Privacy Policy
Last updated: March 31, 2026
This Privacy Policy describes how Nax and its affiliates ("Nax", "we", "us", or "our") collect, use, and share information in connection with our venue capacity management platform and related services. It applies to all users of the Service regardless of location.
Definitions
Throughout this policy, we use the following terms:
- "Service" refers to the Nax platform, including the web application, APIs, and all related tools and features.
- "Personal Data" means any information that identifies or could reasonably be used to identify an individual, such as name, email address, or IP address.
- "Organization" refers to a venue owner, security firm, or other entity that creates an account on the Service.
- "Administrator" refers to the individual who manages an Organization's account, subscription, and settings.
- "Manager" refers to a user assigned to oversee one or more venues within an Organization.
- "Staff" refers to door personnel and employees who use the Service for occupancy counting.
- "Venue Data" refers to aggregate occupancy counts, access point configurations, shift reports, and operational information associated with a venue. Venue Data does not contain Personal Data of venue guests or visitors.
Information we collect
a. Account information
When you create an account, we collect your name, email address, organization name, and password. If you are invited to the platform by another Organization, we collect the information provided during the invitation and onboarding process. For Staff accounts, we collect the username and name provided by the Administrator.
b. Venue and operational data
We collect data related to venue operations, including venue names, addresses, capacity limits, access point configurations, and occupancy counts. Occupancy data consists of aggregate entry and exit counts and does not include any personally identifiable information about venue guests or visitors.
c. Shift reports and incident logs
Users may submit shift reports containing event descriptions, incident summaries, visitor counts, and optional photographs. These reports are stored securely and accessible only to authorized members of the submitting Organization and linked partner Organizations.
d. Usage and device data
We automatically collect technical information when you use the Service, including IP address, browser type, operating system, device identifiers, and pages visited. This data is used for service operation, security monitoring, and improvement of the Service.
How we use your information
We process information for the following purposes:
- Providing, operating, and maintaining the Service
- Managing accounts, subscriptions, and billing
- Processing occupancy data and generating analytics and forecasts
- Facilitating partnerships between venue owners and security firms
- Sending service-related communications, including trial and subscription notices
- Enforcing our terms, preventing fraud, and ensuring platform security
- Complying with applicable legal obligations
Guest privacy
Nax is designed to count venue entries and exits without collecting any personally identifiable information about guests or visitors. The Service does not use cameras, facial recognition, biometric scanning, or any form of individual identification. Occupancy data consists solely of aggregate numerical counts.
The Service includes an optional guest list feature that allows Organizations to manually enter guest names for operational purposes such as VIP management. This data is entered voluntarily by the Organization, stored only for the duration of the active session, and can be cleared at any time by the Organization. Nax acts as a data processor for this information — the Organization is the data controller and is responsible for obtaining any necessary consent. Guest list data is not shared with third parties, used for marketing, or retained beyond the Organization's active use.
Data sharing and disclosure
We share information only in the following circumstances:
a. Within partnerships
When a venue owner and security firm are linked on the platform, Venue Data for shared venues is accessible to both parties in accordance with permissions configured by the inviting Organization. Administrators control what information is visible to invited parties.
b. Service providers
We engage third-party service providers for infrastructure hosting, email delivery, and payment processing. These providers process data strictly as necessary to deliver their services and are bound by data processing agreements that restrict further use or disclosure.
c. Legal and regulatory
We may disclose information where required by law, regulation, legal process, or enforceable governmental request. We may also disclose information to protect the rights, property, or safety of Nax, our users, or the public.
Data storage and security
All data is stored on enterprise-grade infrastructure located in Frankfurt, Germany, within the European Union. Our infrastructure providers maintain industry-standard security certifications.
Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Database connections are secured and access is restricted through role-based authentication. The Service implements role-based access control: Administrators have full access to their Organization's data, Managers access only assigned venues, and Staff accounts are limited to occupancy counting.
While we implement commercially reasonable measures to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of data transmitted to or stored by the Service.
Data retention
We retain account and operational data for as long as your account is active or as necessary to provide the Service. Occupancy logs, shift reports, and analytics data are retained for the duration of the subscription to support compliance, audit, and operational requirements. Upon account deletion, all associated data is permanently purged within 30 days, unless a longer retention period is required by applicable law.
International data transfers
The Service is operated from the European Union. If you access the Service from outside the EU, your information may be transferred to, stored, and processed in the EU. Where data is transferred across borders, we ensure appropriate legal safeguards are in place, including Standard Contractual Clauses approved by the European Commission or other mechanisms recognized under applicable law.
Your rights and choices
Depending on your location, you may have the following rights with respect to your Personal Data:
- Access: Request a copy of the Personal Data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your Personal Data, subject to legal retention obligations.
- Portability: Request your data in a structured, commonly used, machine-readable format.
- Objection: Object to certain processing activities.
- Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, contact us at privacy@nax.app. We will respond within the timeframe required by applicable law.
Jurisdiction-specific provisions
Australia
If you are located in Australia, we handle your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Your data is stored in the European Union. By using the Service, you consent to the transfer of your information to servers located outside Australia. We ensure that overseas recipients are subject to substantially similar privacy protections. If you believe we have breached the APPs, you may lodge a complaint with us. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
European Economic Area and Switzerland
We process Personal Data on the following legal bases under the General Data Protection Regulation (GDPR): (a) performance of a contract, when processing is necessary to provide the Service; (b) legitimate interests, including fraud prevention, security, and service improvement; (c) compliance with legal obligations; and (d) consent, where specifically obtained. You have the right to lodge a complaint with your local data protection authority. For cross-border transfers, we rely on Standard Contractual Clauses or other approved mechanisms.
United Kingdom
If you are located in the United Kingdom, we process your Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The legal bases for processing are the same as described above for the EEA. Your data is stored in the European Union, which is recognized by the UK as providing an adequate level of data protection. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
United States — California
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). You may request disclosure of the categories and specific pieces of Personal Data collected, the sources and purposes of collection, and the categories of third parties with whom data is shared. You may request deletion or correction of your data. You have the right to opt out of the sale or sharing of Personal Data — Nax does not sell or share Personal Data as defined under the CCPA/CPRA. We will not discriminate against you for exercising your rights. To submit a request, contact privacy@nax.app. You may designate an authorized agent to act on your behalf.
United States — Other states
Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, correct, delete, and port their Personal Data, as well as the right to opt out of targeted advertising and profiling. Nax does not engage in targeted advertising or profiling. To exercise your rights, contact privacy@nax.app.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be communicated via email or through a prominent notice on the Service prior to taking effect. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
Contact us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, contact us at:
Nax
Email: privacy@nax.app
We aim to respond to all legitimate requests within 30 days. If your request is particularly complex, we may notify you and extend the response period as permitted by applicable law.