Privacy Policy
1. Who We Are
NDS Solutions Ltd ("we", "us", "Nexus") is the data controller for personal data collected through the Nexus Global Safety Platform. We are registered in England and Wales with our principal place of business in Liverpool, United Kingdom. Contact Us
2. What Data We Collect
2.1 Account Data
When you register, we collect your name, email address, password (hashed), country, and any optional profile information you choose to provide.
2.2 Location Data
With your permission, we collect precise GPS location data to power core safety features including SOS alerts, BLE mesh participation, and missing person coordination. Location data is collected in the foreground and, where you have granted permission, in the background to enable continuous safety monitoring.
2.3 Device and Technical Data
We collect your device type, operating system version, app version, Bluetooth signal data (anonymised), battery level (for SOS context), and crash/diagnostic data.
2.4 Alert and Case Data
If you submit an SOS alert, missing person report, or Rapid Alert, we collect the information you provide including descriptions, photographs, and location at time of submission.
2.5 Volunteer and Witness Data
If you register as a volunteer or witness, we collect your occupation, skills, and any contact information you provide for coordination purposes.
2.6 Communications
We may collect messages sent through the Platform's coordination features. We do not read private messages between users except where required for safety, legal compliance, or fraud investigation.
3. How We Use Your Data
We use your personal data to:
• Provide, operate, and improve the Platform and its safety features
• Send and relay SOS alerts and emergency notifications
• Coordinate missing person searches and Rapid Alert broadcasts
• Verify your identity and maintain account security
• Enable BLE mesh relay functionality (using anonymised signals only)
• Communicate with you about your account, alerts, and Platform updates
• Comply with legal obligations and cooperate with law enforcement where required
• Detect and prevent fraud, abuse, and misuse of the Platform
4. Legal Basis for Processing
4.1 United States (CCPA and State Privacy Laws)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. Your CCPA rights are described in Section 11.
We collect and use personal data as described in this Policy for the following business purposes: providing the Platform, safety coordination, fraud prevention, legal compliance, and improving our services.
4.2 United Kingdom and European Union (UK/EU GDPR)
For users in the UK or EU, we rely on the following legal bases under UK GDPR / EU GDPR:
• Contract — processing necessary to provide the Platform services you have signed up for
• Legitimate interests — improving the Platform, fraud prevention, and network security
• Legal obligation — complying with applicable law and cooperating with authorities
• Consent — for background location access and marketing communications (you may withdraw consent at any time)
5. Location Data — Special Notice
Location data is central to the safety purpose of the Platform. We treat it with the highest level of care:
• Precise location is only shared with other users in the context of active SOS alerts or missing person coordination, and only to the extent necessary
• Historical location trails are retained for a limited period to support ongoing cases and are then deleted
• We do not sell your location data to advertisers or third-party data brokers
• You can disable location permissions at any time via your device settings, though this will significantly limit Platform functionality
6. BLE Mesh Relay
When your device participates in the BLE mesh network, it may relay encrypted safety signals from other users. These signals contain no personally identifiable information in their relayed form. Your device does not store or process the content of relayed signals beyond the relay action itself.
7. Data Sharing
We do not sell your personal data. We share data only in the following circumstances:
7.1 Emergency and Law Enforcement
Where an active SOS alert or missing person case involves risk to life, we may share relevant data with law enforcement or emergency services without prior notice. We will cooperate fully with valid legal requests.
7.2 Service Providers
We use trusted third-party providers to operate the Platform, including:
• Amazon Web Services (AWS) — cloud infrastructure and data storage (US East region)
• Amazon Cognito — identity and authentication
• Google Maps — mapping and location display
• UltraMsg — WhatsApp notification delivery
• Anthropic Claude — AI-assisted coordination briefings (anonymised case data only)
All providers are contractually bound to handle your data securely and only for the purposes we specify.
7.3 Tier 2 and Tier 3 Operators
If you are a user of a venue or organisation that holds a Tier 2 Operator Hub account, relevant safety information may be shared with that operator in the context of an active incident at their venue.
8. International Data Transfers
The Platform's primary infrastructure is hosted in the United States (AWS us-east-1). This is where your data is stored and processed by default.
If you are based in the UK or EU, your data is transferred to the United States. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses (SCCs) where required under UK GDPR or EU GDPR.
9. Data Retention
We retain your data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations. Specific retention periods:
• Account data — retained for the duration of your account plus 2 years
• Location trail data — retained for 30 days then deleted, unless attached to an active case
• SOS and missing person case data — retained for the duration of the case plus 7 years for legal compliance
• Rapid Alert data — retained for 7 years
You may request deletion of your data at any time (see Section 11).
10. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
• JWT-based authentication on all API endpoints
• Encryption of data in transit (TLS) and at rest
• AWS Point-in-Time Recovery (PITR) enabled on all databases
• CloudTrail audit logging across all infrastructure
• Regular security reviews and penetration testing
No system is completely secure. If you believe your account has been compromised, contact us immediately.
11. Your Privacy Rights
11.1 All Users
Regardless of your location, you may:
• Access and update your account information via the app settings
• Delete your account at any time via app settings or by contacting us
• Opt out of marketing communications at any time
• Disable location permissions via your device settings
11.2 California Residents (CCPA/CPRA)
As a California resident you have the right to:
• Know what personal information we collect, use, disclose, and sell (we do not sell)
• Delete your personal information (subject to legal retention requirements)
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information (we do not sell or share for advertising)
• Non-discrimination for exercising your privacy rights
To submit a CCPA request, contact us at privacy@nexus-global.ai. We will respond within 45 days.
11.3 UK and EU Users (UK/EU GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. To exercise these rights contact privacy@nexus-global.ai. We will respond within 30 days.
UK users may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. EU users may contact their local supervisory authority.
12. Children's Privacy
The Platform is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please Contact Us immediately and we will delete it.
13. Cookies and Tracking
The Nexus mobile application does not use advertising cookies or third-party tracking. The Nexus web console (nexus-global.ai) uses essential cookies only, required for authentication and session management. We do not use cookies for advertising or behavioural tracking.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The effective date at the top of this document indicates when the current version came into effect.
15. Contact Us
For any privacy-related queries or to exercise your rights:
NDS Solutions Ltd
Liverpool, United Kingdom
Contact Us