How Next Bridge collects, uses, stores, and shares personal information. This document describes the operational controls in force on the platform today.
This privacy policy describes how Next Bridge collects, uses, stores, and discloses personal information from users of the demonstration platform at nextbridge.exchange. Next Bridge is a university senior project; the policy is provided to articulate the data handling that would apply if this platform were operated as a regulated exchange. The same controls are nonetheless enforced today.
The platform collects the following categories of information:
Data is collected solely to operate the platform: authenticating sessions, executing trades, maintaining wallet balances, enforcing rate limits and security policies, surfacing audit trails to the user in Settings → Security, and generating operational metrics. Personal data is not sold, rented, or shared for advertising purposes.
Account data is stored in an encrypted PostgreSQL database hosted by Supabase in the Asia-Pacific (Tokyo) region. Passwords are hashed using bcrypt with a twelve-round work factor; raw passwords are never logged or stored. Two-factor secrets are stored encrypted at rest. Application Programming Interface keys are stored as SHA-256 hashes, not raw values. Session tokens are stored as hashes; the raw refresh token exists only in the user's browser cookie.
Identity verification is implemented via Sumsub, the same provider used by Binance and Kraken. When a user initiates KYC, document images are transmitted directly to Sumsub through their embedded software development kit; Next Bridge never receives the raw image bytes. The platform stores only the verification status, the Sumsub applicant identifier, and the decision metadata Sumsub returns. Every administrative view of a document is recorded in a danger-action audit log. As a university project, users are asked not to submit real government-issued identification; use the Sumsub sandbox test documents instead.
The platform shares data with the following service providers, each under a defined operational purpose:
Users may, at any time, view their full transaction history via /transactions (with comma-separated value export), revoke individual sessions and Application Programming Interface keys in Settings, request deletion of their account through Settings → Close account, or contact the operators directly. KYC documents and their derived metadata are retained per Sumsub's policy.
The platform sets two authentication cookies on the user's browser: a short-lived (fifteen-minute) access token and a long-lived (thirty-day) refresh token, both HttpOnly, Secure, and SameSite=Lax. No third-party analytics or advertising cookies are used. The Vercel Analytics integration writes only first-party anonymous pageview counters.
The platform is not intended for users under the age of eighteen. Identity verification is required before any trading or settlement operation, and the verification provider rejects underage documents.
This policy may be updated to reflect changes to the platform's data handling. Material changes will be surfaced to logged-in users via the notification system on the platform.
For privacy-related inquiries, security disclosures, or data access requests, contact devs@nextbridge.exchange. Security-specific reports follow the disclosure path documented at /security.
Last updated: May 2026 · Nextbridge Exchange — University Senior Project · ICT 499 · AUST