Data Protection and Privacy Policy
Last Updated: 28 April 2026
OVERVIEW
Nox ("Platform", "we", "us", "ours") is an AI-powered personal coaching application accessible only via mobile applications on the Apple App Store and Google Play Store. Our website https://www.nox.today provides marketing information about the Platform and download links to these mobile applications, and is not itself a means of accessing the Platform. The Platform is owned and operated by M/s Mowgli Brothers Studios Private Limited ("Company"), a company incorporated under the laws of India.
This Data Protection and Privacy Policy ("Policy") explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have. This Policy applies to all users of the Platform, regardless of location.
We are committed to protecting your privacy in compliance with:
- India: Digital Personal Data Protection Act, 2023 ("DPDP Act")
- European Union / United Kingdom: General Data Protection Regulation ("GDPR")
- United States: California Consumer Privacy Act ("CCPA"), Children's Online Privacy Protection Act ("COPPA")
- Global: Apple App Store and Google Play Store privacy requirements
If you do not agree with this Policy, please discontinue use of the Platform immediately.
1. DATA CONTROLLER / DATA FIDUCIARY
Mowgli Brothers Studios Private Limited acts as the Data Fiduciary (under DPDP Act) and Data Controller (under GDPR) for your personal data.
Contact Details:
- Email: support@nox.today
- Grievance Officer: Abhilaksh Sharma, reachable at grievance@nox.today
- Registered Address: D 411, Vrundavan Trade Center, Kudasan, Gandhinagar - 382421, Gujarat, India
For EU/UK users, you may also contact your local supervisory authority if you are unsatisfied with our response to a privacy concern.
2. CONSENT
Giving Consent
By registering on the Platform and accepting the Terms of Use and this Policy as part of account creation and onboarding, you confirm that you have read, understood, and consented to the collection, use, and processing of your personal data as described herein.
The Platform is an AI-powered service. Use of any AI feature on the Platform inherently requires the transmission of your inputs (including chat messages, proof submissions, and related context) to our AI service providers (such as OpenAI) so that Nox AI can generate a response. By accepting this Policy and using the Platform, you consent to such transmission. Nox AI cannot function without it, and there is no separate prompt for this transmission; your acceptance of this Policy on registration is the consent.
Training and Fine-Tuning Opt-Out
The only consent that you may withdraw without ceasing to use the Platform is the consent for Nox to use your eligible Content and related usage data to improve, evaluate, fine-tune, or train Nox-controlled AI systems (Section 4.3). This opt-out is available at any time via Settings > Data Controls.
Withdrawing Consent Generally
If you no longer consent to the processing described in this Policy, your remedy is to delete your account (Section 9). Account deletion terminates ongoing processing of your personal data subject to the limited retention obligations described in Section 10. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
3. WHAT DATA WE COLLECT
3.1 Data You Provide Directly
| Data Category | Specific Fields | Purpose |
|---|---|---|
| Account & Identity | Email address, password (encrypted), full name, username, display name, date of birth, gender | Account creation, authentication, age verification |
| Profile | Profile photograph (avatar), bio text | Personalisation, social features |
| Pact Content | Pact titles, descriptions, goals, rules, deadlines, frequency settings | Pact creation and management |
| Proof Submissions | Photographs, written statements ("bonds"), text descriptions | Goal verification, AI analysis |
| Chat Messages | Nox AI conversation text, Pact Chat messages, voice inputs (converted to text) | AI coaching, group communication |
| Social Connections | Friend requests, group memberships, block lists | Social features, safety |
| Reports & Feedback | Report reasons, feedback text | Content moderation, platform improvement |
| Support Communications | Emails to support@nox.today | Customer support |
3.2 Data We Generate or Derive
| Data Category | Description | Purpose |
|---|---|---|
| Integrity Score (INT / Integrity Points) | Numerical score, expressed in Integrity Points (abbreviated INT), reflecting Pact completion history, difficulty, and closure performance | Gamification, accountability |
| AI Memories | Usage patterns, preferences, goals, habits, and contextual information extracted from your conversations | Personalised AI coaching |
| Proof Metadata | Structured data extracted from proof submissions by AI (e.g., exercise type, reps, weight) | Progress analytics, AI verification |
| Streaks & Rankings | Consecutive completion counts, leaderboard positions | Social accountability |
3.3 Data Collected Automatically
| Data Category | Specific Fields | Purpose |
|---|---|---|
| Device Information | Device model, operating system, app version, platform (iOS/Android) | Compatibility, crash reporting |
| Usage Data | Screens viewed, features used, session duration, interaction events | Analytics, product improvement |
| Push Notification Tokens | Device identifiers for push delivery | Push notification delivery |
| IP Address | IP address at time of access | Approximate geolocation, security, fraud prevention |
| Error & Crash Data | Error reports, device context | App stability and debugging |
| Attribution Data | Install source, campaign identifiers | Marketing attribution |
3.4 Data We Do NOT Collect
We do not collect:
- Precise GPS location data
- Contacts or address book data
- Call or SMS metadata
- Health data via device health integrations
- Biometric data (fingerprints, facial recognition)
- Browser history
- Device-wide app lists
- Permanent hardware identifiers
4. HOW WE USE YOUR DATA
4.1 Purposes and Legal Basis
| Purpose | Data Used | Legal Basis (GDPR) | Legal Basis (DPDP) |
|---|---|---|---|
| Account creation & authentication | Email, name, password, DOB, gender | Contract performance | Consent |
| Nox AI coaching | Messages, pact context, memories, preferences | Consent | Consent |
| Nox AI proof verification | Proof images, text, pact requirements | Consent | Consent |
| Nox AI in Pact Chats | Pact Chat messages, pact context | Consent | Consent |
| Nox AI memory & personalisation | Conversation content, usage patterns | Consent | Consent |
| Pact management | Pact data, deadlines, proof submissions | Contract performance | Consent |
| Social features | Profile info, friend lists, group memberships | Contract performance | Consent |
| Push notifications | Device tokens, notification preferences | Consent | Consent |
| Analytics & product improvement | Usage data, events, aggregated patterns | Legitimate interest | Legitimate uses (Section 7, DPDP Act) |
| Marketing attribution | Install source, campaign IDs | Legitimate interest | Legitimate uses (Section 7, DPDP Act) |
| Error tracking & debugging | Crash data, device context | Legitimate interest | Consent |
| Security & fraud prevention | IP address, usage patterns, rate limiting | Legitimate interest | Consent |
| Legal compliance | Billing records, deletion audit logs | Legal obligation | Legal obligation |
| Email communications | Email address | Consent | Consent |
| Nox AI fine-tuning and training | Your Content (conversations, proof submissions) and usage patterns | Legitimate interest (with opt-out) | Consent (with opt-out) |
4.2 Nox AI: How Your Data is Processed
Nox AI is a single AI system that operates across multiple surfaces within the Platform:
- Coaching Conversations: Your messages, pact context, and AI-extracted memories are sent to our model provider (OpenAI) to generate personalised coaching responses. Nox AI draws on your stored memory to provide contextually relevant guidance.
- Proof Verification: When you submit proof, your photographs or text submissions are sent to OpenAI for automated evaluation against your Pact requirements. Nox AI may extract structured information (e.g., exercise metrics) from your submissions.
- Pact Chat Assistance: In multiplayer Pact group chats, messages and pact context are sent to OpenAI to generate moderation responses, activity announcements, and rule clarifications.
- Long-term Memory and Personalisation: Content from your interactions is analysed and stored to build a profile of your goals, preferences, and usage patterns. This memory improves coaching quality over time and is core to how Nox delivers personalised accountability. All Nox AI memory linked to your account is personal data and will be permanently deleted upon account deletion.
Nox AI, long-term memory, personalisation, proof verification, and Pact Chat assistance are required for the AI-powered Service to function. The transmission of your inputs to our AI service providers is therefore a necessary part of using the Platform; if you do not consent to such transmission, your remedy is to delete your account (Section 9). The training and fine-tuning of Nox-controlled AI systems is a separate use governed by Section 4.3 and may be opted out of without disabling the Service.
4.3 Nox AI Fine-Tuning and Training
For the purposes of this Section, "Content" means the input you provide to the Services and the output you receive from Nox AI (collectively, your conversations, messages, proof submissions, and related in-app interactions).
Separately from the core Nox AI processing described in Section 4.2, Nox may use eligible Content and related usage patterns to improve, evaluate, fine-tune, or train the AI systems that power Nox.
Fine-tuning and training is enabled by default. You may opt out at any time via Settings → Data Controls or by contacting support@nox.today. Opting out applies to future Content going forward. Content that has already been used to train a model version cannot be retroactively removed from that model. Opt-out does not disable Nox AI, long-term memory, personalisation, proof verification, or Pact Chat assistance, because those uses are required for the Service to function.
OpenAI processes Content on our behalf to power Nox AI. OpenAI does not use data submitted through its API to train OpenAI's models. Nox's own training and model-improvement use is governed by your Data Controls setting and this Policy.
We may continue to use aggregated and de-identified data (including for model improvement, analytics, and research) regardless of your opt-out setting. Aggregated and de-identified data is not personal data and is not subject to this Policy.
Where identifiable data is sought for research or external collaboration beyond what is described above, we will request and obtain your express written consent in advance.
4.4 Automated Decision-Making
The Platform uses automated decision-making in the following way:
- Nox AI Proof Verification: Nox AI automatically accepts or rejects proof submissions based on analysis of submitted evidence against Pact requirements.
Your rights regarding automated decisions (GDPR Article 22):
- You have the right to request human review of any automated decision
- You have the right to appeal a rejected or missed proof decision through the in-app Acceptance Token mechanism (see Terms of Use, Section 9)
- You have the right to contest another Participant's accepted proof through the in-app contest mechanism (see Terms of Use, Section 9)
- You have the right to an explanation of the logic involved in the decision
- You may contact support@nox.today to request human intervention
Under the DPDP Act, there is currently no equivalent automated decision-making right; however, we extend the same human review mechanism to all users regardless of jurisdiction.
5. THIRD-PARTY SERVICE PROVIDERS
We share your data with the following categories of third-party service providers, each bound by contractual data protection obligations:
5.1 AI Services
| Provider | Data Shared | Purpose | Retention by Provider |
|---|---|---|---|
| OpenAI (USA) | Conversation text, proof images, pact context | AI coaching, proof verification, speech-to-text | Up to 30 days for safety monitoring; not used for model training |
OpenAI's data processing is governed by their Data Usage Policy and Data Processing Addendum. OpenAI does not use data submitted through its API to train OpenAI's models. Separately, Nox may use eligible Content to improve, fine-tune, evaluate, or train Nox-controlled AI systems as described in Section 4.3 and controlled by your Data Controls setting.
5.2 Authentication
| Provider | Data Shared | Purpose |
|---|---|---|
| Clerk (USA) | Email, name, sign-in credentials | User authentication and session management |
5.3 Payments & Subscriptions
| Provider | Data Shared | Purpose |
|---|---|---|
| RevenueCat (USA) | Subscription status, plan type, transaction IDs | Subscription management, billing via App Store / Play Store |
| Apple App Store / Google Play Store | Payment details (handled directly by Apple/Google) | Payment processing |
We do not directly collect or store credit card numbers, bank account details, or other payment instruments. All payment processing is handled by Apple, Google, and RevenueCat.
5.4 Cloud Infrastructure & Storage
| Provider | Data Shared | Purpose |
|---|---|---|
| Railway (USA) | All application data | Server hosting and database |
| Cloudflare (Global) | Proof images, profile pictures, uploaded documents | File storage and delivery |
5.5 Analytics & Attribution
| Provider | Data Shared | Purpose |
|---|---|---|
| Mixpanel (USA) | Usage events, device info, app version | Product analytics, feature usage tracking |
| AppsFlyer (Israel/Global) | Install source, conversion events, device identifiers | Install attribution, campaign measurement |
Analytics events tracked include actions such as signing up, creating pacts, submitting proof, sending messages, and subscribing. Attribution data is used by Nox to measure the performance of its own marketing campaigns, understand which user cohorts find Nox valuable, exclude existing Users from acquisition campaigns where appropriate, and help Nox reach similar prospective Users through its own acquisition campaigns. These providers act as service providers / data processors and are contractually prohibited from using this data for their own independent purposes, for the benefit of other advertisers, or to advertise their own products or services to you. Nox does not sell personal data. We do not provide your Nox AI conversations, Pact content, proof submissions, profile data, or other content you create on the Platform to advertisers, data brokers, or third parties so they can market their own products or services to you.
5.6 Error Tracking
| Provider | Data Shared | Purpose |
|---|---|---|
| Sentry (USA) | Error reports, device info | Crash reporting and error monitoring |
5.7 Notifications & Email
| Provider | Data Shared | Purpose |
|---|---|---|
| OneSignal (USA) | Device identifiers, notification content | Push notification delivery |
| Resend (USA) | Email address, email content | Transactional emails (welcome, deletion confirmation) |
5.8 Cross-Border Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards for such transfers:
- GDPR: We rely on Standard Contractual Clauses (SCCs) for transfers to countries without EU adequacy decisions (including the USA and India). Where applicable, we rely on the EU-US Data Privacy Framework for certified recipients.
- DPDP Act: Cross-border transfers are currently permitted by default under the DPDP Act, unless the Indian government restricts specific countries by notification. No such restrictions are currently in force.
6. DATA STORED ON YOUR DEVICE
The following data is stored locally on your mobile device using encrypted on-device storage:
| Data Stored | Purpose |
|---|---|
| Authentication session tokens | Keeping you signed in |
| User preferences (theme, notification settings) | Remembering your settings |
| Pending uploads | Resuming uploads when connectivity is restored |
| Cached data | Faster app performance and offline access |
| Secure credentials | Authentication with third-party providers |
This data remains on your device and is not transmitted to our servers unless required for functionality (e.g., syncing pending uploads when connectivity is restored). Clearing your app data or uninstalling the app removes this local storage.
7. COOKIES
Mobile Application
The Nox mobile application does not use browser cookies. Local data storage is handled via encrypted on-device storage as described in Section 6.
Website (nox.today)
Our website may use the following cookies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session management, security, load balancing | Session |
| Analytics | Understanding website usage patterns (Mixpanel) | Up to 12 months |
| Functional | Remembering user preferences | Up to 12 months |
We do not use advertising or tracking cookies on our website. You may disable cookies through your browser settings, though this may affect website functionality.
For detailed cookie management, see the cookie consent banner displayed on first visit to our website.
8. YOUR RIGHTS
8.1 Rights Under GDPR (EU/UK Users)
If you are located in the European Union or United Kingdom, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal data | In-app data export or email support@nox.today |
| Rectification | Correct inaccurate personal data | Edit profile in-app or email support@nox.today |
| Erasure | Request deletion of your personal data | In-app account deletion or email support@nox.today |
| Data Portability | Receive your data in a structured, machine-readable format | In-app data export or email support@nox.today |
| Restriction | Restrict processing of your data | Email support@nox.today |
| Objection | Object to processing based on legitimate interest, including profiling | Email support@nox.today |
| Automated Decision-Making | Request human review of automated decisions (Nox AI proof verification) | In-app appeal or email support@nox.today |
| Withdraw Training Consent | Opt out of use of your Content for Nox AI training and fine-tuning | Settings > Data Controls, or email support@nox.today |
| Withdraw Consent Generally | Withdraw consent for processing under this Policy by deleting your account (the Platform's AI features cannot operate without transmission of your inputs to AI providers; see Section 2) | In-app account deletion, or email support@nox.today |
| Complaint | Lodge a complaint with your supervisory authority | Contact your local Data Protection Authority |
Response timeline: We will respond to rights requests within 30 days, extendable to 90 days for complex requests with prior notification.
8.2 Rights Under DPDP Act (Indian Users)
If you are located in India, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Information | Know what data is processed and who it is shared with | This Policy; or email support@nox.today |
| Correction | Correct inaccurate or incomplete personal data | Edit profile in-app or email support@nox.today |
| Erasure | Request deletion of your personal data | In-app account deletion or email support@nox.today |
| Grievance Redressal | File a complaint about data handling | Email grievance@nox.today |
| Nomination | Nominate another individual to exercise your rights upon death or incapacity | Email support@nox.today |
Response timeline: We will acknowledge and respond to rights requests within 7 days as prescribed by DPDP Rules, with resolution within 90 days.
If you are unsatisfied with our response, you may escalate your complaint to the Data Protection Board of India.
8.3 Rights Under CCPA / CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you specific rights regarding your personal information. This Section supplements Sections 3, 4, and 5 above.
Notice at Collection. In the preceding twelve (12) months, we have collected the following categories of personal information defined by the CCPA. We collect all categories from you directly or from your device, and use them for the purposes set out in Section 4.
| CCPA Category | Examples in Nox | Disclosed To |
|---|---|---|
| Identifiers | Email, name, username, IP address, device identifiers, account ID | Service providers in Section 5 (e.g., Clerk, OpenAI, RevenueCat) |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Name, email, encrypted password, date of birth, gender | Service providers in Section 5 |
| Internet or other network activity | Screens viewed, features used, interaction events, app version | Mixpanel, AppsFlyer, Sentry |
| Geolocation data (approximate only) | IP-based approximate location | Service providers handling the relevant request |
| Visual / audiovisual | Profile photo, proof images, voice inputs (transcribed in-session; audio not retained) | OpenAI (proof verification), Cloudflare R2 (storage) |
| Inferences | Goals, habits, preferences inferred from your conversations | OpenAI (during coaching session); not shared outside Nox otherwise |
| Sensitive personal information | None. Nox does not collect government IDs, financial account numbers, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, or health/medical records. | — |
No Sale or Sharing. Nox does not sell your personal information for monetary or other valuable consideration, and does not share your personal information for cross-context behavioral advertising, as those terms are defined by the CCPA. We have not done so in the preceding twelve (12) months. Because we do not sell or share, no "Do Not Sell or Share My Personal Information" link is required. If this changes, we will update this Policy and provide the required opt-out mechanism.
Your California Rights. In addition to the rights described in Section 8.1, California residents have the following:
| Right | Description | How to Exercise |
|---|---|---|
| Right to Know | Request the categories and specific pieces of personal information we have collected, used, disclosed, and shared about you in the preceding 12 months, and the sources, purposes, and recipients | In-app data export or email support@nox.today |
| Right to Delete | Request deletion of your personal information, subject to legal exceptions (e.g., billing records retained for tax compliance) | In-app account deletion or email support@nox.today |
| Right to Correct | Request correction of inaccurate personal information | Edit profile in-app or email support@nox.today |
| Right to Limit Use of Sensitive PI | Not applicable — Nox does not collect or use sensitive personal information | — |
| Right to Opt-Out of Sale/Sharing | Not applicable — Nox does not sell or share personal information | — |
| Right to Non-Discrimination | Exercise CCPA rights without retaliation from Nox in pricing, service quality, or access | Automatic |
Authorized Agents. You may designate an authorized agent to submit a CCPA request on your behalf. We will require the agent to provide written authorization signed by you and may require you to verify your identity directly.
Verification. To protect your privacy, we verify your identity before fulfilling a request to know, delete, or correct. For account-holders, signing in to your Nox account satisfies verification.
Response Timeline. We will acknowledge CCPA requests within ten (10) business days and respond substantively within forty-five (45) days, extendable by another forty-five (45) days where reasonably necessary, with prior notice.
Right to Appeal. If we deny your request in whole or in part, you may appeal by emailing support@nox.today with "CCPA Appeal" in the subject line. We will respond to appeals within sixty (60) days.
8.4 Data Export
You may request a complete export of your personal data at any time. The export is provided as a downloadable archive containing:
- Your account and profile information
- Your notification and AI preferences
- All Pacts you have participated in
- Your Nox AI conversation history
- Your messages in Pact group chats
- Your friend connections
- Your group memberships
- AI memory records associated with your account
9. ACCOUNT DELETION
How to Delete Your Account
You may delete your account at any time through:
- In-app: Account Settings > Delete Account
- Web (without app installed): https://www.nox.today/account-deletion
- Email: support@nox.today
What Happens When You Delete
Immediate (during deletion request):
- Your account is deactivated and all active sessions are revoked
- A deletion confirmation email is sent to your registered email address
- An audit record is created (non-PII, for compliance; see Section 10)
Within 24 hours:
- All personal data is permanently deleted from our systems, including: profile, messages, AI memories, proofs, friendships, groups, notifications, and subscription records
- All uploaded files (proof images, profile pictures) are permanently deleted from our storage
- Your account is removed from our authentication and notification providers
What is NOT deleted:
- Billing audit records (anonymised, non-PII): Retained for 15 years for tax and regulatory compliance (see Section 10)
- Deletion audit log (non-PII): Retained for 15 years for GDPR compliance records
- Accepted proofs in active Pacts: If other Participants have contested or referenced your accepted proofs in ongoing Pacts, those proof records may be preserved until the Pact concludes. Your identity is disassociated from them.
Pre-conditions: If you have an active Pro subscription, you must cancel it through your App Store or Play Store account settings before account deletion can proceed.
10. DATA RETENTION
| Data Category | Retention Period | Basis |
|---|---|---|
| Active user data | For the duration of your account | Service provision |
| Deleted user data | Purged within 24 hours of deletion request | User right to erasure |
| Notifications | 90 days from creation, then hard deleted | Data minimisation |
| AI memories | Per retention policy (some expire; all deleted with account) | AI coaching quality |
| Billing audit records | 15 years after account deletion | Tax compliance (Indian tax law) |
| Deletion audit logs | 15 years after account deletion | Regulatory compliance |
| Data held by AI provider (OpenAI) | Up to 30 days | Safety monitoring |
| Analytics data | Per vendor retention policies | Analytics purposes |
| Error data | Per vendor retention settings | Debugging |
11. CHILDREN'S DATA
Age Restrictions
The Platform is intended for users aged 18 years and older. We do not knowingly collect personal data from anyone under 18 years of age.
- Under the DPDP Act, a child is any person under 18. Processing children's data requires verifiable parental consent, and profiling or behavioural tracking of children is prohibited.
- Under GDPR, the age of digital consent varies by member state (13-16 years). We apply the stricter DPDP standard of 18 globally.
- Under COPPA, we do not knowingly collect data from children under 13.
If We Discover a Child's Data
If we become aware that we have collected personal data from a person under 18 without appropriate parental consent, we will:
- Immediately cease processing that data
- Delete all personal data associated with the account within 24 hours
- Notify the parent or guardian if contact information is available
If you believe a child under 18 has created an account on our Platform, please contact us immediately at support@nox.today.
12. PROOF SUBMISSIONS: SPECIAL CONSIDERATIONS
What Proof Data Includes
Proof submissions may contain photographs of yourself, your environment, or activities. These images may incidentally capture:
- Your physical appearance
- Your location (if visible in the image)
- Other individuals (if present in the image)
- Personal possessions or surroundings
How Proof Data is Processed
- Upload: Proof images are uploaded from your device to our secure cloud storage. Images are compressed on your device before upload.
- Nox AI Verification: Proof images are transmitted to OpenAI for automated analysis by Nox AI. OpenAI retains this data for up to 30 days for safety monitoring.
- Storage: Proof files are securely stored for the lifetime of your account.
- Visibility: Proof submissions are visible to other Participants in the same Pact, and to Nox administrators for moderation purposes.
- Deletion: All proof files are permanently deleted upon account deletion.
Your Responsibilities
- Ensure you have consent from any individuals visible in your proof submissions
- Do not include sensitive personal information (ID documents, financial information) in proof images
- Do not submit explicit, violent, or otherwise inappropriate content
13. DATA SECURITY
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted
- Encryption at rest: All stored personal data is encrypted, both in our databases and on your device
- Password security: Passwords are securely encrypted; we never store plaintext passwords
- Access controls: Role-based access to systems and data, following the principle of least privilege
- Infrastructure security: Our servers, databases, and storage providers maintain industry-standard security controls
- Rate limiting: Automated abuse prevention to protect against unauthorised access
- Monitoring: Continuous error tracking, application logging, and anomaly detection
No data transmission or storage system is completely secure. While we strive to protect your information using industry-standard practices, we cannot guarantee absolute security against all threats.
14. DATA BREACH NOTIFICATION
In the event of a personal data breach:
- India (DPDP Act): We will notify the Data Protection Board of India and affected users within 72 hours of becoming aware of the breach
- EU/UK (GDPR): We will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- All users: We will notify affected users via email and/or in-app notification, describing the nature of the breach, data affected, measures taken, and recommended protective actions
15. INVITATIONS
How You Can Invite Others
You may invite non-users to join Nox and participate in Pacts by sharing an invite link. When someone joins via your invite:
- We store their registration data as described in this Policy
- Your referral code is recorded for attribution purposes
Your Responsibility
By inviting someone to Nox, you confirm that the invitation is genuine and welcome. Do not use the invitation feature to spam or harass individuals.
16. SHARING AND VISIBILITY
Within the Platform
| Context | What is Visible | To Whom |
|---|---|---|
| Profile | Username, display name, avatar, bio, Integrity Score (INT) | Other users (per privacy settings) |
| Pact participation | Pact membership, proof submissions, streaks, leaderboard ranking | Pact members |
| Pact Chat | Messages you send in group chats | Other Pact members |
| Friends | Activity status, pact participation | Accepted friends |
| Groups | Membership, pact activity within group | Group members |
Public vs Private Pacts
- Public Pacts: Discoverable by all users; membership and progress visible
- Private Pacts: Only visible to invited members
You may manage visibility preferences through your account settings. Participation in multiplayer Pacts requires a minimum level of information disclosure to ensure fair play and accountability.
What We Do NOT Share
- We do not sell your personal data to third parties
- We do not share your data with advertisers for targeted advertising
- We do not provide third-party access to your Nox AI conversation content (except to OpenAI for processing, as described in Section 5.1)
17. DISCLOSING YOUR DATA
We may disclose your personal data in the following circumstances:
- As required by applicable law, regulation, or legal process
- To establish, exercise, or defend our legal rights, including fraud prevention
- In connection with ongoing or anticipated legal proceedings
- To any individual or entity reasonably believed to be entitled to obtain such information through a lawful court or regulatory authority order
- To relevant authorities, financial institutions, or other entities in compliance with legal requirements
- To third-party service providers as described in Section 5, bound by contractual data protection obligations
We do not sell or rent your personal data. Where we share aggregated, anonymised data with partners for analytical purposes, no personally identifiable information is included.
18. THIRD-PARTY LINKS
The Platform may contain links to external websites or services. We do not control and are not responsible for the content, privacy policies, or practices of third-party websites. We encourage you to review the privacy policies of any third-party sites before providing personal data.
19. CHANGES TO THIS POLICY
We reserve the right to update this Policy at any time. Changes will be communicated through:
- In-app notification
- Email notification for material changes
- Updated "Last Updated" date on this Policy
Where material changes require renewed consent under applicable law, we will obtain such consent before the changes take effect.
Continued use of the Platform after notification constitutes acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Platform and may request account deletion.
20. MISCELLANEOUS
- This Policy shall be read in conjunction with our Terms of Use and other Platform Policies
- In the event of conflict between this Policy and any other Platform policy regarding personal data protection, this Policy shall prevail
- The governing law and jurisdiction applicable to this Policy shall be as set forth in our Terms of Use (courts of Gandhinagar, India)
- If any provision of this Policy is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect
- This Policy applies exclusively to personal data processed through the Platform and does not extend to data collected offline or through channels other than the Platform
21. CONTACT US
For any questions, concerns, or requests regarding this Policy or your personal data:
- General Support: support@nox.today
- Grievance Officer (DPDP Act): grievance@nox.today (Grievance Officer: Abhilaksh Sharma)
- Data Protection Queries (GDPR): privacy@nox.today
- Founders: founders@nox.today
We will acknowledge receipt of your query within 7 days and provide a substantive response within 30 days (or 90 days for complex requests, with prior notification).
By using Nox, you acknowledge that you have read and understood this Data Protection and Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.