Privacy Policy
Last updated: June 5, 2026
This Privacy Policy explains how Connex ("we", "us", or "our") collects, uses, stores, and shares your personal information when you use the Connex application and services. It is operated by CONNEX PLATFORMS (OPC) PRIVATE LIMITED, incorporated in India under the Companies Act, 2013.
Registered Address: 36 Lig Phase I, Dharamareddy Colony, Kukatpally, Hyderabad, Telangana 500072, India.
Contact: support@connexapp.io, connexapp.io
Consent
By creating an account or using the Connex application, you confirm that you have read, understood, and consented to the collection, use, and processing of your personal information as described in this Privacy Policy, in accordance with the Digital Personal Data Protection Act, 2023.
1. Information We Collect
1.1 Information You Provide Directly
| Category | Data | Required |
|---|---|---|
| Identity | First name, last name | Yes |
| Contact | Phone number and/or email address | At least one |
| Demographics | Date of birth, gender | Yes (during setup) |
| Location | Country (ISO code) | Yes |
| Profile | About/bio text, profile photo | Optional |
| Professional | Social media handles, website URLs, portfolio links, custom field labels | Optional |
| Files | Custom profile images and PDFs attached to profile fields | Optional |
Note: Date of birth is collected solely to verify that you meet the minimum age requirement of 18 years. Gender is used to personalise your profile display. Neither field is shared with other users without your explicit consent.
1.2 Information Collected Automatically
- Device information: Device name, operating system, and a device identifier (used to manage active sessions)
- IP address and approximate city: Captured at login and recorded per session for security display (e.g., "Last seen from Mumbai")
- Location name: If you use the "Nearby" connection feature, a human-readable location name (e.g., "JNTU College, Hyderabad") is derived from your device's GPS coordinates. Raw GPS coordinates are never transmitted to or stored on our servers.
- Usage metadata: Timestamps of logins, connection requests, and other actions
1.3 Information from Others
- Other users may add a private nickname or note to your connection. These are visible only to that user and never shared with you or third parties.
- Other users may file a report against your account; the report reason is stored for moderation review.
1.4 Payment Data
When you purchase a paid plan on Android or our website, payments are processed by Razorpay Software Pvt Ltd, and Connex receives only a transaction reference ID. When you purchase on iOS, payments are processed by Apple through In-App Purchase, and we use RevenueCat, Inc. to manage and validate the subscription — RevenueCat receives your Connex user ID and purchase details (product, purchase date, country) to activate your plan. In all cases, we do not store your card numbers, CVV, UPI credentials, or any banking details on our servers. We use payment data solely to process your subscription. We do not use payment information for marketing, profiling, or any purpose other than billing.
1.5 Device Permissions
The Connex app requests the following device permissions:
- Camera — Used to scan QR codes when connecting with someone or joining a Board, and for profile photo capture. Not used for any other purpose.
- Photos / Media — Used to let you select an existing photo from your device gallery as your profile picture. We only access photos you explicitly choose; we do not scan or upload your full gallery.
- Location (precise) — Used only during Connex Nearby to identify the venue or building where you are meeting. Raw GPS coordinates are used in-memory to resolve a human-readable place name and are then discarded. Coordinates are never stored on our servers.
- Push Notifications — Used to deliver connection requests, approvals, and board activity alerts.
2. How We Use Your Information
We use your information to:
- Authenticate you via one-time passwords (OTP) delivered by SMS, WhatsApp, or email
- Create and display your professional profile to people you connect with
- Facilitate connection requests (nearby, remote, or board-based)
- Enforce feature limits based on your plan
- Send push notifications (if enabled)
- Process plan subscription payments via Razorpay
- Maintain account security (session management, rate limiting, fraud detection)
- Resolve account disputes and enforce our Terms of Use
- Comply with legal obligations under applicable Indian law
3. How We Store and Protect Your Data
3.1 Encryption at Rest
Your phone number and email address are never stored in plaintext. Each is stored as:
- An AES-256-GCM encrypted ciphertext (with a randomly generated 12-byte IV and 128-bit authentication tag per record)
- An HMAC-SHA256 hash used solely for database lookups — it cannot be reversed to recover the original value
Other profile fields (name, DOB, gender, bio) are stored in plaintext within a secured database.
3.2 Passwords and OTPs
We do not use passwords. All authentication uses one-time passwords (OTP):
- OTPs are 4 digits, expire after 10 minutes, and are hashed using bcrypt (cost factor 8) before storage
- The plaintext OTP is never persisted — only the hash
3.3 Session Tokens
- Access tokens (JWT): Valid for 15 minutes; signed and verified against a per-user token version stored in our cache layer. Logging out immediately invalidates all access tokens.
- Refresh tokens: 64 random bytes, valid for 30 days with a sliding expiry window. Only a SHA-256 hash is stored in our database — the raw token is sent to you once and never retained on our servers.
3.4 Uploaded Files
Profile photos and custom field files (images and PDFs) are stored in AWS S3 with private bucket access. They are accessible only through our backend; direct S3 URLs are never exposed to clients.
3.5 Logs
All application logs automatically redact known PII fields — including phone, email, names, tokens, and OTPs — before writing to storage. PII never appears in log files.
4. Information Sharing and Third Parties
We share your information only as described below. We do not sell your personal data.
| Third Party | Purpose | Data Shared |
|---|---|---|
| MSG91 | SMS OTP delivery to Indian (+91) phone numbers | Phone number, OTP code |
| Twilio | SMS OTP delivery to international phone numbers | Phone number, OTP code |
| Meta Platforms (WhatsApp Cloud API) | WhatsApp OTP delivery when the user chooses WhatsApp as the OTP channel | Phone number, OTP code |
| Resend | Email OTP delivery | Email address, OTP code |
| Razorpay | Payment processing for plan subscriptions (Android/web) | Payment transaction data |
| Apple (App Store / In-App Purchase) | Payment processing for iOS purchases | Purchase transaction data |
| RevenueCat, Inc. | iOS subscription management and receipt validation | Connex user ID, purchase/transaction metadata, device country |
| Amazon Web Services (S3) | Storage of profile photos and uploaded files | File content only |
| Firebase Cloud Messaging | Push notifications (if enabled) | Device push token, notification payload |
| Nominatim / Google Geocoding | Resolving location names for Nearby connections | Location name string (no raw GPS coordinates) |
| DigitalOcean LLC | Cloud infrastructure hosting | All user data resides on DigitalOcean servers located in Bangalore, India |
All third-party services are bound by their own privacy and data processing agreements. We use them solely for the purposes listed above. We transfer data internationally only to countries or services approved under applicable Indian data protection law. Our primary infrastructure is hosted within India (DigitalOcean, Bangalore).
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Until you delete your account |
| Soft-deleted account | 7 days (recoverable within this window) |
| Hard-deleted account | PII purged immediately and permanently |
| ConnexCode (after deletion) | Held in reserve pool for 30 days, then released |
| Expired/rotated refresh tokens | Purged automatically |
| OTP records | Expire after 10 minutes |
| Session records | Deleted when session is revoked or account deleted |
| Audit logs | Retained for 7 years from the date of the logged event, then permanently purged, unless a longer retention period is required by applicable law. |
| Connection reports | Retained until resolved by moderation team |
| Payment transaction records | Retained for 7 years as required by applicable Indian accounting and tax law, even after account deletion |
6. Your Rights and Controls
Account Controls
- Delete (soft): Schedules permanent deletion of your account with a 7-day recovery window. Your connexCode is held in reserve during this period so no one else receives it.
- Restore: Within the 7-day window, you can cancel deletion and fully restore your account.
- Hard delete: Within the 7-day window, you can choose to skip the wait and immediately and permanently purge your encrypted phone, encrypted email, name, DOB, gender, bio, and all uploaded files. This cannot be undone.
Deleting your account also withdraws your consent for further data processing under the Digital Personal Data Protection Act, 2023. We will stop processing your data, except where retention is required by applicable Indian law (e.g., payment records for tax compliance).
Profile and Visibility Controls
- Connection visibility: Set to everyone (anyone can send you a connection request) or nobody (requests are blocked).
Contact Information
- You can change your email address or phone number at any time using OTP verification.
- Each change is logged in your audit trail.
Sessions
- View all active sessions (device name, OS, city, last active time) from your profile.
- Revoke any individual session or all sessions at once.
Data Deletion Request
To request deletion of specific data fields without deleting your entire account, email support@connexapp.io with subject line "Data Deletion Request". We will respond within 15 days.
Right to Nominate (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023, you may designate a nominee who can exercise your data rights on your behalf in the event of your death or incapacity. To register a nominee, contact support@connexapp.io.
7. Children's Privacy
Connex is not directed at persons under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us at support@connexapp.io and we will delete it.
8. International Data Transfers
Our primary infrastructure is hosted within India (DigitalOcean, Bangalore). Some third-party services we use are located outside India. Your data may be processed in the following countries:
- India — DigitalOcean (hosting), Razorpay (payments), MSG91 (SMS for Indian numbers)
- United States — Twilio (SMS for international numbers), Meta Platforms (WhatsApp OTP), Resend (email), Amazon Web Services (file storage), Google Firebase (push notifications), RevenueCat (iOS subscription management)
Each of these providers operates under their own published Data Processing Agreements, which apply automatically to all customers. We share only the minimum data necessary for each service to function, and we do not permit any provider to use your data for their own purposes.
These transfers are made in accordance with applicable Indian data protection law. By using Connex, you acknowledge that your data may be processed in these countries as described above.
9. Grievance Officer
Under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer:
- Name: Ranjith Sana
- Designation: Grievance Officer, CONNEX PLATFORMS (OPC) PRIVATE LIMITED
- Email: grievance@connexapp.io
- Address: 36 Lig Phase I, Dharamareddy Colony, Kukatpally, Hyderabad, Telangana 500072
- Response Time: Acknowledged within 24 hours; resolved within 15 days
10. Changes to This Policy
We will notify you of material changes to this Privacy Policy by updating the "Last updated" date and, where appropriate, through in-app notification. Continued use of Connex after changes take effect constitutes your acceptance of the updated policy.
11. Contact Us
For privacy-related questions, requests, or complaints:
- General enquiries: info@connexapp.io
- Support: support@connexapp.io
- Grievance: grievance@connexapp.io
- Website: https://connexapp.io