Privacy Policy
Last updated: June 26, 2026
1. Introduction and identification
NexTool Soluções em TI LTDA, registered under CNPJ no. 38.239.534/0001-48 ("NexTool", "NexTool Solutions", "we" or "our"), responsible for the domain nextoolsolutions.com and the services associated with it, respects the privacy of data subjects and is committed to protecting the personal data it processes, in accordance with Law no. 13.709/2018 (Brazilian General Data Protection Law - LGPD).
This Privacy Policy describes how we process personal data across the three fronts of our ecosystem:
- Institutional website (nextoolsolutions.com): informational pages, blog, contact form and newsletter;
- Customer Portal (app.nextoolsolutions.com): registration, authentication, account management, contracting, payment and licensing of modules;
- NexTool plugin for GLPI and its modules: software installed on the customer's infrastructure, including artificial intelligence, messaging and integrations with external services.
By using any of these fronts, you declare that you are aware of this Policy. We recommend reading it in full. If you have any questions, use the Data Protection Officer's channel indicated in section 14.
2. Roles in processing: Controller and Processor
The LGPD distinguishes the Controller (who is responsible for decisions regarding processing - Art. 5, VI) from the Processor (who processes data on behalf of the Controller - Art. 5, VII). In our ecosystem, NexTool acts in both roles, depending on the front:
| Front | NexTool's role | Data Controller |
|---|---|---|
| Institutional website | Controller | NexTool |
| Customer Portal (account, payment, licensing) | Controller | NexTool |
| Plugin and modules running inside the customer's GLPI | Processor | The customer (organization that operates the GLPI instance) |
What this means in practice: when you browse our website or create an account on the Portal, NexTool decides the purposes and means of processing and is your direct point of contact. The data that lives inside the customer's GLPI instance (users, tickets, attachments), however, belongs to the customer, who is the Controller; in these cases NexTool acts as a Processor, processing the data on behalf and by order of the customer, in accordance with the contract and instructions. If you are an employee of a customer organization and wish to exercise rights over data processed within its GLPI, your request must first be directed to your organization (the Controller); NexTool will provide support in its capacity as Processor.
3. Data we process, by front
3.1 Institutional website (NexTool as Controller)
- Contact form data: name, e-mail, phone, subject and message content (free text, which may contain other data you choose to provide).
- Newsletter: e-mail address and subscription date, when you opt in to receive it.
- Technical browsing data: IP address, User-Agent (browser and operating system), pages accessed, date and time, status and response time.
- Blog audience metrics: view identifiers to count accesses per publication. When we use the IP address for this purpose, it is anonymized/processed so as not to allow the visitor to be directly identified.
- Blog comments: when you comment via the integrated comment system (GitHub Discussions/giscus), your login, avatar and the comment content are processed directly by the GitHub platform.
- Measurement and advertising data: measurement (Google Analytics) and advertising (Google AdSense) identifiers and cookies, loaded only after your consent (see section 6).
3.2 Customer Portal (NexTool as Controller)
- Account and contact data: name, e-mail, phone (and whether it is WhatsApp), company, job title and profile photo (when uploaded).
- Tax data: CPF and/or CNPJ and, where applicable, date of birth, requested at the time of contracting/checkout for issuing billing and complying with tax obligations.
- Authentication credentials and secrets: password (stored in encrypted form), "remember me" tokens and two-factor authentication secrets (2FA/MFA). This data is kept encrypted and is not accessible in plain text by our team.
- Social login identity (when you use SSO): when you sign in with Google, GitHub, Microsoft or LinkedIn, we receive from the provider your name, e-mail and an account identifier.
- Payment data: card processing is performed by Stripe. We do not store the full card number; we keep only a minimal mirror (the customer identifier on Stripe, card brand and the last four digits) and the subscription data.
- Licensing data: license key and status, plan, enabled modules, the link between your account and the GLPI environment to which the license applies, and transaction records.
- Session, device and audit data: IP address, User-Agent, access records and an audit trail of relevant actions (e.g., login, environment linking, license change).
- Preferences and communication: display preferences and opt-in to receive announcements and news.
3.3 NexTool plugin and modules (NexTool as Processor)
The NexTool plugin and its modules are run inside the customer's GLPI instance, over data that belongs to the customer (users, tickets, attachments). In these processing activities NexTool acts as a Processor. The categories of data involved depend on the modules activated by the customer and include:
- Identification of GLPI users (name, e-mail, login) of technicians, agents and requesters;
- ITIL ticket content (descriptions, follow-ups, tasks, solutions and attachments), which may contain personal data of third parties provided by the requester;
- Corporate identity via Microsoft Teams/Azure AD (name, corporate e-mail, account and tenant identifier) and message content, when the customer activates the Teams support assistant;
- Phone/WhatsApp, Telegram identifier and message content, when the messaging modules are activated;
- Geolocation (coordinates), captured only upon the user's explicit authorization in the browser, when the geolocation module is activated;
- Signatory data (name, e-mail, CPF, document and phone for validation) when the digital signature module is activated;
- Requester/approver data in B2B purchasing integrations;
- Data of tickets synchronized between GLPI instances, when synchronization is activated.
In addition, to enable licensing (a relationship in which NexTool is the Controller), the plugin communicates with our infrastructure (ContainerAPI) by sending technical data about the installation, such as an environment identifier, the instance domain and license validation counters. This data is intended for license control, module distribution and fraud prevention.
4. Purposes of processing
We process personal data for the following purposes, according to the front:
- Website: respond to contact requests (by opening a ticket in our GLPI), conduct pre-contractual and commercial procedures, send the newsletter upon consent, ensure security and prevent fraud/abuse, measure audience (upon consent) and enable blog comments.
- Portal: create and maintain the account, authenticate access (including 2FA and social login), process contracting and payment, issue and manage licenses, link the account to the GLPI environment, provide support, comply with tax and legal obligations, prevent fraud and maintain an audit trail.
- Plugin/modules: run the features contracted by the customer (AI assistance, messaging, digital signature, synchronization, geolocation, etc.) on behalf and by order of the customer Controller, and operate license control.
5. Legal bases
Processing is based on the LGPD legal bases applicable to each purpose:
- Performance of a contract and pre-contractual procedures (Art. 7, V): account, authentication, contracting, payment, licensing and environment linking; handling of commercial contacts; running of the modules on behalf of the customer.
- Compliance with a legal or regulatory obligation (Art. 7, II): tax data (CPF/CNPJ, transactions) and retention of application access records, pursuant to the Brazilian Internet Civil Framework (Law no. 12.965/2014).
- Legitimate interest (Art. 7, IX): information security, fraud prevention, auditing, usage telemetry and metrics, always subject to a proportionality assessment and respect for your expectations and rights.
- Consent (Art. 7, I, and Art. 8): newsletter and marketing communications, measurement and advertising cookies, geolocation capture and specific processing activities that require it. Consent may be revoked at any time.
When NexTool acts as a Processor (plugin/modules), the legal basis is defined by the customer Controller; NexTool processes the data in accordance with the instructions and the contract.
6. Cookies and tracking technologies
We use cookies and similar technologies classified by category. Non-essential cookies (measurement and advertising) are loaded only after your consent, given through the consent banner, which allows you to accept or decline by category and change your choice at any time.
Institutional website:
| Cookie/technology | Category | Purpose |
|---|---|---|
| Theme preference (localStorage) | Necessary | Remember light/dark mode; does not leave the browser |
| cookie_consent | Necessary | Record your consent preferences |
| Cloudflare Turnstile | Functional | CAPTCHA for the contact form |
| Cloudflare (CDN/security) | Necessary | Distribution and protection of the website |
| giscus (GitHub) | Functional | Blog comments (login managed by GitHub) |
| Google Analytics (_ga, _ga_*) | Measurement | Audience measurement - loaded only after consent |
| Google AdSense (__gads, __gpi etc.) | Advertising | Ads and profiling - loaded only after consent |
Customer Portal: uses cookies that are strictly necessary for its operation (authenticated session, CSRF protection, "remember me" and social login flow state). As they are essential to the provision of the service, they do not require consent, but are listed here for transparency.
7. Automated processing and Artificial Intelligence
Some plugin modules offer features based on artificial intelligence (for example, ticket summarization, response suggestion, sentiment analysis, semantic search and translation) and automated support assistants (chatbots on Teams, WhatsApp and Telegram).
- These features process the content of tickets to generate the requested assistance, but do not make automated decisions with legal effects or that significantly affect the data subject (Art. 20 of the LGPD); support is conducted by a human team, and you may request human review.
- Several modules adopt the BYOK ("bring your own key") model: the AI provider is contracted and configured by the customer itself, who determines to which service the content is sent.
- When these features send data to external providers, sections 8 (sub-processors) and 9 (international transfer) apply.
8. Sharing, processors and sub-processors
We do not sell your personal data. We share data only with processors and partners necessary for the provision of the services, within the limits of the purposes of this Policy. The main ones are:
| Partner | Function | Front |
|---|---|---|
| Cloudflare | CDN, security, CAPTCHA | Website |
| Google Analytics | Audience measurement (after consent) | Website |
| Google AdSense | Advertising (after consent) | Website |
| GitHub (giscus) | Blog comments | Website |
| Google / GitHub / Microsoft / LinkedIn | Social login (SSO) | Portal |
| Stripe | Payment and subscription processing | Portal |
| Brevo | Sending transactional e-mails (verification, password reset) | Portal |
| Hostinger | Infrastructure hosting | Portal/infra |
| OpenAI, Google, Anthropic | AI providers (summary, response, translation, embeddings) | Modules |
| NexSuite (api-chat) | Chat assistant orchestration | Modules |
| Microsoft 365/Teams | Channel and identity of the Teams assistant | Modules |
| WhatsApp/Meta, Telegram | Messaging | Modules |
| DeepL, Google Translate | Translation | Modules |
| Mercado Eletrônico | B2B purchase requests | Modules |
| Autentique | Digital signature | Modules |
| Geocoding providers | Conversion of coordinates into addresses | Modules |
The detailed and up-to-date list of processors can be requested from the Data Protection Officer (section 14). In processing activities in which NexTool is a Processor, the partners above act as sub-processors, and sharing occurs on behalf and by order of the customer Controller.
9. International data transfer
Some processors and partners are located in or process data outside Brazil (for example, in the United States and the European Union), including Google, Microsoft, Stripe, Brevo, OpenAI, Anthropic, DeepL, Meta, Telegram and geocoding providers. The chat orchestration backend (NexSuite) may also process data outside Brazil. In these cases, the international transfer complies with the provisions of Arts. 33 to 36 of the LGPD, through guarantees of an adequate level of protection, such as standard contractual clauses and the providers' own privacy commitments.
The infrastructure operated by NexTool itself is kept in Brazil, without transferring such data to third parties for its own purposes: the website's GLPI instance, the licensing infrastructure (ContainerAPI) and the WhatsApp messaging gateway. The digital signature (Autentique) and B2B purchase (Mercado Eletrônico) modules are provided by Brazilian companies; to the extent that any processing occurs outside Brazil, the international transfer regime above applies equally.
10. Retention and disposal
We keep personal data only for as long as necessary for the purposes for which it was collected, observing legal deadlines. Criteria by category:
| Category | Retention criterion |
|---|---|
| Contact/ticket (website) | For the duration of the service and for the applicable contractual/legal retention period |
| Newsletter | Until consent is revoked (unsubscribe), which can be done at any time |
| Access logs | For the security/diagnostic period, observing the legal minimum of the Internet Civil Framework |
| Audience metrics | For a limited period, in aggregated/anonymized form |
| Account and licensing (portal) | During the term of the contractual relationship and for the subsequent legal periods |
| Tax data and transactions | For the periods required by tax/accounting legislation |
| Audit trail | For a period compatible with the security and evidentiary purposes |
Once the periods have ended, the data is deleted or anonymized, except in cases of mandatory retention (Art. 16 of the LGPD).
11. Data subject rights
Pursuant to Art. 18 of the LGPD, you may, at any time:
- confirm the existence of processing and access your data;
- correct incomplete, inaccurate or outdated data;
- request the anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance;
- request the portability of the data;
- request the deletion of data processed on the basis of consent;
- obtain information about the sharing of your data;
- revoke consent;
- object to processing carried out on the basis of legitimate interest.
In the Portal, we provide means to update account data and to request the deletion/anonymization of the account, except for data that we must retain due to a legal obligation (e.g., tax records).
For data processed inside the customer's GLPI (where NexTool is a Processor), direct your request to the Controller organization; NexTool will support the handling.
To exercise your rights, use the Data Protection Officer's channel (section 14).
12. Information security
We adopt technical and organizational measures to protect data, including: HTTPS/TLS connection; storage with encryption and access controls; two-factor authentication and encrypted secrets in the Portal; isolation per instance and per database for each customer; signed communication (HMAC) between components; the principle of least privilege; and audit records. Administrative access to customer data (including the assisted account viewing feature in the Portal) is controlled and audited.
13. Incident management
We maintain processes for the detection, response and containment of security incidents. Should an incident occur that may give rise to relevant risk or harm to data subjects, we will notify the National Data Protection Authority (ANPD) and the affected data subjects, pursuant to Art. 48 of the LGPD. When we act as a Processor, we will notify the customer Controller so that it can fulfill its duties.
14. Data Protection Officer (DPO)
NexTool provides a channel for contact with its Data Protection Officer for clarifications about this Policy and for the exercise of rights:
- Data Protection Officer: Richard Loureiro Leite
- E-mail: privacidade@nextoolsolutions.com
15. Changes to this Policy
We may update this Policy at any time. In the event of relevant changes, we will revise the "last updated" date at the top and, where appropriate, notify you through the available channels. Continued use after the changes take effect implies acknowledgment of the updated version.
16. Contact and jurisdiction
For questions about this Policy, contact us at privacidade@nextoolsolutions.com. This Policy is governed by Brazilian law. The courts of the Comarca de São João del-Rei/MG are elected to resolve disputes, with waiver of any other.