GDPR Policy

1. About Nexa Group

Vexor is a platform owned and operated by Nexa Group, an international digital media organization headquartered at Nexa-Group.org. Nexa Group acts as the primary Data Controller for all personal data processed through Vexor.

Where applicable, Nexa Group appoints trusted third-party processors under legally binding Data Processing Agreements (DPAs), ensuring GDPR-compliant operations across all regions.

2. Scope of This Statement

This GDPR statement applies to all:

• Vexor mobile apps (iOS, Android)
• Vexor’s web platform and APIs
• Any features, services, analytics systems, and back-end infrastructure
• User-generated content and metadata
• Internal processing performed by Nexa Group

3. Lawful Basis for Processing Personal Data

Vexor processes personal data only under one or more legally valid bases:

• Consent: For permissions such as camera, microphone, notifications, advertising preferences, or location use.
• Contractual Necessity: To create and manage your account, deliver features, and ensure platform functionality.
• Legitimate Interests: Including fraud prevention, system security, analytics, and content personalization.
• Legal Obligation: When required to respond to regulators, law enforcement, or comply with statutory requirements.
• Vital Interests: When necessary to protect users from imminent harm.

4. Categories of Data We Process

The types of data processed may include:

• Account Data: Email, username, password, phone number, verification status.
• User Content: Uploaded videos, captions, comments, messages, audio, and engagement metrics.
• Behavioral Data: Searches, likes, watch time, recommendations, interests, and algorithm signals.
• Technical Data: Device identifiers, IP address, OS version, network provider, crash logs.
• Location Data: Approximate or precise location depending on device permissions.
• Cookies & Tracking: Analytics, optimization, security, session management.

5. Data Minimization & Purpose Limitation

Nexa Group adheres to strict minimization principles:

• We collect only the data required to operate and improve Vexor.
• We do not collect sensitive categories of data unless required for safety or legal compliance.
• We do not use data for unrelated purposes without a new legal basis or explicit user consent.

6. How We Use Personal Data

Vexor may process data for the following purposes:

• Platform operation, performance, account management, and optimization.
• Security enforcement, fraud detection, and abuse prevention.
• Recommendation algorithms and personalized content feeds.
• Product analytics and feature development.
• Moderation, trust & safety, and policy enforcement.
• Compliance with regulatory or legal requirements.

7. Automated Decision-Making & Profiling

Vexor’s recommendation system uses algorithmic profiling to personalize content feeds. Users have the right to opt out of certain personalization processing, depending on regional laws.

8. Your GDPR Rights

Under GDPR, all EU/EEA users have the following rights:

• Right to Access – Obtain a copy of your personal data.
• Right to Rectification – Correct inaccurate or incomplete data.
• Right to Erasure (“Right to be Forgotten”) – Request full deletion of your account and personal data.
• Right to Restrict Processing – Limit how your data is used under certain conditions.
• Right to Data Portability – Export your data in machine-readable format.
• Right to Object – Object to processing, including profiling or personalization.
• Right to Withdraw Consent – At any time, without affecting prior lawful processing.
• Rights Related to Automated Decisions – Request human review where processing has significant effects.

9. How to Submit GDPR Requests

Users can submit GDPR-related requests through the following dedicated channels:

Email: privacy@vexor.to
DPO Contact: dpo@vexor.to
Support: support@vexor.to
Parent Company Legal: legal@nexa-group.org

10. International Data Transfers

As a global platform, some data may be processed in regions outside the EU. Nexa Group ensures compliance through:

• EU Standard Contractual Clauses (SCCs)
• Data Processing Agreements with all external processors
• Vendor due-diligence and continuous monitoring
• Encryption, anonymization, and access controls

11. Data Security Measures

Nexa Group maintains an enterprise-grade security framework including:

• End-to-end encryption where appropriate
• Secure global data centers with EU availability zones
• Zero-trust architecture and internal access limitations
• 24/7 security monitoring and intrusion detection
• Regular penetration testing and security audits
• Automated anomaly and abuse detection systems

12. Data Breach Notification Protocol

In the event of a breach affecting EU users, Nexa Group will:

• Notify the relevant Supervisory Authority within 72 hours
• Notify affected individuals without undue delay
• Provide details of the breach, risks, and mitigation steps
• Perform full forensic investigation and apply remediation

13. Data Retention Policy

Personal data is retained only as long as necessary for:

• Account operation
• Compliance with legal obligations
• Fraud prevention and safety enforcement
• Contractual requirements

When retention is no longer required, data is securely deleted or fully anonymized.

14. Supervisory Authorities

You may lodge a complaint with your national Data Protection Authority (DPA).

The lead authority for Nexa Group operations in the EU/EEA is:
Datatilsynet — The Norwegian Data Protection Authority
Website: https://www.datatilsynet.no

15. Contact Information

For GDPR inquiries or data rights requests, contact:

Privacy Team: privacy@vexor.to
DPO: dpo@vexor.to
Parent Company (Nexa Group): legal@nexa-group.org
Support: support@vexor.to