Privacy, plainly.
What we collect
When you join Nexus Club we collect your email address and a hashed password. If you connect an Instagram account, we also store your Instagram user ID, username, account type, and an encrypted long-lived access token issued by Meta. Application notes you write are stored with the campaign you applied to.
What we do not collect
We do not see or store your Instagram password. We do not scrape your Instagram content outside of what Meta's official APIs return with your consent. We do not sell your data to third parties.
How Instagram access works
Connection uses Meta's official OAuth flow. When you click "Connect Instagram" you are sent to Instagram's consent screen, which lists the exact permissions requested. On approval Meta returns a short-lived access token, which we exchange for a long-lived token (~60 days) and encrypt at rest with AES-256-GCM.
You can revoke access at any time in Instagram → Settings → Apps and websites, or by clicking "Disconnect" in your dashboard.
How Gmail access works
When you choose to connect Gmail, Nexus Club requests the single scope gmail.send via Google's OAuth flow. This lets us send email from your address for approved campaigns only. We cannot read your inbox, drafts, or sent folder.
Refresh tokens are encrypted at rest with AES-256-GCM. Revoke access at myaccount.google.com/permissions — no sign-in with us required.
We send transactional email — welcomes, application updates, password resets — through our email provider. We do not run a marketing list.
Your rights
Write to support@thenexusclub.org to request a copy, correction, or deletion of your data. We respond within thirty days.
Cookies
We use a single session cookie to keep you signed in. It is HTTP-only and signed. No third-party analytics or advertising cookies.
Data residency
Member records, encrypted access tokens, applications, campaigns, support tickets, and withdrawal requests live in our primary database — Neon Postgres on AWS, region ap-southeast-1 (Singapore) — co-located with the registered office. Daily encrypted snapshots are taken in the same region. Application requests transit Vercel's global edge before reaching the database; Vercel's cache windows are stated in our subprocessor list.
Email is sent through Resend (United States). Support-ticket attachments are stored on Vercel Blob (multi-region under Vercel). Where personal data leaves a member's region of residence in the course of normal operation, the transfer is covered by the safeguards in our Data Processing Addendum. The full vendor list, what each touches, and the region of each is at /subprocessors.
Your rights, by region
If you live in the European Economic Area or the United Kingdom, you hold the rights under the GDPR / UK GDPR — access, rectification, erasure, restriction, portability, objection, and to lodge a complaint with your local supervisory authority. If you live in California, you hold the rights under the CCPA / CPRA — to know, to delete, to correct, to opt out of sale or sharing (we do not sell or share), and to limit use of sensitive personal information. If you live in India, you hold the rights under the Digital Personal Data Protection Act, 2023.
The route is the same for all three: write to support@thenexusclub.org. We respond within thirty days, in writing.