This page explains what data Nexalix Guard collects, why, and what control you have over it. Guard is an anti-sybil scoring API operated by Nexalix Labs.
1. Who we are
Nexalix Labs (sole operator) develops and runs Nexalix Guard. Founder & data controller: Vladislav Rahmanov. Contact: legal@nexalix.io.
2. What we collect
From the marketing site (guard.nexalix.io):
- Standard server access logs (IP, user-agent, referrer, timestamp). Retained 30 days.
- Email and message body if you contact us via
hello@nexalix.ioor other listed addresses. - Form submissions (waitlist, pilot interest) — only what you type.
From the API (during pilot):
- Telegram
tg_user_id,init_data, optionalwallet_address, optionalipanduser_agentas supplied by your backend. - Derived signals (Telegram account age, device fingerprint hashes, on-chain graph data).
- Score requests/responses — minimum needed for billing, abuse prevention, and model improvement.
3. Why we collect it
- Score users — the core service the API exists for.
- Improve the model — accuracy improvements benefit all clients via shared graph (see § 5 on aggregation).
- Operate the site — serve pages, prevent abuse.
- Reply to you — when you write in.
We do not sell data. We do not run ad-targeting pixels.
4. Legal basis (GDPR)
Site traffic — legitimate interest in operating a secure website. API processing — performance of the contract between Nexalix Labs and the merchant whose API key is used; the end-user is a data subject for which the merchant is the joint controller per their own privacy notice.
5. Sharing & processors
We use a small audited set of vendors:
- Hosting — Timeweb (RU), our nginx origin server.
- Email — Google Workspace (US/EU).
- Source & CI — GitHub (US).
- Telegram Bot API — used to verify
init_datahashes and read public profile fields. - TON public RPC / TON Center API — read-only on-chain data.
Cross-merchant graph: signals derived from one merchant's traffic are used in aggregate to flag known farm clusters across all merchants. We do not share raw merchant traffic with other merchants — only binary "this entity is a known sybil" verdicts via the API response.
6. Retention
- Server access logs — 30 days.
- Score request logs — 90 days for active accounts; aggregated/hashed beyond that.
- Email correspondence — kept while the conversation is relevant or as required for legal/accounting reasons (max 5 years).
7. Your rights
Wherever you live, you can ask us to:
- Access the data we hold about you.
- Correct inaccuracies.
- Delete your data (subject to lawful retention requirements).
- Object to or restrict processing.
- Port your data in a machine-readable format.
- Withdraw consent at any time, without affecting prior lawful processing.
To exercise any right, email legal@nexalix.io. We respond within 30 days.
8. Security
- TLS 1.2+ for all traffic in transit.
- Encryption at rest for databases and backups.
- Least-privilege access controls and audit logs.
- Pilot API keys can be rotated or revoked at any time.
No system is perfectly secure. If you discover a vulnerability, please disclose responsibly to security@nexalix.io.
9. Cookies
The marketing site does not set tracking cookies. Strictly necessary cookies may be used for security and form handling. The pilot dashboard, when launched, will use a session cookie required for authentication.
10. Changes
We may update this policy as the product evolves. Material changes are timestamped above and announced in the dashboard for active customers. The git history of this page is public.
11. Contact
Privacy questions: legal@nexalix.io.
General contact: hello@nexalix.io.
Security disclosure: security@nexalix.io.