Privacy Policy

// last updated 2026-04-17

NOX is built around a no-PII principle. We do not collect email addresses, phone numbers, real names, IP geolocation, or any cross-app identifiers. The only thing we ask for is a username and password.

1. What we collect

When you create an account, NOX stores:

Your username (chosen by you, public to other users)
Your display name (public)
A bcrypt-hashed copy of your password (never the original)
A bcrypt-hashed copy of your recovery phrase (never the original; phrase is shown to you once and never recoverable from us)
Optional profile fields: avatar URL, bio, accent color, banner color, custom status, online status
The messages you send (channel + DM)
The files you upload (stored on the server's disk, addressed by content hash)
Servers you create or join, channels, reactions, pins, friends list, read state

2. What we do NOT collect

Email address
Phone number
Government ID
Location / GPS
Device advertising IDs (IDFA, AAID)
Contacts list, calendar, photos library (the app only sees what you explicitly upload)
Microphone / camera (voice features are visual stubs only — no audio is captured)
Any third-party tracking pixels, analytics SDKs, or ad networks

3. How we use it

Strictly to deliver chat functionality: route your messages, render attachments, show your friends list, push notifications about messages addressed to you. That's the whole list.

4. Where it lives

NOX is self-hosted. Your data sits on the host machine of the NOX instance you signed up to. If your community is hosting their own NOX instance, ask the operator where the box lives. There is no "NOX cloud" — there is no central database that aggregates users across instances.

5. Who sees your data

Other users in the same server: can see your username, display name, profile fields, and the messages you send in shared channels.
The other party in a DM: can see the messages you send in that DM.
The instance operator: has root access to the host machine and could read the SQLite database directly. Pick your operator carefully.
Nobody else. No advertisers, no governments, no vendors. NOX has no external API integrations.

6. Account recovery

Because we don't store an email or phone, there is exactly one way to recover a lost password: the 6-word recovery phrase shown to you once at registration. If you lose both your password and your recovery phrase, your account cannot be recovered. This is intentional: no recovery channel = no recovery vulnerability.

7. Account deletion

You can delete your account from Settings → My Account → Delete Account. Deletion permanently removes your user record, your sent messages, your DMs, your owned servers, friendships, and read state. The only artifacts that may remain are uploaded files referenced by other users' messages (since each upload becomes its own attachment row).

8. Children

NOX is intended for users 13+. The instance operator is responsible for community moderation.

9. Changes

This policy may be updated as NOX evolves. Material changes will be announced in the official server and on this page.

10. Contact

Reach the project maintainer through the GitHub repository linked from the homepage. There is no central contact email by design.

END_OF_DOCUMENT