Privacy Policy

Last updated: March 2026

This Privacy Policy explains how Willow Project Limited, trading as Nxpa (“we”, “us”, “our”), collects, uses, and protects your information when you use nxpa.io, the Nxpa application, and any related services (collectively, the “Service”).

Data Controller

The data controller for the Service is:

Willow Project Limited
[Registered Address]
CRO Number: [CRO Number]
Contact: [email protected]

Information We Collect

Account information

When you create an account or request early access, we collect your name, email address, and password. For waitlist requests, we may also collect your company name, company size, and role. Providing this information is necessary to create your account and access the Service. If you do not provide it, you will not be able to use the Service.

Content you upload

When you upload images to Nxpa, we store your files along with metadata such as filename, file size, and image dimensions. If your images contain EXIF data (camera settings, date taken, etc.), we extract and store that information to display within the Service. You can choose to strip EXIF data when exporting.

For user-uploaded content that may contain personal data (such as photographs of people), you are the data controller and we act as a data processor on your behalf. We process this content only as necessary to provide the Service.

Team and collaboration data

When you create or join a team, we store your team name, team logo, membership details, and the email addresses of invited members. We also store comments, annotations, review decisions, and activity associated with your team’s work.

Payment information

Payment processing is handled by Stripe. We do not store your credit card number or bank details. We receive your subscription status, billing period, and invoice history from Stripe.

Device and session information

When you sign in, we record your browser type and device name so you can manage your active sessions and spot unauthorised access.

Usage data

We collect usage data — such as pages viewed, links clicked, and feature interactions — using PostHog, an open-source product analytics platform. Analytics data is sent to PostHog’s EU-hosted infrastructure. Analytics are only activated after you accept cookies. We do not use Google Analytics or any advertising-based tracking.

We process your personal data on the following legal grounds under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)) — account creation, authentication, providing the Service, processing your uploads, managing your subscription and payments, and sending transactional emails (password resets, email verifications, team invitations).
  • Consent (Art. 6(1)(a)) — analytics cookies and usage tracking. You can withdraw your consent at any time by clearing your cookie preferences, which will not affect the lawfulness of processing carried out before withdrawal.
  • Legitimate interest (Art. 6(1)(f)) — error monitoring and maintaining the security and reliability of the Service, device and session tracking to detect unauthorised access, and improving the Service based on aggregated usage patterns. Our legitimate interest is ensuring the Service operates securely and reliably for all users.

Cookies

We use a small number of cookies:

  • Session — keeps you signed in. Strictly necessary.
  • Security (CSRF) — protects form submissions. Strictly necessary.
  • Cookie consent — remembers your analytics preference. Expires after 7 days.
  • Theme — stores your light or dark mode selection.

Analytics cookies are only set after you give consent. You can withdraw consent at any time by clearing your cookies or declining when prompted. We do not use advertising cookies, retargeting pixels, or third-party tracking cookies.

How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process your uploads and facilitate team review workflows
  • Manage your account and active sessions
  • Process payments and manage your subscription
  • Send transactional emails — such as password resets, email verifications, and team invitations
  • Monitor for errors and maintain reliability
  • Understand how the Service is used so we can improve it

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

Automated Decision-Making

The Service may use automated image quality analysis to generate a quality score for uploaded images. This score is used as a tool to assist your review workflow and does not result in any decisions with legal or similarly significant effects. You are always in control of approval and rejection decisions for your content.

Third-Party Services

We use the following services to operate Nxpa. Each processes data on our behalf and under our instructions:

  • Stripe (United States) — payment processing and subscription management. Stripe is certified under the EU-US Data Privacy Framework.
  • Hetzner (Germany) — cloud infrastructure and object storage for your uploaded files, databases, and application hosting. All data is stored within the EU.
  • Amazon Web Services (EU region) — transactional email delivery via Amazon SES.
  • Cloudflare (United States) — content delivery, DDoS protection, and bot protection. Cloudflare is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses.
  • Sentry (United States) — error monitoring. Sentry may receive request context when errors occur. Sentry uses Standard Contractual Clauses for data transfers.

International Data Transfers

Your uploaded content and account data are stored on servers located in Germany (EU). Some of our sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place through the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission.

You can review each provider’s data processing agreements and safeguards directly:

Data Storage and Security

All data is transmitted over HTTPS. Passwords are securely hashed and never stored in plain text. We implement reasonable technical and organisational measures to protect your data against unauthorised access, alteration, or destruction. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain your account information and uploaded content for as long as your account is active. Specific retention periods:

  • Sessions — inactive device sessions are automatically deleted after 30 days.
  • Exports — download links and exported files expire and are automatically deleted.
  • Email logs — transactional email records are retained for delivery tracking and troubleshooting.

If you request deletion of your account, we will remove your personal data within 30 days, except where we are required by law to retain certain records.

Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Restriction — request that we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests, including direct marketing
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Irish Data Protection Commission:

Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
www.dataprotection.ie

Your Content

You retain full ownership of all images and files you upload to Nxpa. We do not claim any intellectual property rights over your content. We access your content only to provide the Service.

Children’s Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it promptly.

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and inform the Data Protection Commission within 72 hours in accordance with the GDPR.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. We encourage you to review this policy periodically.

Contact

If you have any questions about this Privacy Policy or how we handle your data, contact us at [email protected].