Nexory Privacy Policy
This Privacy Policy (the “Policy”) describes how Nexory (“Nexory”, “we”, “us”, or “our”) collects, processes, uses, stores, and discloses information in connection with access to and use of the Nexory.io platform, including all subdomains, applications, interfaces, tools, and related services (collectively, the “Platform”).
We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Cyprus Law 125(I)/2018.
By accessing or using the Platform, you confirm that you have read, understood, and agree to the terms of this Policy. If you do not agree, please cease using the Platform immediately.
Data Controller
Unless otherwise stated, the data controller of your personal information is:
- Nexory
- Email: privacy@nexory.io
How We Collect Personal Information
We may collect personal data about you when you:
- Visit our website or Platform.
- Contact us by any means (email, support, etc.).
- Request or use any of our services.
Sources of Collection
- Directly from you through forms, communications, or service interactions.
- Through third-party sources such as social media platforms, partners, or public databases.
- Automatically via cookies, tracking technologies, or system logs.
We do not knowingly engage in automated decision-making or profiling.
Categories of Personal Data We Collect and Process
In accordance with the General Data Protection Regulation (GDPR), we collect and process the following categories of personal data, depending on your interactions with our services:
1. Data You Voluntarily Provide
These are data you actively submit to us through forms, registrations, communications, or participation in our services:
- Contact details such as your name and email address.
- Account identifiers, including usernames, pseudonymous IDs, or similar login credentials.
- User-generated content, including messages, inquiries, feedback, or any communication you send to us.
2. Data Collected Automatically
Certain data are collected automatically through your use of our digital platforms. These may include:
- Technical identifiers such as IP address, device ID, and cookies or similar tracking technologies.
- System and usage data including browser type, operating system, referring URLs, time of access, session duration, and interaction logs.
- Usage analytics and activity data, such as page views, click patterns, and participation in non-identifying features or events (e.g., submitting predictions).
3. Special Categories of Personal Data
We do not intentionally collect or process special categories of personal data as defined in Article 9(1) of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health information, or sexual orientation).
Purposes of Processing and Legal Bases
We only process your personal data where we have a valid legal basis to do so under Article 6 of the GDPR. These legal bases are explained below, along with the specific purposes for which we process your data.
| Purpose of Processing | Legal Basis under GDPR |
|---|---|
| To provide you with access to the Platform. | Contractual necessity (Article 6(1)(b)) – Required to fulfill our agreement with you. |
| To deliver the services you have requested, respond to your inquiries, or handle specific requests. | Contractual necessity (Article 6(1)(b)) – To provide services you have actively requested. |
| To operate and manage the Platform and its functionalities. | Legitimate interests (Article 6(1)(f)) – To ensure the stable and efficient operation of our services. |
| To maintain system integrity, detect fraud, and prevent misuse. | Legitimate interests (Article 6(1)(f)) – To protect the Platform and its users from fraudulent or malicious activity. |
| To communicate with users who have requested or opted in for support or assistance. | Contractual necessity (Article 6(1)(b)) – If related to a service request; Consent (Article 6(1)(a)) – If you have explicitly agreed to be contacted. |
| To comply with applicable legal obligations and resolve disputes. | Legal obligation (Article 6(1)(c)) – For compliance with legal and regulatory requirements. |
| To enhance the user experience through diagnostic assessments and aggregated analytics. | Legitimate interests (Article 6(1)(f)) – To improve our services, provided such use does not override your rights and freedoms. |
Where we rely on legitimate interests, we carefully assess the potential impact on your rights and ensure that those interests do not override your fundamental freedoms. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to its withdrawal.
Cookies and Tracking Technologies
We use essential, functional, and limited analytics cookies to ensure the proper functioning and improvement of the Platform.
Where legally required, we obtain your explicit consent before placing any non-essential cookies on your device.
You can manage or withdraw your consent to non-essential cookies at any time through the cookie preference banner accessible on our website. Further details about the types of cookies we use, their purposes, retention periods, and the identity of any third-party cookie providers are outlined in our Cookies Policy.
The legal basis for using essential cookies is our legitimate interest (Article 6(1)(f) GDPR) in maintaining the security and functionality of the website.
For non-essential cookies (e.g., analytics), we rely on your consent (Article 6(1)(a) GDPR).
Data Sharing and Third-Party Access
We do not sell or rent your personal data to third parties under any circumstances.
We may share your personal data with the following categories of recipients, strictly for the purposes outlined in this Privacy Policy, and only where a valid legal basis and appropriate safeguards are in place:
- Hosting and infrastructure providers, who support the operation and maintenance of our Platform. (Legal basis: contractual necessity or legitimate interests)
- Analytics service providers, who help us improve our services through aggregated usage data. (Legal basis: consent, where applicable)
- Professional advisors (e.g., legal counsel, auditors), who are bound by confidentiality obligations. (Legal basis: legitimate interests or legal obligations)
- Legal, regulatory, or governmental authorities, where we are required by law to disclose personal data. (Legal basis: legal obligation)
All data sharing is governed by Data Processing Agreements (DPAs) or equivalent contractual arrangements. Where possible, data is shared in pseudonymized or aggregated form to reduce identifiability.
International Transfers
Where data is transferred outside of the European Economic Area (EEA), we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms, to ensure compliance with applicable data protection standards.
Unless the individual has specifically consented to the transfer, we will only transfer personal data outside the European Economic Area (EEA) where:
- we transfer the data to a country or international organisation which the EU Commission has decided ensures an adequate level of protection for your personal data;
- the transfer of your personal data is subject to adequate safeguards, which may include binding corporate rules or standard data protection clauses adopted by the EU Commission. (The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.); or
- one of the derogations in the GDPR to transfer personal data outside the EEA applies.
You may request more information or obtain a copy of the relevant safeguards by contacting us at privacy@nexory.io.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by applicable laws and regulations, such as tax, accounting, anti-money laundering (AML), or other legal obligations. Retention periods may vary depending on the nature, category, and use of the data.
For example:
- Account information is retained for as long as your account remains active and for a limited period thereafter (e.g., up to 12 months) in order to facilitate account reactivation, respond to legal claims, or resolve disputes.
- Transaction data (e.g., invoices, payment confirmations, billing records) is retained for 6 years after the end of your relationship with us, in accordance with Cyprus tax law.
- Data collected under Anti-Money Laundering (AML) laws, where applicable, is retained for a period of 5 years in line with the relevant AML/CTF legal framework.
- Support communications (e.g., help desk or contact form submissions) are retained for up to 24 months, to help us respond to recurring issues and improve service.
- Analytics and usage data may be retained in aggregated or anonymized form for internal reporting and platform optimization. This data does not identify you personally.
When personal data is no longer necessary for the purposes for which it was collected, we take appropriate technical and organizational measures to ensure its secure deletion, anonymization, or—where appropriate—pseudonymization.
Retention periods are periodically reviewed to ensure they remain appropriate and compliant with applicable legal requirements.
You may request the deletion of your personal data at any time, subject to our legitimate interests and legal obligations. See the “Your Rights” section below for details on how to exercise this right.
Your Rights Under the GDPR
You have the following rights with respect to your personal data:
- Right of Access – You can request confirmation of whether we process your personal data, and obtain a copy of that data.
- Right to Rectification – You can request correction of inaccurate or incomplete data.
- Right to Erasure – You can request the deletion of your data, under certain conditions.
- Right to Restriction – You can request that we temporarily or permanently stop processing some or all of your personal data.
- Right to Data Portability – You can request your data in a structured, commonly used, and machine-readable format and, where technically feasible, have it transferred to another controller.
- Right to Object – You can object to processing based on our legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent – Where processing is based on your consent, you have the right to withdraw it at any time, without affecting the lawfulness of prior processing.
We will respond to your request within one month, in accordance with Article 12(3) of the GDPR. In complex cases, this may be extended by a further two months, and we will inform you of the reason for the delay.
To exercise any of these rights, please contact us at privacy@nexory.io. We may require you to verify your identity before responding, in order to protect your privacy.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. Our regulatory authority is the CY Commissioner; you may find further helpful information at www.dataprotection.gov.cy.
Security Measures
We implement a range of appropriate technical and organizational measures (TOMs) in accordance with Article 32 of the GDPR, based on the nature of the data we process, the risks involved, and industry best practices. These measures aim to protect personal data against unauthorized access, disclosure, alteration, or destruction.
- Technical Measures
  - Data Encryption: All personal data is encrypted both in transit (via HTTPS/TLS 1.3) and at rest (using AES-256 or equivalent).
  - Access Control: Role-based access control (RBAC) is enforced. Production environments are strictly separated from staging/development. Access is granted on a least-privilege basis.
  - Authentication: All internal/admin access requires two-factor authentication (2FA). End-user authentication is managed via OAuth (e.g., Google, Telegram) or secure email-based login.
  - Monitoring & Logging: All access to infrastructure is logged, monitored, and subject to regular audits and anomaly detection.
  - Security Testing: We conduct regular vulnerability assessments, automated dependency updates, and third-party penetration testing.
  - Hosting & Infrastructure: Data is hosted with GDPR-compliant providers (e.g., Digital Ocean) on secure servers protected by industry-standard firewalls and DDoS protection.
  - Data Minimization & Pseudonymization: We collect only what is necessary. Where applicable, we use UUIDs instead of direct identifiers, and separate personal data from behavioral data.
  - Anonymization: Aggregated analytics are anonymized in a non-reversible, non-attributable format.
- Organizational Measures
  - Personnel Access: Only authorized staff have access to systems handling personal data. All staff and contractors are subject to NDAs and confidentiality agreements.
  - Training & Awareness: Security and data protection training is provided to all employees.
  - Data Protection Governance: Data Protection Impact Assessments (DPIAs) are conducted where required.
- Data Breach Preparedness
  We have a documented incident response plan in place. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours, and affected individuals when required under Articles 33 and 34 of the GDPR.
- Sub-Processor Governance
  We engage third-party service providers (sub-processors) only after appropriate due diligence and enter into Data Processing Agreements (DPAs) with all such providers, including contractual safeguards such as Standard Contractual Clauses (SCCs) where required.
- International Data Transfers
  If personal data is transferred outside the European Economic Area (EEA), such transfers are made in compliance with Chapter V of the GDPR, using SCCs, adequacy decisions, or other legally recognized safeguards.
- Data Retention & Deletion
  Personal data is retained only as long as necessary for the purposes for which it was collected, and then securely deleted or anonymized according to our retention policy.
- Enabling Data Subject Rights
  Our technical infrastructure supports the exercise of data subject rights under the GDPR, including the rights of access, rectification, erasure, restriction, and data portability.
Children’s Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will promptly delete it.
Changes to this Policy
We reserve the right to update this Policy at any time. If material changes are made, we will notify users by updating the “Effective Date” above and, where appropriate, via direct communication. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
Contact Information
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact: privacy@nexory.io