Key points
- We collect account, Guest, event, content, device, purchase, security, and moderation data needed to provide and protect Nysus.
- Event content is visible to the Host and authorised participants and is processed by contracted infrastructure and moderation providers.
- We do not sell personal data or use event media for cross-context behavioural advertising.
- Retention depends on the event tier; deleting a Guest identity anonymises the profile but normally leaves contributions in the Host's album.
- You may request access, correction, deletion, portability, or other rights available where you live.
1. Scope and controller
The controller is Daniel Tiago Fischer (an individual), based in Candelária, Rio Grande do Sul, Brazil, who operates Nysus and determines how and why personal data is processed for platform operation, Host accounts, Guest sessions, security, billing records, moderation, and legal compliance. Contact the privacy team at danieltgfischer@gmail.com.
A Host independently decides the purpose of an event, whom to invite, and how to use or export event media. Depending on the context and applicable law, a Host may have separate privacy responsibilities. Requests about an event may require coordination with its Host.
2. Personal data we collect
We may collect the following categories:
- Host account data: name, email, authentication provider identifiers, account status, and settings.
- Guest identity data: display name, optional avatar, event membership, device-bound Guest identifier and session token, anonymous-posting choice, and connected Apple or Google identity status and identifiers.
- Event and content data: event name, description, date, cover, invitation and participation records, photos, videos, stories, captions, comments, reactions, chat and direct messages, reports, and content metadata.
- Media metadata: file type, size, dimensions, duration, upload time, thumbnails, encryption metadata, moderation status, and retention information. We do not use facial recognition to identify people in event media.
- Device, network, and usage data: IP address, user agent, operating system, language, app version, request and security identifiers, timestamps, feature interactions, diagnostics, and abuse-prevention events.
- Purchase data: event tier, product and transaction identifiers, entitlement, price/currency metadata supplied by the store or purchase provider, and renewal status. Nysus does not receive full payment-card details.
- Moderation and support data: automated safety scores, sampled video frames, blur hashes, reports, appeal or support communications, and enforcement history.
3. Sources of data
We receive data directly from you, from Hosts and other participants, automatically from your device and use of the Service, and from providers such as Apple, Google, app stores, Supabase, Cloudflare, Superwall, and moderation providers.
Other participants may upload images, videos, messages, or reports that contain information about you. Contact the Host or danieltgfischer@gmail.com if you believe event content about you was shared without authority.
4. Purposes and legal bases
We process personal data to provide and authenticate the Service; create and operate events; store and display content; enable comments, reactions, chat, and direct messages; process event purchases; apply event-tier rules; provide support; communicate service notices; secure systems; prevent fraud and abuse; moderate prohibited content; enforce the Terms; comply with law; and establish or defend legal claims.
Where the LGPD or GDPR applies, legal bases may include performance of a contract or pre-contractual steps, compliance with legal obligations, legitimate interests in operating and securing the Service and protecting users, consent where legally required, and the exercise of rights in legal proceedings. We assess and balance legitimate interests against affected rights.
Where processing depends on consent, consent may be withdrawn through the available controls or by contacting us. Withdrawal does not invalidate earlier lawful processing and may make a requested feature unavailable.
5. Event visibility and sharing
The Host and authorised Guests can see content and identity information made available within their event. The Host may download or export media when the tier permits. Participants may take screenshots or redistribute content outside Nysus, which we cannot fully control.
Events are not indexed as public social profiles by design, but a valid event code, QR code, or session can provide access. Do not treat an invitation as a guarantee of confidentiality and share access only with trusted people.
6. Automated and AI-assisted moderation
To protect participants, photos, sampled video frames, messages, event information, and reports may be screened on-device and by automated or AI-assisted systems. Processing may generate safety scores or categories and may reject, blur, hold, or restrict content. A Host or authorised reviewer may also make moderation decisions.
Automated moderation can produce false positives or false negatives. Use reporting or support channels to contest an action. We do not use moderation analysis to identify faces or create advertising profiles. Providers processing content for moderation receive only what is reasonably needed for that function and act under their service terms and contractual safeguards.
7. How we disclose personal data
We disclose data as needed to:
- Hosts and authorised participants in the relevant event.
- Supabase for database, authentication, and related backend services.
- Cloudflare for object storage, edge delivery, network security, and backend processing.
- OpenAI or other configured moderation providers for safety analysis of relevant content.
- Superwall, Apple App Store, and Google Play for paywalls, transactions, and entitlement management.
- Apple and Google when you choose their authentication or social connection services.
- Professional advisers, auditors, insurers, and authorities where necessary to comply with law, protect safety and rights, investigate abuse, or handle claims.
- A successor in a merger, financing, reorganisation, or sale, subject to appropriate confidentiality and notice obligations.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising, and event media is not used to target third-party advertising.
8. International transfers
Nysus and its providers may process data in Brazil, the United States, the European Economic Area, and other countries where they operate. Privacy protections may differ from those in your country.
Where required, we use recognised transfer mechanisms and safeguards, such as adequacy decisions, contractual clauses, or other mechanisms permitted by the LGPD, GDPR, or applicable law.
9. Retention
We retain data only as long as reasonably needed for the purposes described, the event tier, legal requirements, security, dispute resolution, and enforcement. Current product settings retain Free compressed media for up to 7 days, paid compressed media for up to 365 days, Celebration original photos for up to 30 days, and Big Event original photos for up to 60 days. Original videos are not retained as originals. A paid renewal may extend compressed media, but not an expired original-photo window.
A deleted used event may remain in a recoverable trash state for up to 30 days before purge. Backups, security events, transaction records, reports, and limited audit records may remain longer where reasonably necessary or legally required. Actual deletion may take time to propagate through backups and provider systems.
Hosts are responsible for downloading media before an event's expiration. Content removed for a violation may be retained in restricted form where needed to investigate abuse, prevent repeat violations, comply with law, or protect legal rights.
10. Account and identity deletion
Host account deletion is designed to remove the Host profile, events owned by that Host, and associated event content from active systems, subject to a recoverable event-trash period where applicable and limited legal, security, transaction, and backup retention.
Guest identity deletion removes connected social identities and anonymises associated Guest profiles across events. Event contributions normally remain under the Host's control and are attributed to a removed or anonymous Guest until their own deletion or expiration. This distinction is necessary to preserve the shared album and conversation integrity, but it does not override a deletion or objection right that applicable law requires us to honour after considering the rights of others.
You may also ask the Host to remove specific event media. Contact danieltgfischer@gmail.com if the Host cannot be reached or if the request concerns legal or safety rights.
11. Your privacy rights
Depending on your location, you may request confirmation of processing, access, correction, deletion or anonymisation, restriction, objection, portability, information about sharing, withdrawal of consent, and review of certain automated decisions. You may also complain to a data-protection authority, including Brazil's ANPD or the authority where you live.
Send requests to danieltgfischer@gmail.com. Describe your role, event, and request. We may verify identity and authority, coordinate with the Host, and apply legal exceptions. We will respond within applicable deadlines and will not discriminate against you for exercising a right.
12. U.S. state privacy disclosures
This section applies only where required by applicable U.S. state law. Where a U.S. state privacy law applies to Nysus, residents may have rights to know, access, correct, delete, or obtain a copy of personal data, and to opt out of certain sale, sharing, targeted advertising, or profiling. Nysus does not sell personal data or use event data for targeted advertising.
You may exercise applicable rights at danieltgfischer@gmail.com and appeal a refusal by replying to our decision. These disclosures do not state that every U.S. state law applies to Nysus in every circumstance.
13. Children's privacy
Nysus is not directed to anyone under 18, and they must not create an account or use an identity. We do not knowingly collect personal data directly from a user under 18. If we learn that a user is under 18, we will take appropriate steps to restrict access and delete the data.
Photos and videos uploaded by adults may depict children. The uploader and Host must have the permissions required to process and share that media. Parents or guardians may contact danieltgfischer@gmail.com about a child's image or data. Additional consent-age rules, including those in the EEA, UK, and Brazil, apply where relevant.
14. Security
We use technical and organisational safeguards appropriate to the Service, including TLS in transit, encryption of event media before storage using event and media keys, signed storage URLs, token-based Guest sessions, access controls, rate limits, request nonces, monitoring, moderation, and restricted administrative access.
Media encryption is not a promise of end-to-end encryption: authorised Service components must be able to manage keys and process content to deliver, moderate, and export it. No system is completely secure. Protect invitations and devices, use trusted networks, and report suspected incidents to danieltgfischer@gmail.com.
If a security incident occurs that may create a relevant risk or harm to data subjects, we will notify the competent authority (such as Brazil's ANPD) and affected individuals within the time limits and under the conditions required by applicable law.
15. Device storage and permissions
The app uses local storage and similar technologies to keep sessions, preferences, viewed-story state, and temporary media. The website uses only hosting and browser technologies needed to deliver these pages unless additional features are introduced and disclosed. We do not use advertising cookies or third-party tracking on this website.
Camera, microphone, and photo-library permissions are requested through your device when needed for a feature. You can manage permissions in device settings, though disabling one may prevent the related feature from working.
16. Changes and contact
We may update this Policy to reflect product, provider, or legal changes. We will update the date above and provide additional notice for material changes where required.
For privacy questions, requests, complaints, or other legal notices, email danieltgfischer@gmail.com. You may also contact the competent privacy authority in your jurisdiction.