NexaGuard
  1. Security-and-Privacy
NexaGuard
  • Getting-Started
    • NexaGuard Developer Documentation
    • Quickstart (5 to 10 Minutes)
    • Documentation Overview
    • Concepts and Glossary
  • Compliance-and-Standards
    • Compliance Overview
    • IAB TCF v2.3 Support
    • Google Consent Mode v2 Validation
    • TCF API Validation
    • Audit Checklist (Pre-Launch)
  • Web-and-CMS-Integrations
    • NexaGuard CMP SDK – Web & GTM Setup
    • Integrate NexaGuard CMP with Webflow and Wix
    • Integrate NexaGuard CMP with WordPress
    • Integrate NexaGuard CMP with Drupal
    • Integrate NexaGuard CMP with Shopify
  • Mobile-SDKs
    • NexaGuard CMP SDK - iOS Setup
    • iOS SDK API Reference
    • NexaGuard CMP SDK - Android Setup
    • Android SDK API Reference
    • App Attribution Partner (AAP) Integrations
  • Developer-Reference
    • Web JS API Reference
    • Consent Event Schema
    • Deployment and Environments
    • NexaGuard Debug Tool
    • Troubleshooting Playbook
    • Performance and Best Practices
    • Accessibility and UX Guidelines
    • Localization Workflow
    • Migration Guide
  • Security-and-Privacy
    • Security Overview
    • Privacy Architecture
    • Data and Logging Transparency
    • Subprocessors
    • CSP and Network Allowlist
  • Enterprise-and-Legal
    • DPA and Legal Pack
    • RFP Feature Matrix
    • Status and Reliability
    • Support and Escalation
    • NexaGuard CMP SDK – Commercial Licence
  • Operations
    • Changelog and Version Policy
  1. Security-and-Privacy

Data and Logging Transparency

Last updated: February 18, 2026
This page explains what consent-related data NexaGuard CMP retains for service operation, auditability, and regulatory support.
NexaGuard is designed to process and store consent state information only, not personal profile data.

1. Typical Stored Fields#

NexaGuard may store the following consent-related data elements:
A pseudonymous consent token or consent identifier
Consent status by category or purpose (for example advertising, analytics)
Timestamp of consent creation
Timestamp of last update
Framework flags (for example TCF, GPP, Google Consent Mode v2)
Region and policy evaluation flags used to determine applicable banner behavior
Vendor or purpose selection state (where applicable under TCF/GPP)
These fields are required to:
Maintain user consent state
Support audit verification
Synchronize consent with supported SDKs and integrations
Comply with framework technical requirements
NexaGuard does not enrich consent records with behavioral tracking or marketing data.

2. Typical Excluded Fields#

NexaGuard CMP does not store:
Full names
Email addresses
Phone numbers
Free-text user input
Authentication credentials
Payment data
Device fingerprinting data beyond what is strictly necessary for consent state persistence
Consent identifiers are pseudonymous and are not intended to directly identify a natural person.
Customers remain responsible for any personal data processed outside of NexaGuard CMP.

3. Storage and Processing Location#

NexaGuard uses cloud infrastructure providers to host production systems.
Primary processing region: United States
Infrastructure: hosted within secure cloud environments managed by third-party infrastructure providers.
Data is transmitted and processed over encrypted connections (TLS 1.2+).
If regional hosting becomes available or customer-specific arrangements are implemented, those will be documented in contractual agreements.

4. Retention#

Retention policies are designed to balance audit requirements and data minimization principles.
Consent record retention:
Consent records are retained for the duration of the customer's active subscription, unless earlier deletion is requested or required by law.
Audit/debug log retention:
Operational logs are retained for a limited period based on internal security and operational policies.
Deletion workflow:
Upon subscription termination or written request:
Consent data may be deleted or anonymized.
Customers may request confirmation of deletion.
Deletion timelines are governed by contractual terms.
NexaGuard does not retain consent records longer than necessary for operational and compliance purposes.

5. Access and Export#

Access to consent-related records is restricted:
Role-based access control (RBAC) applies.
Least-privilege access is enforced for administrative systems.
Administrative access is logged.
Export options:
Customers may request export of consent data where contractually required.
Export formats may include structured data formats (for example CSV or JSON), subject to subscription tier and operational policies.
API-based access to consent state is available through documented SDK interfaces.

6. Related Pages#

Privacy Architecture
Security Overview
DPA and Legal Pack
Previous
Privacy Architecture
Next
Subprocessors