Privacy Policy

When you create an account or use our services, we collect:

• Account information — your name, email address, and password (stored as a secure bcrypt hash, never in plain text).
• Creator profile data — your channel handle, niche, bio, social links, and other details you add to your Media Kit or profile.
• Content you create — scripts, repurposed posts, scheduled content, captions, and any text generated or saved within Nexora OS.
• Brand deal information — deal names, brand names, contract values, invoices, notes, and pipeline stages entered in the Brand Deals CRM.
• Earnings data — revenue figures you manually enter or that sync from connected platforms such as YouTube AdSense.
• Support communications — messages you send to our team via email or contact forms.

When you use Nexora OS, we automatically collect limited technical information to operate and secure the platform:

• Usage data — pages visited, features used, session duration, and navigation paths within the platform (anonymized in aggregate).
• Device information — browser type, operating system, and screen resolution.
• IP address — used to detect your approximate country for compliance purposes and to prevent unauthorized access.
• Session and authentication data — login timestamps and encrypted session tokens.
• Error logs — technical error reports used to diagnose and fix bugs (no personal content is included).

When you connect social media accounts via OAuth, we may receive:

• Your public profile information (name, username, profile picture) from those platforms.
• Channel or account analytics data you explicitly authorize (views, follower counts, engagement metrics).
• OAuth access tokens, which are encrypted with AES-256 before being stored.

We use the information we collect solely to operate and improve Nexora OS for you.

We do not use your data to:

• Sell your personal information to advertisers, data brokers, or any third parties.
• Train AI models with your content, brand deal information, or personal data.
• Send unsolicited marketing or share your email with third-party marketers without consent.
• Profile you for targeted advertising on external platforms.

We take data security seriously and implement multiple layers of technical protection.

Your data is stored in Supabase (PostgreSQL), hosted on secure cloud infrastructure with enterprise-grade protections:

• All data is encrypted at rest using AES-256 encryption.
• All data in transit is encrypted using TLS 1.3 (HTTPS).
• Automated database backups are performed daily and stored securely.
• Profile images and uploaded media are stored in Supabase Storage with access-controlled private URLs.

• Password hashing — Passwords are hashed using bcrypt with per-user salting. We cannot read your password.
• OAuth token encryption — Social media access tokens are encrypted with AES-256 before storage.
• Environment variable secrets — All API credentials (Groq, Stripe, Resend) are stored in environment variables, never in source code or repositories.
• Row-level security (RLS) — Supabase RLS policies ensure each user can only access their own data — database-level enforcement.
• Session management — Sessions expire after inactivity. All sessions are invalidated immediately upon password change.
• HTTPS enforcement — All communication between your browser and our servers is encrypted end-to-end.
• GitHub secret scanning — Our repositories are protected against accidental credential commits via GitHub push protection.

Nexora OS relies on the following trusted third-party services to operate. We share your data with these services only to the extent required to deliver platform functionality.

• Supabase — Database, authentication, and file storage. Primary data residence. Privacy Policy ↗
• Groq AI — Powers AI content repurposing, scriptwriting, and tool features. Content submitted is processed via API and not used for model training. Privacy Policy ↗
• OpenAI Whisper (via Groq) — Audio transcription for the Auto Clip Generator. Audio is processed temporarily and not stored beyond the processing request.
• Stripe — Subscription payment processing. We never see or store your full card number. Privacy Policy ↗
• Resend — Transactional email delivery (welcome emails, invoices, notifications). Your email address is shared with Resend for this purpose only. Privacy Policy ↗
• Netlify — Frontend web application hosting. Privacy Policy ↗
• Railway — Backend API server hosting. Privacy Policy ↗

We do not share your personal information with any other third parties without your explicit consent, except as required by applicable law or legal process.

Nexora OS uses only the minimal cookies necessary for the platform to function properly.

• Authentication cookies — Essential cookies that maintain your login session. Cannot be disabled without preventing platform access.
• Preference cookies — Store your in-app settings such as display preferences.
• Analytics cookies — Basic, anonymized analytics to understand aggregate platform usage. No personally identifiable information is used.

You can manage cookie preferences through your browser settings. Disabling essential authentication cookies will prevent you from using the platform.

• YouTube — Channel analytics, video list, and content upload capability (when you authorize). We do not access your private Google data or Gmail.
• Twitter / X — Post creation and engagement metrics (when you authorize). We do not access your direct messages.
• LinkedIn — Post creation and basic profile analytics (when you authorize).
• Instagram / TikTok — Scheduling and inbox DM access limited to what you explicitly authorize during the OAuth flow.

• All OAuth access tokens are encrypted with AES-256 before being stored.
• Tokens are stored per-user and are never accessible to other users or our staff.
• Tokens are deleted immediately and permanently when you disconnect a social account.

You can disconnect any social account at any time from your Nexora OS Settings page. You can also revoke access directly from each platform's security settings (e.g. Google Account Permissions, Twitter Connected Apps). Upon disconnection, we permanently delete all stored tokens for that platform within 24 hours.

You have full ownership of and control over your personal data. The following rights are available to all users:

To exercise any of these rights, email us at syedsafeer830@gmail.com. We respond to all data requests within 30 days.

• Active accounts — Your data is retained for as long as your account remains active.
• After account deletion — Personal data is deleted within 30 days. Encrypted backups may hold data for up to 90 days before being permanently purged.
• Financial records — Invoices and billing records are retained for up to 7 years for legal and accounting compliance.
• Anonymized analytics — Aggregate usage data that cannot be traced back to any individual may be retained indefinitely for platform research.
• Legal holds — If required by law or legal proceedings, certain data may be retained beyond standard periods.

Nexora OS is not designed for or directed at children under the age of 13. We do not knowingly collect personal information from anyone under 13. If we become aware that a child under 13 has provided us with personal data, we will delete it promptly.

If you are a parent or guardian and believe your child has registered on Nexora OS, please contact us immediately at syedsafeer830@gmail.com.

Users between 13 and 18 should use the platform only with parental or guardian consent and supervision.

Nexora OS is operated from Karachi, Pakistan and serves a global user base. If you are located outside Pakistan, your data may be transferred to and processed in Pakistan and in countries where our service providers (Supabase, Groq, Stripe, Resend) operate.

We ensure that all international data transfers are conducted with adequate safeguards in place to protect your personal information consistent with applicable data protection laws.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements.

• We will notify you of material changes by email at least 14 days before they take effect.
• We will post a notice within the Nexora OS platform when significant changes are made.
• The "Last Updated" date at the top of this page reflects when the most recent revision was made.
• Continuing to use Nexora OS after the effective date of any changes constitutes your acceptance of the updated policy.

If you disagree with any changes, you may close your account before the effective date.

If you have any questions, concerns, or requests about this Privacy Policy or how we handle your data, please contact us. We are committed to resolving all inquiries promptly and transparently.