Privacy Policy
// effective 2026-05-26 · version 41
1. Who runs NOX
NOX is operated by an individual maintainer ("we", "us", "operator") on hardware they control. There is no parent corporation. By using a NOX instance you are interacting with that operator. If you are using a third-party-run instance, that operator — not us — is your data controller for any data you submit there.
2. What we collect
When you create an account, NOX stores:
- Your username (chosen by you, public to other users)
- Your display name (public)
- A bcrypt-hashed copy of your password (never the original)
- A bcrypt-hashed copy of your recovery phrase (never the original; the phrase is shown to you once and is never recoverable from us)
- A privacy-policy acceptance timestamp
- Optional profile fields: avatar URL, banner URL, bio, accent colors, custom status, pronouns, online-status preference
- The messages you send (channel and DM). Direct messages may be end-to-end encrypted in transit and at rest depending on your account's eligibility (see Section 4a). When E2E is active, the server stores only opaque ciphertext and cannot read those DMs even with database access. Channel messages and group DMs remain server-readable in this phase of the rollout.
- The files you upload (stored on the operator's disk, addressed by content hash for deduplication)
- Servers, channels, reactions, pins, friends list, read state, mention counts
- For voice / video calls: see Section 4 below. Call media travels through the operator's relay or directly between participants and is not retained by the server, but call presence events (join / leave) are logged briefly
- Server logs: HTTP access logs, error logs, and socket connect / disconnect events. Logs include IP address (necessary for transport), user agent, request path, and timestamps. Logs are retained for up to 30 days for debugging and abuse mitigation, then deleted
- Per-user activity bucket counters (day-of-week, hour) for the optional public heatmap on your profile. Off by default.
3. What we do NOT collect
- Email address, phone number, government ID, or real name
- Precise GPS or street-level location
- Device advertising IDs (IDFA, AAID)
- Your contacts list, calendar, photos library, or any data outside the app's own UI
- Third-party tracking pixels, behavioural-ad SDKs, or social-network share buttons
- Browser fingerprinting beyond the user agent recorded in transport logs
4. Voice, video, and screen sharing
NOX voice / video / screen-share uses WebRTC. When you join a voice channel or DM call:
- Your microphone audio (and, if you turn them on, your camera or screen capture) is encrypted in transit (DTLS-SRTP) end-to-end between the call participants. The TURN relay forwards those encrypted packets and does not hold the keys to decrypt them. The keys are negotiated between participants, but that negotiation passes through the operator's signaling server, so this protection, as in any WebRTC deployment, assumes the operator is not tampering with signaling. We do not record, transcribe, or store call media.
- By default, call media is routed through a TURN relay run by the operator, so other call participants only ever see the relay's IP, not yours. Your IP is visible to the operator (which it already is via the WebSocket connection) but not to the people you're talking to.
- If the operator has not configured a TURN relay, NOX falls back to direct peer-to-peer connections to keep calls working. In that fallback mode your IP IS exposed to the other call participants; this is how peer-to-peer WebRTC establishes a connection. The fallback is intended only as a temporary state during operator setup; if you can't tell which mode you're in, ask your operator. As an extra safety net, a VPN hides your real IP from other participants in either mode, provided your browser routes its WebRTC traffic through the VPN.
- Screen-share content travels over the same media channel, so the same protections apply. Be careful what's visible on your screen before clicking Share — the relay doesn't redact it for you.
- The server sees that you joined / left a call (presence) and routes the initial WebRTC signaling. That signaling is logged in transport logs (Section 2) and rotated within 30 days.
4a. End-to-end encryption (direct messages)
Direct messages are end-to-end encrypted when the feature flag is enabled for your account. The implementation is the Signal Protocol (X3DH key exchange + Double Ratchet), the same protocol used by Signal and WhatsApp.
- Your private keys never leave your device. They live in your browser / app's local storage (IndexedDB). The server holds only your public keys, used so other users can encrypt messages to you. Anything that can read that browser profile, or run script in the app's origin, can read those keys too, so the security of your DMs is only as good as the security of the device you use them on.
- Encrypted DMs are stored on the server as opaque ciphertext. The operator cannot read them, even with full database access.
- Recovery caveat: if you lose your password and reset using the recovery phrase, your encrypted DM history on this device becomes unreadable. New messages after sign-in work normally. This tradeoff is intentional — if the server could re-derive your private key from the recovery phrase, the server could read your messages too. Same model as Signal.
- What's NOT yet encrypted: server-channel messages, group DMs, file attachments, message metadata (sender, recipient, timestamp, size). Those are scheduled for Phase 2 of the public roadmap (MLS protocol).
- When you report an encrypted message for abuse, the report includes the decrypted plaintext that you chose to send to NOX support. The server cannot decrypt the message itself.
- You can verify that you're talking to the right person by comparing identity fingerprints with them out of band (Settings → Privacy → end-to-end encryption pill in the DM header). If the fingerprints match on both sides, no one has substituted keys in the middle of your conversation. Fingerprint comparison does not detect a compromised device at either end.
5. Cookies, local storage, and push
- JWT auth token stored in your browser's localStorage so you stay signed in. Cleared on logout.
- Appearance preferences (theme, font size, sounds, etc.) stored in localStorage. Never sent to the server.
- Per-user volume settings for voice peers stored in localStorage.
- Web push subscription, if you opt in to browser notifications: we store your browser-generated push endpoint, p256dh public key, and auth secret. You can revoke it any time from Settings or in your browser's notification permissions.
- We do not use cookies for tracking.
6. Third-party services we touch
NOX itself does not embed advertising or social SDKs. We do rely on a small set of operational vendors:
- Cloudflare — reverse proxy / TLS / Turnstile (the captcha widget on register and waitlist). Cloudflare receives request metadata necessary to serve traffic. Cloudflare's privacy policy.
- Google Fonts — typography (Cairo on the marketing site; the app loads fonts locally). Google receives a hit when fonts load. Google's privacy policy.
- KLIPY — the in-app GIF picker. When you search for a GIF, the query is sent to KLIPY. KLIPY's privacy policy.
- GitHub Releases — desktop app auto-update. The Electron app pings the public release feed for new versions; GitHub sees your IP and the request. GitHub's privacy policy.
- Google Play — if you install the Android app, Google's policies apply alongside ours.
- STUN / TURN servers for WebRTC connection establishment. STUN is currently Google's public STUN service: it learns your IP address and port while your client discovers its public address, but it carries no call media. The TURN relay, where the operator has configured one, is run by the operator (Section 4).
7. Where data lives and how long
- Account, messages, files, profile — kept until you delete them or your account.
- Transport logs — up to 30 days, then deleted.
- Database backups — encrypted snapshots may be kept for up to 35 days for disaster recovery, then rotated out.
- Deleted account remnants — when you delete your account, your user row, sent messages, owned servers, friendships, and read state are removed within 24 hours. Files you uploaded that other users' messages still reference may persist as orphan attachments until those messages are also deleted. Copies of deleted data may also remain in the encrypted database backups above until those rotate out (up to 35 days).
- All data is stored on hardware physically located with the operator. There is no cross-region replication. There is no "NOX cloud."
8. Who can see your data
- Other users in shared servers can see your username, display name, profile fields, and messages you send in shared channels.
- The other party in a DM can see DM messages and (during a call) your IP — see Section 4.
- The instance operator has root access to the host and could read the database directly. Pick your operator carefully.
- Nobody else. We do not sell, rent, license, or trade your data. We do not send marketing.
- We may disclose information when compelled by valid legal process (subpoena, court order) issued in a jurisdiction we recognize, and only the minimum necessary to comply. We will publish an aggregate transparency note when this happens, unless legally prohibited.
9. Security
- Passwords and recovery phrases are hashed with bcrypt (cost factor 10–12). We never store plaintext.
- All network traffic uses HTTPS / WSS (TLS).
- Stored secrets that the user can recover (e.g. third-party AI API keys for bots) are encrypted with AES-256-GCM using a key held only by the operator.
- JWT auth tokens are signed with a server-side secret and bound to your last password-change time, so changing your password invalidates older tokens. Because the token lives in your browser's localStorage (Section 5), any script that runs in the app's origin could read it; changing your password is the way to invalidate a token you suspect has leaked.
- NOX is not fully end-to-end encrypted. Server-channel messages, group DMs, and file attachments are stored on the server in plaintext (so search and notifications work). Direct messages are end-to-end encrypted only where Section 4a applies. If you need E2EE for everything, use Signal.
- If we discover a security breach affecting user data, we will notify affected users in-app and, where applicable law requires, within the legally mandated window (e.g. under GDPR, the supervisory authority within 72 hours and affected users without undue delay).
10. Account recovery
Because we do not store an email or phone, there is exactly one way to recover a lost password: the 6-word recovery phrase shown to you once at registration. If you lose both your password and your recovery phrase, your account cannot be recovered. This is intentional: no recovery channel = no recovery vulnerability.
11. Account deletion
You can delete your account from Settings → My Account → Delete Account. Deletion permanently removes your user record, sent messages, DMs, owned servers, friendships, and read state. See Section 7 for retention nuance.
12. Children
NOX is not directed at children under 13. If we learn that a user under 13 has created an account, we will delete it. In the EU/UK and other jurisdictions where the digital age of consent is 16, NOX is not directed at users under 16 without verifiable parental consent. The instance operator is responsible for community moderation.
13. Your rights (GDPR / UK GDPR)
If you are in the EU, EEA, UK, or another jurisdiction with similar rights, you may:
- Access the personal data we hold about you
- Rectify inaccurate data — most fields are editable in Settings → My Account / Profile
- Erase your account (Section 11)
- Restrict or object to processing
- Port your data — request an export of your messages and profile
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your local data-protection authority
To exercise these rights, contact the operator via the channels listed in Section 16. We will respond within 30 days.
14. California rights (CCPA / CPRA)
If you are a California resident: you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to not be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising (and never have). Submit requests via the contact channel in Section 16.
15. International users
NOX servers are physically located with the operator. Using NOX from outside that country means your data is transferred to and processed there. Where required (e.g. EU users), we rely on appropriate safeguards for cross-border transfer.
16. Contact
Privacy questions, data-subject access / deletion requests, CCPA and GDPR correspondence, and any other communication about this policy can be sent to:
In-app DMs are also available as an alternative channel. We aim to respond to verifiable requests within 30 days.
17. Changes to this policy
We may update this policy as NOX evolves. The "effective" date and version number above will move forward on every change. Material changes (anything that meaningfully changes what we collect, who sees it, or what you can do about it) will trigger an in-app notice and a re-prompt to accept the new version. Continued use after the effective date constitutes acceptance.