Privacy Policy
Last updated: April 4, 2026
This Privacy Policy explains how Connex (“we”, “us”, or “our”) collects, uses, stores, and shares your personal information when you use the Connex application and services.
1. Who We Are
Connex is a professional networking platform that lets users share digital identity cards through a unique 6-character ConnexCode. This policy applies to all users of the Connex mobile app and associated services.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Data | Required |
|---|---|---|
| Identity | First name, last name | Yes |
| Contact | Phone number and/or email address | At least one |
| Demographics | Date of birth, gender | Yes (during setup) |
| Location | Country (ISO code) | Yes |
| Profile | About/bio text, profile photo | Optional |
| Professional | Social media handles, website URLs, portfolio links, custom field labels | Optional |
| Files | Custom profile images and PDFs attached to profile fields | Optional |
2.2 Information Collected Automatically
- Device information: Device name, operating system, and a device identifier (used to manage active sessions)
- IP address and approximate city:Captured at login and recorded per session for security display (e.g., “Last seen from Mumbai”)
- Location name:If you use the “Nearby” connection feature, a human-readable location name (e.g., “JNTU College, Hyderabad”) is derived from your device's GPS coordinates. Raw GPS coordinates are never transmitted to or stored on our servers.
- Usage metadata: Timestamps of logins, connection requests, and other actions
2.3 Information from Others
- Other users may add a private nickname or note to your connection. These are visible only to that user and never shared with you or third parties.
- Other users may file a report against your account; the report reason is stored for moderation review.
3. How We Use Your Information
We use your information to:
- Authenticate you via one-time passwords (OTP) delivered by SMS or email
- Create and display your professional profile to people you connect with
- Facilitate connection requests (nearby, remote, or board-based)
- Enforce daily connection quotas and feature limits based on your plan
- Send push notifications (if enabled)
- Process plan subscription payments via Razorpay
- Maintain account security (session management, rate limiting, fraud detection)
- Resolve account disputes and enforce our Terms of Service
- Comply with legal obligations
4. How We Store and Protect Your Data
4.1 Encryption at Rest
Your phone number and email address are never stored in plaintext. Each is stored as:
- An AES-256-GCM encrypted ciphertext (with a randomly generated 12-byte IV and 128-bit authentication tag per record)
- An HMAC-SHA256 hash used solely for database lookups — it cannot be reversed to recover the original value
Other profile fields (name, DOB, gender, bio) are stored in plaintext within a secured database.
4.2 Passwords and OTPs
We do not use passwords. All authentication uses one-time passwords (OTP):
- OTPs are 4 digits, expire after 10 minutes, and are hashed using bcrypt (cost factor 8) before storage
- The plaintext OTP is never persisted — only the hash
4.3 Session Tokens
- Access tokens (JWT): Valid for 15 minutes; signed and verified against a per-user token version stored in our cache layer. Logging out immediately invalidates all access tokens.
- Refresh tokens: 64 random bytes, valid for 30 days with a sliding expiry window. Only a SHA-256 hash is stored in our database — the raw token is sent to you once and never retained on our servers.
4.4 Uploaded Files
Profile photos and custom field files (images and PDFs) are stored in AWS S3 with private bucket access. They are accessible only through our backend; direct S3 URLs are never exposed to clients.
4.5 Logs
All application logs automatically redact known PII fields — including phone, email, names, tokens, and OTPs — before writing to storage. PII never appears in log files.
5. Information Sharing and Third Parties
We share your information only as described below. We do not sell your personal data.
| Third Party | Purpose | Data Shared |
|---|---|---|
| Twilio | SMS OTP delivery | Phone number, OTP code |
| Resend | Email OTP delivery | Email address, OTP code |
| Razorpay | Payment processing for plan subscriptions | Payment transaction data |
| Amazon Web Services (S3) | Storage of profile photos and uploaded files | File content only |
| Firebase Cloud Messaging | Push notifications (if enabled) | Device push token, notification payload |
| Nominatim / Google Geocoding | Resolving location names for Nearby connections | Location name string (no raw GPS coordinates) |
| Apache Kafka | Internal event streaming between our own services | User IDs, event types, timestamps — no phone, email, or OTP values |
All third-party services are bound by their own privacy and data processing agreements. We use them solely for the purposes listed above.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Until you delete your account |
| Soft-deleted account | 7 days (recoverable within this window) |
| Hard-deleted account | PII purged immediately and permanently |
| ConnexCode (after deletion) | Held in reserve pool for 30 days, then released |
| Expired/rotated refresh tokens | Purged automatically |
| OTP records | Expire after 10 minutes |
| Session records | Deleted when session is revoked or account deleted |
| Audit logs | Retained indefinitely for legal and compliance purposes |
| Connection reports | Retained until resolved by moderation team |
7. Your Rights and Controls
Account Controls
- Deactivate: Temporarily hides your profile and disables login. Reactivate by logging in again.
- Delete (soft): Schedules permanent deletion with a 7-day recovery window. Your ConnexCode is put on hold so no one else receives it.
- Restore: Within 7 days of soft deletion, you can cancel deletion and fully restore your account.
- Hard delete: Permanently and immediately purges your encrypted phone, encrypted email, name, DOB, gender, bio, and all uploaded files. This cannot be undone.
Profile and Visibility Controls
- Discoverable: Toggle whether your profile appears in people-you-may-know suggestions.
- Connection visibility: Set to
everyone(anyone can send you a connection request) ornobody(requests are blocked).
Contact Information
- You can change your email address or phone number at any time using OTP verification.
- Each change is logged in your audit trail.
Sessions
- View all active sessions (device name, OS, city, last active time) from your profile.
- Revoke any individual session or all sessions at once.
8. Children's Privacy
Connex is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
9. International Data Transfers
Our servers and third-party services may be located outside your country. By using Connex, you consent to the transfer of your information to facilities located in countries that may have different data protection laws than your country of residence. We take appropriate measures to protect your data during any such transfers.
10. Changes to This Policy
We will notify you of material changes to this Privacy Policy by updating the “Last updated” date and, where appropriate, through in-app notification. Continued use of Connex after changes take effect constitutes your acceptance of the updated policy.
11. Contact Us
For privacy-related questions, requests, or complaints, contact us at:
- Email: privacy@connexapp.in
- Website: connexapp.in
© 2026 Connex Platforms Pvt Ltd · Hyderabad, Telangana, India