Privacy Policy

1. Data controller

Riverlab S.L.U. (“Riverlab”, “we”, “our”) is the data controller for the personal data we process through the NXO mobile application (the “app”).

• Legal name: Riverlab S.L.U.
• Tax ID: B18050955
• Registered address: Calle Santa Bárbara 18, 18001 Granada (Spain)
• Contact email: riverlabsl@gmail.com

2. Data we collect

To run the service we collect the following categories of data:

• Account data (handled by our identity provider, Clerk): first name, last name, email address and, if you upload one, profile picture.
• Profile data (stored in our database): date of birth (mandatory), bio, headline, skills, projects you create, availability, remote/in-person preference, links, location (optional) and phone number (optional).
• Usage data: matches, connection requests sent and received, and feed interactions.
• Device data: push notification token, platform (iOS or Android), app version and operating system.
• Technical data: server logs, errors and IP addresses needed to operate the service.

3. Purposes and legal bases

We process your data for the following purposes, on the indicated legal basis:

• To provide the service (account creation, matching, messaging and other features): performance of the contract you enter into when accepting our Terms (art. 6.1.b GDPR).
• To verify the minimum age: compliance with a legal obligation (arts. 6.1.c and 8 GDPR).
• To send push notifications about relevant activity: your consent at the operating system level (art. 6.1.a GDPR), revocable at any time from your device settings.
• To keep the service secure and prevent abuse or fraud: our legitimate interest (art. 6.1.f GDPR).
• Technical diagnostics via logs: our legitimate interest in maintaining service availability and quality.

4. Camera and gallery permission

On Android, the system permission to read your images is labelled as “camera”. NXO requests it for a single purpose: to let you pick and upload a profile picture. The image is sent directly to our identity provider (Clerk), which hosts it as part of your account; we do not keep an additional copy on our servers. You can deny the permission and continue using the app without a photo, or remove the image at any time from the profile editor.

5. Processors and third-party providers

We do not sell your data. To run the service we rely on the following processors, all bound by the corresponding data processing agreements:

• Clerk, Inc. — authentication, identity management and profile image hosting.
• Railway Corp. — PostgreSQL database hosting, where profile and usage data are stored.
• Expo (650 Industries, Inc.) — push notification delivery.
• Axiom — technical log storage and querying.
• Apple Inc. and Google LLC — app distribution through the App Store and Google Play.

6. International transfers

Some of the providers above are established outside the European Economic Area, mainly in the United States. These transfers are covered by the safeguards set out in articles 45 and 46 GDPR: Standard Contractual Clauses approved by the European Commission, or the EU–U.S. Data Privacy Framework where applicable.

7. Retention periods

We keep your data for as long as your account is active. When you delete your account from within the app, all profile data, projects, connections and messages are wiped immediately from our database.

Technical logs may be retained for a short period (typically no more than 30 days) for security and diagnostic purposes before automatic deletion.

8. Your rights

Under the GDPR and LOPDGDD you may at any time:

• Access your personal data.
• Correct inaccurate or incomplete data.
• Erase your data. You can do this directly by deleting your account from within the app.
• Object to or restrict processing.
• Port your data to another controller in a structured format.
• Withdraw any consent you have given, without retroactive effect.

To exercise any of these rights, write to riverlabsl@gmail.com. If you believe your request has not been properly handled, you may lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es).

9. Minimum age

NXO is intended for people aged 16 or older. That is why date of birth is mandatory at sign-up: it allows us to verify that you meet that requirement. We will remove any account that does not, along with its associated data.

10. Security

We apply reasonable technical and organisational measures to protect your data: HTTPS encryption in transit, secure credential storage on the device (Expo SecureStore, Android Keystore or Apple Keychain), database access controls and periodic reviews. No system is 100% bulletproof, but we work to keep risks as low as possible.

11. Changes to this policy

We may update this policy to reflect legal, technical or functional changes. If the changes are material, we will give you at least 15 days' notice by email or in the app. The “last updated” date in the header always indicates the version in force.

12. Contact

For any question about this policy or how we handle your data, write to riverlabsl@gmail.com. Postal address: Riverlab S.L.U., Calle Santa Bárbara 18, 18001 Granada (Spain).