Privacy Policy
Version: v0.1(Draft for boss + lawyer review · 2026-04-29) Effective Date: 2026-05-01(试商用首日 / pending publication) Last Updated: 2026-04-29 Operator: Cete Ventures Pte. Ltd. · UEN 202421160G · 160 Robinson Road, #14-04, Singapore 068914 Data Protection Officer: privacy@nextoken.biz
1. Introduction
This Privacy Policy describes how Cete Ventures Pte. Ltd. ("we", "us", "NexToken") collects, uses, shares, and protects information when you use our services at nextoken.biz, api.nextoken.biz, app.nextoken.biz, admin.nextoken.biz, or via our SDKs and APIs (collectively, the "Service").
We comply with Singapore's Personal Data Protection Act 2012 ("PDPA"). Where applicable, we honor rights under the EU/UK General Data Protection Regulation ("GDPR") and other regional privacy laws.
2. Information We Collect
2.1 Information You Provide
| Type | Examples | Source |
|---|---|---|
| Account information | Email, password (hashed), country, business name, UEN/VAT (if applicable) | Registration / OAuth |
| Identity verification | OAuth provider ID (Google, GitHub) | OAuth flow |
| Payment information | Cardholder name, last 4 digits, billing address (full PAN handled by Stripe), USDT wallet address (we receive only the on-chain transaction hash) | Stripe / blockchain |
| Communications | Support tickets, emails | When you contact us |
2.2 Information We Generate
| Type | Examples |
|---|---|
| Usage data | API key hashes, token counts (input/output), model used, provider used, latency, status code, timestamp |
| Wallet ledger | Top-ups, deductions, refunds, balance |
| Compliance data | Country resolution result, safety_identifier hash, OpenAI moderation results |
2.3 Information We Receive Automatically
| Type | Examples |
|---|---|
| Connection metadata | IP address, user-agent, geographic region (country-level via MaxMind GeoLite2) |
| Cookies / local storage | Session token, language preference, theme |
2.4 What We Do NOT Store
- Prompt content (your inputs to models): we process in transit but do not retain Prompt text in production logs. Token counts and metadata are retained for billing and quality. (This applies to self-hosted models in Singapore. For third-party providers, see §4.)
- Completion content (model outputs): same as above.
- Plain-text passwords (hashed only).
- Plain-text API keys (SHA-256 hashed; you receive the plain text once at creation only).
3. How We Use Your Information
| Purpose | Lawful basis (PDPA / GDPR) |
|---|---|
| Operate the Service (route requests, meter usage, charge wallet) | Performance of contract |
| Bill you and prevent fraud | Performance of contract / legitimate interest |
| Respond to support inquiries | Performance of contract |
| Comply with provider compliance requirements (country gate, safety_identifier) | Legal obligation / legitimate interest |
| Detect and prevent abuse | Legitimate interest |
| Send service emails (welcome, password reset, low balance, payment confirm) | Performance of contract |
| Send marketing emails (Pro/Business launch announcements) | Consent — opt-in only |
| Improve the Service (aggregate analytics, latency metrics) | Legitimate interest — no Prompt content used |
We do NOT: sell your personal information; use your Prompts or Completions to train our own models; use your Prompts or Completions to train third-party models without your explicit consent.
4. Subprocessors
We share information with the following subprocessors as needed to operate the Service. By using the Service, you consent to such sharing.
4.1 Infrastructure
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | EC2 hosting, RDS PostgreSQL, ElastiCache Redis, S3 backups | ap-southeast-1 (Singapore) |
| Stripe, Inc. | Credit card processing | Global (PCI-DSS) |
| Zoho Corporation | Transactional email (smtppro.zoho.com) | Global |
| MaxMind, Inc. | IP-to-country lookup (GeoLite2 database, downloaded; no live lookups) | Local file |
4.2 LLM / AI Model Providers (Third-Party)
When you submit Prompts to these providers' models, your Prompts and Completions are processed by them according to their privacy policies:
| Subprocessor | Models | Privacy Policy |
|---|---|---|
| OpenAI, L.L.C. | gpt-4o, gpt-4o-mini, etc. | https://openai.com/policies/privacy-policy |
| Anthropic, PBC | claude-sonnet-4, claude-haiku-4 | https://www.anthropic.com/legal/privacy |
| Google LLC | gemini-2.5-pro, gemini-2.5-flash | https://policies.google.com/privacy |
| DeepSeek (HK) Ltd. | deepseek-v3, deepseek-r1 | https://chat.deepseek.com/downloads/privacy |
| Groq, Inc. | llama-3.3-70b on Groq | https://groq.com/privacy-policy/ |
| Together Computer Inc. | llama-3.1-405b | https://www.together.ai/privacy |
| Mistral AI SAS | mistral-large-2 | https://mistral.ai/terms/#privacy-policy |
| Fireworks AI Inc. | mixtral-8x22b | https://fireworks.ai/privacy |
| Beijing Zhipu Huazhang Tech | glm-4 | https://open.bigmodel.cn/dev/api#privacy |
| Alibaba Cloud (Singapore) | qwen-max | https://www.alibabacloud.com/help/privacy |
Routing default: Requests to text-embedding-3-small and text-embedding-3-large are by default routed to our self-hosted models in Singapore (no third-party transmission). You may override via extra_body.nex_passthrough = true.
Subprocessor changes: We will update this list and notify users via email or in-app notice at least 14 days before adding new categories of subprocessors.
5. International Transfers
Your data may be transferred to and processed in countries other than your country of residence: - Self-hosted infrastructure: Singapore (ap-southeast-1) - Stripe: Global, including United States - LLM providers: see §4.2 — primarily United States, with some EU (Mistral) and China (DeepSeek, ZhiPu) options
For transfers from the EEA / UK / Switzerland, we rely on Standard Contractual Clauses (SCCs) where required, or on the recipient's adequacy decision (where granted). Contact privacy@nextoken.biz for our SCC documentation.
For Singapore: transfers comply with PDPA Section 26 — recipients are under contractual obligation to protect data to a standard comparable to PDPA.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data (email, country, etc.) | While account is active + 90 days after termination |
| Usage logs (metadata, no Prompt content) | 12 months for billing, fraud, and quality purposes |
| Billing records / tax invoices | 7 years (Singapore IRAS / GST requirement) |
| API key hashes | While key is active; deleted within 30 days of revocation |
| Email logs (Zoho) | Per Zoho retention policy, max 30 days |
| Prompt / Completion content | Not retained by us (self-hosted); per provider for third-party (typically 30 days) |
After retention, data is deleted or irreversibly anonymized.
7. Security
We implement administrative, technical, and physical safeguards appropriate to the data we process:
- In transit: TLS 1.2+ for all client connections; mutual TLS for internal services where feasible
- At rest: AWS RDS encryption at rest (AES-256); EBS volume encryption; S3 SSE-S3
- Access control: IAM least-privilege; SSH disabled to public for production; admin access via SSM Session Manager + MFA; RBAC on admin endpoints; JWT auth
- Secret handling: Provider credentials encrypted with Fernet symmetric encryption; environment files mode 0600; SECRET_KEY rotated 2026-04-27
- Network: EC2 IMDSv2 enforced; security groups restrictive; uvicorn bound to 127.0.0.1; nginx TLS termination
- Monitoring: fail2ban; CloudWatch logs; abuse detection logging
- Incident response: Documented in
SECURITY_INCIDENT_REPORT_2026-04-27.md(internal). Material breaches affecting your data will be notified within 72 hours per PDPA / GDPR.
No system is 100% secure. We disclaim warranties of perfect security to the extent permitted by law.
8. Your Rights
Subject to applicable law (PDPA / GDPR / others), you have rights to:
- Access your personal data we hold
- Correct inaccurate data
- Delete your data (subject to retention requirements in §6)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Portability — receive your data in a machine-readable format
- Withdraw consent for marketing communications at any time
- Lodge a complaint with the Singapore Personal Data Protection Commission ("PDPC") or your local data protection authority
To exercise these rights: email privacy@nextoken.biz from the email associated with your account. We will respond within 30 days.
9. Children
The Service is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has registered, email privacy@nextoken.biz and we will delete the account.
10. Cookies & Tracking
We use: - Strictly necessary cookies (session, CSRF) — no consent required - Functional cookies (language, theme) — no consent required under PDPA - No advertising or analytics tracking at this time. If we add analytics in the future, we will request consent.
11. Marketing Communications
We send service emails (welcome, password reset, payment confirmation, low balance) as part of operating the Service.
We send marketing emails only with opt-in consent. You can unsubscribe at any time via the link in each marketing email or by emailing support@nextoken.biz.
12. Changes to This Policy
We may update this Privacy Policy. Material changes will be notified at least 14 days in advance via email or in-app notice. The "Last Updated" date at the top will reflect changes.
13. Contact
- Data Protection Officer / Privacy: privacy@nextoken.biz
- General support: support@nextoken.biz
- Abuse reports: abuse@nextoken.biz
- Address: Cete Ventures Pte. Ltd., 160 Robinson Road, #14-04, Singapore 068914
- Singapore PDPC: https://www.pdpc.gov.sg