Privacy Policy
How Nexora handles your data — what we collect, why we collect it, where we store it, and the rights you have over it.
1. Who we are
Nexora is the data controller for personal data processed through nexorahft.com and the Nexora Unified desktop application. For any privacy request reach us at privacy@nexorahft.com.
2. Data we collect
2.1 Account data
- Email address (required for sign-in)
- Display name and password (only for email-based accounts; OAuth users never share their password with us)
- Country (auto-detected from IP, used to set your default language)
- Your assigned Nexora ID (5-digit number from
00001to10000)
2.2 Subscription & billing data
- Plan, status, trial dates, renewal dates
- Stripe customer ID (we never see your card number — Stripe handles it)
- Invoices and amounts paid
2.3 Nexora Unified instance metadata
- Hardware hash (SHA-256 of MAC + CPU + machine — used to bind a license to one PC)
- Operating system, app version, last-seen timestamp
- We never receive: MT5 account passwords, broker credentials, individual ticks, or trade signals
2.4 Usage telemetry (optional, requires cookie consent)
- Pages visited, features clicked, error reports
- Web Vitals (LCP, CLS, INP — for performance monitoring)
3. Lawful basis (GDPR Art. 6)
| Purpose | Basis |
|---|---|
| Authentication, sign-in, security | Contract performance |
| Subscriptions, payments, invoicing | Contract performance |
| License binding to your PC | Contract performance |
| Sending welcome and trial-expiry emails | Contract performance + legitimate interest |
| Analytics & performance metrics | Consent (cookie banner) |
| Anti-fraud, audit log, abuse prevention | Legitimate interest |
| Tax records, legal retention | Legal obligation |
4. Where your data lives
- Supabase (PostgreSQL, EU region) — accounts, subscriptions, instances
- Stripe — payments and invoices
- Resend — transactional emails (welcome, receipts)
- PostHog (only if consented) — usage analytics
- Sentry — error reports (PII fields redacted server-side)
- Vercel — web hosting and edge cache
All providers are GDPR-compliant. Data Processing Agreements (DPA) are in place with each. Data is transferred under Standard Contractual Clauses where applicable.
5. Your rights
Under GDPR (and equivalent regulations in your country) you have the right to:
- Access — request a copy of all your data
- Rectification — correct inaccurate data
- Erasure — delete your account and all linked data
- Restriction — pause processing while we investigate a complaint
- Portability — receive your data in a machine-readable format (JSON)
- Objection — opt out of legitimate-interest processing
- Withdraw consent — for analytics, marketing, push notifications
- Lodge a complaint — with your local data-protection authority
To exercise any of these rights email privacy@nexorahft.com. We respond within 30 days.
6. Retention
- Active account data: while your subscription is active + 90 days after cancellation
- Invoices and tax records: 7 years (legal obligation)
- Audit logs: 2 years (security)
- Analytics: 90-day rolling window, then aggregated anonymously
- Inactive trial accounts (never converted): 12 months after expiry
7. Security
- End-to-end TLS 1.3 for everything that crosses the network
- Encrypted at rest (AES-256) on all providers
- Row-Level Security on every Supabase table (you only see your own rows)
- Service-role keys rotate quarterly; admin actions are logged with IP + user agent
- Two-factor authentication available (TOTP)
8. Children
Nexora is not intended for users under 18 years of age. If you believe a minor has registered, email privacy@nexorahft.com and we will remove the account.
9. International transfers
Some providers (Stripe, Sentry) may process data in the US. These transfers are protected by Standard Contractual Clauses and supplementary measures consistent with the Schrems II ruling.
10. Changes to this policy
Material changes are communicated by email at least 30 days before they take effect. Minor edits (typos, link fixes) are reflected by updating the date at the top.