Legal
Privacy Policy
We collect as little as possible. We keep it only as long as needed. We share it with no one.
Introduction & Privacy Commitment
Nexvara ('we', 'us', or 'our') operates nexvara.pro and provides digital services including web development, app development, and scripting/automation. Privacy is not a feature for us — it is a foundational operating principle.
Our approach is deliberately minimalist: we collect only what is strictly necessary to deliver your project, we do not retain data beyond its immediate purpose, and we do not share it with anyone — including third-party platforms, advertisers, data brokers, or government and law enforcement agencies. We design our systems so that we do not accumulate data that could be compelled or compromised. This policy exists to make that commitment explicit and binding.
By using nexvara.pro or engaging our services, you acknowledge you have read and understood this Privacy Policy.
Definitions
- 'Personal Data' means any information that identifies or could identify a living individual, directly or indirectly (e.g., name, email address, IP address).
- 'Processing' means any operation performed on Personal Data, including collection, storage, use, and deletion.
- 'Data Subject' means any individual whose Personal Data is processed under this policy.
- 'Minimal Data' refers to our operating principle of collecting only the absolute minimum data required for a defined, specific purpose.
Legal Framework & Compliance
This Privacy Policy is designed to be consistent with internationally recognized data protection principles, including but not limited to:
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679: We apply GDPR principles of lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, and integrity/confidentiality to all personal data processing, regardless of the data subject's location.
- Personal Data Protection Act (PDPA) — applicable to clients and data subjects located in Singapore and other PDPA-framework jurisdictions: We process personal data only for purposes for which it was provided, and we do not transfer it outside the engagement context.
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): California residents retain the right to know what data is collected, to request deletion, and to opt out of sale. We do not sell personal data under any circumstances.
- Children's Online Privacy Protection Act (COPPA): We do not knowingly collect data from individuals under 13 (or under 18 in applicable jurisdictions). Our services are directed exclusively at adults.
Regardless of your jurisdiction, Nexvara applies the highest applicable standard of privacy protection to all clients and site visitors. If there is a conflict between applicable local law and this policy, we will comply with the more protective standard where operationally feasible.
What We Collect — And What We Don't
4.1 Data You Provide Directly
The only personal data we hold is what you voluntarily provide to initiate or manage a project:
- Name and email address — for project communication.
- Company name or project context — where relevant to the engagement.
- Files, assets, or materials you submit for use in the project.
We collect nothing speculatively. We do not ask for more than what is necessary for the task at hand. Legal basis for processing: contractual necessity (Article 6(1)(b) GDPR) and legitimate interest in communicating with prospective clients (Article 6(1)(f) GDPR).
4.2 Website Visits
nexvara.pro does not deploy tracking pixels, behavioral analytics, session recording, fingerprinting, or third-party advertising scripts. We do not log visitor IP addresses for identification purposes. Any transient technical data processed by server infrastructure to serve page requests is not stored, profiled, or associated with identifiable individuals.
4.3 Data We Never Collect
- Payment card numbers or banking credentials — handled directly by independent payment processors.
- Government-issued identification numbers or passport/ID data.
- Health, biometric, racial, religious, or other special category data under GDPR Article 9.
- Location data beyond what is voluntarily disclosed in communications.
- Any data from individuals under 18 years of age.
Purpose & Legal Basis for Processing
All personal data processing is limited to explicitly defined, lawful purposes:
- Purpose: Responding to project inquiries. Basis: Legitimate interest / pre-contractual necessity.
- Purpose: Delivering and managing agreed project work. Basis: Performance of contract.
- Purpose: Issuing invoices and maintaining minimum billing records. Basis: Legal obligation (accounting/tax law compliance).
We do not process personal data for marketing, profiling, behavioral analysis, product improvement, or any purpose beyond the specific engagement. We do not use automated decision-making or profiling that produces legal or similarly significant effects on data subjects.
Data Retention — Minimal by Design
We operate on a strict minimal-retention principle. We do not maintain databases of client profiles, historical correspondence, or past project records beyond what is operationally active or legally required.
- Active project data: Retained only for the duration of the active engagement.
- Post-project communications: Deleted upon project completion and final settlement.
- Billing records: Minimum identifying information (e.g., client name, invoice amount, date) retained for the period required by applicable tax and accounting law — typically 5–7 years depending on jurisdiction — and no longer.
- Inquiry data (no project initiated): Deleted within 90 days if no engagement proceeds.
You may request deletion of any personal data we hold at any time. Because our retention is minimal by design, most deletion requests can be fulfilled immediately and completely.
Your Rights as a Data Subject
Regardless of your location, Nexvara recognizes and will honor the following data subject rights:
- Right of Access (GDPR Art. 15 / CCPA): Request a copy of any personal data we hold about you.
- Right to Rectification (GDPR Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure / 'Right to be Forgotten' (GDPR Art. 17 / CCPA): Request deletion of your personal data. We will comply without undue delay, subject only to minimum legal retention obligations.
- Right to Restriction of Processing (GDPR Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to Data Portability (GDPR Art. 20): Request your data in a structured, commonly used, machine-readable format.
- Right to Object (GDPR Art. 21): Object to processing based on legitimate interests.
- Right to Non-Discrimination (CCPA): Exercising your privacy rights will not result in denial of service or differential treatment.
To exercise any of these rights, contact us through nexvara.pro. We will acknowledge your request within 72 hours and fulfill it within the timeframe required by applicable law (typically 30 days under GDPR). We do not charge fees for rights requests.
Security
The most secure data is data that does not exist. Our minimal-collection and minimal-retention approach constitutes the primary layer of our security posture. For the limited personal data we do handle:
- All client communications are conducted over encrypted channels (TLS/SSL).
- Access to project data is restricted to personnel directly involved in the engagement.
- We do not store client data in shared or public-accessible systems.
- No centralized client databases are maintained.
While no system can guarantee absolute security, our architecture is intentionally designed to minimize the attack surface. In the unlikely event of a data breach affecting personal data, we will notify affected individuals and relevant authorities as required by applicable law, within the legally prescribed timeframes (e.g., 72 hours under GDPR Art. 33).
Third-Party Links
Our website may contain hyperlinks to external websites or services. Nexvara has no control over, and assumes no responsibility for, the content, privacy practices, or data handling of any third-party sites. We encourage you to review the privacy policy of any external site before providing any personal information.
Children's Privacy
Nexvara's services are directed exclusively at adults (18 years of age or older). We do not knowingly collect, process, or retain personal data from individuals under 18. If we become aware that personal data from a minor has been submitted, it will be deleted immediately. If you believe such data has been provided, please contact us immediately through nexvara.pro.
International Data Transfers
Nexvara operates with clients globally. We do not transfer personal data to third parties or across borders as part of our operations. Where limited cross-border communication occurs in the normal course of a client engagement (e.g., email), this is at the direction and initiation of the client. We do not operate international data pipelines, cloud sync, or data warehousing systems that would constitute a regulated transfer under GDPR Chapter V.
Applicable Legal Frameworks
This Privacy Policy is designed to reflect the highest standards of applicable data protection law globally. The following frameworks inform our practices:
14.1 Data Protection & Privacy Law
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679: Governs processing of personal data of EU/EEA residents. Our practices align with all GDPR principles including lawfulness, purpose limitation, data minimization, accuracy, storage limitation, and integrity. Data Subject rights referenced in Section 8 are drawn directly from GDPR Articles 15–22.
- UK GDPR / Data Protection Act 2018: The retained UK equivalent of GDPR, applying the same substantive protections for UK residents following Brexit.
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq.: California residents have the right to know, delete, and opt out of sale of personal information. We do not sell personal information under any circumstances. No discrimination will result from exercising CCPA rights.
- Personal Data Protection Act (PDPA) — Singapore (Act 26 of 2012) and equivalent frameworks in Malaysia, Thailand, and other PDPA-framework jurisdictions: We process personal data only for disclosed purposes and do not transfer it outside the engagement context.
- Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.: We do not knowingly collect personal data from individuals under 13. Our services are directed exclusively at adults.
14.2 Breach Notification Laws
- GDPR Article 33–34: In the event of a personal data breach that poses a risk to individuals' rights, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected individuals without undue delay where the risk is high.
- U.S. State Breach Notification Laws (e.g., California Civil Code § 1798.82, NY SHIELD Act, and equivalents in 50 U.S. states): We will notify affected individuals in accordance with applicable state law notification requirements in the event of a qualifying breach.
- Given our minimal-retention architecture, the realistic scope of any breach is extremely limited. We maintain no large-scale client databases that would constitute a significant breach event.
14.3 Cybersecurity Standards
- NIST Cybersecurity Framework (NIST CSF 2.0): Our internal data handling practices are aligned with NIST CSF principles of Identify, Protect, Detect, Respond, and Recover, scaled appropriately for our operating model.
- ISO/IEC 27001 Principles: While Nexvara does not currently hold ISO 27001 certification, our data handling practices are informed by its information security management principles, including access control, data classification, and incident response.
- OWASP Security Principles: All web and application development work delivered by Nexvara incorporates OWASP (Open Web Application Security Project) secure coding guidelines to protect end-user data within client systems.
14.4 Electronic Privacy Law
- Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq.: Nexvara does not intercept, monitor, or disclose the contents of electronic communications. All client communications are treated as private and confidential.
- EU ePrivacy Directive 2002/58/EC (Cookie Law): Our cookie practices described in Section 10 are designed in compliance with ePrivacy requirements. No non-essential tracking cookies are deployed without informed consent.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. All changes will be posted on nexvara.pro with an updated effective date. We will never make changes that materially reduce your privacy protections without providing clear and prominent notice. Where changes are material, we will notify active clients directly.
Your continued use of nexvara.pro or engagement with our services following the effective date of any revision constitutes your acknowledgment of the updated policy.
Contact & Data Subject Requests
For any privacy-related questions, data subject rights requests, or concerns about our data practices, please contact us through nexvara.pro. Given our minimal-retention architecture, most requests are fulfilled immediately. We are committed to transparent and prompt communication on all privacy matters.
© 2026 NEXVARA. ALL RIGHTS RESERVED.
