Privacy Policy

Last updated: 19 April 2026

In short

NEXUS DSP is an intelligence platform for UK Amazon Delivery Service Partners. We collect the information you give us to create your account, the Amazon scorecard and related files you upload to generate your briefings, and basic technical data needed to run the service. We do not sell your data. We do not use advertising or tracking cookies. We store data in the EU on industry-standard infrastructure, and we delete it on a published schedule. For questions, contact privacy@nexusdsp.ai.

This notice explains how we handle personal data in more detail. It forms part of the contract between you and us and complies with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

The data controller for personal data processed in connection with the NEXUS DSP platform is:

VELLOX LTD
Company number 17136312, registered in England and Wales.
Registered office: Cranberrie Heights, Old Newport Road, Old St Mellons, Cardiff CF3 5FX.
ICO registration: ZC115373.
Contact: privacy@nexusdsp.ai

Data Protection Officer. We have appointed a Data Protection Officer, registered with the Information Commissioner's Office. The DPO can be contacted by email at dpo@nexusdsp.ai or by post at our registered office marked “FAO Data Protection Officer”. The DPO monitors our compliance with data-protection law, advises on data-protection impact assessments, and acts as the point of contact for the ICO and data subjects.

2. Scope of this notice

This notice applies to personal data we process in connection with:

  • The marketing website at nexusdsp.ai;
  • The NEXUS DSP platform at app.nexusdsp.ai;
  • The NEXUS DSP driver application (for drivers whose DSP has activated the application);
  • Correspondence with us at hello@nexusdsp.ai, support@nexusdsp.ai, privacy@nexusdsp.ai, legal@nexusdsp.ai, or dpo@nexusdsp.ai.

Where we process personal data on behalf of a DSP (our business customer) — including information about the DSP's drivers uploaded or entered into the platform — the DSP is the data controller and VELLOX LTD is the data processor under UK GDPR Article 28. In that case, the DSP's own privacy notice governs that processing. Our role and responsibilities as a processor are set out in our Data Processing Agreement, available on request at legal@nexusdsp.ai.

3. Personal data we collect

3.1 Account and contact data

When you create an account or contact us, we collect:

  • Name and work email address;
  • Employer / DSP name, Amazon station code, DSP short code;
  • Your role within the DSP;
  • Password (stored as a one-way cryptographic hash using Argon2id);
  • Multi-factor authentication secrets, where enabled;
  • Records of your communications with us.

3.2 Operational data uploaded to the platform

Once an account is active, the DSP can upload Amazon-issued performance data to the platform. These files contain information relating to named drivers, including:

  • Amazon transporter ID;
  • Name (where present in mapping files provided by the DSP);
  • Weekly performance metrics (DCR, DSC, CC, CE, POD, PHR, IADC, DWC, False Scan and related);
  • Concession records, including tracking IDs, cost data and reason codes;
  • Route, postcode and delivery geography data;
  • Telematics-derived scores (FICO, Mentor, or Netradyne where applicable).

Where the DSP uploads data relating to identified individuals, VELLOX LTD processes that data as a data processor on the DSP's behalf. The DSP is the controller.

3.3 Derived intelligence data

From uploaded operational data, the platform generates:

  • Driver performance scores and tier classifications;
  • Pattern analysis, including anomaly flags and drift detection;
  • Postcode risk profiles and geocoded location data;
  • Self-Organizing Map (SOM) behavioural clusters;
  • Triangulation findings and service-update drafts;
  • Integrity indicators.

Derived intelligence is held in the same processor relationship as the underlying operational data (§3.2) and is deleted when that data is deleted.

3.4 Driver application data

Where a DSP has activated the NEXUS DSP driver application, we additionally process:

  • The driver's mobile phone number, for one-time-password authentication;
  • Expo push notification tokens, for delivery of platform-initiated notifications;
  • App usage data (log-in timestamps, screens viewed, notification read and acknowledgement receipts);
  • Content uploaded by the driver through the app (for example, field-report photos, voice notes, or GPS coordinates attached to a report submission).

Driver application data is processed on the instructions of the driver's DSP. The DSP is the controller. Drivers should direct rights requests to their DSP in the first instance.

3.5 Technical data

When you use the platform or the driver application, we automatically collect:

  • IP address and approximate location (country / city level);
  • Browser type and version, operating system, device type;
  • Pages accessed, features used, timestamps of actions;
  • Error events and diagnostic data (via Sentry);
  • Rate-limiting counters (keyed by IP or user identifier, held for 24 hours).

3.6 Billing data

When you subscribe, payment information is collected and processed by Stripe Payments UK Ltd in its capacity as an independent data controller. We do not see or store your full card details. We receive and store the Stripe customer identifier, subscription status, tier and billing history.

3.7 Data you do not have to provide

You do not have to give us data beyond what is needed for the contract (§3.1, §3.2, §3.4 and §3.6). If you choose not to provide it, we may not be able to provide the service.

4. Why we process personal data and our lawful bases

We process personal data only where we have a lawful basis to do so under UK GDPR Article 6.

Purpose | Lawful basis
------- | ------------
Creating and managing your account; providing the platform under contract | Contract (Art. 6(1)(b))
Processing subscription payments; issuing invoices | Contract and legal obligation
Providing customer support and responding to enquiries | Contract and legitimate interests
Diagnosing, preventing and resolving technical issues | Legitimate interests — platform security and reliability
Detecting and addressing fraud, abuse or Terms breach | Legitimate interests
Rate limiting and bot detection | Legitimate interests
Complying with legal obligations (tax, company law, court orders) | Legal obligation
Sending service announcements and essential account notifications | Contract
Sending marketing to existing business customers about related features | Legitimate interests, subject to right to object

Where we process operational data (§3.2), derived intelligence (§3.3) or driver application data (§3.4) uploaded or instructed by DSPs, we do so as a processor on the DSP's instructions, not under our own lawful basis. The lawful basis for that processing is the DSP's to identify and document.

5. Who we share personal data with

We share personal data only where necessary and only with:

  • Our sub-processors, listed in §6. All sub-processors are bound by data protection obligations no less protective than ours;
  • Professional advisers (lawyers, accountants, auditors) bound by confidentiality duties;
  • Law enforcement, regulators and courts where required by law, court order, or legally binding request;
  • Prospective or actual successors in the context of a merger, acquisition, or sale of all or substantially all of our assets. Any successor will be required to honour this notice.

We do not sell your personal data. We do not share it with advertisers. We do not use it to train third-party AI or machine-learning models.

6. Our sub-processors

We use the following sub-processors to operate the platform:

Sub-processor | Purpose | Location
------------- | ------- | --------
Supabase Inc. (via AWS) | Database, auth, storage, Edge Functions | EU (eu-west-1, Ireland)
Vercel Inc. | Application hosting | EU / global edge
Cloudflare, Inc. | DNS, CDN, DDoS, WAF, Turnstile, email routing | Global edge
Upstash, Inc. | Rate-limiting counters (Redis) | EU
Trigger.dev (Resonance Limited) | Background task execution (parsing, cron) | EU
Resend (Resend.com, Inc.) | Transactional email delivery | EU / US
Sentry (Functional Software, Inc.) | Error monitoring | EU (Frankfurt)
Stripe Payments UK Ltd | Payment processing | UK / EU / US
Expo (650 Industries, Inc.) | Driver app push notification dispatch | US (Expo Push Service)
Google LLC (Firebase Cloud Messaging) | Android push delivery (via Expo) | EU / US

Notes on the push notification chain. When we send a push notification to a driver, we send it to the Expo Push Service, which relays it to Firebase Cloud Messaging (for Android devices) or the Apple Push Notification service (for iOS devices) for final delivery. Apple's push notification service is included in the chain but is not listed separately above because we do not transmit identifiable content directly to Apple — the notification payload is opaque to Apple at the point of delivery.

Where a sub-processor transfers personal data outside the UK, we rely on one or more of the following transfer mechanisms: UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures identified as appropriate following a transfer risk assessment.

A current list of sub-processors is maintained and available on request. We will provide advance notice of material changes to business-customer contacts.

7. International transfers

Most of your personal data is stored in the EU (Republic of Ireland). Some sub-processors (e.g. Cloudflare edge, Stripe US entity, Resend, Expo, Firebase Cloud Messaging) may process data outside the UK and EU. Where this occurs, we rely on the transfer mechanisms described in §6.

8. How long we keep personal data

We apply published retention periods to every category of personal data we process. A summary appears below; for the full retention schedule — including specific deletion methods, backup behaviour, and derived-intelligence cascade rules — see our Data Retention Policy.

Category | Retention
-------- | ---------
Account data | Active subscription + 30 days
Operational data (scorecard, concession, contact, POD, PHR, DWC, false scan, field reports) | 24 months, automated weekly purge
Derived intelligence (scores, patterns, clusters, drafts, coaching messages) | 24 months, cascade-deleted with source
Technical and diagnostic logs | 90 days
Login history | 90 days
Push notification records and delivery receipts | 12 months
Audit logs | 36 months
Usage analytics | 12 months
Rate-limiting counters | 24 hours (Redis TTL)
Error events (Sentry) | 90 days
Billing and invoicing records | 7 years (HMRC)
Support communications | 24 months from resolution
Database backups | 7 days (Supabase Pro PITR, EU-West-1)
Marketing-contact records | Until you object or unsubscribe, +12 months to demonstrate compliance

We may retain data longer where required to comply with a legal obligation, to establish or defend legal claims, or to protect the rights of another person.

9. Your rights

Under UK GDPR you have the following rights in respect of your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate personal data corrected.
  • Right to erasure (“right to be forgotten”) — to have your personal data deleted, subject to limited exceptions.
  • Right to restrict processing — to limit how we process your data in certain circumstances.
  • Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object — to object to processing based on our legitimate interests, including any direct marketing.
  • Right to withdraw consent — where we process data on the basis of consent, at any time.
  • Right not to be subject to automated decision-making — including profiling. We do not carry out such decision-making; see §11.

To exercise any of these rights, contact privacy@nexusdsp.ai or our Data Protection Officer at dpo@nexusdsp.ai. We will respond within one month. We may need to verify your identity before acting on a request. In limited cases — for example, where a request is manifestly unfounded or excessive — we may charge a reasonable fee or refuse to act, and will tell you why.

Where you are a driver whose data has been uploaded by a DSP, or whose data has been entered into the driver application by or on behalf of your DSP, please direct your request to the DSP in the first instance. The DSP is the controller of that data.

10. Complaints

If you believe we have mishandled your personal data, please contact us first at privacy@nexusdsp.ai or dpo@nexusdsp.ai. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
ico.org.uk · 0303 123 1113.

11. Automated decision-making

The platform performs analytical processing — including clustering, anomaly detection, pattern analysis and forensic scoring — against operational data uploaded by DSPs. These outputs are presented as information for the DSP to act on. They do not produce legal or similarly significant effects on any individual without human review and decision by the DSP. We do not make solely automated decisions that produce such effects.

12. Security

We take information security seriously. Measures include:

  • Certification. VELLOX LTD is Cyber Essentials certified. Certificate fd4ff875-0799-4a20-9ed4-a4b3897b5392, issued by The IASME Consortium Ltd (NCSC Cyber Essentials Partner) on 13 April 2026, valid to 13 April 2027.
  • Encryption in transit. All traffic encrypted using TLS 1.2 or higher.
  • Encryption at rest. Database and file storage encrypted with AES-256.
  • Access control. Customer data protected by row-level security at the database layer. Managers restricted to assigned stations. Staff access is least-privilege.
  • Authentication. Argon2id password hashing. MFA supported and enforced for privileged roles. Leaked-credential detection via Cloudflare.
  • Monitoring. Production monitored for error, abuse and anomalous access. Security events logged in a role-scoped audit log retained for 36 months.
  • Rate limiting. Sign-in, account-creation, file-upload and sensitive endpoints rate-limited using Upstash Redis sliding-window counters.
  • Bot protection. Cloudflare Turnstile on auth pages; Cloudflare WAF and Bot Fight Mode across the platform.
  • Backups. Point-in-Time Recovery enabled, 7-day retention in EU-West-1. Backups encrypted at rest.
  • Sub-processor diligence. We review the security posture of sub-processors before onboarding and at reasonable intervals thereafter.
  • Coordinated disclosure. A security.txt file is published at /.well-known/security.txt.

No platform can guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected compromise.

13. Personal data breaches

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required under UK GDPR Article 33, and will notify affected individuals without undue delay where required under Article 34. Where we are a processor for data uploaded by a DSP, we will notify the DSP without undue delay on becoming aware of a breach affecting that data.

14. Cookies

We use only essential cookies required for authentication, session management and security (including bot protection). We do not use analytics, marketing or tracking cookies. Full details are in our Cookie Policy.

15. Children

The platform is intended for business use by Amazon DSP operators and their staff. It is not directed at children under 13 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@nexusdsp.ai.

16. Changes to this notice

We may update this notice from time to time. The “Last updated” date at the top of the page reflects the date of the most recent change. Material changes affecting how we process your personal data will be communicated to registered account holders by email at least 14 days before they take effect. Continued use of the platform after the notice period indicates acceptance of the revised notice.

17. Contact

For privacy matters: privacy@nexusdsp.ai
For our Data Protection Officer: dpo@nexusdsp.ai
For general support: support@nexusdsp.ai
For legal matters: legal@nexusdsp.ai

VELLOX LTD, company number 17136312, registered in England and Wales. Registered office: Cranberrie Heights, Old Newport Road, Old St Mellons, Cardiff CF3 5FX. ICO registration: ZC115373.