Guides
NEXUS
Start typing to search…

August 21, 2025

Privacy Policy

Effective Date: August 21, 2025

Introduction

NEXUS Co., Ltd. (“NEXUS,” “we,” “our,” or “us”) takes the protection of your personal data (“Personal Data”) very seriously. This Ara Service Privacy Policy supplements our main Privacy Policy and specifically describes how we collect, use, store, share, and transfer personal data when you use the Ara Service, which is integrated into the CROSS application and powered by Flowise Cloud and the OpenAI API.

By checking the consent boxes and using the Ara Service, you confirm that you have read, understood, and agree to the collection, use, third-party provision, and international transfer of your personal data as described below. If you do not agree, you may not use the Ara Service.

1. Legal Grounds for Processing

There must be a valid basis for using your personal data, which is referred to as the "legal grounds for processing" under certain laws. We process your personal data based on the following grounds:

• Your Consent: This means that, as the data subject, you have agreed and consented to the processing of your personal data for the specified purposes.

• Legal Obligation: The processing of your personal data is necessary to comply with legal obligations applicable to us

• Legitimate Interest: This refers to cases where the processing is necessary for pursuing our legitimate interests, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject, that require the protection of your personal data. Our legitimate interests generally include:

∘ Product improvement and research & development

∘ Marketing and promotion

∘ Security and fraud prevention

∘ Legal compliance

∘ Business operations

2. Collection of Personal Data

When you use the Ara Service, we collect and process the following personal data. The types of personal data we collect may vary depending on how you use or interact with our services. The information listed below may be essential to providing our services; without it, some or all service features may not be available. We do not collect additional categories of personal data without informing you.

• Session and Interaction Data

∘ Session ID (chat identifier)

∘ Conversation history (questions and answers), conversation timestamps, last session time

• Device and Technical Information (if applicable)

∘ Browser type, operating system, IP address (temporarily collected only when using the CROSS platform or Flowise Cloud interface)

• Information Automatically Collected When Using the Service

∘ For information on automatically collected device and usage data, please refer to Section 10 (Cookies and Other Tracking Technologies).

3. Purposes of Using Personal Data

We may process your personal data for the following purposes:

• To Provide and Operate the Ara AI Service: Your personal data is used to provide the services, communicate regarding service usage, fulfill orders, and for other customer support purposes.

• To generate AI-based responses using the OpenAI API

• To improve service quality, diagnose errors, and enhance security

• To maintain session continuity and conversation history during active sessions

• To Comply with Legal and Regulatory Obligations: Your personal data may be used to enforce our service terms, comply with laws, legal processes, or legal obligations, exercise or defend legal claims, detect, prevent, or address fraud, comply with requests from law enforcement, regulatory, and tax authorities (both domestic and international), resolve security or technical issues, or otherwise protect the property and legal rights of the company or others.

4. Data Storage and Retention Period of Information

• Local Storage: Session ID and conversation history are temporarily stored in your browser and deleted when you click the “Reset” button.

• Flowise Cloud Server (if enabled): Session ID, conversation history, and last session time are stored on FlowiseAI Inc.’s cloud servers located in the United States without automatic deletion and are retained until you manually delete them or request deletion. If Flowise Cloud storage is disabled in your configuration, no personal data will be stored on FlowiseAI Inc.’s servers.

• OpenAI Server (if applicable): When your request is processed through the OpenAI API, conversation history, timestamps, response IDs, model names, and conversation size are stored on OpenAI’s servers for up to 30 days before being automatically deleted. Data stored on OpenAI servers cannot be manually deleted by users. If your configuration does not route data through the OpenAI API, no personal data will be stored on OpenAI servers.

We retain your personal data for the period necessary to fulfill the purposes outlined in this Privacy Policy or as instructed by you. This includes retaining data for legal, accounting, or other obligations. However, In some cases, we may retain in cases where longer retention periods are required or permitted by law, and we may retain your personal data for the duration necessary for legal claims, complaints, lawsuits, or regulatory procedures.

5. International Transfer of Personal Data

To provide AI responses, your personal data is transferred to OpenAI OpCo, LLC in the United States for AI model processing and response generation.

RecipientOpenAI OpCo, LLCFlowiseAI Inc.
CountryUnited States(unless otherwise notified)
Items TransferredConversation history, timestamps, response IDs, model names, conversation size (only if processed through OpenAI API)Session ID, conversation history, last session time (only if stored in Flowise Cloud, not applicable when disabled)
PurposeAI model processing and response generationHosting, maintenance, and operation of Ara Service chat sessions
Retention PeriodUp to 30 days (automatic deletion thereafter)Until manually deleted by the user or upon request

Depending on your usage and system configuration, your data may be stored only in OpenAI servers, only in Flowise Cloud servers, in both.

All transfers occur via secure network connection at the time of use. Data is not used by OpenAI or FlowiseAI Inc. for model training unless we have expressly stated otherwise.

We implement safeguards, such as the Standard Contractual Clauses (SCCs), to protect your data during cross-border transfers in accordance with applicable laws.

6. Provision of Personal Data to Third Parties

Other than transfers to OpenAI and FlowiseAI Inc. as described above, we may provide your personal data to other third-party service providers, such as hosting and security vendors, solely for system hosting, maintenance, technical support, or security monitoring.

All third-party recipients are contractually obligated to:

  • Process your personal data only on our instructions
  • Maintain its confidentiality
  • Implement appropriate technical and organizational measures to protect it in accordance with applicable data protection laws.

7. Disclosure of Your Personal Data

We may disclose your personal data to the extent required by legal obligations or when we believe in good faith that disclosure is necessary to comply with legal processes. In such cases, the receiving entity may not be able to ensure the same level of security for your personal data.

Additionally, we may disclose your personal data in connection with the transfer of business or corporate restructuring.

8. Your Rights as a Data Subject

Depending on your location, you may have rights under applicable data protection laws, including the right to access, correct, delete, restrict processing, object to processing, and request data portability. You may withdraw your consent at any time; however, this will not affect the lawfulness of processing prior to withdrawal.

If you withdraw consent for the processing described in this Ara Service Privacy Policy, you will no longer be able to use the Ara Service.

• Right of Access or Right to be Informed
This means you have the right to obtain information from us about our data processing activities concerning you (e.g., how we collect and use your personal data, retention periods, sharing entities, etc.).

You have the right to confirm whether we are processing personal data about you, and if so, to obtain a copy of such personal data along with certain related information.
In some cases, we may refuse your access request. In such instances, we will provide the reasons for the refusal.

• Right to Rectification or Correction
You have the right to request the correction of any inaccuracies in the personal data we hold about you without undue delay, as well as the completion of incomplete personal data.

If you are unable to modify the information yourself through your account settings, please contact us, and we will do our best to modify the personal data on your behalf.

• Right to Deletion or Erasure
You have the right to request the anonymization, deletion, or removal of your personal information when appropriate. In such cases, we will delete your personal data unless we have overriding legitimate interests or legal requirements to continue processing it. We will also inform you of the reasons if we refuse a deletion request.

• Right to Restrict the Processing of Your Personal Data
This is known as the "right to restrict processing." You have the right to request that your personal data is only used or stored for specific purposes. This right applies in certain cases, such as when you believe the data is inaccurate or that the processing activity is unlawful.

• Right to Object to Processing
If we process your personal data based on legitimate interests or for direct marketing purposes, you have the right to object to such processing of your personal data.

Except in the following cases, we will cease processing your personal data:

(i) If we have strong legal grounds for processing that override your interests, rights, and freedoms, or

(ii) If the processing is necessary for the establishment, exercise, or defense of legal claims.

• Right to Data Portability
If we process your personal data based on a contract with you or your consent, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, or to request the transfer of this personal data to a third party.

• Right to Withdraw Consent
If we rely on your consent as the legal basis for processing your personal data, you can withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. If you have consented to sharing your details with third parties and wish to withdraw this consent, please contact the relevant third parties to modify your preferences.

• Right to Non-Discrimination
We will not discriminate against you for exercising any of your rights provided to you under law.

• Identity and Authority Verification
To respond appropriately to your privacy rights requests, we may need to verify your identity and may request additional information. The personal data provided for this purpose will only be used to verify your identity or authority to make the request.

If submitting a request on behalf of someone else, you must provide proof of authority to act on their behalf. Please ensure that you provide a valid signed power of attorney, or proof of parental responsibility or legal guardianship, when contacting us for rights requests.

• Response Time and Format for Your Requests
We will acknowledge receipt of your request within 10 business days and inform you of the expected response time, including any identity verification or processing delays.


Typically, we will respond to your request within one month from the date of receipt. However, if more time is required (up to 90 days), we will inform you of the reason for the delay and the extended time frame.

In some cases, we may be unable to process your request, and we will explain the reasons in our response.
We do not charge fees to process your request. However, if your request is excessive, repetitive, or manifestly unfounded, we may charge a fee. In such cases, we will explain the reasons for the charge and provide a cost estimate before completing your request.

9. Data Security

We take the security of your personal data seriously and have established a dedicated team with expertise in information security. The members of this team are committed to safeguarding your data. We implement technical, administrative, and physical measures designed to protect your personal data, and we will continuously improve and maintain these measures. These measures include encryption, access control, and secure deletion.

10. Cookies and Other Tracking Technologies

Cookies are small text files that are downloaded to your computer or mobile device and contain data. Browser cookies and other similar technologies (referred to as "Cookies" in this cookie policy) allow websites and apps to store information or provide access to information stored on your device. These technologies are used by most website and app providers to help users navigate between pages efficiently, ensure the security of web pages or applications, understand how websites are used, remember user preferences, and generally improve the user experience.

When you use our services, we may place cookies on your device. We use cookies to automatically set the language according to your device's region, and these cookies are essential for providing the service and cannot be disabled.

11. Right to File a Complaint with a Supervisory Authority

When EU or UK GDPR applies to the processing of your personal data, you have the right to file a complaint with a supervisory authority if you are not satisfied with how your personal data is handled.

You can file a complaint with the supervisory authority in the EU member state of your residence, workplace, or where the alleged GDPR violation occurred. In the UK, you can file a complaint with the Information Commissioner’s Office (ICO).

12. Changes to This Policy

We reserve the right to amend this Privacy Notice at any time to reflect changes in the law, our data collection, use or sharing practices or advances in technology. We will make the revised Privacy Notice accessible throughout the Services. You should review this Privacy Notice periodically. The “Date of Last Revision" included at the of this privacy notice will indicate when it was last updated.

By continuing to access or use the Services, you are confirming you have read and understand the latest version of this Privacy Notice.

13. Contact Information

If you have any questions about this privacy policy or concerns related to your personal data or this privacy policy, please contact us at:

Privacy Officer

• Address: Daewangpangyo-ro 606gil 10, Bundang-gu, Sungnam-si, Gyeonggi-do, Republic of Korea
• Email: [email protected]

It may take up to one month to respond to your inquiry.

[EU Representative]

We have appointed VeraSafe as our representative for data protection matters in the EU. You can contact us or VeraSafe regarding any issues related to the processing of personal data.

• Company: VeraSafe Ireland Ltd.

• Address: Unit 3D North Point House North Point Business Park New Mallow Road Cork T23 AT2P, Ireland

• Phone: +420 228 881 031

• Contact Form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

• Email: [email protected]

• Website: https://www.verasafe.com/about-verasafe/contact-us/

[UK Representative]
We have appointed VeraSafe as our data protection representative in the UK. You can contact us or VeraSafe regarding any issues related to the processing of personal data.

• Company: VeraSafe United Kingdom Ltd.

• Address: 37 Albert Embankment, London, SE1 7TL, United Kingdom

• Phone: +44 (20) 4532 2003

• Contact Form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

• Email: [email protected]

• Website: https://www.verasafe.com/about-verasafe/contact-us/

Updated 25 days ago