Privacy at NexLet.
Last updated 17/05/2026
NexLet is a CRM-style business inbox built for luxury rental agents. We hold the smallest set of data we need to keep your agency running, and we tell you exactly where it lives. This page is plain English, written by Adrian Torrente Tenreiro — solo founder, working agent at Cycladic Estates in Mykonos — not by a lawyer.
What this is
NexLet is the inbox an agent opens between an inbound WhatsApp message from a high-net-worth client and the moment that client signs a villa lease. It is not a marketplace, not a public directory, and not a payment processor. Helena, the assistant built into the app, drafts replies and gathers stay details on your behalf; she never makes a booking, never transacts money, and never identifies as you or as NexLet to your client.
Two threads run through every paragraph below. First: we collect only what the product needs to keep an agent, an owner, a client, and a vendor on the same page about a stay. Second: every piece of data has a known address — an EU Supabase region, a Hetzner VPS in Germany, or an Anthropic API endpoint configured for zero-retention — and you can ask us where it is at any time by emailing adrian@adriantroop.com.
What we collect and why
Six categories of data flow through NexLet. We describe each in the same shape: the data itself, the reason we need it, and the shortest answer to “what would happen if you didn’t collect it?”
- Account. Your email address, display name, and the role memberships your agency assigns to you (Agent, Owner, Client, Vendor). We save your email so you can sign back in and so we can send you a magic link. Without it there is no account.
- WhatsApp message relay. The text content of messages that move through your linked WhatsApp number on our self-hosted Baileys relay. We store these so threads survive between sessions and so Helena can draft a reply with context. Without them every conversation would forget itself after a refresh.
- AI-parsed inquiry data. Structured fields extracted by Claude Haiku 4.5 from inbound messages: dates, headcount, budget hints, asset preferences. We save these to power your pipeline view and to draft Selections that match a client’s actual ask. Without them every inquiry would be free-form text and you would re-read it three times.
- Billing identifier. For Starter (€50/mo) and Pro (€149/mo): the Apple In-App Purchase original transaction identifier so we know which account you bought. For Studio (€399/mo), Power (€899/mo), and Enterprise (€2,499/mo): a Stripe customer identifier issued when you check out on the web. We never store full card numbers; Apple and Stripe respectively own that layer.
- Error diagnostics. When the app crashes or an Inngest workflow throws, Sentry captures a stack trace plus the device class (e.g. “iPhone 17 Pro, iOS 26.4”). We save these so we can fix the bug that hit you before it hits five more agents. Without them we’d learn about outages from angry WhatsApps.
- Push tokens. The APNs device token Apple issues to your iPhone so NexLet can notify you that a new inquiry landed. We save it for the life of your account; when you sign out we discard it. Without it the app would only refresh when you opened it.
Where your data lives
Six places. We list them with the legal entity and the region so an Apple Privacy Nutrition Label reviewer (and you) can match this page to the declarations in App Store Connect.
- Supabase (Postgres + Auth + Storage + Realtime, EU region). This is the durable store of record for accounts, threads, inquiries, Selections, and reputation rows. Row-Level Security is enforced on every table; another agency cannot read yours.
- Baileys VPS (Hetzner, Germany). Our self-hosted WhatsApp transport. Inbound and outbound messages move through this server; ephemeral cache only, no long-term content stored on the VPS itself. The durable copy lives in Supabase.
- Anthropic (Claude Haiku 4.5 + Sonnet 4.6 via the Anthropic API). US-based subprocessor. Your message text is sent to Anthropic in the moment Helena drafts a reply or parses an inquiry. We use Anthropic’s API zero-retention tier: Anthropic does not retain the request or response beyond the duration of the call, and your data is not used to train Anthropic models.
- Resend (US-based, transactional email). Sends magic-link sign-in emails, billing receipts, status notifications, and the rare refund or credit email after a sev-1/2/3 incident.
- Sentry (US-based, crash diagnostics). Stack traces and device class for crashes in the iOS binary and the Vercel edge runtime.
- APNs (Apple-owned, push notification routing). Apple owns the token; we send a notification payload, Apple delivers it to your iPhone.
We do not use Google Analytics, Mixpanel, Amplitude, Segment, Hotjar, FullStory, Datadog, or any other third-party product analytics or session-recording vendor. The list above is the complete subprocessor list as of the Last-updated stamp at the top of this page.
Who can see your data inside NexLet
Your agency sees its own data. Another agency cannot see yours. We enforce this with Postgres Row-Level Security on every table from creation, indexed on the agency-scope columns, and tested via a cross-tenant probe that runs in CI on every pull request. The probe issues a realistic agency-A JWT against a row owned by agency B and asserts the read returns zero rows; if it ever returns a row, the deploy is blocked.
Inside your agency, role memberships govern what each person sees. An agent sees the threads they own and the threads assigned to them. The agency owner sees every thread in the agency. An owner-role user (the property manager of a villa or chalet) sees only the threads about their own assets and the availability they’ve published. A client sees only the Selections an agent has sent to them. A vendor sees only the briefs they’ve been invited to bid on.
Adrian (the founder) has administrative access to the Supabase project for support and incident response — for example, to unstick a stuck inquiry, restore a Selection that was archived in error, or investigate a Sentry trace that mentions your account. Administrative reads are not casual reads; they are logged in an admin audit trail (Plan 12-09).
We do not share your data with other agencies, with marketing partners, with the Machri Group cohort, or with any other customer of NexLet. The reputation system — bidirectional, network-wide stars — exposes only the star count plus the number of bookings it’s derived from. Notes attached to a star are private to the staff inside the agency that wrote them and never travel cross-agency.
AI and your data
Helena is the assistant built into NexLet. She uses two Anthropic models: Claude Haiku 4.5 for parsing inbound messages into structured fields (dates, headcount, budget hints) and Claude Sonnet 4.6 for drafting replies and Selection descriptions. Every call to Anthropic happens through Inngest workflows that run on Vercel — Helena never calls Anthropic from a real-time Edge Function path because long-running Sonnet requests would time out.
Three guarantees apply to every Anthropic call:
- We use the Anthropic API zero-retention tier. Anthropic does not store the request or response beyond the call duration and your data is not used to train Anthropic models. If Anthropic ever changes that posture, we will update this page and re-email cohort agencies within 14 days of the change.
- Helena identifies as “[Agent]’s assistant” in every WhatsApp message she sends. She never identifies as the agent themselves and never as NexLet. This is a forbidden-pattern guardrail in our own engineering rules and a hard-stop rule in Helena’s system prompt.
- Per Apple App Store Review Guideline 5.1.2(i), an in-app AI disclosure modal appears on first use of any Helena-drafted surface. You can opt out of Helena drafting on a per-thread basis from the conversation header.
Helena drafts. Humans transact. Helena never makes a booking and never processes a payment. Every action she suggests lands on your sign-off — a one-tap confirm in the iOS app — before anything moves through WhatsApp.
What we don’t do
A negative list is sometimes the clearest privacy statement. We do not, and will not in v1, do any of the following:
- Resell or rent your data to anyone. Ever.
- Run third-party product analytics. No Google Analytics, no Mixpanel, no Amplitude, no Segment, no Hotjar, no FullStory.
- Use advertising identifiers. No IDFA, no GAID, no cross-app tracking — App Tracking Transparency in the iOS binary is set to “do not request” because we have nothing to request.
- Build a shadow profile of anyone — not of you, not of your clients, not of villas or owners outside NexLet.
- Train AI models on your messages, your Selections, or your reputation rows.
- Share data across agencies. Your reputation rows on a client are private to your agency; another agency cannot read your stars or your private notes.
- Run a public agent directory or a public villa search. NexLet is closed-network; Selections are shared via universal links to specific people.
- Operate a public Selection browse — every /s/[slug] URL is keyed to a private slug shared one-to-one.
- Make bookings or process payments. Helena drafts; humans transact off-platform.
Your choices
Four levers control your data inside NexLet, all reachable from the iOS app:
- Delete your account. Settings → Account → Delete account. Per Apple App Store Review Guideline 5.1.1(v), this path is in the iOS binary itself, not buried in a web flow. We process deletion within 30 days of your request. If your agency-owner deletes the agency, all agent accounts inside it are deleted with the agency.
- Opt out of email notifications. Every transactional email from Resend includes an unsubscribe link with a per-recipient token. Magic-link sign-in emails are exempt — without them you can’t sign in.
- Unpair WhatsApp. Sign out of the linked WhatsApp session in Settings → WhatsApp. Your Baileys session drops, no new messages relay, and the existing thread history stays attached to your agency until you delete the account.
- Opt Helena out of a thread. Tap the Helena badge in a conversation header and select “Pause Helena.” Helena stops drafting on that thread; you continue to send messages by hand.
Contacting us
Adrian replies personally to every privacy email. Response target is five business days; the long tail is when he’s in transit between Mykonos and Courchevel during the swing season.
Email adrian@adriantroop.com with “Privacy” in the subject line. For incident reports tied to your account, include your agency name and the rough date and time so we can scope the Sentry trace.
Mailing address: c/o Adrian Torrente Tenreiro, Mykonos / Courchevel (founder home base — exact address available on request for a registered post recipient).
If we materially change this page — for example, if we add a new subprocessor or change Anthropic’s retention tier — we will bump the Last-updated stamp at the top and re-email cohort agencies before the change goes live.