Privacy Policy

Last updated: [DATE]

This Privacy Policy explains how [LEGAL ENTITY NAME] (“Nexus”, “we”, “us”), the operator of Nexus, with registered address at [ADDRESS] (registration number: [REG. NO.]), collects and processes personal data when you use the Nexus messaging service (the “Service”). We are the data controller for this processing under Regulation (EU) 2016/679 (“GDPR”).

Contact for privacy matters: [privacy@yourdomain].

Important note about message security. Nexus secures all connections in transit with HTTPS/TLS. However, your messages and shared files are stored on our servers and are not end-to-end encrypted at this time. This means that, in principle, they can be accessed by our systems and authorised personnel (for example, to operate the Service or comply with law). Do not use Nexus to share information you need to be technically inaccessible to us.

1. Data we collect

Account & identity. When you register, we collect an email address (directly, or from Google if you choose Google sign-in) or, where supported, a phone number, together with a short verification code used to confirm ownership. We create a username and store a display name.

Profile data. Display name, username, avatar (a colour and/or an image you upload), an optional bio, an optional date of birth, your language and interface preferences, and a presence indicator (“last seen”).

Messages & media. The content of your messages, and any photos, videos, audio, voice notes and files you send, together with related metadata (timestamps, reactions, read status, reply references, and which chat they belong to).

Calls. When you make voice or video calls we process call records (participants, type, status, and start/answer/end times) and temporary signalling data. Call audio/video is transmitted peer-to-peer via WebRTC and is not stored by us.

Technical & security data. A session token (stored in a cookie and in your browser’s local storage) to keep you signed in; a cryptographic public key generated on your device (the foundation for future end-to-end encryption); and, at the infrastructure level, server access logs that may include your IP address and browser/device information.

Push notifications. If you enable them, we store a push subscription so we can deliver notifications.

Reports & moderation data. If you report content or a user, or if a moderation decision concerns you, we process the report (reporter, reported user/content, reason and any text you add, a snapshot of the reported content, and date), any resulting enforcement measure (type, reason, evidence reference, duration and status), and audit-log entries of moderator actions. Legal basis: legitimate interest in keeping the Service safe and complying with law.

We do not use advertising, and we do not use third-party analytics or tracking technologies in the app.

2. Why we use your data and our legal bases

To provide the Service — create your account, deliver messages and calls, show your profile and history. Legal basis: performance of a contract (Art. 6(1)(b)).
To verify your identity at sign-in via email codes or Google. Legal basis: contract / consent.
To keep the Service secure and prevent abuse, fraud and spam. Legal basis: legitimate interests (Art. 6(1)(f)).
To send notifications you have enabled. Legal basis: consent (Art. 6(1)(a)).
To comply with legal obligations. Legal basis: Art. 6(1)(c).

Optional fields (such as bio and date of birth) are processed on the basis of your consent and may be left blank or removed at any time.

3. Who we share data with

We do not sell your personal data. We share data only with service providers that help us run Nexus, and only as needed:

Google — if you choose Google sign-in, Google authenticates you and provides us your email address and name.
Email delivery provider — to send your verification codes (where configured).
STUN/TURN connectivity providers — to establish voice/video calls. To connect a call, these providers necessarily see participants’ IP addresses.
Browser / operating-system push services — to deliver push notifications you have enabled.
Our hosting provider — which stores the data and maintains server logs on our behalf.

We may also disclose data where required by law or to protect the rights, safety and security of users, the public, or Nexus.

4. International transfers

Some providers above may process data outside the European Economic Area. Where this happens, transfers are made under an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

5. How long we keep data

Account and profile data — for as long as your account exists; deleted on account deletion.
Messages and media — until you delete them, the other participant deletes the chat, or you delete your account.
Call records — until you clear your call history or delete your account.
Verification codes — they expire after 10 minutes.
Session tokens — until you log out.
Server access logs — for the limited period operated by our hosting provider.

6. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction, data portability, to object, and to withdraw consent at any time. To exercise these rights contact [privacy@yourdomain].

You also have the right to lodge a complaint with a supervisory authority. In the Czech Republic this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), www.uoou.cz. You may also contact the authority in your country of residence.

7. Cookies and local storage

Nexus uses a small number of strictly necessary client-side stores: a nexus_token cookie and a nx_token entry in local storage to keep you signed in, local storage for your language/theme preferences, and IndexedDB to hold the private cryptographic key generated on your device. We do not use advertising or analytics cookies.

8. Children

You must be at least 13 years old, or the minimum age required by the laws of your country, to use Nexus. Nexus is not intended for children below that age. If you are below the applicable age, please do not use the Service without the consent of a holder of parental responsibility. If we learn that we have collected personal data from a child below the applicable age without such consent, we will delete it.

9. Security

We protect data in transit using HTTPS/TLS and apply access controls and other reasonable technical and organisational measures. We generate a key pair on your device as the foundation for future end-to-end encryption of messages. As stated above, message content and attachments are not currently end-to-end encrypted and are stored on our servers. No method of transmission or storage is completely secure.

10. Changes

We may update this Policy. We will post the new version with an updated “Last updated” date and, for material changes, provide a notice within the Service.

11. Contact

[Nexus] — [ADDRESS] — [privacy@yourdomain]