Data Handling & AI Usage

Exactly how ONX handles
your data and uses AI.

Written for security reviewers, legal teams, and procurement. No marketing language — just the specific, verifiable answers to the questions you actually ask.

EU database

Stockholm (eu-north-1)

No PII to AI

No names, emails, or deal data

Auto-deletion

Enforced by pg_cron at DB layer

Human review

Required before every AI action

No model training

Contractually prohibited with all AI providers

No automated decisions

AI is decision-support only

What ONX stores

Data you create or import — persisted in your account

Deal rooms

Low

Room name, deal value, close date, pipeline stage, CRM deal ID

Companies

Low

Company name, domain, industry. CRM sync stores domain and industry only — no financials, no company contacts.

Contacts

Medium

First name, last name, job title, business email, LinkedIn URL. Stored only if added by your team.

Assets

Low–Medium

File metadata (title, type, size, upload date). File content stored in encrypted object storage.

CRM sync data

Low

Deal-level commercial fields (stage, value, close date, owner ID). Contact associations stored as IDs only — no contact names or emails imported from CRM.

OAuth tokens

High — isolated

HubSpot access and refresh tokens — encrypted at rest, service-role only access, never exposed to client-side code.

Special category data (health, race, religion, etc.) is not processed — category blocked at ingestion. Article 9 GDPR.

What ONX tracks

Behavioural events generated when people interact with your rooms and assets

Asset downloads

Asset performance analytics; rep engagement view

Timestamp, viewer email (authenticated users only), source context, pseudonymised IP

Deal room views

Buyer engagement scoring; deal health signals

Viewer email and name (collected via email gate — see consent notice), content interactions, duration

NBA actions

Win-rate attribution; effectiveness analytics

Action type, deal ID, rep who acted, timestamp, outcome (won/lost/stalled)

Rep activity

Pipeline health; manager visibility

Actions per deal, last active timestamp — no keystroke or screen recording

IP addresses are never stored in plaintext. ONX applies HMAC-SHA256 pseudonymisation with a daily rotating salt — same IP on the same day produces the same hash (for deduplication); different day produces a different hash (no cross-day tracking). The secret key is held separately; hashes cannot be reversed without it.

Retention periods

Enforced at the database layer by scheduled jobs — not a policy statement, a mechanism

Contact records

120 days from ingestion

Auto-expiry enforced — no silent renewal without lawful basis re-confirmation

CRM sync mappings

90 days from last sync

pg_cron job runs nightly. Deleted after 90 days of no activity.

Asset view events

365 days

Viewer email and pseudonymised IP auto-deleted after one year

Deal room view events

365 days

Viewer email, name, and IP hash auto-deleted after one year

Account deletion (Art. 17)

30 days from request

View-table PII anonymised immediately on erasure request. Account and residual data deleted within 30 days.

OAuth tokens (CRM)

Deleted on disconnection

Access and refresh tokens removed immediately when CRM integration is disconnected

Audit logs

7 years

Retained for legal and regulatory compliance purposes

Retention jobs run at the database layer (PostgreSQL pg_cron), not the application layer. This means they execute regardless of application deployments or API availability. Deletion is logged in the audit trail.

AI-assisted features

Every AI feature in ONX — what it does and what model it uses

Email draft

Claude HaikuAI-generated

Writes a first-draft cold outreach email for a contact based on company signals, news, and ICP context.

Rep clicks "Draft email" — never automatic

Executive summary

Claude HaikuAI-generated

Generates a boardroom-ready pipeline briefing from aggregate deal health, activity, and win-rate data.

Rep/CRO clicks "Generate" — never automatic

Signal scoring

ClaudeAI-assisted indicator

Scores market intelligence signals (hiring patterns, intent data) for relevance to the ICP.

Background job — output is a score, not a decision

News relevance scoring

ClaudeAI-assisted indicator

Evaluates news articles for commercial relevance to target accounts.

Background enrichment — surfaced as context, not instruction

What is sent to AI providers

The exact fields included in prompts — specific, not approximate

Email draft

→Contact first name (not full name — last name is not sent)

→Contact job title / role

→Company name and industry

→Company employee count (band, e.g. "200–500")

→Recent market signals for the company (hiring patterns, news — company-level, not personal)

→Industry news context

→ICP persona summary (your product description + target profile, no customer data)

Executive summary

→Aggregate deal counts (total, at-risk, stalling, strong)

→Aggregate pipeline values (£ totals, no individual deal names)

→NBA action statistics (counts, rates — no contact or company names)

→Rep names where available, or "a team member" — rep emails never sent

→Win-rate percentages and velocity metrics

Signal / news scoring

→Signal text (e.g. job posting title, function, seniority level)

→Company name and industry

→No contact data of any kind

What is never sent to AI providers

Explicit list — not a general statement

Contact email addresses

Contact last names or full names

Rep or user email addresses

Deal names (which often contain contact or company names)

CRM OAuth tokens or any authentication credentials

Asset file content — documents, PDFs, presentations are never sent to AI

Deal room content or buyer engagement details

Raw IP addresses (pseudonymised hashes are used internally only, never sent to AI)

Customer proprietary data of any kind beyond the fields listed above

Data from one customer account is never used in prompts for another account

Model training: Anthropic and all other AI providers used by ONX are contractually prohibited from using your data to train or fine-tune their models. This applies to all plans.

Human oversight model

How ONX ensures AI output is never acted on automatically

Every AI-generated output is labelled “AI-generated” or “AI-assisted” in the interface — no unlabelled AI content

Email drafts require the rep to review, edit, and manually send — ONX never sends emails automatically

Pipeline summaries are generated on demand and reviewed before sharing — no automated distribution

Signal scores and intent indicators are surfaced as context — reps decide how to act

NBA (Next Best Action) recommendations are rule-based, not AI-generated, and require one-click confirmation

No automated decisions affecting contacts, deals, or commercial outcomes

No automated outreach, scheduling, or CRM updates triggered by AI output

EU AI Act alignment: ONX's preliminary internal assessment classifies the platform as a limited-risk AI system. All AI-generated content is transparently labelled per Article 52. No high-risk use cases (employment, credit, law enforcement, healthcare) are in scope.

Subprocessors

Every third-party service that touches customer data

ProcessorRoleData regionTransfer basis

SupabaseDatabase, auth, storageEU (Stockholm, eu-north-1)Primary processor — EU hosted

VercelApplication compute, CDNGlobal edge / EU configurableSCCs

AnthropicAI inference (Claude)United StatesSCCs + DPA

ResendTransactional emailUnited StatesSCCs

HubSpotCRM data source (optional)United StatesSCCs (customer-configured)

30 days' notice is provided for new subprocessors. DPA available on request.

EU hosting

Where your data physically resides

Database

Supabase eu-north-1 — Stockholm, Sweden

All customer data at rest. EU territory. GDPR territorial requirement satisfied.

File storage

Supabase Storage (eu-north-1) — Stockholm

Assets, uploads, generated documents — same region as database

Application compute

Vercel global edge — configurable to EU-only on Enterprise

Serverless functions run at the edge nearest the user by default

AI inference

Anthropic — United States

Data-in-transit to AI providers is covered by SCCs. See 'What is sent to AI' for field-level detail.

Email delivery

Resend — United States

Transactional emails only (confirmation, erasure notifications). No customer contact data in email payloads.

Data residency commitment: All structured customer data (deals, contacts, companies, assets, view events) is stored in the EU (Stockholm) and does not leave the EU except where explicitly described above — specifically the limited fields sent to Anthropic for AI inference, covered by SCCs and DPA.

Questions or need a DPA?

We respond to procurement security questions within 2 business days.

Contact security team Procurement Pack

Security & Trust Privacy Policy Terms of Service Subprocessors AI Transparency security@optimalnexus.com

Exactly how ONX handles your data and uses AI.