GDPR and your data

Hosting, subprocessors, export, deletion, transparency.

Nexte is hosted in France and built for European freelancers and agencies — GDPR compliance isn't an add-on, it's the foundation. We strictly follow the 6 GDPR principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality.

Where your data is hosted

Supabase servers (PostgreSQL) in the EU — Frankfurt, Germany. AES-256 at-rest encryption and TLS 1.3 in transit. Daily backups kept 30 days, EU region only. Uploaded files (images, PDFs, audio) are stored in Supabase Storage with the same guarantees.

List of subprocessors (DPA signed)

Full transparency: here are the subprocessors Nexte transmits data to and for what purposes. All have signed a DPA (Data Processing Agreement) compliant with GDPR Article 28.

  • Supabase (EU, Frankfurt) — database and file hosting.
  • Stripe (Ireland for EU) — payments only, if enabled.
  • Resend (EU) — transactional emails (reminders, notifications).
  • Google / Microsoft (EU/US depending on service) — only for users activating Gmail/Outlook/Drive. Minimal scope.
  • Cloudflare (EU edge nodes) — CDN for static assets and DDoS protection.
  • Vercel (Frankfurt) — Next.js app hosting.

Export your data

Settings → Security → Data export. Nexte generates a full ZIP including: invoices (PDF), contacts (CSV), projects (JSON), uploaded files, conversations (JSON), audit logs. Delivered by email within 24h (often minutes). Unlimited, no fees.

Delete your account

  1. Settings → Security → Danger zone → Delete my account.
  2. Confirm by typing your organization's exact name.
  3. Confirm again with your password.
  4. 30-day grace period during which the account can be reactivated (change of mind, mistake).
  5. After that, all data is irrevocably deleted, including from backups (immediate purge).
  6. A confirmation email is sent for attestation (useful for your GDPR obligations if you were the data controller).

Client requests (GDPR)

If one of your clients exercises their right of access, rectification, or erasure, you can generate the report via CRM → Contact → Menu (···) → GDPR report. It is a complete JSON export of all data about them (profile, projects, invoices, emails, timeline). For an erasure request, complete deletion takes 1 click.

Data retention

  • Invoices and accounting documents: 10 years (French legal requirement).
  • Contacts and projects: as long as you're an active customer, deletable at any time.
  • Audit logs: 90 days (Independent) or 1 year (Agency).
  • Backups: rolling 30 days.
  • Session and OAuth tokens: deleted on logout.

Breach notification

In case of a confirmed security breach impacting your data, Nexte commits to notifying you within 72h (per GDPR Article 33) with: the nature of the breach, the data concerned, the actions taken, and the recommended actions on your side. Our DPO is reachable at dpo@getnexte.com.

For any legal question, custom DPA request, or security audit: contact dpo@getnexte.com. We reply within 5 business days.