NEXORA SASU (“we”, “us”), operator of the StixBNK open banking and payments platform, is committed to protecting your privacy. This Policy explains how we collect, use, disclose and safeguard personal data in compliance with the GDPR (EU Regulation 2016/679) and French law. It is designed to be read together with our Terms and Conditions of Sale and Cookie Policy, where applicable.
Refunds, returns and exchanges
To request a refund, return or exchange for an order where NEXORA SASU acts as Merchant of Record (as indicated on your checkout, order summary or invoice), please contact us:
- via our contact page or the support channel indicated in your account, if you have one;
- by email at support@stixbnk.com;
- by post at:
NEXORA SASU — Customer support
195 RUE PIERRE ET MARIE CURIE, 27310 BOURG-ACHARD, France
For payment flows where another merchant is the seller of record, please contact that merchant directly; we may process data only as a technical or payment service provider on their instructions.
Introduction
This introduction summarises the main topics covered in this Privacy Policy in an accessible way. It does not replace the full Policy below, which is the legally binding document regarding how NEXORA SASU processes personal data.
Information collected in connection with a sale or checkout
When you purchase through a checkout or payment journey operated by us (including pay-by-bank / open banking or card flows made available), we collect the minimum information necessary to prove the transaction, comply with tax and anti-fraud rules, and deliver the service (for example name, contact details, billing or delivery information as applicable, and payment-related technical identifiers). Where we act for a merchant partner, relevant information may be shared with that partner so they can fulfil the purchase (e.g. access to a digital product, licence or service).
We and our partners contractually commit to process such data in line with the GDPR. If optional marketing is offered and you opt in, your choice is recorded accordingly. If you do not opt in (or no marketing option is shown), your contact details will not be used for marketing beyond what is described in the Marketing section below.
We may use aggregated, non-identifying statistics about transactions (for example average order value or volumes by region) to understand how our services are used. Such reporting does not involve tracking you individually for that purpose.
“Personas” and product planning
We may use customer data in aggregated or pseudonymous form to build internal “personas” (fictional profiles representing segments of users) to help product and marketing teams improve our services. Personas are analytical tools; they do not require identifying you individually in those materials. You may object to processing based on legitimate interests where applicable by contacting us (see Access & correction).
Marketing
If you have consented to receive personalised offers or newsletters, we may use your data to tailor communications. You can withdraw consent or unsubscribe using the link in each marketing email or by writing to privacy@stixbnk.com or support@stixbnk.com.
Geolocation (VAT and language)
Your IP address may be used to derive an approximate location for applying the correct VAT or sales tax rules and, where relevant, to suggest an appropriate language or region for the checkout. Geolocation data used for this purpose is kept only for a short period (typically up to 72 hours) and access is restricted. You cannot object to this processing where it is necessary to comply with tax law and prevent fraud. We do not store a precise geolocation history of your movements; we may retain the tax outcome (e.g. VAT rate) or language preference linked to the transaction.
Collection by third parties
We and merchants using StixBNK may involve third parties (e.g. analytics, hosting, payment initiation partners, fraud tools) that process data on our instructions. They are bound by contract to protect your information in line with this Policy and applicable law.
Accounts
If we give you access to a customer or merchant account, it may be linked or synchronised with an account on a partner site where that integration is part of the service you chose.
Abandoned checkout
We may temporarily retain details of an unfinished checkout so you can complete your purchase later, and we may send a reminder email if you have provided an address and applicable law allows. Data collected for this purpose is not used for unrelated marketing and is deleted within a maximum of 72 hours unless you complete the purchase or another retention rule applies.
Summary retention periods
Retention depends on the processing purpose. Examples:
| Processing type | Indicative period |
|---|---|
| Accounting / legal / tax evidence | Up to 10 years where required by French or EU law |
| Marketing (with consent) | Up to 3 years after your last interaction or until you withdraw consent |
| Geolocation / IP for VAT (raw signals) | Typically up to 72 hours |
| Aggregated sales statistics | As needed for reporting, in non-identifying form |
| Abandoned checkout | Up to 72 hours unless the order completes |
Data controller
Personal data collected when you use our website, checkout, StixBNK platform or related services is controlled by NEXORA SASU, SASU - Société par actions simplifiée unipersonnelle, with registered office at 195 RUE PIERRE ET MARIE CURIE, 27310 BOURG-ACHARD, France (SIREN 102 944 022), unless we inform you that another entity acts as controller for a specific product.
We apply organisational and technical measures intended to ensure an appropriate level of protection. Personal data may be accessed, transferred and stored as described in this Policy, including by processors and, where applicable, under standard contractual clauses for transfers outside the EEA.
1. Personal information
“Personal information” means information relating to an identified or identifiable individual, such as name, postal or email address, telephone number, and associated non-public information.
We collect personal information that you voluntarily provide and, in some cases, information generated automatically:
- Website and platform use: when you visit our site or use StixBNK, we may automatically collect technical data (including IP address, browser type, date and time of access) in server logs. We use this for security, fraud prevention, language or regional settings, service operation and usage analysis.
- Orders and payments: to complete a purchase we collect identity, contact and billing details and payment-related data. For open banking or pay-by-bank flows, you may authenticate with your bank; we receive transaction references and status rather than your full banking credentials. For card payments, data is handled by certified payment partners; we do not store full card numbers on our systems beyond what partners return for reconciliation (e.g. last digits where applicable).
- Postal / fiscal information: we may collect postal or tax identifiers for fraud checks, VAT, invoicing and after-sales support. We do not use this information for unrelated advertising or sell it to third parties for their marketing.
- Accounts: registration may include name, business details, email, password (stored hashed) and preferences.
- Contact forms and support: name, company, country, email, description of the request and any attachments you choose to send.
- Communications: if you email or call us, we process the personal data you provide in that context.
- Feedback: we may use feedback for improvement; if it is not linked to your identity, we may use it more broadly.
- Service messages: we send essential notices (e.g. about your order, security, or changes to terms or this Policy) that you cannot opt out of as long as they are non-promotional.
- Newsletters / marketing: only with your consent or another lawful basis, with an unsubscribe option in each message.
2. Automatic data collection and analytics
When you interact with our services, certain information is exchanged between your device and our systems (browser type, visit time, referring page, pages viewed). Where this data cannot reasonably identify you on its own, we may treat it as analytical information and use it to operate and improve the service; we may disclose such aggregated or anonymous statistics without identifying you as an individual.
Cookies and similar technologies
We and our partners may use cookies or similar technologies for session management, security, preferences and, where you consent, audience measurement or advertising-related features. You can adjust your browser to refuse or delete cookies; some features may then work less efficiently. See our Cookie Policy.
Analytics tools
If we use third-party analytics (for example Google Analytics or similar), we configure them where possible to limit identification (e.g. IP truncation) and we rely on appropriate legal bases and, where required, your consent. The provider’s terms and privacy notice apply in addition to this Policy. You can control cookies as described above and in our Cookie Policy.
3. Disclosure of personal information
We do not sell or rent your personal information for third-party marketing. We share personal information only as described below or with your consent.
- Merchants and product suppliers: where necessary to deliver what you bought (including activation, support or updates), subject to their own policies where they act as independent controllers.
- Your choices: if you are a customer of another merchant using our technology, direct marketing opt-outs may need to be addressed with them; for data we hold as controller, contact us as in section 8.
- Service providers: hosting, email, payment initiation, fraud screening, KYC/KYB, customer tools and similar processors acting on our instructions under contract.
- Credit and payment risk: for certain payment methods we or our partners may obtain information from third parties as permitted by law, with notice at the point of collection where required.
- Authorities: we may disclose information if required by law, court order, or legitimate requests from public authorities, or to protect rights, security and integrity of our services, users and third parties. For tax or customs purposes, address or VAT ID verification data may be shared with competent authorities when the law requires it.
- Business transfers: in a merger, acquisition or asset sale, personal data may be transferred to the successor, who must honour this Policy or inform you of changes.
4. Exporting and processing data outside the EEA
Your data may be processed in the European Economic Area and, where we use providers or partners in other countries, transferred subject to appropriate safeguards (including the European Commission’s standard contractual clauses or other mechanisms recognised under GDPR). We assess risks and implement supplementary measures where appropriate.
5. Data security and confidentiality
We implement physical, technical and organisational measures appropriate to the risk, including access controls and staff training. No system is completely free of risk; we continually work to protect personal data.
6. Transport Layer Security (TLS)
Access to sensitive areas (including checkout and account login) is intended to be provided over HTTPS/TLS so that data in transit is encrypted. Use an up-to-date browser. Despite these measures, absolute security on the internet cannot be guaranteed.
7. Payment card and payment data
Where card payments are offered, processing is carried out in environments designed to meet industry security expectations (such as PCI DSS requirements) by qualified partners. We typically only see limited card data (e.g. last four digits) for display or reconciliation. Open banking flows rely on your bank’s authentication; we do not receive your online banking password.
8. Correction, access and your rights
You may request access, rectification, erasure, restriction or portability, object to certain processing, and withdraw consent where processing is consent-based. You may lodge a complaint with the CNIL (www.cnil.fr).
Send requests in writing (email or post). We will respond within approximately thirty (30) days where feasible under GDPR timelines.
Data protection contact (DPO / privacy):
NEXORA SASU
195 RUE PIERRE ET MARIE CURIE, 27310 BOURG-ACHARD, France
Email: privacy@stixbnk.com
You may also write to support@stixbnk.com for general privacy-related enquiries.
9. Data retention
We keep personal data only as long as needed to provide services, meet legal obligations (accounting, tax, anti-fraud), resolve disputes and enforce agreements. After a relationship ends, some data may be restricted internally then deleted at the end of statutory periods. Deletion from active systems may leave residual copies in backups until they are rotated; those copies are protected and not used for new processing.
10. Links to other websites
Our site may link to third-party sites we do not control. Their privacy practices are their own; this Policy does not apply there.
11. Protection of minors’ data
Our services are not directed at children for marketing. We do not knowingly solicit personal data from minors for marketing. A purchase may involve data strictly necessary for proof of transaction where a minor uses a payment method lawfully.
Notice for United States residents: we do not knowingly collect personal information from children under 13 for online services subject to U.S. children’s privacy rules; if you believe we have, please contact us so we can delete it where appropriate.
12. Changes to this Privacy Policy
This Policy may be updated to reflect legal, technical or business changes. Material changes may be communicated by email, notice on the site, or as required by law. The “Last updated” date at the top will be revised. We encourage you to review this page periodically. This Policy forms part of our overall contractual framework together with our Terms and Conditions of Sale where referenced.
© 2026 NEXORA SASU. All rights reserved.