Privacy Policy for nuvexonix.com

Data Controller

The controller in the sense of GDPR is:

Nuvexonix (sole proprietorship)
Proprietor: Florian Bläsius
Erlenweg 6
83624 Otterfing
Germany

Email: support@nuvexonix.com
Website: https://nuvexonix.com/en

Scope of this policy

This privacy policy applies to content under nuvexonix.com (for example /de, /en) where this policy is referenced (home, product pages, help/FAQ, contact, legal pages, and Clubster Business web flows).

The mobile Clubster app is covered by a separate app-specific privacy policy.

General data processing principles

Legal bases

• Art. 6(1)(b) GDPR - contract or pre-contract (for example support and account handling).
• Art. 6(1)(f) GDPR - legitimate interest (technical operation, security, abuse prevention).
• Art. 6(1)(c) GDPR - legal obligation (for example retention requirements).

Categories of personal data

• Technical access data (log files),
• Account and authentication data for Clubster Business web areas (for example email, username, login and verification status),
• Communication data (emails and contact requests),
• Consent/preference data (cookie notice acknowledgement),
• Meta and traffic data (timestamps, browser/OS, status codes).

Data collection when visiting our website

Server log files (Firebase Hosting / Google Cloud)

When pages are requested, technical log data can be processed automatically, including: IP address, date/time, requested URL/resource, referrer URL (if provided), browser/OS, and status code.

Purpose: secure and reliable delivery, system stability, error analysis, and abuse/attack detection. Legal basis: Art. 6(1)(f) GDPR.

Retention: log data is stored only as long as required for these purposes, then deleted or anonymized, unless longer storage is required in an individual case.

Clubster Business web areas (registration, login, account dashboard, checkout)

In Clubster Business web flows (/clubster/business-register.html, /clubster/business-login.html, /clubster/business-account.html, checkout pages), additional data is processed to provide account, verification, and subscription workflows.

• Registration: email, username, optional bio, optional invite code, and email verification code.
• Login: email/password and a security code (2FA-style email verification).
• Dashboard: verification requests, submitted evidence/documents, status history.
• Session data: technically required login/session state in local storage.

Legal bases: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR, and where applicable Art. 6(1)(c) GDPR.

No optional marketing analytics currently active

At this time, we do not run optional first-party marketing analytics categories. If this changes, this policy will be updated and consent will be obtained where required.

Firebase and Google Cloud

Hosting and technical infrastructure are provided through Google services, including Google Ireland Limited (Dublin, Ireland) and potentially Google LLC (USA).

Data processing agreements and third-country transfer

Google may act as a processor. If data is transferred to third countries, this is based on mechanisms under Art. 44 et seq. GDPR (for example standard contractual clauses, where applicable).

reCAPTCHA v3 and Firebase App Check (security and abuse prevention)

Clubster Business web flows use Google reCAPTCHA v3 together with Firebase App Check to protect against automated abuse and fraudulent activity. Technical metadata may be processed (for example IP address, browser/device signals, referrer, interaction signals, and risk classification data).

Legal basis: Art. 6(1)(f) GDPR. More information: Google Privacy Policy and Google Terms.

Contact and support inquiries

If you contact us by email or via contact channels, we process your provided data (for example email, name, message content) to handle your request.

Legal basis: Art. 6(1)(b) GDPR (where contract-related) or Art. 6(1)(f) GDPR (legitimate interest in processing communication).

Cookies and similar technologies

We currently do not run optional first-party marketing tracking categories. Technically required mechanisms can still be used for security and session handling.

Security checks (for example reCAPTCHA/App Check) may involve technically required cookies, such as _GRECAPTCHA.

Clubster Business web pages also store technically required local state (for example authentication/session status and cookie-banner acknowledgement) to keep web workflows functional and secure.

How long we store data

• Log files: limited period, then deletion/anonymization unless longer retention is required in a specific case.
• Security metadata (reCAPTCHA/App Check): according to technical necessity and provider standards.
• Support/contact requests: as long as needed for processing/documentation, then deletion unless legal duties apply.
• Legal retention obligations: remain unaffected (for example tax/commercial law obligations).

Who can receive data

• Internal teams (support, operations, development) where required.
• Processors (hosting/infrastructure, email services if applicable), especially Firebase/Google.
• Authorities/third parties where legally required or necessary to enforce legal rights.

Data subject rights under GDPR

• Right of access (Art. 15 GDPR),
• Right to rectification (Art. 16 GDPR),
• Right to erasure (Art. 17 GDPR),
• Right to restriction of processing (Art. 18 GDPR),
• Right to data portability (Art. 20 GDPR),
• Right to object (Art. 21 GDPR),
• Right to withdraw consent at any time (Art. 7(3) GDPR, where consent applies),
• Right to lodge a complaint with a supervisory authority.

Technical and organizational measures

We use appropriate technical and organizational measures to protect personal data, including access controls, secure transport channels, and security checks in sensitive web flows.

Changes to this policy

We may update this privacy policy if legal requirements, infrastructure, or product flows change. The latest version is always available on this page.

Last update: March 2026