Effective Date: March 17, 2026 | Version: 2.0
nextain Inc. ("Company", "we", "us") operates naia.nextain.io. This Privacy Policy explains how we collect, use, and protect your personal information in accordance with the Korean Personal Information Protection Act (PIPA), EU GDPR, and applicable international privacy laws.
1. Data Controller
| Company | nextain Inc. (주식회사 넥스테인) |
| Representative | Byeongseok Yang (CEO) |
| Address | 77, Maesong-Gosaek-ro 422beon-gil, Maesong-myeon, Hyohaeng-gu, Hwaseong-si, Gyeonggi-do, Republic of Korea |
| Privacy Contact | privacy@nextain.io |
2. Data We Collect
Account Data (collected via OAuth at sign-in)
| Data | Source | Required |
|---|---|---|
| Email address | Google / Discord OAuth | Yes |
| Display name | Google / Discord OAuth | Yes |
| Profile image URL | Google / Discord OAuth | Optional |
Service Usage Data (generated during use)
| Data | Description |
|---|---|
| API keys | Keys you create and manage for service access |
| Credit balance & history | Credit deduction records and cumulative usage |
| Usage logs | Request timestamp, model name, token counts, credits consumed |
| Access logs | IP address, request path, HTTP status, timestamp |
Payment Data
Payments are processed directly by LemonSqueezy (Merchant of Record). We do not store raw payment card data. We only retain: subscription status, payment event IDs, and renewal dates from LemonSqueezy webhook events.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account authentication and identity verification | Performance of contract (Art. 6(1)(b)) |
| Credit metering and API access management | Performance of contract (Art. 6(1)(b)) |
| Subscription and billing status synchronization | Performance of contract (Art. 6(1)(b)) |
| Service security, abuse detection, and incident response | Legitimate interests (Art. 6(1)(f)) |
| Service analytics and quality improvement | Legitimate interests (Art. 6(1)(f)) |
| Legal obligation compliance (tax records, dispute resolution) | Legal obligation (Art. 6(1)(c)) |
We do not use your API inputs or outputs to train AI models.
4. Data Retention
| Data | Retention Period | Basis |
|---|---|---|
| Account info (email, name, profile) | Until account deletion | Contract |
| Usage logs, API keys | Until account deletion | Contract |
| Payment event records | 5 years after deletion | Korean E-Commerce Act |
| Access logs (incl. IP) | 3 months | Korean Communications Secret Protection Act |
| Fraud prevention records | 6 months after deletion | Legitimate interests |
Upon account deletion: all data except legally required records is permanently deleted within 7 days of the request.
5. Third-Party Sharing
We do not sell or share your personal information for marketing purposes. Data may be shared only in the following cases:
- With sub-processors listed below, for service operations
- When legally required (e.g., valid court orders, law enforcement requests with lawful basis)
6. Sub-Processors
| Sub-Processor | Country | Purpose | Safeguard |
|---|---|---|---|
| LemonSqueezy (Lemon Squeezy, LLC) | USA | Payment processing, subscription management | Contractual agreement |
| Google LLC | USA | OAuth authentication, Analytics (GA4), Firebase (comments) | Google DPA |
| Discord Inc. | USA | OAuth authentication | Discord Privacy Policy |
| Vercel Inc. | USA | Web hosting and CDN | Vercel DPA |
7. International Data Transfers
Our sub-processors are based in the United States. Data transfers from Korea to the US are conducted under contractual data processing agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) under GDPR Article 46.
Note for EU/EEA users: Korea received an EU adequacy decision in December 2023 (GDPR Art. 45), meaning transfers of data from the EU to Korea do not require additional transfer mechanisms.
8. Your Rights
All Users
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Delete your account and data via Settings, or email us
- Processing restriction: Request suspension of specific processing activities
EU/EEA Users (GDPR Art. 15–22)
In addition to the above:
- Data portability (Art. 20): Receive your data in a machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time
- Lodge a complaint: Contact your local Data Protection Authority (DPA)
California Users (CCPA/CPRA)
- Right to know: Categories of data collected, purposes, and sharing
- Right to delete: Request deletion of your personal information
- Right to opt-out of sale: We do not sell your personal information
- Right to non-discrimination: We will not discriminate for exercising your rights
To exercise any right: Email privacy@nextain.io. We respond within 30 days (EU users) or 45 days (California users). Identity verification may be required.
9. Automated Decision-Making
We do not make solely automated decisions that produce legal or similarly significant effects on users. Credit deduction is automated but directly reflects your API usage requests, not a decision about you.
10. Children's Privacy
Our services are not directed to children under 14 (Korea) or 16 (EU). We do not knowingly collect personal information from minors. If we become aware of such collection, we will delete the data promptly. Parents or guardians may contact us at privacy@nextain.io.
11. Cookies
We use essential session cookies for authentication. We may use analytics cookies (Google Analytics) to understand usage patterns. You may disable non-essential cookies through your browser settings. By continuing to use the service, you consent to essential cookies.
12. Privacy Officer
| Name | Byeongseok Yang |
| Role | CEO / Privacy Officer |
| Email | privacy@nextain.io |
For EU users — supervisory authority contacts: edpb.europa.eu/about-edpb/board/members_en
13. Changes to This Policy
We may update this policy to reflect legal or service changes.
- Material changes: Notified at least 30 days before taking effect
- Minor changes: Notified at least 7 days before taking effect
Previous versions are available upon request.
This policy is governed by the laws of the Republic of Korea.