Privacy Policy
Effective date: 22 March 2026
Nexentry Pty Ltd (ABN pending) ("Nexentry", "we", "us", "our") is committed to protecting the privacy of individuals whose personal information is collected and processed through the Nexentry platform ("Platform"). This Privacy Policy explains what data we collect, how we use it, and your rights.
This policy applies to all users of the Platform, including Customer administrators, site staff, and gym members whose data is managed by Customers on the Platform.
1. Information We Collect
1.1 Customer and User Data
When a Customer registers and uses the Platform, we collect:
- Account information: Name, email address, phone number, role, and login credentials.
- Business information: Company name, site addresses, and billing details.
- Authentication data: Hashed passwords, MFA secrets (encrypted), and backup codes.
- Usage data: Login times, actions taken within the Platform, and IP addresses (for audit logging).
1.2 Member Data (Processed on Behalf of Customers)
Customers input and manage data about their gym members, which may include:
- Identity: Full name, date of birth, email, phone number, emergency contact.
- Photos and documents: Profile photos, driver's licence images, signed membership agreements (stored in encrypted MinIO storage).
- Membership details: Plan type, status, billing anchor date, freeze history.
- Financial data: Payment token identifiers (we do not store full card numbers — tokenisation is handled by the payment processor).
- Access logs: Card tap events including timestamp, door, and access decision (granted/denied).
- RFID card numbers: Unique identifiers for physical access cards.
1.3 Edge Agent Data
On-premises edge agents at Customer sites collect:
- Card tap events (card number, timestamp, door reader identifier, access decision).
- A local cache of member and card data for offline operation.
- Agent health telemetry (heartbeat, last sync time, software version).
1.4 Website Visitors
When you visit nexentry.ai, we may collect:
- Information you voluntarily provide via demo request forms (name, email, company website).
We do not use cookies or third-party analytics trackers on our marketing website.
2. How We Use Your Information
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Provide the Platform | Account, member, access, billing data | Contract performance |
| Process payments | Payment tokens, billing amounts | Contract performance |
| Send SMS notifications | Phone numbers, message content | Contract performance / Consent |
| Security and fraud prevention | IP addresses, login attempts, audit logs | Legitimate interest |
| Platform improvement | Aggregated, anonymised usage data | Legitimate interest |
| Respond to enquiries | Contact form submissions | Consent |
3. Data Sharing
We do not sell personal information. We share data only in the following circumstances:
- Payment processor (Merchant Warrior): Payment tokens and transaction amounts for billing.
- SMS provider (Twilio): Phone numbers and message content for member notifications.
- Infrastructure providers: Our hosting infrastructure processes data to deliver the Platform. All data remains within Australia.
- Legal requirements: We may disclose data if required by law, court order, or government regulation.
4. Data Storage and Security
- All data is stored on infrastructure located in Australia.
- Data in transit is encrypted via TLS 1.2+.
- Passwords are hashed using bcrypt with appropriate cost factors.
- MFA secrets are encrypted at rest.
- File storage (photos, agreements) uses self-hosted S3-compatible storage (MinIO) with access controls.
- Database backups are performed daily and stored securely.
- Multi-tenant data isolation ensures Customers cannot access each other's data.
- Edge-to-cloud communication is secured with HMAC-SHA256 request signing.
5. Data Retention
- Active accounts: Data is retained for the duration of the subscription.
- Access logs: Retained per the Customer's configured retention period (default: 12 months), after which they are automatically purged.
- Audit logs: Retained per the Customer's configured retention period (default: 24 months).
- Post-termination: Customer data is retained for 30 days following account termination to allow for export, then permanently deleted.
- Demo requests: Retained for 12 months, then deleted.
6. Your Rights
Under the Australian Privacy Act 1988 and applicable privacy legislation, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention obligations.
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.
For gym members: your personal data is managed by your gym operator (our Customer). Please contact them directly for access, correction, or deletion requests. We will assist Customers in fulfilling these requests.
7. Children's Privacy
The Platform may process data about members under 18 as part of gym membership management (e.g., age-gated access zones). This data is provided and managed by the Customer, who is responsible for obtaining appropriate parental or guardian consent.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active Customers at least 14 days before taking effect. The "effective date" at the top of this page reflects the latest revision.
9. Contact Us
For privacy-related enquiries or to exercise your rights, contact us at:
Nexentry Pty Ltd
Email: privacy@nexentry.ai