Draft version 0.2-draft, dated May 22, 2026

Privacy Statement

This Privacy Statement explains how nexcite processes personal data when users access our website, application, AI features, document uploads, web sources, support channels and e-mail communication.

1. Controller

The controller responsible for processing personal data is BlockBite GmbH with postal address c/o Mathias Scherer, Hardstrasse 59, 5432 Neuenhof, Switzerland.

Privacy requests may be sent to [email protected] or to the contact address stated in the imprint.

2. Scope

This statement applies to the public website, the application, registered accounts, document uploads, processing of web sources, chat and RAG features, support requests, feedback and technical operational data.

nexcite is currently offered to students and private individuals only (B2C). If nexcite later offers services to institutions, companies or other organisations, the controller/processor roles and any required Data Processing Agreement will be handled separately.

3. Categories of personal data

  • Account data such as name, e-mail address, role, approval status and timestamps.
  • Authentication and security data such as sessions, IP address, user agent, password hash, two-factor data and backup codes.
  • User content such as uploaded files, web sources, extracted text passages, bibliographic metadata, prompts, chat history, answers and citations.
  • Processing data such as embeddings, model calls, token counts, source status, error messages and technical task data.
  • Feedback, support communication and e-mail communication.
  • Technical website and application data such as cookies, logs, browser logs, IP address, device data and usage events.
  • Product and usage analytics such as feature usage, approval status, usage volume, account activity, error rates and aggregated beta usage statistics.

4. Purposes and legal bases

We process personal data in particular for the following purposes:

  • Providing, operating and securing the website and application.
  • Registration, login, e-mail verification and two-factor authentication.
  • Recording acceptance of our Terms of Service and Privacy Statement, including version, timestamp, IP address and user agent, to document consent and fulfil our accountability obligations.
  • Processing uploaded documents and web sources to generate citations, source references, search indexes, embeddings and AI-supported answers.
  • Communication, support, feedback processing and beta programme management where applicable.
  • Analysing usage in aggregate where possible to improve the service, understand beta demand and develop fair pricing before launch.
  • Abuse prevention, error analysis, security, traceability and operations.
  • Compliance with legal obligations and protection of legal claims.

nexcite is operated from Switzerland and this statement is primarily aligned with the Swiss Federal Act on Data Protection (FADP/nDSG). We process personal data lawfully, in good faith, proportionately and transparently for the purposes described above. Where the GDPR applies additionally, we rely in particular on contract performance and pre-contractual measures, legitimate interests, legal obligations and, where required, consent.

Users are responsible for ensuring that they are entitled to upload and process third-party materials, including lecture slides, articles, copyrighted works, personal data, sensitive personal data or confidential information.

Where usage monitoring or product analytics can be linked to a user, account, device or other identifier, we treat the data as personal data. We aim to use aggregated or otherwise reduced data where this is sufficient for product improvement, beta management and pricing analysis.

5. AI and document processing

nexcite processes documents and web sources to create text passages, structural information, bibliographic metadata, embeddings, search results, answers and source references. Content from documents may be transmitted together with prompts, chat history and technical context to AI and infrastructure providers where this is necessary to provide the service.

Until further notice, the current code path uses OpenAI for text generation and text embeddings. Document processing workers may be run through Lyceum Technology in Europe. The product strategy is to move embeddings, and later inference where possible, to Europe. Until this change is technically completed and verified, OpenAI must also be disclosed for embeddings.

For streaming responses, the current OpenAI configuration uses store: false. According to provider information, API data is not used by default to train OpenAI models; depending on contract and configuration, however, data may be processed for a limited time for abuse and security monitoring.

6. Service providers and data transfers

We use service providers where this is required for operation, security, communication and product functionality. We enter into appropriate contractual arrangements with processors.

International transfers from Switzerland are assessed under the FADP/nDSG. For transfers to countries without an adequate level of data protection, we use suitable safeguards such as FDPIC-recognised Standard Contractual Clauses with the adaptations required for Swiss law, Data Processing Agreements, transfer assessments and supplementary measures where required. Where the GDPR applies additionally, EU Standard Contractual Clauses and related transfer assessments may also be used.

Provider | Role | Location / transfer
Hetzner Online GmbH | Hosting and infrastructure | Germany, in particular Falkenstein
Lyceum Technology | Document processing, worker infrastructure and planned Europe-based AI processing | Europe/EEA according to provider information
OpenAI | Text generation and, until further notice, text embeddings | United States or international processing with confirmed DPA and transfer safeguards
Tavily / AlphaAI Technologies Inc. | Web search and extraction of web sources | United States; SOC 2 Type II according to provider information
Resend / Plus Five Five, Inc. | Transactional e-mails only, such as login, verification and support e-mails | United States or international processing
Grafana Labs / Grafana Cloud | Application logs, metrics, error analysis and operational monitoring | Switzerland, Grafana Cloud prod-eu-central-0

7. Cookies and logs

We use necessary cookies and similar technologies, in particular for sessions, login, security, theme settings and temporary notices. Our infrastructure provider Cloudflare sets security cookies for bot detection and WAF protection at the network level. These cookies are strictly necessary for security and cannot be disabled without affecting the integrity of the service.

Application logs, metrics and technical events may be exported to Grafana Cloud for monitoring, troubleshooting, error analysis and security investigation.

8. Retention and deletion

We store personal data only as long as necessary for the intended purpose. Users can request deletion of their data at any time through the privacy contact address or by exercising their rights under Section 9.

Statutory retention obligations and legitimate security interests may prevent immediate deletion in individual cases.

9. Data subject rights

Depending on the applicable law, data subjects have rights of access, rectification, deletion, restriction, data portability, objection to certain processing activities and withdrawal of consent. They may also lodge a complaint with the competent data protection authority. For Switzerland, the competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).

10. Security

We use technical and organisational measures to protect personal data against unauthorised access, loss, misuse and alteration. These measures include transport encryption for public web traffic, access controls, authentication, two-factor features, logged operational processes and restricted administrative rights.

11. Changes

This Privacy Statement may be updated if our product, technology, service providers, legal requirements or beta programme change. Each version is identified by version number and date. Where the application requests acceptance, the acceptance record should include the applicable version and date.
