Privacy Policy
Last updated · June 1, 2026
This page explains what nSpace collects, why, and what you can do about it. We have tried to write it the way we would explain it to a friend.
Who we are
nSpace is a consumer app made by NextTry, a small Hong Kong-based team. nSpace is where you share Moments with the few people who matter and join small-group Spaces. You can reach us anytime at hakest@nexttryhk.com. This Privacy Policy applies to the nSpace app at hknexttry.com/nspace.
What we collect
- Account: your email, name, optional avatar (from Google or your own upload), a hashed password (we use bcrypt with 12 rounds; your real password never reaches our database), the sign-in method you used, and your sign-up date.
- Profile: avatar color, mission text (up to 500 characters), topics you think about, what you are open to, and your share code.
- Activity: moments you post (with photos and tags), reactions, comments, friend connections (pending and accepted), meetups (proposed and confirmed), and 1-on-1 messages.
- Analytics events: an append-only log of meaningful actions (signup, moment created, connection accepted, meetup proposed, message sent, and so on) with your user ID, action type, contextual JSON, and a truncated SHA-256 hash of your IP address. We do not store raw IPs.
- Billing (when enabled): Stripe customer ID and current subscription status. Card numbers and full payment details are handled entirely by Stripe. We never see them.
Why we collect it (lawful basis)
For most of what we collect, the lawful basis is contract. We need this data to give you the service you signed up for. For analytics events, the basis is our legitimate interest in understanding how the product is used, and we keep them de-identifiable. We never store raw IPs, and you can delete your account entirely. For optional things like uploading a custom avatar, the basis is your consent, which you can withdraw any time by removing it.
Who can see what
Moments are visible only to people you have accepted as connections. Direct messages are visible only to you and the friend you are messaging. Your name, share code, and avatar are visible to anyone who has the code. You choose who to give it to. There is no public search by name. Connections happen by sharing your code in person, by message, or however else you choose.
Where your data lives
- Database: Supabase (managed Postgres), Singapore region.
- File storage: Supabase Storage. Avatars and moment photos sit at unguessable URLs in public-read buckets.
- Email: Resend for transactional email (sign-in, password reset, account events, meetup reminders).
- Sign-in: NextAuth sessions in encrypted HttpOnly + SameSite=Lax + Secure cookies. Google sign-in is optional and uses Google’s OAuth flow.
- Hosting: Vercel.
- Payments (when enabled): Stripe.
These subprocessors may store or process data outside Hong Kong (typically Singapore, the EU, or the US). Each one operates under its own privacy policy, linked above.
How we use email
We send email only when it serves you. Transactional email (sign-in, password reset, account events) goes out the moment it is needed. We also send a friendly meetup reminder if you and a connected friend have chatted but have not met up in a while, with a link to propose something. You can opt out at any time by emailing us. We never sell your email or send marketing on behalf of a third party.
How long we keep things
- Account data: kept while your account exists. When you delete your account, it is removed across all related tables and storage buckets.
- Deleted moments: soft-deleted for 30 days, then permanently purged. This lets us help you recover accidental deletes.
- Analytics events: kept for up to 24 months, then purged. They are also removed when your account is deleted.
- Backups: Supabase keeps automated backups following its own retention policy. Your deletion request will be honored, but backups may take longer to age out.
What we don't do
- We do not sell, rent, or share your data with advertisers.
- We do not use third-party tracking cookies that follow you across the web.
- We do not read or analyze your messages for ad targeting or profiling.
- We do not train AI models on your content.
Cookies
We use first-party cookies for sign-in sessions and CSRF protection only. They are HttpOnly (not readable by JavaScript), SameSite=Lax (CSRF protection), and Secure in production (HTTPS only). No third-party trackers, no advertising cookies. For the full breakdown see our Cookie Policy.
How we keep things safe
- Passwords hashed with bcrypt (12 rounds).
- Row Level Security (RLS) enabled on every nSpace table.
- Rate limits on writes (messages, moments, friend requests, meetups).
- HttpOnly + SameSite=Lax + Secure cookies.
- TLS encryption in transit. Database encryption at rest by Supabase.
- Server-side input validation with Zod, parameterised queries via Supabase.
- Friends-only visibility enforced server-side, not just in the UI.
Your rights
You can do these from Settings in the app at any time:
- Access: download a JSON export of everything we have about you.
- Correct: edit your profile, your mission, your topics, your avatar. Edit a moment within 15 minutes of posting.
- Delete: delete a moment any time (soft-deleted for 30 days, then purged). Delete your entire account, which cascades through every related table and removes your storage objects.
- Withdraw consent: sign out, or delete your account.
If you are in the EU or UK, GDPR rights apply (access, rectification, erasure, restriction, portability, objection). If you are in California, CCPA rights apply (know, delete, opt-out, non-discrimination). If you are in Hong Kong, your rights under the Personal Data (Privacy) Ordinance (PDPO) apply, including the right to access and correct your data, and the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD).
Changes to this policy
We will let you know about meaningful changes through an in-app notice and an email at least 30 days before they take effect. Minor edits (typos, clarifications) may go live without notice. The “Last updated” date at the top will always reflect the current version.
Children and age
You must be at least 16 years old to use NextTry. If you are between 16 and 18, you may use it only with the permission of a parent or guardian. We do not knowingly collect personal information from anyone under 16. If we learn that we have, we delete it. If you are a parent or guardian and believe your child has given us information, contact us at hakest@nexttryhk.com.
Contact
Questions about your data? Email us at hakest@nexttryhk.com. We read everything.
© 2026 NextTry. All rights reserved.