Legal

Privacy Policy

Last updated: April 2026 (v2)

1. Introduction & Who We Are

Nexora Cyprus ("Nexora Cyprus", "we", "us", or "our") is a corporate services provider incorporated and operating in Paphos, Cyprus. We provide Cyprus company formation, corporate tax structuring advisory, IP Box advisory, nominee services, annual compliance, and related corporate administrative services to clients worldwide.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at nexoracyprus.com, contact us, or engage our services. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Processing of Personal Data (Protection of Individuals) Law of 2018, as amended (Cyprus Law 125(I)/2018).

If you have any questions about this policy or our data practices, please contact us at privacy@nexoracyprus.com.

2. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

Identity data: Full name, date of birth, nationality, passport or national identity card details.
Contact data: Email address, telephone number, country of residence, and postal address.
Business data: Company name, industry, proposed business activities, existing corporate structure, and source of funds information.
Correspondence data: The content of emails, messages, and enquiry form submissions you send to us.
Technical data: IP address, browser type, operating system, pages visited, and time of access when you visit our website.
KYC / due diligence data: Identity documents, proof of address, source of funds declarations, and other documents required for anti-money laundering compliance.

We do not knowingly collect personal data from individuals under the age of 18.

3. How We Use Your Data

We use your personal data for the following purposes:

Responding to enquiries: To process and respond to your questions, quote requests, and consultation requests submitted via our website or by email.
Service delivery: To incorporate your Cyprus company, maintain your corporate records, provide nominee services, file compliance documents, and deliver all contracted services.
KYC / AML compliance: To verify your identity and source of funds as required by Cyprus AML legislation (Law 188(I)/2007 and related instruments) and as a condition of providing regulated services.
Client relationship management: To manage our ongoing client relationship, including billing, account management, and service improvements.
Legal and regulatory compliance: To comply with applicable laws, court orders, regulatory requirements, and requests from competent authorities.
Marketing communications: To send you relevant regulatory updates, tax alerts, and information about our services, where you have consented or where we have a legitimate interest to do so. You may opt out at any time.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

Contractual necessity (Art. 6(1)(b)): Where processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract (e.g., responding to enquiries, delivering services).
Legal obligation (Art. 6(1)(c)): Where we are required to process data to comply with AML obligations, regulatory requirements, or other legal duties to which we are subject.
Legitimate interests (Art. 6(1)(f)): Where processing is necessary for our legitimate business interests — such as improving our services, managing our business, and communicating relevant updates — provided these interests are not overridden by your rights.
Consent (Art. 6(1)(a)): Where you have given clear consent for us to process your data for a specific purpose, such as subscribing to our newsletter. You may withdraw consent at any time.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations:

Enquiry data: Data collected from website enquiries or consultations that do not result in an engagement is retained for up to 3 years from last contact, after which it is securely deleted.
Client data: Data relating to active or former clients, including KYC documentation, correspondence, and service records, is retained for a minimum of 7 years following the end of the client relationship, in compliance with Cyprus AML obligations under Law 188(I)/2007.
Financial records: Accounting and billing records are retained for the periods required under Cyprus tax and corporate law.

After the applicable retention period, personal data is securely deleted or anonymised.

6. Data Sharing

We do not sell, rent, or trade your personal data. We may share your data with:

Service providers: Third-party providers who assist us in delivering our services (e.g., licensed auditors, legal counsel, registered agents, cloud storage providers). These parties are bound by confidentiality obligations and are only permitted to process data on our instructions.
Regulatory and governmental authorities: The Cyprus Registrar of Companies, Cyprus Tax Department, Cyprus Bar Association (for AML reporting obligations), competent AML supervisory authorities, and other authorities as required by law or court order.
Professional advisers: Our legal advisers, accountants, and insurers, where necessary for the conduct of our business and subject to professional confidentiality obligations.

We will not share your personal data with third parties for their own marketing purposes.

7. Your Rights Under GDPR

Subject to applicable exemptions, you have the following rights in relation to your personal data:

Right of access: To obtain a copy of the personal data we hold about you.
Right to rectification: To have inaccurate or incomplete personal data corrected.
Right to erasure: To request deletion of your personal data where there is no legitimate reason for us to continue processing it.
Right to restriction: To request that we restrict processing of your data in certain circumstances.
Right to data portability: To receive your personal data in a structured, machine-readable format and to transmit it to another controller.
Right to object: To object to processing based on legitimate interests or for direct marketing purposes.
Rights related to automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

To exercise any of these rights, please contact us at privacy@nexoracyprus.com. We will respond within 30 days. We may need to verify your identity before processing your request.

8. Cookies

Our website uses cookies to ensure essential functionality and to improve your experience. For detailed information about the cookies we use, how they work, and how to manage your cookie preferences, please see our Cookie Policy.

9. International & Cross-Border Data Transfers

As a Cyprus-based company serving international clients, your personal data may be transferred to and processed by our service providers located within the European Union (EU) or European Economic Area (EEA). All such transfers are subject to appropriate safeguards under GDPR.

Where data is transferred outside the EU/EEA (for example, to a non-EEA service provider), we ensure such transfers are governed by appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or the adequacy decisions in force.

10. How We Log Consent

When you submit any of our forms (contact, free consultation, custom-quote, newsletter signup or any tool result email-capture), we record the fact and timestamp of your consent in line with GDPR Article 7. The record contains the consent timestamp (UTC), the form source, the policy version in force at the time, and the IP address / user-agent we received with the submission. We keep that record for as long as the underlying engagement and statutory retention period require, and we can produce it on request if you ask for evidence of your consent or initiate a data-subject access request.

You can withdraw consent at any time by emailing privacy@nexoracyprus.com — withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

11. Sub-Processors

We engage the following third-party data processors to operate the website and deliver our services. Each is bound by a data-processing agreement and processes your personal data only on our documented instructions.

Sub-processorRegionPurpose

Vercel Inc.EU / USWebsite hosting, edge caching, analytics

ResendEU / USTransactional email delivery (form confirmations)

CloudflareGlobalDNS, DDoS protection

Cal.comEUOptional booking calendar (when enabled)

Google Analytics 4EU / USAggregated traffic analytics

LinkedInUSLogged-out social embed only — see cookie policy

We update this list when we change sub-processors. Material changes are reflected here and in the "last reviewed" date at the top of the policy.

12. Data Protection Officer

Although the appointment of a Data Protection Officer is not strictly mandatory for our scale of processing under Article 37 GDPR, Nexora Cyprus has voluntarily designated a Data Protection contact for all privacy-related correspondence. The DPO contact is responsible for monitoring compliance, advising on data-protection impact assessments, cooperating with the supervisory authority, and acting as the point of contact for data subjects.

You can reach the DPO at privacy@nexoracyprus.com.

13. Incident Response

In the event of a personal-data breach (as defined by Article 4(12) GDPR) that is likely to result in a risk to the rights and freedoms of natural persons, Nexora Cyprus will notify the Cyprus Office of the Commissioner for Personal Data Protection within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify affected data subjects without undue delay, with clear, plain-language information on the nature of the breach and the steps taken to mitigate it (Article 34 GDPR).

We maintain an internal register of all personal-data breaches, the facts surrounding them, the effects, and the remedial action taken (Article 33(5) GDPR), and we keep that register available for the supervisory authority on request.

14. Contact Us for Privacy Matters

If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal data, please contact us:

Nexora Cyprus
Paphos, Cyprus
Email: privacy@nexoracyprus.com
Website: nexoracyprus.com

15. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Cyprus, this is the:

Commissioner for Personal Data Protection (Cyprus)
1 Iasonos Street, 1082 Nicosia, Cyprus
Website: www.dataprotection.gov.cy

We would, however, appreciate the opportunity to address your concerns directly before you approach the supervisory authority. Please contact us in the first instance at privacy@nexoracyprus.com.