LEGAL Transparency & Trust

Privacy Policy

We value your privacy and are committed to protecting your personal information. This policy explains exactly how we collect, use, and safeguard your data.

Effective Date: January 1, 2026  |  Last Updated: May 28, 2026

1. Introduction

NETRA NEXUS ("NETRA NEXUS," "we," "our," or "us") operates a software-as-a-service platform available at nexusnetra.com (the "Platform"). The Platform is designed to help network marketing professionals manage their teams, prospect pipelines, appointments, and business activities.

This Privacy Policy explains what personal information we collect and why; how we use, store, and protect that information; with whom we share it; and what rights you have with respect to your personal information.

This policy applies to all users of the NETRA NEXUS Platform, regardless of where you are located. By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

This policy is intended to comply with applicable Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector (Law 25), as well as the European Union's General Data Protection Regulation (GDPR) to the extent applicable to our international users.

2. Who We Are — Data Controller

NETRA Nexus Inc. is the data controller responsible for the personal information collected through the NETRA NEXUS Platform.

For the purposes of Quebec Law 25, NETRA Nexus Inc. is the enterprise responsible for the protection of personal information.

For the purposes of the GDPR (where applicable), NETRA Nexus Inc. is the data controller.

Contact details for privacy-related requests are set out in Section 20 below.

3. Information We Collect

3.1 Information You Provide at Registration

When you create a NETRA NEXUS account, we collect:

  • Full name — required to identify your account.
  • Email address — required for sign-in and service communications.
  • Password — if you use email/password sign-in. Stored only as a cryptographic hash by our authentication provider; we never have access to your plaintext password.

If you sign in using Google or Apple, we receive basic profile information (name, email address, and a unique identifier) from those providers. We do not receive your Google or Apple passwords.

3.2 Information You Provide During Onboarding

After creating your account, you may provide the following information during onboarding. Fields noted as optional are not required to use the Platform:

  • Phone number (optional)
  • Province / region and country (optional)
  • Gender (optional)
  • Profile avatar / photo (optional) — stored in publicly accessible storage; see Section 10.
  • Business rank (optional) — platform-defined role categories.
  • Referral / recruiter code (optional) — links your account to an upline member.
  • External tracking sheet URL (optional) — access to this field is restricted within the Platform.
  • Language preference — defaults to English.

3.3 Information Generated Through Platform Use

As you use the Platform, we collect and store:

  • Messages — content of direct messages you send to and receive from other Platform users. See Section 9.
  • Appointments and calendar entries — titles, notes, scheduled times, and associated contacts.
  • To-do items and personal notes — free-text content you create within the Platform.
  • Quick links — URLs, labels, and associated icons you upload.
  • Prospect and team data — information you enter about third-party individuals. See Section 4.
  • Notification history — in-app notifications generated by platform activity, which may contain information about other users (such as the name, rank, and contact details of a user who sent you a connection request).
  • Activity metadata — your last-active timestamp, used to support presence features within the Platform.

3.4 Information Collected Automatically

When you access the Platform, our infrastructure providers process standard technical data associated with your request, including IP address and browser or device metadata. We do not operate any independent analytics platform, advertising network, behavioral tracking system, or telemetry service. We do not use cookies, tracking pixels, or similar technologies for advertising or behavioral profiling.

Your authentication session (including a JWT access token and refresh token) is stored in your browser's localStorage. See Section 8 for details.

4. Information You Enter About Third Parties

NETRA NEXUS is designed for network marketing professionals who manage contacts, prospects, and team members. As part of your normal use of the Platform, you may enter personal information about individuals who are not NETRA NEXUS users. This includes, but is not limited to:

  • Full names, phone numbers, and email addresses
  • Province / region and country
  • Gender and age group
  • Relationship labels (e.g., colleague, prospect)
  • Pipeline stage, market type, and follow-up tracking data
  • Free-text notes about interactions

This information is stored under your account and is subject to the access controls described in Section 11.

Your Responsibility for Third-Party Data You are solely responsible for ensuring that you have an appropriate legal basis to collect and enter personal information about third parties into the Platform, and for complying with any applicable privacy laws when doing so — including, where relevant, providing notice to those individuals. NETRA NEXUS acts as a data processor with respect to third-party contact data you store, processing it only on your instructions and in accordance with this policy.

5. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Account management and authentication: To create and maintain your account, verify your identity, manage your sign-in sessions, and enable platform access.
  • Service delivery: To provide all Platform features, including team hierarchy management, prospect tracking, direct messaging, appointment scheduling, quick-link management, and related tools.
  • Subscription and billing: To manage your subscription tier, process payments, handle billing events, and display billing information within the Platform.
  • Team hierarchy and sharing: To enable connections between upline and downline members and to support the explicit, user-controlled data-sharing features of the Platform.
  • In-app notifications: To deliver notifications about messages, follow-up reminders, connection requests, and other platform activity relevant to you.
  • Platform security and integrity: To detect and respond to unauthorized access, enforce our Terms of Service, and protect the security of user data.
  • Platform operations and improvement: To maintain the reliability and performance of the Platform. We use only internal operational data for this purpose.
  • Legal compliance: To comply with applicable laws, respond to lawful requests from public authorities, and fulfill our obligations under applicable financial and tax regulations.
We Do Not Sell Your Data We do not sell your personal information. We do not use your information for advertising, behavioral profiling, or any purpose not described in this policy.

6. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under the GDPR or UK GDPR to process your personal data:

Processing Activity Legal Basis
Account registration and authentication Performance of a contract — Art. 6(1)(b): necessary to provide the service
Core Platform features (messaging, appointments, prospect management, sharing) Performance of a contract — Art. 6(1)(b)
Subscription management and billing Performance of a contract — Art. 6(1)(b)
Optional profile fields (phone number, gender, avatar) Consent — Art. 6(1)(a): you provide this information voluntarily
Platform security and fraud prevention Legitimate interests — Art. 6(1)(f): protecting the security and integrity of the Platform
Legal compliance (e.g., financial record-keeping) Legal obligation — Art. 6(1)(c)

Where we rely on consent as a legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

7. Payments & Billing

Payments for NETRA NEXUS subscriptions are processed by Stripe, Inc. ("Stripe"). When you subscribe to a paid plan, you are directed to a Stripe-hosted checkout page. Your full payment card details are entered directly on Stripe's secure servers and are never transmitted to or stored on our systems.

We store the following Stripe-related data to manage your subscription:

  • Stripe customer identifier, subscription identifier, price identifier, and schedule identifier
  • Subscription status, plan type, and cancellation flags
  • Billing period dates and upcoming invoice information
  • Discount eligibility and redemption status
  • Dunning and grace period status for past-due accounts

Full Stripe payment event data (including customer and subscription identifiers) is logged in a secure audit table that is inaccessible to Platform users and is available only to our system-level service account for audit and reconciliation purposes.

Stripe operates under its own privacy policy, available at stripe.com/privacy. Stripe is an independent data controller for the payment data it processes.

8. Authentication & Account Security

You may sign in to NETRA NEXUS using any of the following methods:

  • Email address and password — your password must be at least 8 characters. It is stored only as a secure cryptographic hash by our authentication provider; we never have access to your plaintext password.
  • Google (OAuth) — Google returns your name, email address, and a unique identifier to our authentication system. We do not receive your Google password.
  • Apple (OAuth) — Apple returns your name, email address, and a unique identifier to our authentication system. We do not receive your Apple password.

Session storage: Your authentication session — including a JWT access token and a refresh token — is stored in your browser's localStorage. This storage is local to your device and browser, is not transmitted to third parties, and is not shared across devices or browsers.

We recommend using NETRA NEXUS only on trusted personal devices, signing out when you finish your session (particularly on shared devices), and keeping your browser and operating system up to date.

No Cookies Used for Authentication The Platform does not set cookies. Your session is stored exclusively in browser localStorage on your device.

9. Communications & Messaging

NETRA NEXUS includes a direct messaging feature that allows you to send and receive text messages with other Platform users.

⚠️ Important — Messages Are Not End-to-End Encrypted In-app messages are stored in our database in plaintext and are not end-to-end encrypted. Messages are technically accessible to database administrators and our infrastructure provider (Supabase) as part of normal database operations. We do not read your messages for commercial purposes. However, please do not transmit highly sensitive personal or financial information through the in-app messaging system, including:
  • Government identification numbers (such as Social Insurance Numbers or Social Security Numbers)
  • Banking credentials or full financial account details
  • Medical or health information
  • Passwords or security credentials

10. Profile Images & Public Storage

Profile avatars — for your own account and for any prospect or team member records you create — and quick-link icons are stored in publicly accessible cloud storage. This means that any person with the direct URL to one of these images can access it without authentication.

You should only upload images that you are comfortable making publicly accessible. If you upload a profile photo of yourself or of another individual, please ensure you have their appropriate consent to do so and that you understand the public nature of the storage.

11. Data Sharing & Disclosure

We do not sell your personal information to third parties. We may share your information only in the following limited circumstances:

User-Controlled Sharing Within the Platform

NETRA NEXUS includes a built-in data-sharing system that allows you to grant other Platform users access to specific portions of your data (such as your prospect list or tracking sheet URL). Any such sharing is explicit — you must actively grant access — scoped to the categories of data you choose, and revocable at any time. No sharing occurs without your affirmative action.

Team Hierarchy Access

If you are part of an organizational hierarchy within the Platform, users above you in that hierarchy (your "upline") may have access to certain account-level information as governed by the Platform's hierarchical access model. The scope of any such access is defined within the Platform and does not extend beyond permissions explicitly configured by users.

Service Providers

We share data with the third-party service providers described in Section 12, only to the extent necessary for them to deliver their respective services.

Legal Requirements

We may disclose personal information if required to do so by applicable law, regulation, subpoena, court order, or governmental or regulatory authority. We may also disclose information where we believe in good faith that disclosure is necessary to protect our rights, the rights of other users, or the safety of any person, or to detect or prevent fraud or illegal activity.

Business Transfers

In the event that NETRA NEXUS or its parent company is acquired, merged with, or otherwise transferred to another organization, your personal information may be transferred as part of that transaction. We will provide reasonable notice before your information becomes subject to a materially different privacy policy and will seek your consent where required by applicable law.

12. Service Providers

We work with the following third-party service providers to operate the Platform. Each provider processes personal data only as necessary to deliver their services and is subject to appropriate contractual data protection obligations.

Provider Role Personal Data Shared
Supabase (via Lovable Cloud) Database hosting, user authentication, file storage, server-side computing, and real-time data delivery All Platform data, including user profiles, prospect data, messages, and subscription information
Stripe, Inc. Subscription payment processing Email address, user identifier, and subscription metadata
Google LLC OAuth sign-in (if you choose to use Google sign-in) Name, email address, and OAuth identifier returned to Supabase Auth
Apple Inc. OAuth sign-in (if you choose to use Apple sign-in) Name, email address, and OAuth identifier returned to Supabase Auth
Lovable Application hosting and delivery Standard web traffic data

We do not use advertising networks, behavioral analytics platforms, email marketing services, SMS providers, session recording services, error-tracking services, or AI / machine-learning processing services in connection with the Platform.

13. International Data Transfers

The NETRA NEXUS Platform is built on infrastructure managed by Supabase (via Lovable Cloud) and Stripe, which may store and process data in data centers located outside of Canada. The specific geographic region(s) of our database infrastructure are determined by our infrastructure providers.

Quebec residents: Personal information you provide to NETRA NEXUS may be communicated outside of Quebec for processing by our service providers. We take steps to ensure that personal information shared with providers outside Quebec receives a level of protection comparable to that afforded under Quebec's Law 25, primarily through contractual provisions with those providers.

EEA and UK users: If you are located in the European Economic Area or the United Kingdom, your personal data may be transferred to and processed in countries that are not subject to an adequacy decision by the European Commission. Where such transfers occur, we rely on the appropriate safeguards established by our service providers, including Standard Contractual Clauses (SCCs) as adopted by the European Commission or equivalent mechanisms under UK law.

You may request more information about the safeguards applicable to international transfers by contacting us at the address listed in Section 20.

14. Data Retention

We retain your personal information for as long as your account is active or as otherwise necessary to provide the services you have requested and to comply with applicable legal obligations.

  • Account data: Retained for the duration of your account. No automatic account or data deletion is currently implemented.
  • User-generated content (messages, notes, appointments, prospect records): Retained until you or another authorized user deletes the record through the Platform interface, or until account deletion is processed.
  • Billing and subscription records: Retained as required by applicable financial and tax regulations, which may require retention beyond the termination of your account.
  • Stripe webhook event logs: Retained in a system-level audit log accessible only to our service-level account for reconciliation and compliance purposes.

Account and data deletion: A self-serve account deletion or data-export feature is not currently available within the Platform interface. If you wish to request deletion of your personal information, please contact us using the information in Section 20. We will respond to deletion requests within the timeframe required by applicable law, subject to any legal obligations that require us to retain certain information.

15. Security Measures

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, use, disclosure, alteration, and destruction. These measures include:

  • Row-Level Security (RLS): Every database table is subject to access controls that ensure each user can only read and modify their own authorized data.
  • Privileged server-side functions: Sensitive data operations (for example, accessing tracking sheet URLs) are governed by server-side functions that perform explicit authorization checks before returning data.
  • CORS restrictions: Our server-side API functions accept requests only from known, authorized application origins.
  • Stripe webhook signature verification: All incoming Stripe payment events are cryptographically verified before processing, preventing spoofed webhook attacks.
  • Hierarchical access model: Access to team data is governed by a depth-limited organizational hierarchy combined with an explicit, user-controlled access-grant system.
  • Server-side secret management: API keys and service credentials are stored as server-side secrets and are never exposed to client-side code.
  • Minimal client-side storage: The application does not set cookies. The only browser-level storage used is localStorage for your authentication session and a small number of UI preferences.

Despite these measures, no method of electronic storage or internet transmission is completely secure. We cannot guarantee the absolute security of your information. In the event of a data breach, we will notify affected users and applicable regulatory authorities in accordance with applicable law.

16. Your Privacy Rights

Rights Under Canadian Law (PIPEDA and Quebec Law 25)

If you are a Canadian resident, you have the following rights with respect to your personal information:

  • Right of access: Request access to the personal information we hold about you and information about how it is being used.
  • Right to correction: Request that we correct inaccurate or incomplete personal information.
  • Right to withdraw consent: Where our processing is based on your consent, you may withdraw it at any time.
  • Right to complain: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) or, if you are a Quebec resident, with the Commission d'accès à l'information (CAI).

Quebec residents have additional rights under Law 25, including the right to request destruction or anonymization of data no longer needed for its original purpose; the right to data portability (where technically feasible); and the right to be informed when your personal information is communicated outside of Quebec.

Rights Under the GDPR (EEA and UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR or UK GDPR:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data where there is no overriding legitimate reason for us to retain it.
  • Right to restriction of processing (Art. 18): Request that we limit our processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive personal data you have provided to us in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority.

How to Exercise Your Rights

To exercise any of the rights described in this section, please contact us at privacy@netranexus.com. Please include your name and the email address associated with your account so we can verify your identity before processing your request. We aim to respond to all requests within 30 days of receipt, or such shorter period as may be required by applicable law.

Office of the Privacy Commissioner of Canada

www.priv.gc.ca

Commission d'accès à l'information (Quebec)

www.cai.quebec.ca

17. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:

  • Right to know: The right to know what categories of personal information we collect, the purposes for which it is used, and with whom it is shared.
  • Right to delete: The right to request deletion of personal information we hold about you, subject to certain legal exceptions.
  • Right to correct: The right to request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: The right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: The right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.
We Do Not Sell or Share Your Data for Advertising We do not sell your personal information and do not share it for cross-context behavioral advertising.

To submit a CCPA/CPRA request, please contact us at privacy@netranexus.com. We will verify your identity before processing your request.

18. Children's Privacy

NETRA NEXUS is not directed at, and is not intended for use by, children under the age of 16 (or under 13 in jurisdictions where that is the applicable threshold).

We do not knowingly collect personal information from children below these ages. If you are a parent or guardian and you believe your child has provided us with personal information without appropriate consent, please contact us at privacy@netranexus.com. We will take prompt steps to delete such information from our records.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Platform's features, or applicable legal requirements. When we make material changes, we will:

  • Post the updated policy on this page with a new "Last Updated" date.
  • Notify registered users via in-app notification or email at least 14 days before the changes take effect.
  • Provide a plain-language summary of the key changes for transparency.

Your continued use of NETRA NEXUS after any changes become effective constitutes your acceptance of the revised policy. If you disagree with the changes, you may request account deletion by contacting us at the address in Section 20. Prior versions of this policy are available upon request.

20. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:

Privacy Officer — NETRA Nexus Inc.

Email: privacy@netranexus.com
Response Time: We aim to respond within 30 days of receipt.
Mailing Address: NETRA Nexus Inc., 4517 Washington Ave, Suite 300, Manchester, KY 40962, United States

For users in the EEA or United Kingdom, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights under the GDPR or UK GDPR have been violated. A list of EEA supervisory authorities is available at edpb.europa.eu.

Office of the Privacy Commissioner of Canada

www.priv.gc.ca

Commission d'accès à l'information (Quebec)

www.cai.quebec.ca