Privacy Policy
Effective date: [EFFECTIVE_DATE]
At [COMPANY_NAME] ("Nectios", "we", "us", or "our"), we are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use the Nectios platform ("Service"), in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR).
1. Data Controller
The data controller responsible for your personal data is:
- Entity: [COMPANY_NAME]
- Registered address: [COMPANY_ADDRESS]
- Email: [CONTACT_EMAIL]
- Data Protection Officer (DPO): [DPO_EMAIL]
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Data
When you register, we collect:
- Email address
- Password (stored as a cryptographic hash — we never store plain-text passwords)
- First and last name (optional)
- Username (optional)
2.2 Profile Data
You may optionally provide:
- Profile picture (avatar) and background image
- Headline and biographical summary
- Language and timezone preferences
2.3 Usage and Technical Data
We automatically collect:
- IP address
- Device type, operating system, and browser
- Session information (login timestamps, session duration)
- Geographic location (country, region, city — derived from IP address)
2.4 Authentication Data
If you use third-party login (OAuth), we receive:
- Provider name (Google, LinkedIn, Microsoft, or Facebook)
- Provider user identifier
- Access and refresh tokens (encrypted at rest)
2.5 Platform and Membership Data
When you create or join platforms and spaces:
- Display name, avatar, headline, and bio within each platform
- Role and membership status
- GDPR consent status for each platform
2.6 Push Notification Data
If you enable push notifications, we store:
- Browser push subscription endpoint
- Encryption keys (p256dh and auth)
3. Legal Basis for Processing
We process your data based on the following legal grounds under GDPR Article 6(1):
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6.1.b) |
| Providing the platform service | Performance of a contract (Art. 6.1.b) |
| Security (fraud prevention, reCAPTCHA) | Legitimate interest (Art. 6.1.f) |
| Session and login tracking | Legitimate interest (Art. 6.1.f) |
| Push notifications | Consent (Art. 6.1.a) |
| Cookies and tracking technologies | Consent (Art. 6.1.a) |
| Legal compliance | Legal obligation (Art. 6.1.c) |
4. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Authenticate you via email/password, OAuth, magic links, or two-factor authentication (2FA)
- Provide, maintain, and improve the Nectios platform
- Enable platform and space creation, membership, and collaboration
- Send transactional notifications (email, in-app, push)
- Protect the security and integrity of the Service (including Google reCAPTCHA v3 for bot detection)
- Comply with legal obligations
5. Data Sharing and Third Parties
We do not sell your personal data. We share data only with the following categories of recipients when necessary:
5.1 OAuth Providers
If you authenticate via a third-party provider (Google, LinkedIn, Microsoft, Facebook), your data is shared with that provider as required by the OAuth protocol.
5.2 Payment Processors
When payment features are active, billing data is processed by Stripe, PayPal, and/or Redsys. These processors act as independent data controllers for payment data and are subject to their own privacy policies.
5.3 Infrastructure Providers
We use third-party cloud infrastructure providers to host and operate the Service. These providers process data on our behalf under data processing agreements (DPAs).
5.4 Google reCAPTCHA
We use Google reCAPTCHA v3 to protect against automated abuse. This service may collect hardware and software information, such as device and application data, and send it to Google for analysis. Google's use of this data is governed by their Privacy Policy.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, including:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional technical and organizational measures as appropriate
7. Data Retention
We retain your personal data as follows:
- Active accounts: data is retained for as long as your account is active and needed to provide the Service.
- Deleted accounts: when you request account deletion, your account is soft-deleted (deactivated) immediately. All associated personal data is permanently purged after [RETENTION_PERIOD].
- Session data: login events and session records are retained for up to 12 months for security purposes.
- Legal obligations: certain data may be retained longer if required by applicable law (e.g., tax or accounting requirements).
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): request that we limit the processing of your data.
- Right to data portability (Art. 20): request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7): withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: file a complaint with your local Data Protection Authority (DPA). In Spain, this is the Agencia Española de Protección de Datos (AEPD).
To exercise any of these rights, contact us at [DPO_EMAIL]. We will respond within 30 days.
9. Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Password hashing using industry-standard cryptographic algorithms
- Two-factor authentication (2FA), available for all accounts
- Session management with device tracking and the ability to revoke sessions
- Encrypted data transmission (HTTPS/TLS)
- Encryption of OAuth tokens at rest
- Regular security reviews and infrastructure monitoring
10. Cookies
We use cookies and similar technologies to operate the Service. For full details, please read our Cookie Policy.
11. Children's Privacy
The Nectios platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without verified parental consent, we will take steps to delete that information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Notify you via email and/or an in-platform notification
We encourage you to review this policy periodically.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
- Email: [CONTACT_EMAIL]
- Data Protection Officer: [DPO_EMAIL]
- Postal address: [COMPANY_ADDRESS]