PRIVACY POLICY - nself-org/nchat GitHub Wiki
Effective Date: [INSERT DATE] Last Updated: [INSERT DATE]
Welcome to [YOUR COMPANY NAME] ("Company", "we", "our", "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our nself-chat application (the "Service").
IMPORTANT: This is a template privacy policy that must be customized for your specific use case. Please consult with legal counsel before publishing this document. Replace all [PLACEHOLDERS] with your actual information.
When you register for and use the Service, we may collect:
- Account Information: Name, email address, username, password (encrypted)
- Profile Information: Profile picture, display name, bio, role, timezone
- Communication Data: Messages, files, images, and other content you share through the Service
- Workspace Information: Organization name, company details (if applicable)
When you access the Service, we automatically collect:
- Usage Data: IP address, browser type, operating system, device information
- Log Data: Access times, pages viewed, actions taken, errors encountered
- Cookies and Tracking: We use cookies and similar technologies (see Cookie Policy)
- Performance Data: Application performance metrics, crash reports (via Sentry)
If you authenticate using third-party services (Google, GitHub, etc.), we receive:
- OAuth Data: Email address, name, profile picture from the authentication provider
- Public Profile: Information you've made publicly available on that service
We use your information for the following purposes:
- Provide, operate, and maintain the Service
- Process and deliver messages and communications
- Authenticate users and manage accounts
- Enable collaboration and team communication
- Analyze usage patterns to improve features
- Monitor and analyze trends and user preferences
- Develop new features and functionality
- Test and troubleshoot technical issues
- Send administrative information (service updates, security alerts)
- Respond to inquiries and support requests
- Send marketing communications (with your consent, where required)
- Detect, prevent, and address fraud, abuse, and security issues
- Enforce our Terms of Service
- Comply with legal obligations
- Protect rights, property, and safety of our users
- Monitor application performance and errors (via Sentry)
- Conduct analytics to understand user behavior
- Generate anonymized usage statistics
If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on:
- Consent: Where you have given explicit consent (e.g., marketing emails)
- Contract: To perform our contractual obligations under the Terms of Service
- Legitimate Interests: For fraud prevention, security, analytics (where not overridden by your rights)
- Legal Obligation: To comply with applicable laws and regulations
We do NOT sell your personal information. We may share your information in the following circumstances:
We share information when you explicitly consent to the sharing.
We share data with third-party vendors who perform services on our behalf:
- Infrastructure: [AWS/Google Cloud/Azure] for hosting
- Database: PostgreSQL for data storage
- Authentication: Nhost Auth for user authentication
- Monitoring: Sentry for error tracking and performance monitoring
- Email: [Mailgun/SendGrid/AWS SES] for transactional emails
- Storage: MinIO/S3 for file storage
- Analytics: [Google Analytics/Mixpanel] (if applicable)
All service providers are contractually required to protect your data and use it only for specified purposes.
We may disclose your information if required by law or in response to:
- Court orders, subpoenas, or legal processes
- Law enforcement requests
- Protection of our rights, property, or safety
- Investigation of fraud or security issues
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. You will be notified of any such change.
We may share aggregated or anonymized data that cannot reasonably be used to identify you.
We retain your information for as long as necessary to:
- Provide the Service and fulfill the purposes described in this policy
- Comply with legal obligations (e.g., tax, accounting, audit requirements)
- Resolve disputes and enforce agreements
Retention Periods:
- Active Accounts: Data retained while account is active
- Deleted Accounts: Most data deleted within 30 days; some data retained for up to [7 years] for legal/audit purposes
- Logs and Analytics: Retained for [90 days to 2 years] depending on type
- Backups: May persist in backups for up to [90 days] after deletion
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and data (subject to legal retention requirements)
- Data Portability: Export your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict: Request restriction of processing in certain circumstances
- Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
- Right to Complain: Lodge a complaint with your local data protection authority
- Right to Know: Know what personal information is collected, used, and shared
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Opt-Out: Opt-out of the sale of personal information (we do NOT sell data)
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising rights
To exercise any of these rights, please contact us at:
- Email: [[email protected]]
- Support Portal: [INSERT URL]
- In-App Settings: Account Settings > Privacy & Data
We will respond to requests within 30 days (or as required by applicable law).
We implement appropriate technical and organizational measures to protect your data:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Authentication: Secure password hashing (bcrypt), JWT tokens
- Access Controls: Role-based access control (RBAC), principle of least privilege
- Infrastructure: Firewalls, intrusion detection, regular security audits
- Monitoring: Real-time error tracking and security monitoring (Sentry)
No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
In the event of a data breach, we will notify affected users and relevant authorities as required by law within 72 hours of discovery.
We use cookies and similar technologies to:
- Authenticate users and maintain sessions
- Remember preferences and settings
- Analyze usage and performance
- Provide security features (CSRF protection)
For more information, see our Cookie Policy.
- Essential Cookies: Required for the Service to function (authentication, security)
- Functional Cookies: Remember preferences and settings
- Analytics Cookies: Understand usage patterns (can be disabled)
- Performance Cookies: Monitor application performance (Sentry)
You can manage cookies through:
- Browser settings (block or delete cookies)
- In-app cookie consent banner
- Third-party opt-out tools (e.g., Google Analytics opt-out)
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
The Service is NOT intended for users under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately, and we will delete it.
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): For transfers outside the EEA
- Adequacy Decisions: Transfers to countries recognized by the EU Commission
- Privacy Shield (if applicable): For U.S. transfers (subject to legal developments)
By using the Service, you consent to the transfer of your information to [INSERT COUNTRIES WHERE DATA IS PROCESSED].
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
See Section 1 for categories of personal information collected.
See Section 2 for how we use your information.
See Section 4 for third parties with whom we share information.
We do NOT sell your personal information.
See Section 6.4 for how to submit requests.
We will not discriminate against you for exercising your CCPA rights.
If you are a Nevada resident, you have the right to opt-out of the sale of your personal information. We do NOT sell personal information. If you still wish to submit an opt-out request, contact us at [[email protected]].
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will:
- Notify you via email (if you have provided an email address)
- Display a prominent notice in the Service
- Require you to accept the new policy before continuing to use the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:
[YOUR COMPANY NAME] Address: [INSERT PHYSICAL ADDRESS] Email: [[email protected]] Phone: [INSERT PHONE NUMBER] Support Portal: [INSERT URL]
Name: [INSERT DPO NAME] Email: [[email protected]]
Name: [INSERT EU REP NAME] Address: [INSERT EU ADDRESS] Email: [[email protected]]
- Service: The nself-chat application and all related services
- Personal Data/Information: Information that identifies or can identify an individual
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- Controller: The entity that determines the purposes and means of processing personal data
- Processor: The entity that processes personal data on behalf of the controller
- User/You: Any individual using the Service
| Data Type | Purpose | Legal Basis | Retention | Third Parties |
|---|---|---|---|---|
| Account Info | User authentication | Contract | Account lifetime + 30 days | Nhost Auth |
| Messages | Communication | Contract | Account lifetime + [X] days | PostgreSQL, MinIO |
| Usage Logs | Analytics, debugging | Legitimate interest | 90 days | Sentry |
| IP Address | Security, fraud prevention | Legitimate interest | 30 days | Infrastructure provider |
| Cookies | Session management | Consent/Essential | Session or 1 year | N/A |
- Data Controller: [YOUR COMPANY NAME]
- Legal basis: See Section 3
- Data Protection Authority: [INSERT RELEVANT DPA]
- Rights: See Section 6.2
- Business: [YOUR COMPANY NAME]
- CCPA compliance: See Section 12
- Do Not Sell My Personal Information: We do not sell data
- PIPEDA compliance: This policy complies with PIPEDA requirements
- Privacy Commissioner: Office of the Privacy Commissioner of Canada
This is a template document. Consult with legal counsel to ensure compliance with applicable laws in your jurisdiction.
Document Version: 1.0 Template Created: January 31, 2026 Last Reviewed: [INSERT DATE]