Legal

Privacy Policy

This privacy policy describes how Nexus Creative Lab processes personal data across the website, account area, checkout flows, downloads, onboarding, feedback, support, and newsletter features.

English is the default language of this page. A German version is available directly through the EN/DE switch above.

Data controller

Mehdi Al Madani

Nexus Creative Lab

Adolfsallee 44

65185 Wiesbaden

Germany

Email: info@nexus-creative-lab.com

Your rights

Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint rights.

Supervisory authority

Hessian Commissioner for Data Protection and Freedom of Information


1. Scope

This privacy policy applies to the website, account area, license and checkout flows, downloads, support, feedback, newsletter, and onboarding processes of Nexus Creative Lab.

It explains which personal data we process, for which purposes, on which legal bases, and which rights you have under the GDPR.

2. Controller

The controller within the meaning of Article 4(7) GDPR is:

Mehdi Al Madani

Nexus Creative Lab

Adolfsallee 44

65185 Wiesbaden

Germany

Email: info@nexus-creative-lab.com

No data protection officer has currently been appointed because, based on the present business model and scope of processing, there is no legal obligation to do so.

If you have questions about privacy, access requests, corrections, deletion, or other data subject rights, you can contact us at the email address above.

3. Purposes and legal bases

We process personal data only to the extent necessary to provide the website, digital products, user accounts, payment flows, licensing, downloads, support, newsletters, analytics, marketing functions, and system security.

The main legal bases are Article 6(1)(a) GDPR for consent-based processing such as newsletters, Google Analytics, Meta Pixel, and other non-essential cookies, Article 6(1)(b) GDPR for contract performance and pre-contractual steps, Article 6(1)(c) GDPR for legal retention and documentation duties, and Article 6(1)(f) GDPR for legitimate interests such as system security, abuse prevention, product operations, debugging, and orderly support processes.

4. Categories of data we process

Depending on how you use the website and account area, we may process identity and contact data, account data, contract and payment data, product and license data, support and communication data, and technical usage data.

  • Name, email address, and optionally company name
  • Password-related or authentication data, session information, and account metadata
  • Selected products, plans, license keys, download history, and payment status
  • Invoice, payment, and subscription information in connection with Stripe
  • Onboarding details such as role, editing focus, platform, lead source, and optional country
  • Support and feedback content including email address if you contact us or send feedback
  • Newsletter data such as email address, double opt-in status, consent timestamp, and unsubscribe information
  • Cookie, consent, analytics, and marketing data such as cookie IDs, consent status, browser, and device data
  • Country or regional information inferred through optional IP/country lookup for price and context display after consent where applicable
  • Technically necessary log and security data related to hosting and API operation

5. Account, login, onboarding, and account management

When you create an account or sign in, we process your data to provide the user account, authenticate access, store onboarding answers, manage the account, and connect product access to your profile.

The main legal basis is Article 6(1)(b) GDPR. Where we apply technical security measures or abuse prevention, we additionally rely on Article 6(1)(f) GDPR.

During onboarding, the likely country of a user can be detected through ipapi.co only after explicit user consent via the consent management platform so regional context, currency hints, and price tags can be displayed more appropriately. Prices themselves are maintained manually and are not individually set by automated decision-making.

6. Orders, payments, licenses, and subscriptions

When you purchase a product or start a subscription, we process the data necessary to perform the contract. This includes product choice, plan, purchase or subscription status, payment references, invoice data, license assignment, and download entitlement.

We use Stripe for payment processing and subscription management. Stripe processes payment and billing data under its own privacy and compliance framework as an independent payment provider.

The legal bases are Article 6(1)(b) GDPR for contract performance and Article 6(1)(c) GDPR to the extent commercial, tax, bookkeeping, or documentation duties apply.

7. Email communication, support, feedback, and newsletter

We process your data when you contact us by email, request an email change, trigger a password reset, receive verification or purchase emails, request support, or send feedback.

Resend is used for transactional emails and may also be used for newsletter delivery, audience/contact management, confirmation emails, and unsubscribe handling. Newsletter subscriptions run through a double opt-in flow so consent can be verified and documented before activation.

Mailchimp may be used for newsletter audience management and campaign delivery after newsletter confirmation. Confirmed subscriptions and unsubscribes can be synchronized with Mailchimp so newsletter preferences remain consistent.

For internal feedback or CEP routing, Google Apps Script and Google Sheets may be used behind the scenes as internal workflow tools. Users do not interact with Google Apps Script directly. In that context, an email address can be stored together with the feedback content where this is necessary for processing, quality assurance, or follow-up questions.

Access to such Google Sheets feedback or support entries is limited internally to Mehdi Al Madani as controller. They are used only for feedback handling, support, and any necessary follow-up regarding your message.

The legal basis is Article 6(1)(b) GDPR for contract-related communication, Article 6(1)(a) GDPR for newsletter communication, and Article 6(1)(f) GDPR for orderly support and quality processes.

8. Recipients and service providers

We disclose personal data only where necessary to provide our services, handle payments, operate the platform technically, or comply with legal obligations.

Depending on the service used, the related processing is based in particular on Article 6(1)(b) GDPR for contract performance and pre-contractual steps, Article 6(1)(c) GDPR where consent logging or other compliance duties are relevant, Article 6(1)(f) GDPR for legitimate interests such as technical delivery, security, support, and abuse prevention, and Article 6(1)(a) GDPR where analytics, marketing, or newsletter processing requires prior consent.

Unless stated otherwise, infrastructure and workflow providers such as Netlify, Supabase, Resend, Mailchimp, and Usercentrics generally act as processors on our behalf under data processing arrangements. Stripe generally acts as an independent controller for payment-related processing. For certain collection and transmission steps via Meta Business Tools such as Meta Pixel, we and Meta may be jointly responsible to the extent provided for under Meta's Business Tools and controller terms.

  • Netlify, Inc., 101 2nd Street, San Francisco, CA 94105, USA, for website hosting, deployment, edge delivery, and technically necessary website logs, in particular processing IP addresses, request logs, timestamps, browser information, referrer data, and other technical metadata required for delivery and security. Legal basis: Article 6(1)(f) GDPR for secure and stable website delivery and infrastructure operation.
  • Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992, for authentication, verification, password reset, and account-related backend functions, with the project currently configured in Ireland (EU West), in particular processing email addresses, account identifiers, authentication or session metadata, onboarding information, and account-related backend records. Legal basis: Article 6(1)(b) GDPR for account and service provision, plus Article 6(1)(f) GDPR for account security and abuse prevention.
  • Plus Five Five, Inc. d/b/a Resend, 2261 Market Street #5039, San Francisco, CA 94114, USA, for transactional emails, newsletter confirmation emails, contact management, and newsletter delivery, currently using the Ireland (EU West) region where configured, in particular processing email addresses, message metadata, delivery status, confirmation status, and newsletter consent state. Legal basis: Article 6(1)(b) GDPR for transactional and contract-related emails, Article 6(1)(a) GDPR for newsletter communication, and Article 6(1)(f) GDPR for support communication and operational reliability.
  • The Rocket Science Group LLC d/b/a Mailchimp, Attn: Privacy Officer, 405 North Angier Ave. NE, Atlanta, GA 30308, USA, for newsletter audience management, campaign delivery, unsubscribe handling, and email engagement data, in particular processing email addresses, subscription status, audience membership, delivery status, and campaign interaction metadata. Legal basis: Article 6(1)(a) GDPR for newsletter communication and Article 6(1)(f) GDPR for consent documentation and suppression list reliability.
  • Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, for checkout, payment processing, billing information, and the customer portal, in particular processing name, email address, payment references, billing details, subscription status, invoices, and transaction-related metadata. Legal basis: Article 6(1)(b) GDPR for payment and subscription performance and Article 6(1)(c) GDPR where invoice, tax, bookkeeping, or documentation duties apply.
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for Google Apps Script, Google Sheets, and Google Analytics, in particular processing feedback-related email addresses and message contents for internal workflow handling via Google Apps Script and Google Sheets, and cookie identifiers, approximate location, device and browser data, usage data, and analytics-related IP-derived information for Google Analytics, which is only activated after explicit user consent via the consent management platform. Legal basis: Article 6(1)(b) and Article 6(1)(f) GDPR for feedback, support, and internal workflow handling via Google Apps Script and Google Sheets, and Article 6(1)(a) GDPR for Google Analytics.
  • Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland, for Meta Pixel marketing and conversion measurement, in particular processing cookie identifiers, IP address, browser and device information, page views, referrer information, and interaction events. Meta Pixel is only activated after explicit user consent via the consent management platform. Legal basis: Article 6(1)(a) GDPR.
  • Usercentrics A/S (Cookiebot), Havnegade 39, 1058 Copenhagen K, Denmark, for consent management and cookie preference handling, in particular processing consent status, consent identifiers, timestamps, language and browser settings, and proof of consent interactions. Legal basis: Article 6(1)(c) GDPR and Article 6(1)(f) GDPR insofar as consent choices must be stored, respected, and documented in a legally compliant and operationally reliable way.
  • ipapi.co for optional country detection during onboarding, in particular processing the requesting IP address in order to derive country or regional context for display purposes. This lookup is only activated after explicit user consent via the consent management platform. Legal basis: Article 6(1)(a) GDPR.

9. International transfers

Where service providers process personal data outside the EU or EEA, we aim to ensure that such transfers take place only in accordance with the GDPR, for example on the basis of an adequacy decision or appropriate safeguards such as standard contractual clauses.

Some providers are based in the United States or may use infrastructure, support teams, or subprocessors outside the EU or EEA. Where applicable, such transfers are safeguarded via the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses pursuant to Article 46 GDPR. If a provider relies on another valid transfer mechanism, the then-current legal basis of that provider remains decisive.

Supabase and Resend are currently configured in Ireland (EU West). The website itself is currently delivered through Netlify-hosted infrastructure. International transfers may nevertheless be technically possible in particular where globally operating providers such as Netlify, Stripe, Google, or Meta are used for delivery, analytics, advertising, support, or subprocessing. The relevant current privacy terms and transfer mechanisms of those providers remain decisive.

10. Retention periods

We keep personal data only for as long as necessary for the relevant purpose. Unless longer legal or regulatory obligations apply, we generally use a retention baseline of up to 12 months after the last relevant activity for support, feedback, newsletter, analytics, and comparable general usage data, or we delete or anonymize earlier if the purpose ends sooner.

Account and product data may be stored for as long as the account remains active or as long as claims, support, security, or abuse-prevention needs require retention. Payment, invoice, tax, bookkeeping, and similar records are stored for the period required by the law that applies in the concrete case. Those periods can differ by country, record type, and legal situation and may extend beyond 12 months.

We do not use one single worldwide retention period for all data. Instead, retention follows applicable legal obligations as well as legitimate needs such as legal defense, fraud prevention, IT security, and the enforcement or defense of claims. If deletion is requested, we therefore assess case by case which data can be deleted immediately and which data must still be retained.

11. Your rights

Subject to the legal requirements, you have the right of access, rectification, erasure, restriction of processing, data portability, objection to certain processing, and the right to withdraw consent with effect for the future.

If you want to exercise any of these rights, please email info@nexus-creative-lab.com. We answer such requests without undue delay and generally within one month.

You can in particular withdraw newsletter consent through the unsubscribe link in each email and adjust cookie or tracking consent through the consent tool and the Cookie settings link.

You also have the right to lodge a complaint with a supervisory authority. For Hesse, this is the Hessian Commissioner for Data Protection and Freedom of Information.

12. Account deletion and subscription termination

You can initiate subscription cancellation through the Stripe customer portal in your dashboard. If you want your account deleted, a dashboard function is also provided for that purpose.

Please note that account deletion may be limited while a paid subscription is still active or not yet fully terminated. In such cases, the subscription must first be cancelled or properly closed out.

Even after account deletion, some data may remain stored where this is necessary to fulfill legal retention duties, defend legal claims, or maintain payment and documentation records.

13. Cookies, tracking, and external content

We may use technically necessary cookies and, only on the basis of your consent, non-essential cookies and similar technologies for analytics, reach measurement, and marketing. These may include Cookiebot as the consent management tool, Google Analytics, and Meta Pixel.

Technically necessary cookies are used for core site operation, storing your consent choice, login and security functions, and comparable essential functions. Analytics and marketing cookies are only set or activated once you have explicitly consented through the consent management platform.

If Meta advanced matching is enabled in the final production configuration, Meta may additionally receive privacy-protected matching data derived from information you already provided, for example name data, country, city or postal data, date of birth, gender, or an internal or external identifier, in order to improve attribution and remarketing. Email- and telephone-based advanced matching are intended to remain disabled unless this configuration is changed and the privacy policy is updated accordingly.

You can withdraw or adjust your consent at any time for the future. We provide consent management through Cookiebot, a Cookie settings link to reopen those choices, and the live Cookiebot declaration where available.

14. Automated decisions, profiling, and age focus

Based on the current setup, we do not carry out solely automated decision-making within the meaning of Article 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

Where we use automated logic such as country lookup, regional context display, consent handling, security checks, or marketing and analytics evaluations, these primarily serve technical delivery, measurement, security, and user guidance. Prices themselves are maintained manually and are not individually calculated by automated profiling.

Our offer is aimed at the general public and is not exclusively intended for adults or exclusively for minors. At the same time, it is not specifically directed at children within the meaning of relevant privacy rules.

15. Updates to this privacy policy

We update this privacy policy when technical processes, service providers, legal requirements, or our services change materially.

Version date: April 19, 2026.

Cookie Declaration

The live Cookiebot declaration below lists the cookies and similar technologies currently detected for this website.