1. Introduction
NexChat ("we," "our," or "us") is committed to protecting your privacy. This
Privacy Policy explains how we collect, use, disclose, and safeguard your
information when you use our real-time messaging platform.
By using NexChat, you agree to the collection and use of information in
accordance with this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — Used for account identification and OTP verification (if email-based registration is chosen).
- Phone number — Used for account identification and OTP verification via SMS (if phone-based registration is chosen).
- Password hash — If you set a password, it is hashed using bcrypt with a cost factor of 10 (the library's "salt rounds" setting). The plaintext password is never stored.
- Display name — Your chosen public profile name.
- Avatar URL — Your profile picture (stored as a URL reference).
- Public key — Your E2EE public key, stored to enable encrypted communication with other users.
- FCM token — A Firebase Cloud Messaging token used for push notifications (optional).
2.2 Message Data
We collect and store the content of messages sent through the Service, including:
- Message text content.
- Message type (text, image, audio, video, file).
- Media URLs (references to uploaded files).
- Message timestamps and delivery status.
- Read receipts (which messages you have read and when).
- Reply relationships (which message a reply references).
2.3 Usage Data
We automatically collect certain information when you use the Service:
- Last seen timestamps — When you were last active on the platform.
- Online presence — Whether you are currently online, stored temporarily in Redis.
- IP address — Used for rate limiting and security monitoring.
- Conversation metadata — Who you communicate with and when.
3. How We Use Your Information
We use the collected information to:
- Provide, maintain, and improve the Service.
- Authenticate your identity and secure your account.
- Deliver messages and notifications in real time.
- Enforce rate limits and protect against abuse.
- Detect, prevent, and address fraud, security issues, and technical problems.
- Comply with legal obligations.
4. Data Storage and Security
We implement the following measures to protect your data:
- Encryption at rest — Data is stored in PostgreSQL and Redis, both of which support encryption at rest.
- Encryption in transit — All API traffic should be served over HTTPS in production.
- Password hashing — Passwords are hashed with bcrypt (cost factor 10) before storage.
- JWT token rotation — Refresh tokens are revoked and rotated on each use.
- OTP timeouts — Verification codes expire after 5 minutes.
- Input validation — All data is validated with Zod schemas to prevent injection attacks.
- Rate limiting — API requests are rate-limited to prevent abuse.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share your data in the
following circumstances:
- With your consent — We will share information when you have given us explicit permission.
- Service providers — We engage third-party providers (hosting, email, SMS, push notifications) who process data on our behalf under strict contractual agreements.
- Legal requirements — We may disclose information if required by law, court order, or governmental regulation.
- Protection of rights — To protect the rights, property, or safety of NexChat, our users, or the public.
6. Third-Party Services
NexChat uses the following third-party services that may process your data:
- PostgreSQL — Primary database (self-hosted or cloud provider).
- Redis — Caching, presence, and real-time message queuing.
- Cloudflare R2 — File and media storage.
- Twilio — SMS delivery for OTP verification.
- Resend / Nodemailer — Email delivery for OTP verification.
- Firebase Cloud Messaging — Push notifications (fallback to browser notifications).
Each of these providers has its own privacy and security practices. We
recommend reviewing their policies for more information.
7. Data Retention
We retain your account information for as long as your account is active or
as needed to provide the Service. Message data is retained to maintain
conversation history. You may request deletion of your account and associated
data by contacting us.
Temporary data:
- OTP codes — Deleted after 5 minutes or immediately upon successful verification.
- Presence data — Stored temporarily in Redis and updated on each user action.
- Refresh tokens — Stored until revoked or expired (30 days).
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete data.
- Deletion — Request deletion of your account and associated data.
- Portability — Request transfer of your data to another service provider.
- Objection — Object to the processing of your personal data.
To exercise any of these rights, contact us at
support@nexchat.app.
9. Children's Privacy
NexChat is not intended for use by individuals under the age of 13 (or the
applicable age of consent in your jurisdiction). We do not knowingly collect
personal information from children. If we become aware that a child has provided
us with personal data, we will take steps to delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of
material changes through the Service or via email. Your continued use of the
Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy,
please contact us at:
support@nexchat.app