Privacy Policy

1. Introduction

PxNDA ("we," "our," or "us") is a product of Algo Mejor Media Labs, based in Santo Domingo, Dominican Republic. We operate pxnda.com, a platform that enables users to send confidential files protected by digitally signed Non-Disclosure Agreements ("NDAs").

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, with whom we share it, and what rights you have over it. It applies to all users of pxnda.com regardless of location, including users in the Dominican Republic, Latin America, the United States, and the European Union.

By using PxNDA, you agree to the practices described in this Policy. If you do not agree, please discontinue use of the Service.

2. Who We Are — Controller Information

For the purposes of applicable data protection law (including the Dominican Republic's Ley 172-13 and the EU General Data Protection Regulation):

Data Controller:

Name: Algo Mejor Media Labs

Product: PxNDA (pxnda.com)

Address: Santo Domingo, Dominican Republic

Contact: pxnda@algomejor.do

For users in the European Union, we are the data controller responsible for your personal data. We are evaluating the appointment of an EU Representative under GDPR Article 27.

3. What Data We Collect

3.1 Account & Identity Data

When you create an account or send/receive an agreement:

Email address
Full name and company name (optional)
Authentication method (Google OAuth or email/password)
Account creation timestamp
Policy acceptance timestamp and version (for legal audit trail)

3.2 Agreement & Transaction Data

When you use the file transfer and NDA service:

Recipient email address and name
Purpose / message associated with each transfer
NDA terms selected (duration, scope, custom clauses, jurisdiction)
NDA content generated by AI based on your inputs
Digital signature data (drawn, typed, or uploaded signature image)
Timestamps of: agreement creation, link opened, NDA signed
Transfer reference number (e.g., PXNDA-XXXXXXX)

Note: Personal identifiers entered for the NDA (nationality, ID document type and number) are embedded in the signed PDF only and are not persisted in our database. They exist only in the immutable signed agreement record.

3.3 Files & Attachments

Files you upload to be transferred (any file type, up to 2GB)
File names, sizes, and storage paths
Files are stored in private encrypted cloud storage and are only accessible via time-limited signed URLs generated for parties to each specific agreement

3.4 Biometric Data — Digital Signatures

IMPORTANT: Your digital signature (whether drawn, typed, or uploaded as an image) constitutes biometric or behavioral data under applicable law, including Ley 172-13 (Dominican Republic) and GDPR Article 9 (European Union).

We collect and process signature data exclusively for:

Authenticating your identity as a party to the NDA
Generating the legally binding signed PDF record
Maintaining an audit trail of agreement execution

We do not use signature data for biometric identification, marketing, or behavioral profiling.

3.5 Technical & Usage Data

IP address (used for geolocation at country/city level via ipapi.co)
Country and city of access
Device type (mobile/tablet/desktop)
Browser type and version
Operating system, screen resolution, language preference
Session identifier (stored in sessionStorage, not a cookie)
Web analytics events via Google Analytics 4 (page views, sign-in, transfers sent, agreements signed) — IP anonymized

3.6 Payment Data

Payments are processed exclusively by Lemon Squeezy (our payment processor and Merchant of Record). PxNDA does not collect, store, or process credit card numbers, bank account details, or any sensitive payment information. Lemon Squeezy's Privacy Policy governs the handling of payment data: lemonsqueezy.com/privacy

4. Legal Basis for Processing (GDPR)

For users in the European Union, we process your personal data under the following legal bases under GDPR Article 6:

Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service — account management, sending agreements, generating NDAs, storing signed documents.
Legitimate interests (Art. 6(1)(f)): Analytics to improve the Service, fraud prevention, security monitoring. We have conducted a legitimate interests assessment and determined these interests are not overridden by your rights.
Legal obligation (Art. 6(1)(c)): Retaining records as required by applicable law.
Consent (Art. 6(1)(a)): For the processing of biometric/signature data (Art. 9), which requires explicit consent given separately at the point of signing.

For users in the Dominican Republic, processing is governed by Ley 172-13 sobre Protección de Datos de Carácter Personal.

5. How We Use Your Data

We use your personal data exclusively for the following purposes:

Providing the Service: processing file transfers, generating NDAs, facilitating digital signatures
Account management: authentication, session management, account settings
Communications: sending transactional emails (invitation links, signature confirmations, account verification)
Analytics: understanding how users interact with PxNDA to improve the product (aggregated, non-identifying where possible)
Security: detecting fraud, unauthorized access, and abuse
Legal compliance: maintaining records as required by applicable law
Customer support: responding to inquiries

We do NOT use your data for: advertising, selling to third parties, behavioral profiling for commercial purposes, or any purpose beyond what is described in this Policy.

6. AI-Generated NDA Content

PxNDA uses Anthropic's Claude AI to generate NDA clauses based on inputs you provide (parties, jurisdiction, industry, purpose, duration, scope). The following applies to this feature:

The AI generates draft legal language — it is not a substitute for legal advice
Your inputs are transmitted to Anthropic's API to generate the NDA
The generated NDA content is stored as part of your agreement record
PxNDA is not a law firm and does not provide legal services
You are solely responsible for reviewing AI-generated NDA content before use

Anthropic processes API inputs in accordance with their Privacy Policy and API Terms of Service. Anthropic's data processing is governed by a Data Processing Agreement.

7. Data Sharing & Third-Party Processors

We share your data only with processors necessary to provide the Service. All processors are bound by Data Processing Agreements (DPAs) and contractual commitments to protect your data.

Processor	Purpose	Location	Privacy Policy
Supabase	Database, file storage, authentication	USA	supabase.com/privacy
Netlify	Web hosting	USA	netlify.com/privacy
Resend	Transactional email	USA	resend.com/privacy
Anthropic	AI NDA generation (Claude API)	USA	anthropic.com/privacy
Lemon Squeezy	Payment processing (Merchant of Record)	USA	lemonsqueezy.com/privacy
Google Analytics 4	Aggregated web analytics (IP anonymized)	USA / EU	policies.google.com/privacy
ipapi.co	Country/city geolocation (no PII stored)	EU	ipapi.co/privacy

We do not sell, rent, or trade your personal data to any third party for commercial purposes. We may disclose data if required by law, court order, or lawful government request.

8. International Data Transfers

Your data is processed and stored in the United States by our service providers. If you are located in the European Union, this constitutes a transfer of personal data outside the EEA.

We ensure appropriate safeguards for international transfers through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all processors
Processors participating in recognized frameworks (Supabase, Netlify, Resend, Anthropic, Google)

For Dominican Republic users, international transfers comply with Ley 172-13, Article 23 (International Data Transfers).

9. Data Retention

We retain your data for the following periods:

Account data: retained while your account is active, plus 12 months after deletion request
Agreement records and signed NDAs: retained for 5 years (legal record-keeping requirements)
Uploaded files: retained for the duration of the active agreement; you may request deletion at any time by contacting us. Automated retention policies (e.g., automatic deletion after a defined period) are planned for a future release and will be communicated in advance.
Signature images: retained as part of the agreement record for 5 years
Analytics events: retained for 24 months
Payment records: retained as required by Lemon Squeezy and applicable tax law

You may request earlier deletion of your data subject to the exceptions described in Section 11.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

All data transmitted over HTTPS/TLS encryption
Files stored in private encrypted cloud storage (Supabase Storage with AES-256)
Time-limited signed URLs for file access (1-hour validity, regenerated on demand for authorized parties)
Signature data stored as encrypted database records
Access controls: data is only accessible to parties to each specific agreement
Content Security Policy (CSP), X-Frame-Options, HSTS, and other security headers active in production
XSS protection via HTML escaping on all user-generated content
Authentication via Supabase Auth with bcrypt password hashing
Webhook signature verification (HMAC SHA-256) for payment events

No system is 100% secure. In the event of a data breach that poses a high risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (GDPR Art. 33-34, Ley 172-13).

11. Your Rights

11.1 Rights Under GDPR (EU Users)

Right of access (Art. 15): Request a copy of all personal data we hold about you
Right to rectification (Art. 16): Correct inaccurate or incomplete data
Right to erasure / Right to be forgotten (Art. 17): Request deletion of your data (subject to legal retention requirements)
Right to restriction of processing (Art. 18): Limit how we process your data in certain circumstances
Right to data portability (Art. 20): Receive your data in a machine-readable format
Right to object (Art. 21): Object to processing based on legitimate interests
Rights related to automated decision-making (Art. 22): PxNDA does not make solely automated decisions with legal effects on individuals
Right to withdraw consent: For signature/biometric data, you may withdraw consent — this will not affect lawfulness of prior processing

11.2 Rights Under Ley 172-13 (Dominican Republic Users)

Right to access your personal data
Right to rectification of inaccurate data
Right to cancellation (deletion) of data
Right to opposition to processing

11.3 Rights Under CCPA (California Users)

Right to know what personal information is collected
Right to deletion of personal information
Right to non-discrimination for exercising your rights
Note: We do not sell personal information

11.4 How to Exercise Your Rights

To exercise any of your rights, contact us at:

Email: pxnda@algomejor.do

Subject line: "Privacy Request — [Your Right]"

Include: your email address, the right you are exercising, and sufficient information to identify your account

We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your request. We may need to verify your identity before processing requests.

EU users have the right to lodge a complaint with their local Data Protection Authority (DPA). A list of EU DPAs is available at: edpb.europa.eu

12. Cookies, Local Storage & Analytics

PxNDA uses browser localStorage and sessionStorage to maintain your session and preferences, plus Google Analytics 4 for aggregated usage analytics:

pxnda-auth-token (localStorage): Your authentication session token, encrypted by Supabase Auth. Persists until you sign out or clear browser storage.
pxnda-admin-token (sessionStorage): Admin dashboard access token. Cleared when browser tab closes.
px_sid (sessionStorage): Anonymous session identifier for analytics. Cleared when browser tab closes.
Google Analytics 4 cookies (_ga, _ga_*): aggregated web analytics with IP anonymization enabled. Configured under Google's Standard Contractual Clauses for EU users.

We do not use advertising cookies, Meta Pixel, retargeting pixels, or cross-site tracking technologies. Analytics data is used only to improve the product, not for advertising or behavioral profiling.

13. Children's Privacy

PxNDA is intended for users 18 years of age and older. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

If you believe we have collected data from a minor, please contact us at pxnda@algomejor.do.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this Policy
Post a notice on pxnda.com
For significant changes, notify registered users by email

Your continued use of PxNDA after the effective date of any changes constitutes your acceptance of the updated Policy.

15. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or our data practices:

Algo Mejor Media Labs — PxNDA

Email: pxnda@algomejor.do

Website: pxnda.com

Location: Santo Domingo, Dominican Republic

We are committed to resolving privacy concerns promptly and transparently.