Privacy Policy

Effective date: 11 March 2026

This Privacy Policy explains how Campaignity Technologies Ltd (“Campaignity”, “we”, “us”, “our”) collects, uses, shares, stores, and protects personal data when you use our Services, including services made available through campaignity.com, neexa.co, neexa.ai, and related subdomains, apps, dashboards, plugins, forms, portals, and other online services we own or operate.

1. Scope

This Privacy Policy applies to:

  • visitors to our websites, landing pages, help content, learning resources, and other online services we operate;
  • individuals who create, access, manage, or use accounts, workspaces, dashboards, mobile apps, plugins, or integrations;
  • customers, administrators, owners, billing contacts, and other users of our Services; and
  • individuals who communicate with a customer through a customer’s deployment of our Services, including through website widgets, forms, portals, WhatsApp, email, social inboxes, or similar channels.

This Privacy Policy does not replace or override the Terms of Service, Cookie Policy, Acceptable Use Policy, or any other product-specific terms or commercial agreements.

2. Controller and processor roles

2.1 When Campaignity is a controller

Campaignity acts as a data controller for personal data we process for our own business purposes, including:

  • account registration and administration;
  • billing, invoicing, payment status, and collections;
  • customer relationship management;
  • support, onboarding, customer success, and service communications;
  • marketing our own Services where permitted by applicable law;
  • fraud prevention, abuse detection, security, and legal compliance; and
  • limited processing activities carried out for our own purposes, where applicable, including internal AI training and improvement for workspaces on the Default Free Plan, as described in this Privacy Policy.

2.2 When Campaignity is a processor

When a customer uses our Services to communicate with end users or to process end user data through its own workspace, channels, automations, and deployments, the customer is typically the data controller and Campaignity acts as a data processor on the customer’s behalf to the extent Campaignity processes that data in order to provide the Services in accordance with the customer’s instructions and the applicable agreement.

2.3 Mixed roles

Campaignity may act as both a data controller and a data processor, depending on the processing activity. Campaignity acts as a data processor when processing customer data on the customer’s behalf to provide the Services in accordance with the customer’s instructions. Campaignity acts as a data controller for Account Data and for limited processing activities carried out for its own purposes, including security, fraud prevention, abuse review, legal compliance, and, where applicable, internal AI training and improvement for workspaces on the Default Free Plan as described in this Privacy Policy.

2.4 Data Processing Agreement

Where Campaignity processes personal data as a processor on behalf of a customer, the Campaignity Data Processing Agreement applies. End users should primarily direct privacy requests to the relevant customer where Campaignity acts as processor. We will assist customers in responding to such requests where required and where we are able to do so.

3. Personal data we collect

Depending on how you interact with the Services, we may collect the following categories of personal data.

3.1 Account, profile, and workspace data

  • name;
  • email address;
  • phone number;
  • organisation name;
  • job title or role;
  • account ownership, admin, billing, and permission settings; and
  • workspace information and service configuration.

3.2 Customer data submitted into the Services

  • messages, conversation history, replies, follow-ups, and communication metadata;
  • contact records, lead details, and other information collected through workflows or conversations;
  • uploaded files, documents, spreadsheets, knowledge base content, and other materials provided to the Services;
  • website URLs, page content, or other source material you ask the Services to scan or process; and
  • agent settings, prompts, rules, tone, knowledge instructions, automations, and workflow configuration.

3.3 Usage, device, and technical data

  • IP address;
  • browser type, device type, operating system, and identifiers;
  • log data, access times, pages viewed, clicks, actions taken, and service interactions;
  • diagnostics, error reports, crash data, performance metrics, and security logs; and
  • cookies and similar technologies, subject to your choices where required.

3.4 Payment and transaction data

  • subscription plan and billing tier;
  • invoice details;
  • payment status;
  • transaction history; and
  • limited billing metadata.

Payment card details are generally handled by our payment providers rather than stored directly by us, depending on your payment method.

3.5 Marketing and communications data

  • subscription preferences;
  • communication preferences;
  • demo or event booking details;
  • email engagement data, where enabled and lawful; and
  • records of support, sales, legal, or privacy communications with us.

4. How we use personal data

We use personal data to:

  • provide, operate, maintain, and secure the Services;
  • create and manage accounts and workspaces;
  • authenticate users and manage permissions;
  • enable messaging, follow-ups, inbox workflows, contact management, knowledge processing, AI assistance, reporting, and related service functionality;
  • provide support, onboarding, training, customer success, maintenance, and troubleshooting;
  • send service, security, legal, billing, policy, and other operational communications;
  • manage subscriptions, invoicing, payments, renewals, discounts, credits, refunds, and collections;
  • prevent fraud, investigate abuse, detect misuse, enforce our Terms and Acceptable Use Policy, and protect the Services and users; and
  • generate and use aggregated, de-identified, anonymized, and usage data for analytics, benchmarking, service improvement, reporting, product development, security, and related business purposes, provided that such data does not identify an individual and is not reasonably likely to identify an individual.

5. AI features, AI training, and automated processing

5.1 AI features and outputs

Our Services may generate AI outputs, suggestions, replies, summaries, classifications, and other content based on customer data, end user interactions, and service configuration.

5.2 Internal AI training and improvement

We may use de-identified and anonymized customer data from workspaces on the Default Free Plan to train, improve, and operate our own internal AI models and related systems. Before such use, we take steps designed to remove or exclude direct identifiers such as names, email addresses, phone numbers, and other similar identifying information.

We do not use customer data from paid plans, enterprise plans, invoiced arrangements, manually allocated paid plans, complimentary paid plans, complimentary credits, or similar paid or paid-equivalent allocations for internal AI training, unless expressly agreed in writing.

5.3 Third-party AI providers

Where we use third-party AI providers in connection with AI features, we contractually restrict them from using customer data to train or improve their own models or services.

5.4 Plan changes

If a workspace moves from the Default Free Plan to any paid, enterprise, invoiced, manually paid, or complimentary paid arrangement, we will stop using new customer data from that workspace for internal AI training from the effective date of that change.

5.5 Automated actions

The Services may take automated actions based on customer configuration, customer use of the Services, default service settings, or enabled features. These actions may include sending messages, scheduling follow-ups, routing conversations, classifying leads, escalating issues, or executing workflows.

Customers remain responsible for determining whether such automated processing is lawful and appropriate for their use case.

6. Legal bases for processing

Where applicable law requires a legal basis for processing, we rely on one or more of the following:

  • contract, where processing is necessary to provide the Services or manage our relationship with you;
  • legitimate interests, where processing is necessary to secure, support, improve, market, or administer the Services responsibly;
  • consent, where required, such as for certain cookies, marketing preferences, or other optional processing; and
  • legal obligation, where processing is required to comply with law, regulation, court order, or lawful government request.

Where we act as a processor for a customer, the customer is responsible for establishing the appropriate legal basis for its own processing of end user personal data.

7. Data protection compliance and international privacy rights

Campaignity supports compliance with applicable data protection laws, including the GDPR where applicable, through this Privacy Policy, our Data Processing Agreement, our Subprocessors page, our security measures, and our procedures for handling privacy requests, international transfers, and processor obligations.

Where applicable law grants data subjects rights relating to access, correction, deletion, restriction, objection, portability, or withdrawal of consent, we will handle those requests in accordance with applicable law and our role in the processing. Where we act as a processor on behalf of a customer, we will direct or support such requests through the relevant customer as appropriate.

For questions about our data protection practices, or to request a copy of our Data Processing Agreement, contact privacy@neexa.co or legal@neexa.co.

8. Support, compliance, and abuse review access

8.1 Compliance and abuse review

We and our authorised personnel, agents, contractors, professional advisers, service providers, and other authorised third parties may access, review, use, and process customer data, account information, workspace information, logs, and related records to:

  • comply with law;
  • enforce our Terms, policies, and agreements;
  • investigate suspected unlawful, harmful, fraudulent, or unauthorised activity;
  • protect the Services, our users, customers, end users, or other persons; and
  • respond to lawful requests from courts, regulators, or government authorities.

Any such access is limited to what is reasonably necessary for those purposes and subject to appropriate confidentiality, security, and access controls.

8.2 Support and customer success access

Depending on the Services and settings, certain authorised support and customer success personnel may by default have access to workspace data, settings, logs, and related records to provide support, onboarding, customer success, maintenance, and troubleshooting.

Where the Services provide controls to disable or restrict such access, customers may choose to do so. However, restricting that access may limit or prevent certain support, troubleshooting, configuration, or customer success services.

9. How we share personal data

We may share personal data in the following circumstances.

9.1 Service providers and subprocessors

We may share personal data with service providers and subprocessors that help us host, operate, secure, support, analyze, maintain, monitor, and improve the Services. These providers may include hosting providers, communications providers, analytics tools, support systems, AI providers, monitoring tools, security vendors, website infrastructure providers, and related vendors.

We maintain a public subprocessors list and require relevant providers to process data only for authorised purposes and under appropriate obligations.

9.2 Customer-selected integrations

If a customer connects third-party services such as email systems, messaging platforms, social channels, CRMs, payment tools, or other integrations, relevant data may be exchanged with those services as directed by the customer and subject to the third party’s own terms and policies.

9.3 Website and CMS tooling

Some of our websites or pages may be built, managed, or enhanced using WordPress and related plugins, themes, forms, embedded services, analytics tools, security tools, caching tools, or performance tools. Depending on the page and your interaction with it, those tools may process technical data, cookies, form submissions, and related website usage data for hosting, performance, security, analytics, spam prevention, and content delivery purposes.

9.4 Business transfers

We may disclose or transfer personal data in connection with a merger, acquisition, financing, reorganisation, sale of assets, or other corporate transaction, subject to appropriate protections.

9.5 Legal and safety disclosures

We may disclose personal data where required by law or where reasonably necessary to protect rights, safety, property, the Services, users, customers, end users, or the public, or to investigate fraud, abuse, or violations of law or our policies.

9.6 Debt collection and recovery

If amounts remain unpaid, we may refer, assign, transfer, or sell the right to collect those amounts to a collection agency, debt purchaser, or other recovery service, and may disclose account, billing, payment, contact, and related information reasonably necessary for collection, recovery, enforcement, or settlement, subject to applicable law.

We do not sell personal data in the ordinary course of business.

10. International transfers and hosting

Campaignity is headquartered in Uganda and may process account data and business operations data there.

Our primary hosting is on Amazon Web Services, with primary servers in Stockholm, Sweden, using multi-availability zone redundancy in Europe. We may also use additional regions or providers where needed for resilience, support, performance, customer requirements, or legal compliance.

Where personal data is transferred internationally, we use appropriate safeguards where required by applicable law.

11. Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect the Services.

11.1 Active accounts and workspaces

While an account or workspace remains active, we retain relevant customer data and account information as needed to provide the Services.

11.2 Customer deletion controls

Customers may delete content and contacts within the Services, subject to available features and plan limitations.

Users may request account deletion through the account deletion portal.

11.3 Post-deletion retention

After account deletion, we delete or de-identify associated data within 90 days, unless a longer retention period is needed for legal, tax, dispute, security, or limited backup retention purposes.

11.4 Inactive accounts and workspaces

In line with our Terms, we may delete or deactivate inactive workspaces after 12 months of no activity and may delete inactive user accounts after 24 months of no login activity. Where reasonably practicable, we may provide notice and an opportunity to reactivate before deletion.

12. Security

We use administrative, technical, and organisational safeguards designed to protect personal data, including access controls, monitoring, logging, encryption in transit where supported, and other security measures appropriate to the nature of the Services.

No method of transmission or storage is completely secure. Customers are responsible for secure configuration of their workspaces, permissions, credentials, integrations, and admin controls.

13. Your rights and choices

Depending on your location and applicable law, you may have the right to:

  • access your personal data;
  • correct inaccurate data;
  • request deletion or erasure;
  • object to or restrict certain processing;
  • receive a portable copy of your personal data;
  • withdraw consent where processing is based on consent; and
  • opt out of marketing communications.

13.1 Requests by customers and users

Customers and users may contact us directly about personal data we control, including account data and other related personal data we process for our own business and operational purposes, subject to applicable law.

13.2 Requests by end users

If you are an end user whose personal data was collected through a customer’s use of the Services, your request is best directed to that customer first. We will assist the customer where required and where we act as processor.

13.3 Marketing opt-out

You may opt out of marketing emails at any time using the unsubscribe method in the message or by contacting us. This will not affect service, billing, security, legal, or other non-marketing communications.

14. Cookies and similar technologies

We use cookies and similar technologies on our websites and online services. Please see our Cookie Policy for more information about how we use cookies and similar technologies.

Customers remain responsible for any notices or consents required on their own websites, portals, applications, or channels where they deploy or integrate our Services.

15. Children and education contexts

Our Services are not directed to children for independent consumer use. However, customers such as schools or education providers may use the Services in contexts involving students, including minors.

In those cases, the customer is responsible for providing appropriate notices, obtaining parental or guardian consent where required by law, and configuring the Services appropriately for sensitive contexts.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we may provide notice through our websites, Services, email, or other appropriate means. The updated version will be effective from the date stated at the top of this Policy.

17. Contact

Privacy questions or requests: privacy@neexa.co
Legal notices or policy matters: legal@neexa.co
Product support: support@neexa.co
Phone: +256 707 444 474
Address: LR 12, Lugonvu Road, Wakiso, Uganda

Other resources

Terms of Service: https://campaignity.com/legal/terms
Cookie Policy: https://campaignity.com/legal/cookies
Data Processing Agreement: https://campaignity.com/legal/data-processing-agreement