Privacy Policy

Effective date: 15 January 2026

Summary (what this policy is about)

When you use a website that has integrated NXTL, we process:

the messages you send in the assistant
some technical and usage data (like page URL, browser info, timestamps)
certain identifiers/cookies, where permitted

We do this mainly:

to provide the assistant and keep your conversation coherent
to help the website owner understand and improve how NXTL works on their site
to secure and maintain the service

The website owner is usually the data controller for your use of NXTL on their site. The Next Level AS is mostly a data processor, and for some limited purposes also a controller (e.g. security and service maintenance).

We do not sell your personal data and we do not use customer data to train global models across customers. We aim to be transparent and to restore trust between users and providers of technical solutions.

1. About The Next Level AS

The Next Level AS (“The Next Level”, “we”, “us” or “our”) is a independent company located in Norway. We provide NXTL, a conversational AI assistant that our customers embed on their own websites and services (together, the “Service” or “NXTL”).

Company details

Company: The Next Level AS
Address: Hetlandsgata 9, 4344 Bryne, Norway
Organisation no.: 933 671 48
Email: contact@nxtl.ai

This page informs you of our policies regarding the collection, use and disclosure of personal data when you interact with NXTL and the choices you have associated with that data.

We use your data to provide, secure and improve NXTL. If you do not wish to provide personal data (directly or via the website where you use NXTL), we may not be able to provide the full functionality of the Service.

Unless otherwise defined in this Privacy Policy, the terms used here have the same meanings as in our terms and conditions and in our agreements with the website owners who use NXTL.

2. General Statement of Applicability of This Privacy Policy

This Privacy Policy applies to our collection, use and processing of personal data in connection with NXTL, including when:

you use NXTL as an assistant or chat widget on a website or in an application operated by one of our customers (the “Website Owner”), and
we process data on behalf of, or in relation to, that Website Owner.

Who is responsible for your data?

The Website Owner is generally the data controller for the use of NXTL on their own site or application. They decide whether and how NXTL is used, and which categories of data are shared with NXTL.
The Next Level AS typically acts as the Website Owner’s data processor, processing data on their instructions.

For certain limited and clearly defined purposes (for example security, abuse prevention, diagnostics and platform-level service improvement), The Next Level AS may also act as an independent data controller.

Where we act as controller, this Privacy Policy describes how we process your data and on what legal bases. Where we act as processor, we process your data according to our agreements with the Website Owner, and the Website Owner’s privacy policy will provide the primary information about how and why your data is used.

If there is any conflict between this Privacy Policy and the Website Owner’s privacy or cookie notice, the Website Owner’s notice will normally govern their use of NXTL on their site.

3. The Next Level AS’s Processing of Your Personal Data

3.1 Types of Personal Data Processed (“Information we collect”)

Depending on how you interact with NXTL and how the Website Owner has configured the integration, we may process the following categories of personal data.

a) Interaction and conversation data

When you use NXTL, we process the content of your interactions, including:

messages you send to NXTL (user prompts)
messages NXTL returns to you (assistant responses)
metadata linked to those messages (e.g. which page you were on when you sent the message)

This data may contain personal data if you choose to include it in your messages (for example your name, contact details or other information about yourself or others).

b) Signals, events and telemetry

NXTL’s SDK and backend generate and store “signals” and events related to how the assistant is used, such as:

opening or closing the assistant
clicking specific buttons or options
sending or receiving a message
certain errors or technical events

Signals can contain:

a signal type (e.g. user, assistant, event, telemetry)
a signal identifier or session identifier
a timestamp for when the event occurred

Some signals may include or be linked to the message content and metadata described above.

c) Website and usage data

When you use NXTL, we may process data about the context in which the interaction takes place, for example:

the URL or path where NXTL is used
the referrer host (the site you came from)
UTM parameters and similar campaign parameters in the URL
the language configured in your browser
screen resolution

We may also process technical usage and diagnostic data, such as:

browser type and version
approximate geographic area inferred from IP address (e.g. country or region)
time and date of interactions
performance and error logs related to NXTL

We do not attempt to determine your precise GPS location.

d) Cookie and identifier data

When NXTL is integrated on a website, we may use cookies or similar technologies to keep track of interactions from the same browser over time. This may include:

the NXTL cookie nxtl_signal, which stores a compact “signal stack” of your interactions with NXTL to help link them into coherent sessions

For more detailed information about cookies and nxtl_signal, including duration and purposes, please see our Cookie Policy (see section 3.4).

e) Data provided by the Website Owner

The Website Owner may send additional metadata to NXTL, such as:

an internal user ID, username or account identifier
your role or segment (e.g. “admin”, “prospect”, “existing customer”)
other profile attributes relevant to how they want NXTL to respond

The exact data of this kind is determined by the Website Owner and described in their privacy policy. We process this data on their behalf when acting as a data processor.

f) Contact, support and business communication data

If you contact us directly (e.g. by email):

we may process your name, email address, message content and any other information you choose to share
if you act on behalf of a Website Owner or potential customer, we may also process your company and role

g) Children’s data

NXTL is not intended to be used by children as a stand-alone service. However, it may appear on websites that are open to a broad audience. We do not knowingly target or profile children under the age applicable in your jurisdiction.

If we become aware that we have processed personal data of a child in a way that requires parental consent under applicable law and such consent has not been obtained, we will take appropriate steps to delete the data or to obtain the necessary consent.

3.2 Our Use of Your Personal Data (“How we use it”)

We use the data described above for the following purposes:

To provide and maintain NXTL
- Deliver the assistant’s core functionality: understand your messages, generate relevant responses and adapt to the Website Owner’s configuration and content.
- Maintain conversation context within and, where configured, between visits in the same browser.
To keep conversations coherent and useful
- Link your interactions from the same browser or session so that NXTL can “remember” limited context, using identifiers and cookies where permitted.
To support the Website Owner
- Provide logs, diagnostics and aggregated statistics to the Website Owner so they can understand how NXTL is being used and improve their own services.
- Help the Website Owner respond to support requests or investigate issues related to NXTL.
To improve and develop NXTL (without cross-customer model training on your data)
- Analyse signals and usage patterns (often in aggregate or pseudonymised form) to improve the accuracy, stability and user experience of NXTL.
- Use anonymised or aggregated statistics across customers to improve NXTL’s features, where permitted by our agreements and applicable law.
- We do not use customer data to train global models across customers in a way that would expose one customer’s identifiable data or patterns to other customers. We aim to be a counterweight to misuse of user data and do not sell data onward.
To monitor, secure and troubleshoot the Service
- Detect, prevent and address abuse, spam or misuse of NXTL.
- Monitor usage and performance to maintain a secure and reliable platform.
- Detect, investigate and fix technical issues and security incidents.
To comply with legal obligations and handle disputes
- Comply with retention, accounting or disclosure duties under applicable law.
- Defend or exercise legal claims and enforce our agreements with Website Owners and others.

We do not sell your personal data and we do not use your data to build marketing profiles about you for advertising purposes.

3.3 Legal Basis for Processing Personal Data Under the General Data Protection Regulation (GDPR)

When NXTL is used on a Website Owner’s site, we may process personal data as:

a data processor, acting on the Website Owner’s instructions; and/or
an independent data controller, for limited platform-level purposes.

Where we act as data processor, the Website Owner is responsible for determining and communicating the legal basis (for example, consent, legitimate interests or performance of a contract). Our processing is then based on our data processing agreement with the Website Owner.

Where we act as an independent controller, our typical purposes and legal bases are:

Purpose (as controller)	Examples of data categories	Legal basis under GDPR
Provide and secure the NXTL platform	Interaction data, signals, technical and diagnostic data	Legitimate interests and/or contract
Detect and prevent abuse, security incidents	Logs, IP-based region, event metadata	Legitimate interests; legal obligation in some cases
Improve the performance and quality of NXTL (platform-level)	Aggregated or pseudonymised usage statistics, technical metrics	Legitimate interests; and consent where required for certain analytics/cookies
Use non-essential cookies/identifiers (e.g. analytics)	Cookie/ID data (e.g. nxtl_signal)	Consent (where required by local law, e.g. EEA/UK)
Comply with legal and regulatory obligations	Records required by law	Legal obligation

In jurisdictions where consent is required for certain cookies or analytics (for example under ePrivacy rules in the EEA/UK), we rely on the consent collected by the Website Owner via their cookie banner or privacy tools. If consent is not given, we will not use cookie-derived interaction data for non-essential analytics and improvement, but we may still process strictly necessary signals to provide the core functionality and security of NXTL.

Withdrawal of consent (through the Website Owner’s tools) does not affect the lawfulness of processing based on consent before it was withdrawn, but may limit some functionality.

3.4 Cookies and similar technologies

When NXTL is embedded on a Website Owner’s site, we may use cookies and similar technologies to:

remember interactions from the same browser and keep conversations coherent
support basic telemetry, diagnostics and platform security
(where permitted) understand how the assistant is used to improve stability and user experience

The main cookie used by NXTL is:

nxtl_signal – a persistent cookie that stores a compact “signal stack” of your interactions with NXTL (such as events, user messages, assistant messages and technical telemetry). It typically has an expiry of up to 12 months from your last interaction and may contain the text you enter into the assistant.

Whether and how nxtl_signal is used, and for which purposes, can depend on:

how the Website Owner has configured their cookie banner or consent solution, and
which choices you make in that banner or settings panel.

In jurisdictions where consent is required for non-essential cookies or analytics, nxtl_signal will only be used for such purposes if valid consent has been obtained.

For full and up-to-date details about the cookies we use, including their names, purposes, lifetimes and legal bases, please see our dedicated Cookie Policy: Cookie Policy (lenkes opp)

The Website Owner may also use their own cookies and third-party cookies on the same site. Those cookies are described in the Website Owner’s own cookie and/or privacy policy.

4. Retention of Data

The Next Level AS retains personal data only for as long as necessary for the purposes set out in this Privacy Policy and in our agreements with Website Owners.

In particular:

Interaction and signal data
- Retained for the time needed to provide the Service, maintain conversation context (where configured), support and troubleshoot for the Website Owner, improve and secure NXTL, and comply with legal obligations.
Logs and diagnostic data
- Retained for a period appropriate to security, performance and troubleshooting needs, unless a longer period is required by law.
Support and contact data
- Retained as long as needed to handle your request and to maintain proper records of our communications.

Where we act as data processor, we may delete or return personal data earlier if instructed by the Website Owner, in line with our data processing agreement.

5. Transfer of Data

We may process and store personal data in countries other than the one you are located in. This may include transfers:

within the European Economic Area (EEA); and/or
to countries outside the EEA that may have different data protection laws.

Where we transfer personal data to a country that is not recognised by the European Commission as providing an adequate level of protection, we will ensure that appropriate safeguards are in place, such as:

Standard Contractual Clauses approved by the European Commission; or
other appropriate safeguards permitted under data protection law.

You can contact us if you would like more information about the safeguards we use for international transfers.

6. Disclosure of Data

We do not sell your personal data. We may share personal data only in the following situations:

With the Website Owner
- We share interaction data, signals and diagnostics with the Website Owner in accordance with our agreement with them, so they can operate and improve their services and their use of NXTL.
With our service providers (sub-processors)
- We use trusted third parties to provide services such as hosting, storage, logging, monitoring and platform analytics. These providers process personal data on our behalf and only according to our instructions. A list of our main sub-processors is available to our customers on request or through our customer information channels.
With professional advisers and auditors
- Where necessary, we share limited data with lawyers, auditors or other professional advisers, subject to confidentiality obligations.
For legal reasons and protection of rights
- To comply with legal obligations, enforceable governmental or court orders.
- To protect and defend the rights, property or safety of The Next Level AS, our customers, users of NXTL or others, including enforcing our agreements.

In all cases, we limit the data shared to what is necessary for the specific purpose and require appropriate privacy and security safeguards.

7. Links to Other Sites

NXTL may be integrated into websites that contain links to external sites not operated by us. If you click a third-party link, you will be directed to that third party’s site.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party websites or services.

We encourage you to review the privacy policy of every site you visit, including the Website Owner’s own privacy policy.

8. Your Data Protection Rights

Depending on your location and applicable law (for example, if you are in the European Economic Area (EEA) or the United Kingdom), you may have the following rights regarding your personal data:

Right of access – to obtain confirmation as to whether we process personal data about you and, if so, to receive a copy.
Right to rectification – to have inaccurate or incomplete personal data corrected.
Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances.
Right to restriction of processing – to request that we restrict processing in specific situations.
Right to object – to object to processing based on our legitimate interests, on grounds relating to your particular situation.
Right to data portability – to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and, where technically feasible, have it transferred to another controller.
Right to withdraw consent – where processing is based on consent, to withdraw that consent at any time.

Because NXTL is usually used on a Website Owner’s site, it may be more appropriate to exercise some of these rights through the Website Owner, who is normally the primary data controller for your interactions with NXTL. We may coordinate with the Website Owner to respond to your request, or direct you to them where appropriate.

We may ask you to verify your identity before responding and may not be able to fully comply with a request where we have overriding legal obligations or compelling legitimate interests.

You also have the right to lodge a complaint with your local data protection authority. In Norway, this is the Norwegian Data Protection Authority (Datatilsynet).

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example if we change how we process personal data in NXTL or if legal requirements change.

When we make changes, we will:

update the effective date at the top of this Privacy Policy; and
where appropriate, notify our customers (Website Owners) so they can update their own information to users.

We encourage you to review this Privacy Policy periodically for any changes. Changes are effective when they are posted on this page.

10. Jurisdiction and Applicable Law

Subject to any mandatory local law that applies, this Privacy Policy shall be governed by and construed in accordance with the laws of Norway, and be subject to the non-exclusive jurisdiction of the courts of Norway.

This does not affect any rights you may have under applicable data protection laws in your country.

11. How to Contact Us

If you have any questions about this Privacy Policy or about how we process personal data in connection with NXTL, you can contact us:

The Next Level AS

Hetlandsgata 9

4344 Bryne, Norway

Organisation / company number: 933 671 48

Email: contact@nxtl.ai
Subject: Privacy / NXTL

You can also contact the Website Owner directly with questions about how they use NXTL and other services on their site, and about the legal bases they rely on for processing your data.