Privacy Policy

1. Introduction and scope

This Privacy Policy (the "Policy") describes how Newcrux ("Newcrux", "we", or "the Company") collects, uses, stores, protects, and discloses the personal data of individuals who interact with the website https://newcrux.io and its subdomains (together, the "Site"), as well as those who contact us through the channels we make available.

This Policy applies to:

• Visitors to the Site.
• Individuals who complete the contact form or any other form available on the Site.
• Current and prospective Newcrux customers who engage with the Company through digital means.
• Individuals who contact Newcrux by email, social media, or other official channels.

Excluded scope: This Policy does not govern personal data processing that Newcrux carries out as a processor when it processes end-user conversations of our enterprise customers through the Nebula Commerce platform or similar products. Such processing is governed by the Data Processing Agreement (DPA) signed individually with each enterprise customer, who acts as controller toward its own end users.

2. Controller identity

Controller: Newcrux.io

Legal address:

Privacy contact email: privacidad@newcrux.io

General email: hola@newcrux.io

For any inquiry, request, or complaint related to your personal data, you may contact us through the channels indicated in Section 11.

3. Applicable legal framework

Personal data processing by Newcrux is governed by the laws in force in the Argentine Republic, in particular:

• Law No. 25,326 on Personal Data Protection and Regulatory Decree No. 1,558/2001.
• Law No. 26,951 ("Do Not Call"), where applicable.
• Law No. 24,240 on Consumer Defense, where relevant.
• National Constitution, Article 43, third paragraph (habeas data action).
• Civil and Commercial Code of the Nation.
• Resolutions, provisions, and criteria issued by the Agency for Access to Public Information (AAIP) as the supervisory authority.
• Council of Europe Convention 108+ on the protection of individuals with regard to automatic processing of personal data, to which Argentina is a party.

Additionally, where applicable based on the data subject’s residence or the nature of the processing, the following international frameworks will be observed:

• Regulation (EU) 2016/679 (GDPR) for data subjects residing in the European Economic Area.
• Brazil’s General Data Protection Law (LGPD, Law No. 13,709/2018).
• Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).
• Equivalent regulations in other Latin American countries where Newcrux provides services.

4. Personal data we process

Newcrux only collects personal data necessary to fulfill the purposes described in this Policy. Depending on your interaction with the Site, we may process the following categories of data:

4.1. Data you provide voluntarily

When you complete the Site’s contact form, we collect:

• First and last name (required).
• Email address (required).
• Company or organization (optional).
• Job title or role (optional).
• Message content (required).

When you contact us by email, social media, WhatsApp, or other channels, we collect the data you voluntarily choose to share, metadata inherent to the communication (date, time, sender identifier), and the content exchanged.

4.2. Automatically collected data

When you browse the Site, our systems may automatically log:

• IP address.
• Browser type and version.
• Operating system.
• Pages visited, time on page, and browsing patterns.
• Referring website (referrer).
• Date and time of access.
• Device identifiers.

This information is collected through cookies, pixels, log files, and similar technologies, as detailed in Section 10.

4.3. Contracting and business relationship data

If you represent a company that contracts or evaluates Newcrux services, we may additionally process:

• Company tax data (legal name, tax ID, address).
• Billing data.
• History of commercial interactions.
• Communications related to contract performance.

4.4. Sensitive data

Newcrux does not request or intend to process sensitive data (as defined in Section 2 of Law 25,326: racial or ethnic origin, political opinions, religious, philosophical, or moral convictions, trade-union membership, or information concerning health or sex life). Please do not include such information in your communications with us unless strictly necessary.

5. Processing purposes and legal bases

Newcrux processes your personal data for the following purposes and on the following legal bases:

You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

6. Recipients and service providers (subprocessors)

To provide its services, Newcrux uses external providers that act as processors under our instructions and with contractual duties of confidentiality and security. These providers may include, among others:

• Cloud infrastructure and hosting: cloud computing providers that host the Site and Newcrux systems.
• AI model providers: platforms supplying language models and natural language processing used in our products.
• Email and communication tools: email, CRM, and messaging providers.
• Web analytics tools: platforms that measure Site usage.
• Billing and administration services: accounting and invoicing systems.
• Professional advisors: law, accounting, or audit firms bound by confidentiality.

An up-to-date list of relevant subprocessors may be requested at privacidad@newcrux.io. Enterprise customers will receive a detailed list of subprocessors and their geographic location at contracting and upon any material change.

Newcrux does not sell your personal data to third parties. We may disclose data when required by competent authority, court order, or legal obligation.

7. International data transfers

Some of our infrastructure, AI model, and operational tool providers are located outside the Argentine Republic, including the United States, Ireland, and other EU member states.

For all international transfers of personal data, Newcrux implements appropriate safeguards in accordance with Law 25,326, DNPDP Provision 60/2016 and amendments, and AAIP Resolution 198/2023 on model contractual clauses for international transfers. Safeguards may include:

• Transfer to countries with an adequate level of protection.
• Model contractual clauses approved by the AAIP.
• Standard contractual clauses under Regulation (EU) 2016/679 where applicable.
• Certification mechanisms or binding codes of conduct.

You may request a copy of the safeguards applied by writing to privacidad@newcrux.io.

8. Data retention period

We retain personal data only as long as necessary to fulfill the purposes in this Policy and applicable legal obligations. General criteria:

• Contact form data without subsequent contracting: up to 24 months from last contact, unless the data subject objects earlier.
• Active customers: for the entire contractual relationship.
• Former customers: for the limitation period for legal actions arising from the contract (up to 10 years for contractual matters, under the Civil and Commercial Code), and while tax or regulatory retention duties remain.
• Browsing records and logs: between 12 and 24 months, depending on purpose.
• Commercial communications: until consent is withdrawn, and thereafter only minimum data needed to prove withdrawal.

After applicable periods, data will be deleted, anonymized, or blocked as appropriate.

9. Data subject rights

Law 25,326 and applicable international frameworks grant you the following rights regarding your personal data:

• Access: know what personal data we process about you, for what purpose, and to whom we disclose it. The first access is free; further requests may be made at intervals of no less than six months, unless legitimate interest applies.
• Rectification: request correction of inaccurate, incomplete, or outdated data.
• Update: request that your data reflect your current situation.
• Erasure: request deletion when no longer necessary, when you withdraw consent, or when processing is unlawful. This right may be limited where legal retention duties exist.
• Objection: object to processing for specific purposes, such as commercial communications.
• Withdrawal of consent at any time.
• Portability, where technically feasible and provided by applicable law.
• Not to be subject solely to automated processing that produces significant legal effects or similarly affects you, except as provided by law. You may request human review, express your point of view, and contest the decision.
• Lodge a complaint with the supervisory authority (see Section 13).

Under Article 14 of Law 25,326, Newcrux will respond to access requests within ten (10) calendar days. Rectification, update, or erasure requests will be answered within five (5) business days under Article 16. These periods may be extended when justified by complexity or volume.

10. How to exercise your rights

To exercise any of the rights described, you may:

1. Send an email to privacidad@newcrux.io with the subject line "Exercise of rights – Law 25,326".
2. Send a written notice to the address indicated in Section 2.

In either case, you should include:

• Full name and a copy of your ID (or equivalent verification).
• A clear description of the right you wish to exercise.
• Email or postal address where you wish to receive the response.
• Any supporting documentation, where applicable.

Newcrux may request reasonable additional information to verify your identity before processing the request, solely to protect the security of your data.

Exercising your rights is free of charge.

11. Security measures

Newcrux implements reasonable technical and organizational measures to protect personal data against unauthorized access, loss, alteration, disclosure, or unlawful destruction. These measures include, without limitation:

• Encryption of data in transit (HTTPS/TLS) and, where appropriate, at rest.
• Role-based access controls and least-privilege principles.
• Strong authentication for administrative access.
• Audit logs and monitoring of security events.
• Incident response procedures.
• Internal confidentiality policies applicable to all staff.
• Data processing agreements with all external providers.
• Periodic risk assessments.

Despite these measures, no system can guarantee absolute security. If a security incident affects your personal data, Newcrux will take notification measures as required by applicable law.

12. Automated decisions and artificial intelligence

Newcrux develops and offers AI-based products. Under this Policy:

• The Site does not make automated decisions that produce significant legal effects concerning you.
• If you interact with a conversational assistant on the Site, you will be clearly informed in advance that you are communicating with an AI system.
• Data you enter in the contact form is not used to train third-party AI models without your explicit additional consent.
• When we use third-party AI services to process your inquiries, we do so under contracts that prohibit using your data to train those providers’ base models, unless you expressly opt in.

If you are an end user of a Newcrux customer that has implemented Nebula Commerce or similar products, information on automated decisions, transparency, and AI will be provided by that customer (retailer) as controller, under the DPA between Newcrux and that customer.

13. Cookies and similar technologies

The Site uses cookies and similar technologies to ensure proper operation, measure audience, personalize experience, and, where applicable, for advertising.

Categories of cookies we may use:

• Strictly necessary / technical: essential for browsing and basic Site functionality. No consent required.
• Analytics: help us understand how users interact with the Site. Used with consent unless properly anonymized.
• Preferences: remember settings such as language or light/dark theme.
• Advertising or marketing: only activated with explicit consent where applicable.

You can configure your browser to reject cookies or alert you before they are set. Blocking some cookies may affect Site functionality.

14. Minors

The Site and Newcrux services are aimed at professionals and businesses; they are not intended for individuals under 18. Newcrux does not knowingly collect or process minors’ personal data. If you are a parent, guardian, or legal representative and believe a minor in your care has provided personal data, please contact us at privacidad@newcrux.io so we can delete it.

15. Supervisory authority and complaints

The supervisory authority for Law 25,326 in the Argentine Republic is the Agency for Access to Public Information (AAIP), before which you may file complaints related to the processing of your personal data.

Agency for Access to Public Information (AAIP). Website: https://www.argentina.gob.ar/aaip Address: Av. Pte. Gral. Julio A. Roca 710, 2nd floor, City of Buenos Aires.

Without prejudice to the above, we encourage you to contact Newcrux first at privacidad@newcrux.io to try to resolve any issue before contacting the authority.

16. Changes to this Policy

Newcrux may modify this Policy at any time to adapt to regulatory, technological, or business developments. Changes will be published on the Site with the date of last update. Where changes are material, we will notify data subjects by reasonable means where appropriate.

We recommend reviewing this Policy periodically. Continued use of the Site after publication of changes constitutes acceptance of the updated terms where applicable.

17. Contact

For inquiries, requests to exercise rights, or complaints related to the processing of your personal data:

• Email: privacidad@newcrux.io
• General email: hola@newcrux.io
• Postal address:
• © 2026 newcrux. All rights reserved.