Privacy notice

NexKyn takes your privacy seriously. This notice describes precisely which data we collect, why, how long we keep it, and what your rights are. Last updated on 25 April 2026.

1. Who is responsible?

The data controller under the GDPR is NexKyn, established in Barendrecht, the Netherlands. Contact: privacy@nexkyn.app.

2. What data do we collect?

We process only the data strictly necessary for the product:

  • Account: name, email address and the OAuth identifier from Google or Microsoft (we never store passwords).
  • Profile: first name, last name, date of birth (required — we verify you are 16 or older), city, country, optional bio and optional profile-photo URL.
  • Terms acceptance: the date you accepted this privacy notice and the terms of use, plus the version you accepted at the time. We keep this as proof of valid consent.
  • Phone: mobile number — verified with a one-time SMS code, then stored only as a hash (SHA-256 + pepper) for duplicate-account checks. Your raw number is visible only to you and to admins of networks where you’ve shared it.
  • Memberships: which networks you’re part of, who let you in (endorsement chain) and your role.
  • Content you add: services, experiences, private feedback, invitations.
  • Technical: IP address at sign-in (kept max 30 days), user agent, crash reports (optional, via Sentry — see §7).

3. What do we use it for?

  • Service delivery: making your account work, showing your memberships, generating search results, publishing experiences.
  • Security: detecting fraudulent logins, blocking duplicate accounts, applying rate limits.
  • Communication: invitation emails, SMS verification codes, critical account alerts (e.g. new device).
  • Product improvement: anonymised usage statistics and crash reports, only if you opt in.

4. On what legal basis?

We base our processing on Article 6(1) GDPR: performance of the user agreement (point b), legal obligations (e.g. tax retention rules, point c), legitimate interest for security and age verification (point f) and your consent for optional tracking (point a). We process your date of birth specifically to verify you are at least 16, in line with Article 8 GDPR.

5. Who do we share with?

As few parties as possible. In concrete terms:

  • Other network members see whatever you’ve enabled per network (name, bio, shared services, shared experiences).
  • Processors: Microsoft Azure (hosting, EU West), Google / Microsoft (OAuth flow only), Brevo (transactional email and SMS verification), PostHog (anonymous in-app usage statistics, only with your consent). Each processor has a signed DPA. PostHog stores analytics data in the EU; any onward processing is covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
  • Never: advertisers, data brokers, AI-training companies.

6. Where is the data stored?

Our infrastructure runs on Microsoft Azure in West Europe (Netherlands). Backups stay inside the EEA. Source code and logs are kept in the EU. Anonymous in-app usage statistics (PostHog, only with your consent) are stored in the EU; any onward processing is covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

7. How long do we keep it?

  • Account + profile: until you delete your account. After that we delete within 30 days, except what’s legally required to keep.
  • Experiences you wrote: kept anonymously (your name is removed) so other members can still read them.
  • Login IP addresses: 30 days.
  • Crash reports: 90 days, only if you opted in.

8. Your rights

You have the right to access, rectification, erasure, data portability and objection:

  • Access / portability: from your profile page you can download a JSON export of everything we hold about you.
  • Rectification: you edit profile fields directly in the app.
  • Erasure: one click under “Delete account” — we ask for confirmation and complete it within 30 days.
  • Objection: email privacy@nexkyn.app.

If you feel we’re not respecting your rights adequately, you can lodge a complaint with the Dutch Data Protection Authority.

9. Cookies

We use four functional cookies: nexkyn_access_token + nexkyn_refresh_token (session; httpOnly, SameSite=Lax), nexkyn_locale (language preference) and nexkyn_theme (light/dark). No tracking cookies. No third-party cookies.

10. Changes

If we make material changes to this notice, you’ll get an in-app message plus an email. Small editorial tweaks are published directly with a new “last updated” date at the top.

11. Contact

Questions about this notice? Email privacy@nexkyn.app or use the contact form.
