Nextbridge← Back to home
Legal

Privacy Policy

How Next Bridge collects, uses, stores, and shares personal information. This document describes the operational controls in force on the platform today.

1. Scope and applicability

This privacy policy describes how Next Bridge collects, uses, stores, and discloses personal information from users of the demonstration platform at nextbridge.exchange. Next Bridge is a university senior project; the policy is provided to articulate the data handling that would apply if this platform were operated as a regulated exchange. The same controls are nonetheless enforced today.

2. Information we collect

The platform collects the following categories of information:

  • Account data — email address, hashed password, two-factor authentication state.
  • Identity verification data — government identification document images and selfie images, processed through Sumsub. See section 5.
  • Activity data — trade history, peer-to-peer trade chat messages, deposit and withdrawal records, notification preferences, price-alert configuration.
  • Technical data — Internet Protocol address, user-agent string, and session timestamps for security auditing.
  • Optional data — Telegram chat identifier (only if the user binds a Telegram account), Application Programming Interface key labels (set by the user when creating keys).
3. Purposes

Data is collected solely to operate the platform: authenticating sessions, executing trades, maintaining wallet balances, enforcing rate limits and security policies, surfacing audit trails to the user in Settings → Security, and generating operational metrics. Personal data is not sold, rented, or shared for advertising purposes.

4. How data is stored

Account data is stored in an encrypted PostgreSQL database hosted by Supabase in the Asia-Pacific (Tokyo) region. Passwords are hashed using bcrypt with a twelve-round work factor; raw passwords are never logged or stored. Two-factor secrets are stored encrypted at rest. Application Programming Interface keys are stored as SHA-256 hashes, not raw values. Session tokens are stored as hashes; the raw refresh token exists only in the user's browser cookie.

5. Identity verification (KYC) data

Identity verification is implemented via Sumsub, the same provider used by Binance and Kraken. When a user initiates KYC, document images are transmitted directly to Sumsub through their embedded software development kit; Next Bridge never receives the raw image bytes. The platform stores only the verification status, the Sumsub applicant identifier, and the decision metadata Sumsub returns. Every administrative view of a document is recorded in a danger-action audit log. As a university project, users are asked not to submit real government-issued identification; use the Sumsub sandbox test documents instead.

6. Disclosures to third parties

The platform shares data with the following service providers, each under a defined operational purpose:

  • Supabase — primary database hosting.
  • Vercel — application hosting, function execution, log retention.
  • Cloudflare — edge-layer identity verification for administrative routes.
  • Sumsub — identity verification provider.
  • Resend — transactional email delivery (account verification, password reset, admin invites).
  • Sentry — error reporting.
  • Upstash — Redis instance for rate limiting and ephemeral state.
  • Helius and Ankr — blockchain remote-procedure-call providers for on-chain receipt verification.
  • Anthropic — the assistant's underlying language model. Chat content is sent to Anthropic at request time; see the assistant disclosure.
7. User rights

Users may, at any time, view their full transaction history via /transactions (with comma-separated value export), revoke individual sessions and Application Programming Interface keys in Settings, request deletion of their account through Settings → Close account, or contact the operators directly. KYC documents and their derived metadata are retained per Sumsub's policy.

8. Cookies and local storage

The platform sets two authentication cookies on the user's browser: a short-lived (fifteen-minute) access token and a long-lived (thirty-day) refresh token, both HttpOnly, Secure, and SameSite=Lax. No third-party analytics or advertising cookies are used. The Vercel Analytics integration writes only first-party anonymous pageview counters.

9. Children

The platform is not intended for users under the age of eighteen. Identity verification is required before any trading or settlement operation, and the verification provider rejects underage documents.

10. Changes to this policy

This policy may be updated to reflect changes to the platform's data handling. Material changes will be surfaced to logged-in users via the notification system on the platform.

11. Contact

For privacy-related inquiries, security disclosures, or data access requests, contact devs@nextbridge.exchange. Security-specific reports follow the disclosure path documented at /security.

Last updated: May 2026 · Nextbridge Exchange — University Senior Project · ICT 499 · AUST