Privacy Policy
1. Controller Identification
The party responsible for processing your personal data (Controller) is:
- Legal name: Aphelios Group
- Address: Porto Alegre, RS, Brazil
- E-mail: privacy@nexo.wiki.br
- Institutional website: apheliosgroup.com
2. Data Protection Officer (DPO)
The party responsible for receiving communications about data processing is the controller's privacy structure:
- Officer: Data Protection Officer of Aphelios Group
- Contact: privacy@nexo.wiki.br
3. Data Collected
3.1 Account Data
When creating an account, we collect data provided by your chosen authentication provider (Sign in with Apple or Google):
- Name (as registered with the provider)
- Email address
- Unique provider identifier (an authentication token, not a password)
NEXO does not store passwords. Authentication is managed entirely by the provider (Apple or Google).
3.2 Game Data
To calculate statistics and display rankings, we collect:
- Answers submitted in each case (diagnostic attempts)
- Number of clues used per case
- Score and sequence (streak) of days played
- Match date and time
Important: diagnostic attempts are gameplay data (responses to a game) and do not constitute personal health information of the user. NEXO does not collect anamnesis, medical history or any actual clinical data.
3.3 Push Notification Tokens
If you allow notifications, we collect the device token provided by the operating system (APNs on iOS) solely for sending daily game reminders.
3.4 Technical Usage Data
For stability and debugging, we automatically collect:
- Application and operating system version
- Error logs (no personally identifiable data)
- Anonymous installation identifier
For information security purposes, the website also keeps a 30-day internal ledger of scanner events and form traps, such as requests to paths like /.env or /wp-login.php and automated submission of hidden fields. These records store only a rotating pseudonymized IP hash, requested country/host/path, a truncated user agent, and technical metadata derived from HTTP headers, such as browser, operating system, device, city, region, timezone, and referer when available. Legal basis: legitimate interest for security (LGPD, Art. 7, IX).
3.5 Local Storage
The application stores the case of the day cache and interface preferences (e.g. light/dark mode) locally on the device. This data is not passed on to third parties.
4. Purposes of Processing
- Service provision: authenticate users, save progress and display the daily case
- Ranking and performance: display your score on the public leaderboard with name and profile photo
- Notifications: send daily case reminders if authorized
- Security and integrity: detect abuse, fraud and misuse of the platform
- Product improvements: aggregated, anonymous analysis of usage patterns
- Administrative audit: records of administrator actions in backoffice tools
- Legal Compliance: compliance with legal and regulatory obligations
5. Legal Bases (LGPD, Art. 7)
- Contract execution (item V): to authenticate your account and provide game features
- Legitimate interest (item IX): for security, prevention of abuse and improvement of the service
- Consent (item I): for sending push notifications and public display in the ranking
- Compliance with legal obligation (item II): when required by law or competent authority
6. Data Sharing
NEXO does not sell personal data. We only share with:
- Supabase Inc.: database and authentication (cloud infrastructure). Supabase processes data as an operator under a data protection contract.
- RevenueCat Inc.: managing subscriptions and iOS in-app purchases. RevenueCat processes anonymized transaction data for signature validation.
- Stripe, Inc.: payment processing for subscriptions contracted at nexo.wiki.br. Stripe processes payment data under its own privacy policy. NEXO does not store credit card data.
- Expo (820 Labs Inc.): delivery of app updates and routing of push notifications. Expo processes device tokens and application metadata to distribute updates.
- Google LLC: authentication via Google Sign-In and, if used, editorial AI services in the backoffice (Gemini API). End user data is not sent to the AI API.
- DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.): generation of editorial content (clues and explanations of clinical cases) by the curation team. End user data is not sent to the AI API.
- Apple Inc.: authentication via Sign in with Apple and distribution via the App Store.
- Vercel Inc.: hosting and delivery of the web interface (nexo.wiki.br). Vercel processes HTTP request headers as an infrastructure operator.
- Public authorities: when required by law, court order or applicable regulation.
7. International Data Transfer
Supabase servers may be located in the United States or other countries. This transfer takes place based on standard contractual clauses and appropriate safeguard mechanisms, as permitted by the LGPD (Art. 33).
8. Data Retention
- Account and game data: kept while the account is active and for up to 90 days after deletion, for backup and compliance purposes
- Notification tokens: deleted immediately when permission is revoked or the account is deleted
- Administrative audit logs: maintained for 12 months
- Technical logs: kept for 30 days
9. Your Rights (LGPD, Art. 18)
You have the right to:
- Confirmation and access: know what data we process about you
- Correction: request the correction of incomplete or incorrect data
- Anonymization, blocking or deletion: of data that is unnecessary or processed in non-compliance
- Portability: receive your data in a structured format
- Deletion: of data processed based on consent
- Information: about any sharing of your data
- Revocation of consent: at any time, without prejudice to previous use
- Objection: to processing carried out based on legitimate interest
To exercise any of these rights, contact us by e-mail at privacy@nexo.wiki.br. We will respond within 15 business days.
You can also delete your account directly through the app under Settings → Delete account.
10. Security
We adopt technical and organizational measures to protect your data, including:
- Encrypted transmission (TLS/HTTPS)
- Access control with role-based authentication (Row-Level Security in the database)
- Restricted and audited administrative access
- Passwords and API keys never stored in source code
No system is 100% secure. In the event of an incident that affects your rights, we will notify the ANPD and the affected data subjects as required by the LGPD.
11. Cookies and Similar Technologies
The iOS app does not use cookies. The website nexo.wiki.br may use technical cookies essential for the functioning of the pages. We do not use tracking cookies or behavioral advertising.
12. Children and Adolescents
NEXO is aimed at students and professionals in the healthcare field. We do not direct the service to children under 13 years of age. If we identify that a user under 13 has created an account without parental consent, we will delete the data as soon as possible.
13. User Responsibilities
By using NEXO, you agree to:
- Provide truthful information when registering
- Not share your access credentials
- Not use the application for fraudulent purposes or for purposes that violate the rights of third parties
- Notify staff if you suspect unauthorized use of your account
14. Public Ranking
By participating in the ranking, your display name and profile photo are visible to other users of the application. You can opt out of the ranking in the application settings.
15. AI tools in the Backoffice
The editorial team uses artificial intelligence tools to assist in the creation of clinical cases: Gemini API (Google) for editorial research and DeepSeek API (Hangzhou DeepSeek AI) for generating clinical clues and explanations. These cases are fictional and reviewed by doctors before publication. End user data is not sent to AI APIs.
16. Changes to this Policy
We may update this Policy from time to time. Relevant changes will be communicated via the app at least 7 days in advance. Continued use of the service after this period implies acceptance of the changes.
The current version is always available at nexo.wiki.br/privacy.
17. Contact and Complaints
For questions, requests or complaints related to privacy:
- E-mail: privacy@nexo.wiki.br
If you are not satisfied with our response, you may file a complaint with the National Data Protection Authority (ANPD): www.gov.br/anpd.