nekta
Privacy Policy
Version 2026-06-13 · Effective 13 June 2026
We keep this policy under review and may update it from time to time.
This Privacy Policy explains how Nekta collects, uses, shares, and protects your personal data when you use the Nekta platform. It also sets out your rights over your data and how to exercise them. We have written it to reflect how the service actually works rather than in generic terms.
Nekta is a direct artist-to-fan and music-industry social network. Using the service is voluntary, and most of the data we hold is data you choose to give us by creating an account and using the platform's features.
1. Who we are
Nekta is operated by Nekta Lab Ltd, a company incorporated in the United Kingdom. Nekta Lab Ltd is the data controller responsible for your personal data.
Our application servers and primary database are hosted in Melbourne, Australia, and our media files (such as images and audio) are stored in London, United Kingdom. This means your data is processed across borders — see International transfers below.
For any privacy question, or to exercise a right described in this policy, contact us at info@nekta.vip.
2. What we collect
We collect the following categories of personal data:
- Account & identity — your email address, username, password (stored only as a secure hash, never in plain text), display name, optional bio, optional location, avatar image, and your date of birth (used to confirm you meet the minimum age — see Children & age).
- Authentication & security — login sessions, device information, and IP address (used to keep your account secure and detect abuse); email-verification and password-reset tokens.
- Content you create — posts, comments, reactions, follows, brands you own, event RSVPs, and any media you upload.
- Direct messages — the chat messages you send and receive, stored encrypted at rest (see Chat encryption).
- Preferences & discovery data — genre preferences, location/region for discovery, appearance settings, and onboarding progress.
- Consent & compliance records — a timestamped, versioned record of the policies and cookie choices you have accepted.
- Connected accounts — where you connect a third-party service (such as Google sign-in or a Dropbox brand integration), the access tokens and profile metadata needed to operate that connection.
- Email delivery logs — records of the transactional and mailout emails we send you, for deliverability and troubleshooting.
We do not intentionally collect special-category data (such as health, biometric, racial, political, religious, or sexual-orientation data). Free-text fields such as your bio, posts, or messages could contain such information if you choose to share it — please do not share sensitive information you do not want stored.
3. How and why we use your data
We process your personal data for the following purposes, on the following legal bases under the UK GDPR / EU GDPR.
| Purpose | Lawful basis |
|---|---|
| Creating and running your account; delivering the core platform features | Performance of a contract |
| Keeping accounts and the platform secure; preventing abuse and fraud | Legitimate interests |
| Sending transactional email (verification, password reset, notifications) | Performance of a contract |
| Analytics to understand and improve the service | Consent (you opt in via the cookie banner) |
| Marketing communications, where offered | Consent |
| Confirming you meet the minimum age; complying with legal obligations | Legal obligation / legitimate interests |
Where we rely on consent, you can withdraw it at any time — for cookies and analytics, from the cookie preferences in your settings; the withdrawal does not affect processing already carried out.
4. Who processes your data for us
We use a small number of carefully chosen service providers ("processors") to run the service. They process personal data only on our instructions and under a data-processing agreement.
| Provider | Purpose | Location |
|---|---|---|
| Akamai / Linode | Application & database hosting (Melbourne); media object storage (London) | Australia & United Kingdom |
| Twilio SendGrid | Email delivery | United States |
| Sign-in (OAuth) and Google Analytics (analytics only after you opt in) | United States | |
| Cloudflare | Turnstile CAPTCHA — bot & abuse protection at signup | United States |
| Dropbox | Optional brand integration (release-file detection) | United States |
| Redis (self-hosted) | Session & cache store | Australia (our own infrastructure) |
Each of our US providers (SendGrid, Google, Cloudflare, Dropbox) is certified under the EU-US Data Privacy Framework (and its UK Extension), with Standard Contractual Clauses as a contractual fallback. We do not sell your personal data, and we do not share it with third parties for their own marketing.
5. International transfers
Nekta Lab Ltd is a UK controller, but your data is processed in more than one country:
- EU/UK → Australia (our app server & database). Australia does not have an EU/UK adequacy decision, so these transfers are protected by our hosting provider's data- processing agreement, which incorporates the 2021 EU Standard Contractual Clauses, together with our own transfer impact and risk assessments and supplementary safeguards (encryption in transit, encrypted chat at rest, and strict access controls).
- EU → United Kingdom (our media object store). The UK benefits from an EU adequacy decision (renewed to 27 December 2031), so no additional transfer mechanism is required for media stored in London.
- EU/UK → United States (email, analytics, sign-in, CAPTCHA, integrations). These providers are certified under the EU-US Data Privacy Framework and its UK Extension, with Standard Contractual Clauses as a fallback.
You can ask us for more detail about the safeguards in place for any transfer by contacting info@nekta.vip.
6. How long we keep your data
We keep most account data for as long as your account is active. The following data is kept for a shorter, code-enforced period and is automatically removed when it is no longer needed:
- IP addresses recorded against login sessions are erased (nulled) after 30 days.
- Stale login sessions are deleted 7 days after they expire.
- Email-verification and password-reset tokens are deleted 1 day after they expire or are used.
- Email delivery logs are pruned after 90 days.
When you delete your account, we erase or irreversibly anonymise your personal data (see Your rights). A limited set of records is kept after deletion because the law requires or permits it:
- Email-suppression (unsubscribe) records — kept so we continue to honour your choice not to be emailed.
- Security records of banned IP addresses — kept for abuse prevention.
- A non-identifying audit record that an erasure took place — this contains no personal data, only confirmation of what was done.
7. Your rights
Under the UK GDPR / EU GDPR you have the right to access, rectify, erase, restrict, and object to the processing of your personal data, and the right to data portability. We have built these into the product where we can:
- Access & portability. You can download a machine-readable copy of your data (JSON and CSV) yourself from Settings → Privacy & Data.
- Erasure. You can delete your account from Settings → Privacy & Data. We erase your personal data and irreversibly anonymise the content you have shared, replacing your identity with an anonymous "Deleted user", so the conversations and posts others relied on remain intact without identifying you.
- Rectification. You can correct most of your profile data directly in your settings.
- Other requests. For any right you cannot exercise in-app, or to object to or restrict processing, contact info@nekta.vip.
We respond to data-subject requests within one month. Where a request is especially complex or you make several requests, we may extend this by up to a further two months and will tell you within the first month if we need to.
You also have the right to complain to a data-protection supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EU, your local supervisory authority.
9. Chat encryption
Direct messages (chat) are stored encrypted at rest. Message content is held as an encrypted envelope in our database rather than as plain text. When you download your data, your own messages are decrypted for you so the export is readable.
10. Children & age
Nekta is not intended for children. A minimum age applies depending on your region — 16 by default and across the EU, in line with the GDPR. We collect your date of birth at signup to confirm you meet the applicable minimum age, and signups below the threshold are refused. If you believe a child has created an account, contact us and we will remove it.
11. Security & data breaches
We protect your data with encryption in transit, encryption at rest for the most sensitive data (chat), least-privilege access controls, and secure password hashing. No system is perfectly secure, but we take reasonable steps to keep your data safe.
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where required, within 72 hours, and we will tell affected users where the breach is likely to result in a high risk to them.
12. Changes to this policy
We may update this policy as the service evolves or as the law changes. Each version carries a version number and effective date at the top. When we make a material change, we will ask you to review and re-accept the updated policy the next time you use Nekta.
13. Contact us
For any question about this policy or your personal data, or to exercise any of your rights, contact us at info@nekta.vip. Our Terms and Conditions are available at /legal/terms.