Privacy Policy

Last updated: January 1, 2026

Introduction

NextPIM is a Product Information Management (PIM) system. This Privacy Policy explains how information is collected, used, and protected when you use the NextPIM software. Since NextPIM is self-hosted, data handling practices depend on how your organization has deployed and configured the system.

Private Repository Access

NextPIM source code is maintained in a private repository. Access to the repository must be requested and approved. The developers of NextPIM do not collect, store, or have access to any data processed by instances of NextPIM that you deploy.

Self-Hosted Deployment

When you deploy NextPIM on your own infrastructure:

  • Data Ownership: You retain complete ownership and control of all data stored in your NextPIM instance.
  • Data Location: All data remains within your chosen infrastructure (on-premises, cloud provider, etc.).
  • Access Control: You are responsible for implementing and managing access controls, user authentication, and authorization.
  • Security: You are responsible for securing your deployment, including network security, encryption, and regular security updates.

Information Collection and Use

User Account Information

NextPIM stores the following information for user accounts:

  • Email addresses
  • Display names
  • Authentication credentials (securely hashed passwords or SSO tokens)
  • User roles and permissions
  • Account creation and last login timestamps

Product Data

NextPIM is designed to manage product information, which may include:

  • Product descriptions, specifications, and metadata
  • Product images and digital assets
  • Categories, attributes, and taxonomies
  • Pricing and inventory information
  • Version history and audit logs

System Logs

NextPIM may generate system logs containing:

  • API requests and responses
  • Authentication attempts
  • System errors and debugging information
  • Data import/export activities
  • User activity for audit purposes

Azure Active Directory Integration

If you configure Azure Active Directory (Azure AD) or Microsoft Entra ID for single sign-on:

  • Authentication is handled by Microsoft's identity platform
  • NextPIM receives user profile information (email, name) from Azure AD
  • Microsoft's Privacy Policy and Terms of Service apply to the authentication process
  • You control what information is shared between Azure AD and NextPIM through Azure AD configuration

Cookies and Local Storage

NextPIM uses browser storage mechanisms for:

  • Authentication Tokens: JSON Web Tokens (JWTs) stored in localStorage for maintaining user sessions
  • User Preferences: Theme selection, language preferences, and UI settings
  • Service Worker Cache: For offline functionality and improved performance (when PWA features are enabled)

Data held in these storage mechanisms stays on the client side and is not transmitted to any external servers beyond your NextPIM instance.

Data Security

NextPIM implements security best practices, including:

  • Password hashing using bcrypt
  • JWT-based authentication with token expiration
  • Role-based access control (RBAC)
  • API rate limiting and request validation
  • SQL injection protection through parameterized queries (Prisma ORM)
  • HTTPS support (when configured)

However, as the system administrator of your NextPIM instance, you are responsible for:

  • Keeping the software updated with security patches
  • Configuring HTTPS/TLS certificates
  • Setting strong password policies
  • Regular database backups
  • Network security and firewall configuration
  • Monitoring and responding to security incidents

Third-Party Services

NextPIM may integrate with third-party services if you configure them:

  • Azure Blob Storage: For storing product images and digital assets
  • Azure Active Directory: For SSO authentication
  • SMTP Servers: For sending email notifications (if configured)

When using these services, their respective privacy policies apply. You are responsible for understanding and complying with the terms of any third-party services you integrate.

Data Retention

Data retention policies are entirely under your control. NextPIM provides tools for:

  • Deleting user accounts and associated data
  • Removing products and their version history
  • Clearing audit logs
  • Exporting data for backup or migration purposes

You should establish data retention policies appropriate for your organization and comply with applicable regulations (GDPR, CCPA, etc.).

User Rights

Depending on your jurisdiction and organizational policies, users may have rights to:

  • Access their personal data stored in NextPIM
  • Correct inaccurate or incomplete data
  • Request deletion of their account and associated data
  • Export their data in a portable format
  • Object to certain data processing activities

As the system administrator, you are responsible for handling such requests in compliance with applicable laws.

Children's Privacy

NextPIM is designed for business use and is not intended for children under the age of 16. Organizations deploying NextPIM should ensure they do not knowingly collect or process personal information from children without appropriate consent and safeguards.

Changes to This Privacy Policy

This Privacy Policy may be updated to reflect changes in NextPIM's features or legal requirements. When deploying updates to NextPIM, review the privacy policy for any changes. Users should be notified of material changes to how their data is processed.

Compliance Considerations

Organizations using NextPIM should consider compliance with:

  • GDPR (General Data Protection Regulation) - if processing data of EU residents
  • CCPA (California Consumer Privacy Act) - if processing data of California residents
  • Industry-specific regulations - healthcare (HIPAA), finance (PCI-DSS), etc.
  • Local data protection laws - applicable to your jurisdiction

NextPIM provides tools to support compliance, but achieving compliance requires proper configuration, policies, and procedures implemented by your organization.

Contact Information

For questions about NextPIM's privacy practices:

  • Source Code: github.com/garethcheyne/NextPIM
  • Issues: Report privacy concerns via GitHub Issues
  • Administrator: Contact your NextPIM system administrator for instance-specific privacy questions

Disclaimer

This privacy policy template is provided as a starting point for organizations deploying NextPIM. It should be customized to reflect your specific deployment, data handling practices, and legal obligations. Consult with legal counsel to ensure your privacy policy complies with all applicable laws and regulations. The NextPIM project and its contributors are not responsible for how individual deployments handle data privacy.