1. Introduction
NexudeIT ("we," "us," or "our") operates the NexudeIT marketplace platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website, mobile applications, and services (collectively, the "Platform"). By accessing or using the Platform, you agree to the terms of this Privacy Policy.
2. Information We Collect
Account Information: When you register, we collect your name, email address, username, and password (stored as a cryptographic hash). You may also provide optional profile details such as gender, avatar image, and cover image.
Transaction Data: When you buy or sell on the Platform, we collect billing and shipping addresses, payment method details (processed securely by Stripe — we do not store full card numbers), order history, and communication between buyers and sellers.
Usage Data: We automatically collect information about how you interact with the Platform, including pages visited, products viewed, search queries, device type, browser, IP address, and referring URLs.
User-Generated Content: Reviews, ratings, messages, feedback, media uploads (images, videos), and community posts you create on the Platform.
Cart & Checkout Activity: To power cart reminders and enable a smooth resume-at-checkout experience, we record a snapshot of your shopping cart (item identifiers, quantities, thumbnail URLs, prices at the time of addition) together with the time of last activity. For signed-in users this is tied to your account. For guests, it is tied to a randomly generated "nx_cart_session" cookie; no personal identifiers are attached. You can disable cart reminders at any time in Account → Settings → Email preferences, or by clearing the cookie.
Carrier & Shipping Data: When a seller links a carrier account (USPS, UPS, FedEx, DHL, Canada Post, Royal Mail, EasyPost, Shippo, etc.) we store their carrier API keys, account numbers, and meter numbers encrypted at rest with AES-256-GCM. These credentials are decrypted in memory only when generating a rate quote, buying a label, or pulling tracking events on the seller's behalf. When a buyer purchases an item, we share the buyer's shipping address, the parcel weight, and the order reference with the carrier (or aggregator) chosen for that shipment so they can produce a rate, label, and tracking events. We do not share carrier credentials between sellers, and we never share buyer payment data with carriers.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Platform and its features
- Process transactions, payments, and fulfillment between buyers and sellers
- Verify your identity and prevent fraud or unauthorized access
- Send transactional communications (order confirmations, shipping updates)
- Remind you about items left in your cart — on-site/in-app banners for all users, plus re-engagement emails for signed-in users who have opted in. These reminders highlight items whose availability may be about to change (timed deals, low stock, one-of-a-kind listings) and may include clearly labelled sponsored suggestions from NexudeIT advertisers. You can disable both the banner and the email at any time in Account → Settings → Email preferences
- Personalize your experience, including product recommendations and search results
- Respond to support requests and feedback
- Comply with legal obligations and enforce our Terms of Service
4. Cookies and Tracking Technologies
We use cookies and similar technologies to maintain your session, remember your preferences (language, currency, theme), and analyze usage patterns. Essential cookies are required for the Platform to function. You may manage cookie preferences through our cookie consent banner or your browser settings.
Essential Cookies: Session authentication (nexude_session), shopping cart persistence, locale preferences, theme settings.
Functional Cookies: nx_cart_session — a random identifier set for guests so that, if you return to the site without logging in, we can recognise the same browser and show you the items you left in your cart. It contains no personal information. It lasts 90 days, and clearing it or disabling cart reminders in settings stops the reminder flow.
Analytics Cookies: Anonymous usage statistics to help us improve the Platform. These are only used with your consent.
5. Messaging and Communication Data
When you use the Platform's messaging features to communicate with sellers, buyers, or NexudeIT support, the content and metadata of those messages (timestamps, participants, read status) are stored to facilitate communication, provide customer support, and resolve disputes.
Messages may be reviewed by NexudeIT in cases involving reported abuse, fraud, policy violations, or dispute mediation. We do not sell or share private message content with third parties except as required by law or to protect the safety of our users.
6. Gifting and Recipient Data
When you send an item as a gift, we collect the greeting message you provide. This message is included with the delivery to the recipient. We do not use gift messages for marketing purposes or share them with parties other than the delivery provider and the recipient.
If you are the recipient of a gift, the sender's identity and your delivery address may be shared with the seller for fulfillment purposes. Your personal data as a recipient is treated with the same protections as all user data under this policy.
7. Coupons, Promotions, and Preferences
We collect data about your use of coupons, promotional codes, and discount offers, including which codes you apply, redemption history, and promotional eligibility. This data is used to prevent fraud, enforce coupon terms (per-user limits, first-order restrictions), and improve promotional offerings. Coupon usage data is not shared with third parties except the issuing seller, who may see redemption counts for their own coupons.
7a. Cart Reminders and Sponsored Content
What we store. If you add items to your cart and do not complete checkout, we keep a snapshot of those items (identifiers, quantities, prices, thumbnail URLs), the time of last activity, and a record of when we last reminded you. For signed-in users this is linked to your account. For guests it is linked only to the nx_cart_session cookie.
How we remind you. When you return to NexudeIT (web or mobile app) with a recently abandoned cart we may show you a dismissable banner on the home screen. If you are signed in and have opted in, we may also email you after several hours of inactivity, not more than once every 24 hours per cart. Reminders highlight scarcity signals such as deals ending soon, low stock, and one-of-a-kind items so you can act before availability changes.
Sponsored suggestions. Cart reminders may include clearly labelled sponsored content from NexudeIT advertisers. Advertisers do not receive your identity, email address, cart contents, or any other personal information — they pay for a placement slot and NexudeIT serves the ad on their behalf. Sponsored suggestions are only shown to users who have not opted out of promotional content. Opting out of promotional offers reduces the sponsored portion of the reminder but does not affect your ability to receive the cart reminder itself.
Your controls. In Account → Settings → Email preferences you can (a) turn off on-site/in-app cart reminders, (b) separately turn off cart reminder emails, and (c) toggle general promotional offers on or off. Disabling cart reminders also disables the reminder email. Clearing your cookies (or signing out and clearing cookies as a guest) removes the association between our snapshot and your browser.
Retention. Abandoned cart snapshots are retained only as long as needed to deliver the reminder flow. A snapshot is cleared when you complete checkout, when you manually empty your cart, or after extended inactivity. You can also request deletion at any time by contacting support.
8. Returns and Refund Data
When you initiate a return, we collect return request details (reason, item condition, timestamps) and communicate these to the relevant seller. Return and refund history is retained in your account for reference and may be used to detect patterns of abuse. This data is accessible only to you, the seller, and NexudeIT support staff.
9. Third-Party Services
We share information with third-party service providers only as necessary to operate the Platform. Each provider operates under its own privacy policy:
- Stripe — Payment processing, including the optional Stripe Connect onboarding for sellers receiving payouts. Stripe collects and processes card and bank data directly; NexudeIT does not store full card numbers. (Stripe Privacy Policy)
- PayPal — Alternative payment method when enabled by sellers. (PayPal Privacy Policy)
- Square — Alternative payment method when enabled by sellers. (Square Privacy Policy)
- AWS S3 / CloudFront — Optional cloud storage and CDN for user-uploaded media (images and videos). Media is encrypted in transit and at rest.
- flagcdn.com — Country flag images for the locale picker. Only your IP address is sent (a normal HTTP request).
- QR generation API — Server-side QR code generation for product, store, and authenticity tags. Only the encoded URL is transmitted; no personal data is sent.
- SMTP / Email Provider — Used to send verification, password reset, order confirmation, 2FA codes, cart reminder emails (opt-in, see Section 7a), and re-engagement campaigns.
- Cloud Hosting Provider — Servers securely store your data with industry-standard encryption.
- VPN / Geolocation Detection Provider — Detect VPNs and approximate location for fraud prevention and registration analytics. Only IP-derived signals are processed; no precise GPS data is collected.
We do not sell or rent your personal information to third parties. The transfers above are limited to what is strictly necessary to deliver the service you requested.
10. Data Security and Encryption
We implement comprehensive technical and organizational measures to protect your data, including:
- At-Rest Encryption: Sensitive personal data (messages, email addresses, phone numbers, physical addresses) is encrypted using AES-256-GCM before storage. Encryption keys are managed separately from data stores
- Password Security: Passwords are stored as cryptographic hashes using PBKDF2 with unique salts — we never store plaintext passwords
- Transport Security: All data transmitted between your device and our servers is encrypted using HTTPS/TLS
- Session Security: Session-based authentication with httpOnly cookies, Content Security Policy headers, and automatic session expiration
- Regular Audits: We conduct regular security audits and update our practices in response to emerging threats
In the event of a security incident, encrypted data remains unreadable without the corresponding decryption keys. We will notify affected users in accordance with applicable data breach notification laws.
11. Automated Safety Monitoring
To protect the safety of our users and the community, NexudeIT employs automated systems that periodically scan user-generated content — including messages, comments, reviews, and live chat — for patterns that may indicate:
- Threats of violence or planned harm
- Self-harm or suicidal ideation
- Child exploitation or grooming
- Fraud, scams, or identity theft
- Illegal trade (drugs, weapons, counterfeit goods)
- Emergency distress situations (kidnapping, domestic violence, active threats)
- Severe targeted harassment, stalking, or doxxing
How This Data Is Used: Flagged content is encrypted and stored securely for review by NexudeIT administrators. It is not used for advertising, profiling, or any purpose other than user safety and legal compliance. Content that is determined to be safe after review is resolved in the system and the flagged status removed.
Law Enforcement: NexudeIT may report credible threats, criminal activity, or child exploitation material to relevant law enforcement authorities as required by law or deemed necessary for the immediate safety of users.
Your Rights: You may contact us to inquire about safety flags on your account. False positives are reviewed and resolved promptly.
11a. Automated Decision-Making
NexudeIT uses automated systems in several places. We are transparent about each use and provide a path to human review where decisions could meaningfully affect you:
- Auto-fill from image — When you upload an image to the sell form and tap "Auto-fill," the image is sent to a third-party image-analysis provider that returns a suggested title, description, category, tags, and price range. These suggestions are never auto-published; you must review and confirm before submitting
- Automated content moderation — Reviews, messages, comments, and listings are scanned for prohibited content (Section 11). High-confidence violations may be temporarily hidden pending human review
- Threat detection — Pattern matching on messages and chat for threats of violence, exploitation, fraud, and self-harm. Critical matches escalate to human moderators
- Search ranking and recommendations — Product search results and "Suggested for you" sections use behavioural signals (your views, searches, purchases) to rank content. Rankings are not based on protected characteristics
- Carbon / sustainability score — Listing carbon estimates use category baselines and condition multipliers. Estimates are informational only and not audited
- Loyalty tier calculation — Buyer loyalty tier is calculated automatically from lifetime spend
- VPN / fraud detection — Risk signals on registration and login may trigger CAPTCHA, additional verification, or account holds
- Community Jury (optional) — Disputes can be routed to a randomized jury of opted-in users who vote on the outcome. Jury decisions are advisory; NexudeIT administrators retain final decision authority
No solely automated decisions with legal effects: NexudeIT does not make decisions that produce legal or similarly significant effects on you (account suspension, ban, payment refusal) without human review, except where strictly necessary to prevent imminent harm or fraud.
Human review: If you believe an automated system has made an incorrect decision affecting you, contact us at support and request human review. We will respond within 14 days.
12. Data Retention
We retain different categories of personal data for different periods, based on the purpose for which we collected them and applicable legal obligations:
- Account profile data — retained while your account is active. On account deletion, profile fields are erased within 30 days. A minimal record (user ID + deletion timestamp) is kept for fraud prevention
- Transaction records (orders, payments, invoices) — retained for 7 years after the transaction date to comply with tax, accounting, and consumer protection laws
- Messages and chat threads — retained for 2 years after the last message. Encrypted at rest. You may request earlier deletion of message history via the Contact page
- Authentication logs (login events, IP, user agent) — retained for 365 days for security investigations
- Pageview / analytics events — retained for 180 days in raw form, then aggregated indefinitely with no personal identifiers
- Flagged content for safety review — retained for 2 years in encrypted storage
- Banned IPs / Level-3 banned accounts — retained indefinitely to enforce platform bans
- Cookies — see Section 4 for individual cookie expirations
When the retention period expires, data is securely deleted or anonymised. You may request earlier deletion at any time via the Contact page (subject to legal hold exceptions).
12a. Legal Bases for Processing (GDPR Article 6)
For users in the European Economic Area, United Kingdom, and Switzerland, NexudeIT relies on the following lawful bases under Article 6 of the GDPR:
- Contract (Art 6(1)(b)) — to provide the marketplace services you requested: account creation, order processing, payment, shipping, dispute resolution
- Legitimate interests (Art 6(1)(f)) — to prevent fraud, secure the Platform, detect VPN/proxy abuse, conduct safety monitoring of public content, defend against legal claims, and improve the service. We balance our interests against your fundamental rights and you may object at any time
- Consent (Art 6(1)(a)) — for non-essential cookies, marketing emails, optional features (newsletter subscription, auto-fill from image), and any processing where consent is the most appropriate basis. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal
- Legal obligation (Art 6(1)(c)) — to comply with tax, accounting, anti-money-laundering, consumer protection, and law enforcement requests
- Vital interests (Art 6(1)(d)) — in rare safety incidents involving threats of harm to a person, we may process and disclose information necessary to protect that person
We do not process special categories of personal data (health, religion, political opinions, biometric, etc.) except where you voluntarily disclose them in user-generated content, in which case Article 9(2)(e) applies (data manifestly made public by you).
13. Your Rights
Depending on your jurisdiction, you have the following rights:
For all users:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate or incomplete data
- Erasure ("right to be forgotten") — Request deletion of your data, subject to retention periods required by law
- Portability — Export your data in a structured, machine-readable format (JSON)
- Restriction — Ask us to limit how we process your data
- Objection — Object to processing based on legitimate interests, including profiling and direct marketing
- Withdraw consent — For any processing based on consent, withdraw at any time
- Lodge a complaint — File a complaint with your local data protection authority. EU users can find their authority at edpb.europa.eu
- Not be subject to automated decisions — Where decisions about you are made solely by automated means with significant effects, you may request human review (see Section 11a)
For California residents (CCPA / CPRA):
- Right to know — Categories of personal information collected, sources, purposes, and third parties to whom it is disclosed. See Sections 2 and 9
- Right to delete — Subject to exceptions (e.g. completing a transaction, complying with legal obligations)
- Right to correct — Update inaccurate personal information
- Right to opt out of sale or sharing — NexudeIT does not sell personal information and does not share personal information for cross-context behavioural advertising. No opt-out is required because we do not engage in those activities. If this changes in the future, we will provide a "Do Not Sell or Share My Personal Information" link prominently on the Platform
- Right to limit sensitive personal information — We do not use sensitive PI (e.g. precise geolocation, government IDs, biometrics) for purposes beyond the necessary operation of the Platform
- Right to non-discrimination — NexudeIT will not deny service, charge different prices, or provide a lower quality of service in retaliation for exercising any privacy right
- Authorised agent — You may designate an authorised agent to make a request on your behalf with proof of authorisation
How to submit a request: Use our Contact page, email [email protected], or use the in-app data export tool at Account > Settings > Export My Data. We respond within 30 days (extendable to 60 days for complex requests).
Identity verification: To protect your data, we will verify your identity before fulfilling rights requests. We may ask for your account credentials and a second form of verification.
14. Children's Privacy
NexudeIT is intended for users aged 16 and over. The minimum age (16) is enforced at registration and aligns with the GDPR's default age of digital consent. In jurisdictions with a higher minimum age (e.g. some U.S. states require 13 under COPPA, but NexudeIT applies the stricter 16+ rule globally), the higher age applies.
We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete the information and the associated account promptly.
Parents and guardians who believe their child has created an account on NexudeIT or provided personal data should contact us at support or [email protected]. We will verify the request and act within 14 days.
15. International Data Transfers
Your data may be stored and processed in countries other than your own, including the United States. When personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — We rely on the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) for transfers to processors in third countries
- Adequacy decisions — Where the European Commission has determined a country provides an adequate level of protection, we rely on those decisions
- Supplementary measures — Encryption in transit and at rest, access controls, and minimisation of personal data sent to third countries
You may request a copy of the safeguards in place for transfers affecting your data via the Contact page.
15a. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, NexudeIT will:
- Notify the relevant supervisory authority (e.g. Data Protection Commission, ICO) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- Provide details of the nature of the breach, the categories and approximate number of users affected, the likely consequences, and the measures taken or proposed
- Document all breaches internally regardless of notification obligations
15b. Data Protection Officer and EU Representative
For all data protection enquiries, including requests to exercise your rights under the GDPR and complaints about how we handle your data, you may contact:
- Data Protection Officer (DPO): [email protected]
- EU Representative (if applicable when serving EU users): To be appointed once NexudeIT establishes regular and substantial monitoring of EU data subjects in accordance with GDPR Article 27. Until then, EU users may direct enquiries to [email protected]
- Supervisory Authority: You have the right to lodge a complaint with the data protection authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement
15c. In-App Feedback Widget
NexudeIT offers an in-app feedback widget (a floating message button on most screens, plus a form in Account → Settings → Help). When you submit feedback we collect: the message text, any screenshot you choose to attach, the page URL it was sent from, your locale, your client version, and — if you are signed in — your account identifier so we can reply.
We do not silently capture passwords, payment details, or messages from your inbox. Feedback is used to triage bugs, prioritise features, reply to you, and produce anonymised aggregate trends; it is not shared with sellers, advertisers, or third parties unrelated to fixing the issue you raised. Retention is for the lifetime of the underlying issue plus a reasonable archival window. Email [email protected] to request deletion of your individual feedback. The legal framework for the widget is in Terms § 30h.
15d. Beta and Closed-Test Programs
NexudeIT runs invitation-only beta programs (closed Android tests, early-access feature flags, Founder cohorts). Participation is optional and may include data handling that differs from general availability:
- Beta features may produce additional diagnostic logs (performance traces, crash dumps, anonymised event streams) used solely to evaluate the feature
- Cohort recruitment is sometimes outsourced to a vendor (for example, TestersCommunity). Vendors operate under their own privacy and terms during the program
- Test-only content (listings, messages, transactions) created inside a beta program may be reset, archived, or migrated when the program ends, with reasonable notice if user-created content is affected
- You may exit a beta program at any time via Account → Settings or by emailing [email protected]. Exiting may delete program-specific state that does not transfer to general availability
The legal framework for beta programs is in Terms § 30g.
15e. Privacy Assurance Summary
A glanceable list of the protections in place by default for every NexudeIT user, regardless of plan:
- End-to-end encrypted buyer–seller messaging — ECDH key exchange + AES-256-GCM; NexudeIT staff cannot read message content
- PBKDF2-SHA256 password hashing — 200,000 iterations and unique salts; no plaintext passwords ever stored
- Personally identifiable information encrypted at rest — AES-256-GCM on emails, phone numbers, shipping addresses
- HTTPS/TLS everywhere — API, mobile app, and CDN
- Two-factor authentication available via TOTP
- No sale of personal data — no cross-context behavioural advertising
This summary is non-binding shorthand for the full commitments described elsewhere in this Policy. If anything below the surface conflicts with this summary, the specific section governs.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through a notice on the Platform. Your continued use of the Platform after changes constitutes acceptance of the updated policy.
17. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please reach out through our Contact page.
