Privacy Policy
Last Updated: July 8, 2026
Effective Date: June 29, 2026
Introduction
NUEXUS Technologies (Private) Limited ("NUEXUS", "we", "us", or "our") is an information technology, cybersecurity, and professional-training company registered in Pakistan (Corporate Universal Identification No. 0260005). We respect your privacy and are committed to protecting the personal information you entrust to us. This Privacy Policy explains what information we collect, how we use and protect it, with whom we share it, and the rights and choices available to you.
This Policy applies to our website, products, services, training programs, and any related interactions. Where we deliver client engagements (for example, security assessments, software development, or managed services), the handling of client and engagement data is additionally governed by the specific contract, statement of work, and non-disclosure agreement entered into with that client.
1. Scope of This Policy
This Policy covers personal data of website visitors, prospective and existing clients, training participants, newsletter subscribers, and individuals who contact us. It does not cover third-party websites we link to, or data processed strictly on behalf of a client as their data processor under a separate agreement (in which case the client's privacy notice governs the data subjects involved).
2. Information We Collect
a. Information you provide directly
- Contact & enquiry data: your full name, email address, phone number, the subject and service type of your enquiry, and the contents of your message when you use our contact form.
- Account data: if you register for an account or training portal, identity and login credentials managed through our authentication provider (name, email, and a securely hashed password we never see in plain text).
- Training & event data: enrolment details, course preferences, and materials you submit during a program.
- Business & engagement data: company name, role, project requirements, and commercial details shared when you request a proposal or engage our services.
b. Information collected automatically
- Device & log data: IP address, browser type, operating system, referring pages, and timestamps.
- Usage & analytics data: pages viewed, navigation paths, and aggregated engagement metrics, collected via privacy-conscious analytics to help us improve the site.
- Cookies & similar technologies: as described in our Cookie Policy.
c. Information from client engagements
When delivering services such as security testing or development, we may necessarily process technical information about a client's systems, applications, and (only where strictly required and authorised) limited data within those systems. Such processing is performed under contract and confidentiality obligations, on a least-privilege basis, and only to the extent needed to perform the agreed work.
3. How We Use Your Information
- To respond to enquiries, provide quotes, and deliver the services or training you request.
- To create and administer accounts, authenticate users, and secure access to portals.
- To operate, maintain, secure, and improve our website and services.
- To send service communications, updates, and (where permitted) marketing you may opt out of.
- To detect, prevent, and investigate security incidents, fraud, and misuse.
- To comply with legal, regulatory, accounting, and contractual obligations.
- To establish, exercise, or defend legal claims.
4. Legal Bases for Processing
Where applicable data-protection law requires a legal basis, we rely on: (i) your consent (for example, marketing or non-essential cookies); (ii) the performance of a contract with you; (iii) our legitimate interests in operating and securing our business, balanced against your rights; and (iv) compliance with legal obligations. You may withdraw consent at any time without affecting prior lawful processing.
6. Third-Party Service Providers
We rely on a small number of reputable providers who process data on our behalf under appropriate data- processing terms. These currently include:
- Authentication & identity, to register, sign in, and secure accounts.
- Hosting & analytics, to serve the website and measure aggregate usage.
- Media & file storage, to store course materials and uploaded documents.
- Email delivery, to deliver enquiry and transactional messages.
These providers may process data outside Pakistan. We require each to maintain appropriate technical and organisational safeguards and to process personal data only on our documented instructions.
7. Identity Verification & One-Time Passcodes
To protect our services from spam, bots, and automated abuse, and to keep the cost of our AI features sustainable, we may ask you to confirm that you are a real person before we act on certain requests, for example before our AI assistant (Nexi) makes a request on your behalf, or before some form submissions are accepted. We do this by sending a one-time passcode to the email address (or, where that option is offered, the phone number) you provide, which you enter to confirm you control it. If you are signed in to a NUEXUS account, that sign-in can serve the same purpose.
- What we process: the email address or phone number you ask us to verify, together with limited technical data such as your network (IP) address and the timestamps of the attempt.
- The code is never stored: the six-digit code is generated from a secure random source and travels only in the message we send you. We do not save it on our servers; it is validated using a cryptographically signed challenge and it expires within 10 minutes.
- Verification session: once you verify, we issue a short-lived signed token (valid for up to 12 hours) so you are not asked again on every action. It records that verification succeeded and the email or phone number you verified; it contains no password or other secret. We may ask you to verify again at any time.
- Delivery: codes are sent by email through our own mailbox (with a reputable fallback email provider), or by SMS through a third-party messaging provider where that channel is offered.
- Anti-abuse: we apply rate limits to how often codes can be requested and checked, and we may record verification attempts (including IP address and timestamps) to detect and prevent misuse.
Chat moderation and abuse logging. Messages sent to our AI assistant are automatically screened for abusive, threatening or manipulative content and for misuse of the service. When a message is flagged, we log an incident record containing the message, recent conversation context, the date and time, a session identifier and your network (IP) address, and the assistant may warn you or end the conversation. Incidents involving abuse or threats are referred to the NUEXUS team, including our legal desk. We use these records to enforce our policies, protect our staff, systems and other users, comply with law, and establish, exercise or defend legal claims, relying on our legitimate interests and, where applicable, legal obligations (see Section 4). Details of the warnings and enforcement steps are in our AI Assistant Policy.
The email or phone number you verify is otherwise handled as part of your enquiry, application, or registration, as described in Sections 2 and 3. Where a legal basis is required we rely on your consent and our legitimate interest in keeping our services secure and available (see Section 4). Providing a contact detail you do not control, or attempting to bypass verification, is not permitted. Verification inside our AI assistant is described further in our AI Assistant Policy.
9. International Data Transfers
We are headquartered in Pakistan and may serve clients globally. Your information may be transferred to and processed in countries other than your own. Where required, we implement appropriate safeguards (such as contractual data-protection clauses) for cross-border transfers.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, including to satisfy legal, tax, accounting, or reporting requirements, and to resolve disputes. When no longer required, data is securely deleted or anonymised. Engagement and client data is retained per the relevant contract.
11. Data Security
As a security-focused organisation, we apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls on a least-privilege basis, secure authentication, logging and monitoring, and regular review of our practices. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; however, we work continuously to protect your data and to respond promptly to any incident.
12. Confidentiality of Client & Engagement Data
For consulting, development, and security-testing engagements we frequently handle highly sensitive client information, including findings that could affect a large set of stakeholders. We treat such information as strictly confidential: it is processed only under a signed agreement and, where applicable, a non-disclosure agreement; access is limited to authorised personnel on a need-to-know basis; reports and evidence are stored securely and shared only through agreed channels; and data is returned or destroyed on completion in accordance with the engagement terms. We act as a data processor for such data and process it solely on the client's instructions.
13. Your Privacy Rights
Subject to applicable law, you may have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data in certain circumstances.
- Restrict or object to certain processing.
- Data portability, receive your data in a portable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a competent data-protection authority.
To exercise any right, contact us using the details in Section 18. We will respond within the timeframe required by applicable law and may need to verify your identity first.
14. Children's Privacy
Our services are intended for individuals aged 18 and over and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.
15. Marketing & Communications
With your consent where required, we may send you newsletters and updates about our services and training. You can opt out at any time using the unsubscribe link in our emails or by contacting us. We will still send essential service-related messages (for example, security or account notices).
16. Data Breach Notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant authority and affected individuals where and as required by applicable law, and take prompt steps to contain and remediate the incident.
17. Changes to This Policy
We may update this Policy to reflect changes in our practices, technology, or legal requirements. Updates are posted on this page with a revised "Last Updated" date. Material changes may be communicated more prominently. Continued use of our services after an update constitutes acceptance of the revised Policy.
18. Contact & Grievances
For any questions, requests, or complaints regarding this Privacy Policy or your personal data, please contact our privacy team:
NUEXUS Technologies (Private) Limited
CUIN: 0260005
NASTP, Alpha Square, Nur Khan Airbase, Rawalpindi, Pakistan
Email: legal@nuexus.com
Phone: +92 300 5874020
