" at the top of this Policy indicates when this Policy was last revised.

If we make material changes to this Policy, we will provide notice by posting the updated Policy on our website, sending notice through the Service, sending an email to the address associated with your account, or by other reasonable means designed to provide actual notice. Where required by applicable law, we will obtain your consent before implementing such changes.

Your continued access to or use of the Service after the Effective Date of the revised Policy constitutes your acceptance of the revised Policy. If you do not agree with the revised Policy, you must stop using the Service.

17. Contact Us

If you have questions, concerns, complaints, or requests regarding this Policy or our processing of personal information, please contact us using the following channels:

By email: privacy@nairux.io By mail: Nairux, Inc., Attn: Privacy, [Address]

For data subjects located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with a competent data protection supervisory authority. A list of supervisory authorities in the European Economic Area is available at edpb.europa.eu. The supervisory authority in the United Kingdom is the Information Commissioner's Office, available at ico.org.uk. The supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner, available at edoeb.admin.ch.

We encourage you to contact us first so that we may address your concerns directly.