Privacy Policy

NEXOIC is a secure service for storing personal and shared notes. We respect your right to privacy and are committed to providing maximum security for your data.

1. Data Minimization

We intentionally avoid storing unnecessary information. During registration, you do not provide an email, phone number, or password in the traditional sense. All notes are encrypted and accessible only to you.

2. Right to Access

You can view all saved notes and activity logs directly in your personal account. We have no technical means to read your notes — they are encrypted with your key on your device.

3. Right to Erasure

You can delete your account and all associated data through the website interface. We store nothing beyond what is necessary, and recovery after deletion will not be possible.

4. What We Store

To provide our service, we store the following information:

• For user authentication: A cryptographically secure hash (generated using Argon2id) of your unique composite secret. This composite secret is derived from your username, graphical pattern, selected color, and your answer to the hint question.
• For note encryption: Your individual enc_salt (this is used alongside a global salt and your composite secret within your browser to derive the key for encrypting and decrypting your notes).
• Your encrypted notes: The content of your notes is encrypted on your device before being sent to our servers.
• Login logs: For security monitoring, we log activity such as IP addresses, browser headers (User-Agent), and timestamps of login attempts.
• Hint label: The type of hint question you selected during registration (not the answer itself).

5. What We Don't Store

• Your composite secret (derived from the graphical key, color, hint answer etc.) in its plain form.
• Traditional passwords.
• Phone number, email, or your real name (unless you voluntarily include such information within your encrypted notes, which we cannot access).
• Browse history outside of actions directly related to our service (like login attempts).

6. Encryption

All notes are encrypted on the client side (your device) using:

• AES-GCM (Advanced Encryption Standard - Galois/Counter Mode) for the note content.
• PBKDF2 (Password-Based Key Derivation Function 2) with 600,000 iterations to derive the encryption key.
• SHA-512 as the underlying hash function for PBKDF2.
• A global salt combined with your individual enc_salt and your composite secret to derive the unique encryption key for your notes.

Decryption of your notes is only possible in your browser using your unique composite secret.

7. Cookies and Sessions

The site uses secure cookies (HttpOnly, Secure, SameSite=Strict) for session management and authentication. Sessions are protected against fixation, and we monitor for suspicious activity related to IP addresses and User-Agents to help detect potential session hijacking.

8. Security and Compliance

• 🔐 All note data is encrypted on the client side before transmission.
• 🛡 Server-side authentication uses Argon2id, a modern, strong password hashing algorithm.
• 🧪 OWASP ZAP: We aim for 0 vulnerabilities (regularly tested, e.g., ZAP 2.16.1).
• 💡 A+ rating on SecurityHeaders.com (target).
• 🛡 Failed login attempts, suspected XSS, potential session spoofing, and other security-relevant events are logged.
• ⚙ Protection through robust HTTP security headers and a strict PHP configuration.
• 📦 We strive to follow best practices and standards such as those from OWASP. While we aim for high security, formal certifications like PCI DSS (not applicable as we don't process payments) or GDPR compliance would require independent audits. We are committed to GDPR principles regarding data subject rights.

The project code is written following security best practices, including strict typing, configuration validation, appropriate error handling, and protection from common web vulnerabilities like SQL injections and XSS.

9. Shared Notes

NEXOIC allows users to create public notes with unique secret links, such as:

• https://nexoic.com/bad78f3d67b8da247f2eba2250d6c958

All public links to notes are protected from bot viewing.

These notes are created voluntarily by users through the Shared Notes section of their account. The content of public notes is entirely user-generated. The NEXOIC administration does not review or moderate such content, as it is accessible only via the secret link and is not indexed or searchable.

If you discover content that violates the law or our terms of use, you may submit a formal complaint or takedown request — see contact details below.

10. Contact

If you have any questions about privacy, security, or wish to report an issue with shared notes, please contact us at [email protected].