§ I · Identity · Who we are.
This policy applies to Nexurion, LLC (“Nexurion,” “we,” “us”), a Massachusetts limited liability company headquartered at 111 Speen Street, 2nd Floor, Framingham, MA 01701. We are a senior-led security, compliance, and AI-governance firm. We act as a data controller for information collected through this website (nexurion.io) and through our direct engagements with clients and prospects. When we process client data inside an engagement, we typically act as a data processor under a written agreement; that engagement-level processing is governed by the engagement contract, not this policy.
§ II · Inputs · What we collect.
We collect the minimum information needed to do our work, run this site, and respond to inquiries. Specifically:
Information you give us
- Contact form / scoping requests: name, work email, company, role, the trigger you described, anything you typed into the message field. If you booked a call, the time slot.
- Newsletter (Field Notes) sign-ups: email address. Optional: name, company, role.
- Email correspondence: whatever you write to us. We read it.
- Engagement materials: documents, evidence, screenshots, system descriptions you provide during a paid engagement. Governed by the engagement contract and the data-processing addendum, not this policy.
Information collected automatically
- Server logs: IP address, user agent, requested URL, referrer, timestamp. Standard web-server logging. Retained 30 days for security and abuse investigation.
- Cookies: one strictly-necessary session cookie. We do not currently run third-party analytics, ad-tracking, or session-replay tools. See § VIII.
Information we do not collect
- We do not buy mailing lists.
- We do not run ad-network pixels (no Meta, no LinkedIn Insight, no Google Ads remarketing).
- We do not run session-replay (no FullStory, Hotjar, or equivalent).
- We do not sell personal information. Ever.
§ III · Purpose · Why we collect it, and our legal basis.
Under GDPR Article 6 and similar US state-privacy frameworks, we identify a lawful purpose for every data category:
- Respond to your inquiry. Legal basis: performance of a contract (taking steps at your request before entering into a contract) or legitimate interest (responding to business inquiries).
- Send our Field Notes. Legal basis: consent (your sign-up). Withdraw any time via the unsubscribe link in every email.
- Run and secure this website. Legal basis: legitimate interest (operating a website, preventing abuse).
- Comply with legal obligations: tax records, regulatory inquiries, lawful subpoenas. Legal basis: legal obligation.
- Deliver paid engagements. Legal basis: performance of a contract. Engagement-level processing is covered by your contract and DPA, not this policy.
§ IV · Distribution · Who we share it with.
We share information only when it is necessary to deliver the service, comply with the law, or run the firm. The list is short and we keep it that way.
Service providers (sub-processors)
- Email delivery & transactional mail: for delivering our Field Notes and responding to inquiries. Operates under a written DPA.
- Cloud infrastructure: for hosting this website. US-based.
- Calendar / booking: if you book a call directly from a CTA, the booking provider stores your name, email, and selected slot.
A current sub-processor list is available on request to [email protected]. We do not add a sub-processor without ensuring a written agreement that covers confidentiality, security, and (where relevant) GDPR Article 28 obligations.
Legal & safety
We may disclose information if required by valid legal process (subpoena, court order, regulatory request) or where we believe in good faith that disclosure is necessary to protect rights, safety, or to investigate fraud or abuse. We will resist overbroad requests and will, where lawful, notify you before disclosure.
Business transfers
If Nexurion is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you and provide choices regarding your information before it becomes subject to a different privacy policy.
§ V · Retention · How long we keep it.
- Inquiry / scoping form: 24 months from last contact, then deleted unless we are in an active engagement.
- Newsletter list: until you unsubscribe; then we retain your email on a suppression list to avoid re-adding you.
- Server logs: 30 days.
- Engagement deliverables & correspondence: 7 years after engagement close, for professional liability and tax purposes, then deleted unless statutorily required to keep longer.
§ VI · Protection · How we protect it.
We are a security firm. Our internal posture is described in detail at /security. In summary: phishing-resistant MFA on every account that touches customer data, encryption in transit (TLS 1.2+) and at rest, least-privilege access with documented reviews, hardware-key-protected admin access, written incident response, and a vendor security review process for every sub-processor.
If we discover a breach involving personal data, we will notify affected parties without undue delay and, where required, within 72 hours of becoming aware (GDPR Articles 33-34) or per the applicable US state breach-notification timeline.
§ VII · Rights · Your rights.
Depending on where you live, you have rights regarding personal information about you. We honor these rights regardless of jurisdiction unless a specific exception applies.
Under GDPR (EU/UK/EEA)
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: ask us to delete data, subject to retention obligations.
- Restriction: limit processing in certain circumstances.
- Portability: receive your data in a machine-readable format.
- Object: object to processing based on legitimate interest.
- Withdraw consent: for any processing based on consent (e.g., the newsletter).
- Lodge a complaint: with your local supervisory authority. We would prefer you tell us first.
Under US state-privacy laws (CA, CO, CT, VA, UT, TX, OR, MT, IA, DE, NH, NJ, MD, MN, RI, KY, IN, TN, NE, FL & the rest of the 2024-26 patchwork)
- Know: what categories of personal information we have collected, sources, purposes, and to whom we have disclosed it.
- Delete: subject to retention exceptions.
- Correct: inaccurate personal information.
- Opt out: of sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share personal information for advertising.
- Limit use of sensitive personal information: we do not collect SPI through this site.
- Non-discrimination: for exercising your rights.
To exercise any right, email [email protected] with your request and enough information for us to verify your identity. We respond within 30 days (45 for complex requests, with notice).
§ VIII · Cookies · Cookies & analytics.
Strictly-necessary cookies. One session cookie for session continuity. No tracking, no ad pixels, no session-replay.
We use one strictly-necessary cookie for session continuity. We do not currently run third-party analytics, ad pixels, or session-replay tools. If we add analytics in the future, we will update this section, post a banner where required, and prefer privacy-respecting tooling (server-side, IP-truncating, no cross-site identifiers).
§ IX · Transfers · International transfers.
Nexurion is based in the United States. If you are accessing this site from the EU/UK/EEA, your information will be transferred to the US for processing. Where required, we rely on the EU-US Data Privacy Framework, the UK extension thereof, or Standard Contractual Clauses with our sub-processors. We monitor the post-Schrems II landscape and will adjust our basis as the legal regime evolves.
§ X · Updates · Changes to this policy.
We may update this policy as our practices change or as the law requires. The “effective” and “last updated” dates at the top of this page reflect the current version. Material changes will be announced on the homepage and, for newsletter subscribers, by email. We will not retroactively reduce your rights without your consent.
For privacy questions, requests, or complaints:
Email: [email protected]
Mail: Nexurion, LLC · Attn: Privacy · 111 Speen Street, 2nd Floor · Framingham, MA 01701 · USA
For EU/UK residents who would prefer a local point of contact, email us; we will route your request through our designated representative arrangement, where applicable.