Privacy,
in plain English.
We treat your data the way we would want ours treated. This policy tells you exactly what we collect, why, how it is protected, and how you can control it — under India’s DPDP Act 2023, EU/UK GDPR, California CCPA/CPRA, Brazil’s LGPD, and equivalent laws around the world.
1. About this policy
This Privacy Policy explains how NextSpace Labs Private Limited (referred to as “NextSpace Labs”, “we”, “us” or “our”) collects, uses, discloses, retains, and protects personal information when you visit nxtspacelabs.com (the “Website”), our applications, or any product or service that links to this policy (together, the “Services”).
NextSpace Labs is a company incorporated under the Companies Act, 2013, with its registered office at Door No 1-60/8/A & B, 3rd Floor, KNR Square, Opp. The Platina, Gachibowli, Kondapur, Hyderabad — 500 032, Telangana, India.
For the purposes of the DPDP Act 2023 we act as a Data Fiduciary. For the purposes of GDPR we act as a Controller. For the purposes of CCPA/CPRA we act as a Business. Where we process data on behalf of another organisation, we act as a Data Processor under a separate written agreement.
2. Who this policy applies to
- Visitors to our Website and readers of our publications;
- Users of our products;
- People who write to us, apply for a role, or otherwise interact with the company;
- Business contacts of prospective partners, vendors, and service providers.
Users under the age of 18 must not use our Services without verifiable parental or guardian consent, and in some jurisdictions we do not knowingly permit use at all — see section 12.
3. Information we collect
We collect only what we need to provide the Services and to comply with the law. Categories:
3.1 Information you give us
- Account information — name, phone number, email address, gender (where a product requires it), profile photograph, chosen username, and preferences.
- Verification information — identity documents, KYC documents, selfies, or voice samples where a product feature such as creator on-boarding, payouts, or trust-and-safety requires them. These are held only as long as required and encrypted at rest.
- Communications — messages you send us through forms, email, chat, calls, or our support channels, together with any attachments and metadata.
- Payment information — card numbers, UPI handles, and bank details are collected and stored by our licensed payment partners (Cashfree, Stripe, or equivalent) — not by us. We receive only a masked identifier, the amount, and the transaction status.
- User-generated content — text, images, audio, video, or other content you upload, transmit, or make available through our Services.
3.2 Information we collect automatically
- Device and log data — IP address, approximate location (city/country level, derived from IP), device model, operating system, browser, timestamps, referrer URL, and interactions with the Services.
- Cookies and similar technologies — see our Cookie Policy for the full detail.
- Product telemetry — anonymous, aggregated usage signals that help us understand which parts of a product work and which do not.
- Fraud, safety, and abuse signals — behavioural signals, device fingerprints where lawful, and safety signals used to detect fraud, abuse, or terms violations.
3.3 Information from third parties
We may receive information from payment processors, identity-verification providers, SMS/OTP delivery partners (e.g. MSG91), authentication providers (e.g. Firebase), analytics services, cloud infrastructure providers, and, with your consent, publicly-available data. We only receive what we need to run the feature you are using.
3.4 Sensitive personal data
We do not deliberately collect sensitive personal data (as defined under DPDP Rules, GDPR Article 9, or the CCPA) unless (a) a specific product feature requires it, (b) you provide it to us with your explicit consent, or (c) we are required to process it by law. Where collected, it is subject to enhanced technical and organisational safeguards.
4. Why we use your information (purposes of processing)
- To provide, operate, maintain, personalise, and improve the Services.
- To create, secure, and authenticate your account.
- To process payments, subscriptions, refunds, payouts, and related financial operations.
- To keep our platform safe — prevent fraud, abuse, harassment, and violations of our Terms and community guidelines.
- To communicate with you about the Services, product updates, security incidents, replies to your enquiries, and (only if you opt in) our writing.
- To meet regulatory, statutory, tax, accounting, and audit obligations.
- To conduct research and design better products — in aggregate and, where possible, using pseudonymised data that does not identify you.
- To defend or exercise legal claims, and to protect the rights, property, or safety of NextSpace Labs, our users, or the public.
5. Legal bases for processing
Under the DPDP Act 2023, we process personal data on the basis of your consent or on the basis of a legitimate use as defined in section 7 of the Act. Under GDPR / UK GDPR, we rely on one or more of:
- Consent (Article 6(1)(a)) — for optional analytics cookies, marketing communications, or specific product features.
- Contract (Article 6(1)(b)) — to provide the Services you have requested.
- Legal obligation (Article 6(1)(c)) — tax, KYC, cyber-security, and regulator requirements.
- Vital interests (Article 6(1)(d)) — to prevent imminent harm to a person.
- Legitimate interests (Article 6(1)(f)) — to secure the Services, prevent fraud, defend claims, and improve products, balanced against your rights.
Under CCPA/CPRA, we process personal information for the disclosed business purposes and do not sell your personal information; we do not knowingly “share” it for cross-context behavioural advertising within the meaning of CPRA. Where required, you may opt out of any such sharing via connect@nxtspacelabs.com.
6. How we share information
We do not sell your personal information. We disclose personal information only in these limited situations:
- Service providers & sub-processors who process data on our written instruction, under contracts that meet DPDP §8(2), GDPR Article 28, or equivalent standards. Categories include cloud hosting (Vercel, Supabase), communications (MSG91, Zoho), payments (Cashfree), identity (Sandbox.co / Cashfree Verification Suite), and analytics (Vercel Analytics).
- Business partners where a feature requires it and you have been informed — for example, a partner running a room or event you have chosen to join.
- Legal & safety — where required by law, subpoena, court order, or regulator request; or to protect people from imminent harm.
- Corporate events — in the event of a merger, acquisition, restructuring, or insolvency, subject to protective safeguards and, where required, prior notice.
- With your consent — any other sharing is only after we ask, and always revocable.
A current list of our material sub-processors is available on request at connect@nxtspacelabs.com.
7. International data transfers
Our infrastructure runs primarily in India (Supabase Mumbai, Vercel Mumbai/Singapore edge) and the European Union. If your personal data is transferred outside your country of residence, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and equivalent UK IDTA safeguards.
- Adequacy decisions where the destination jurisdiction has been recognised by the source jurisdiction.
- Compliance with any prohibition or restriction on cross-border transfer that the Central Government of India may notify under DPDP §16.
8. Data retention
We retain personal data only for as long as is necessary to provide the Services, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. Indicative retention periods:
- Active-account data — while your account is active, plus up to 12 months after closure for defence of legal claims.
- KYC / identity records — the period prescribed by applicable law (typically 5–8 years for Indian entities under PMLA and financial regulations).
- Transaction records — 8 years from the end of the relevant financial year (Companies Act, 2013 and Income-tax Act, 1961).
- Support communications — up to 3 years from last contact.
- Marketing consents and preference logs — while the consent is valid, plus a reasonable audit tail after withdrawal.
When retention ends we delete, anonymise, or aggregate the data so it can no longer be linked to you.
9. Your rights
Depending on where you are, you may have some or all of the following rights over your personal data:
- Right of access / confirmation — ask us for a copy of the personal data we hold about you and the material summary set out in DPDP §11.
- Right to correction & erasure — ask us to correct inaccurate data or delete data we no longer need.
- Right to portability — ask us for your data in a structured, machine-readable form (GDPR Art. 20).
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of earlier processing.
- Right to object & restrict — object to certain processing (including profiling), or ask us to restrict it (GDPR Art. 21).
- Right to opt out of sale/share — California and Nevada residents can direct us not to “sell” or “share” personal information (we already do not).
- Right to nominate — DPDP §14: nominate another individual to exercise your rights in the event of death or incapacity.
- Right to grievance redressal — contact our Grievance Officer (below) and, if unsatisfied, escalate to the Data Protection Board of India (once constituted) or your local supervisory authority.
- Right to complain to a supervisory authority — you can complain to the Information Commissioner’s Office (UK), your EU Data Protection Authority, or the California Attorney General.
10. How to exercise your rights
Write to connect@nxtspacelabs.com from the email address associated with your account, or use the in-product data-request tool where available. We may need to verify your identity before acting on your request. We aim to respond promptly and in line with the timelines applicable to your matter under law — indicatively, up to 30 days for DPDP requests, one month for GDPR requests (extendable by two months for complex requests), and up to 45 days for CCPA requests — free of charge, except where a request is manifestly unfounded or excessive.
11. Grievance Officer & Data Protection Officer
In accordance with the DPDP Act 2023, the Information Technology Act, 2000, and the Consumer Protection Act, 2019, our Grievance Officer for privacy and content matters is:
- Name — Saidulu Shaik (until formally re-designated)
- Designation — Grievance Officer / Data Protection Officer
- Email — connect@nxtspacelabs.com
- Postal address — NextSpace Labs Private Limited, Door No 1-60/8/A & B, 3rd Floor, KNR Square, Opp. The Platina, Gachibowli, Kondapur, Hyderabad — 500 032, Telangana, India.
- Acknowledge — as promptly as reasonably possible, typically within one business day.
- Resolve — we aim to resolve promptly (target: 15 days from receipt), and in any event in line with the timelines applicable to your matter under law.
12. Security
We apply reasonable and appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, hardened cloud infrastructure, role-based access controls, audit logs, periodic security reviews, secure-development practices, and an incident-response plan. No system is perfectly secure, and we cannot guarantee absolute security. If we ever suffer a personal-data breach that is likely to result in risk to your rights, we will notify affected users and the relevant regulator without undue delay, and in any event within the statutory timelines (72 hours under GDPR / DPDP §8(6) once operative).
13. Children’s privacy
Our Services are not directed at persons under the age of 18. Under DPDP §9, we do not knowingly process personal data of children without verifiable parental consent, do not undertake behavioural monitoring of children, and do not deliver targeted advertising to children. If we learn that we have collected data from a child without proper consent, we will delete it. Parents and guardians who believe we have unknowingly done so should contact the Grievance Officer immediately.
14. Automated decision-making & AI
Some of our features use automated systems — for example, matching, ranking, safety classifiers, and language-model-assisted features (e.g. Icebreakers). We do not use solely automated decisions that produce legal or similarly significant effects on you without a human review. Where we use AI systems to process your personal data, we take reasonable steps to (a) evaluate the accuracy of the models, (b) prevent harmful bias, (c) protect the confidentiality of training and inference data, and (d) give you a way to escalate to a human.
15. Job applicants & team members
When you apply for a role or work with us, we process the personal data you share — CVs, cover notes, communications, references — on the legal bases of consent and pre-contractual/contractual necessity. Applicant data is retained for up to 24 months from the last interaction unless you ask us to delete it sooner. Team-member data is retained per applicable labour, tax, and social-security law.
16. Third-party links & services
The Services may link to third-party websites or embed third-party services. We are not responsible for their content or their privacy practices. Please review their policies separately.
17. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you through the Service or by email at least 30 days before the change takes effect where required by law. The “Effective” date at the top of this policy is authoritative.
18. Governing law
This policy is governed by the laws of the Republic of India, without prejudice to any mandatory rights you have under the laws of your country of residence (including GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and PIPL). Courts at Hyderabad, Telangana, India shall have non-exclusive jurisdiction; you retain the right to bring proceedings in the courts of your country of habitual residence to the extent required by applicable consumer or data-protection law.
19. Contact
For any privacy question, complaint, or right-exercise request:
- Email — connect@nxtspacelabs.com
- Postal address — NextSpace Labs Private Limited, Door No 1-60/8/A & B, 3rd Floor, KNR Square, Opp. The Platina, Gachibowli, Kondapur, Hyderabad — 500 032, Telangana, India.
- CIN — U72900TG2026PTCXXXXXX (publishing on incorporation)
Version history
- Version 1.0 — effective 4 July 2026 — first publication of the multi-jurisdiction policy (DPDP 2023, GDPR, CCPA/CPRA, LGPD baseline).
- 8 July 2026 — hCaptcha removed from §6 (sub-processors) — the contact form no longer uses a CAPTCHA provider; anti-abuse is now handled entirely server-side.
We wrote this policy ourselves, in plain English, on purpose. If any part remains opaque, that is a mistake we would like to fix — please tell us.