--- title: Platform Privacy Policy description: How the NEXUS platform collects, processes, and protects your personal data. canonical: https://hour-timebank.ie/platform/privacy generated: 2026-05-14T11:58:38.883Z ---# Platform Privacy Policy How Project NEXUS handles data at the platform infrastructure level Effective 1 March 2026 Project NEXUS Platform ## Platform Provider Notice This document governs the relationship between you and Project NEXUS (the platform provider). It is separate from any terms established by Timebank Ireland (your community operator). View Timebank Ireland's legal documents ## Contents ## 1Introduction This Platform Privacy Policy explains how **Project NEXUS** , operated by Jasper Ford (the "Platform Provider"), collects, uses, stores, and protects personal data at the **platform infrastructure level** . It applies to all users who access services delivered through the Project NEXUS platform. This policy covers only the data processing that occurs at the platform infrastructure layer — server logs, error monitoring, security events, and similar operational data. It does **not** govern how your Community Operator collects or uses your personal data within their community. Your Community Operator (the organisation that runs your timebank or community) maintains their own privacy policy, which covers community-level data such as your profile information, messages, exchanges, and other content you create within the community. You should review your Community Operator's privacy policy for details on how they handle your data. If you have questions about this Platform Privacy Policy, you can reach us through [project-nexus.ie](https://project-nexus.ie) . ## 2Data Controller vs Data Processor Under the General Data Protection Regulation (GDPR), different parties bear different responsibilities depending on their role in data processing. Within the Project NEXUS ecosystem, responsibilities are divided as follows: **Community Member Data** — For personal data that community members provide within a community (profiles, messages, exchange records, and similar content), the Platform acts as a **Data Processor** . The Community Operator who runs your timebank or community is the **Data Controller** . This means your Community Operator determines the purposes and means of processing your personal data, while the Platform processes it only on their behalf and in accordance with their instructions. **Platform Infrastructure Data** — For data generated by the platform infrastructure itself (server logs, error reports, performance metrics, and security event records), the Platform Provider (Jasper Ford) is the **Data Controller** . This data is collected to ensure the security, stability, and proper functioning of the platform. Community Operators are independently responsible for their own GDPR compliance, including maintaining a lawful basis for processing, publishing their own privacy policies, and responding to data subject requests concerning community-level data. The Platform does not make decisions about how community-level personal data is used — those decisions rest with the Community Operator. ## 3Data We Collect at Platform Level At the platform infrastructure level, we collect and process the following categories of data: - Server access logs — IP addresses, timestamps, HTTP request methods and URLs, response status codes, and referrer headers. These logs are essential for security monitoring, abuse prevention, and diagnosing technical issues. - Error reports via Sentry — When errors occur, our error tracking service (Sentry) captures stack traces, browser information, operating system details, and anonymised user context. This data helps us identify and resolve bugs quickly. - Performance monitoring metrics — Response times, server resource utilisation, and application performance indicators. These metrics are used in aggregate to maintain platform reliability. - Aggregate usage analytics — We collect aggregate, non-identifying usage statistics (such as total page views or feature adoption rates) to improve the platform. We do not perform individual user tracking at the platform level. - Security event logs — Records of rate-limiting actions, failed authentication attempts, suspicious request patterns, and other security-relevant events. These logs are critical for protecting the platform and its users from malicious activity. **Note:** Member profile data, messages, time credit exchanges, group memberships, event registrations, and other community-level content are processed by the Platform on behalf of your Community Operator. The collection and use of that data is governed by your Community Operator's privacy policy, not this document. ## 4Legal Basis for Processing We process platform-level personal data under the following legal bases as defined by the GDPR: - Legitimate interests (Article 6(1)(f) GDPR) — We have a legitimate interest in maintaining the security, stability, and integrity of the platform. This includes monitoring for and preventing abuse, detecting security threats, diagnosing errors, and ensuring the platform performs reliably for all users and Community Operators. We have assessed that these interests are not overridden by the rights and freedoms of data subjects, given the limited scope and operational nature of the data processed. - Contract performance (Article 6(1)(b) GDPR) — Processing is necessary for the provision of platform infrastructure services to Community Operators and, by extension, to the members of those communities. Without this processing, we would be unable to deliver the platform services. - Legal obligation (Article 6(1)(c) GDPR) — In certain circumstances, we may be required to process or retain data to comply with applicable laws, regulations, or lawful requests from law enforcement authorities. ## 5Data Sharing We share platform-level data with the following third-party service providers, each of which is necessary for the operation, security, or reliability of the platform: - Sentry (Functional Software Inc.) — Error tracking and application monitoring. Sentry receives error reports, stack traces, and anonymised user context to help us diagnose and fix issues. Data is stored in Sentry's EU data region. - Cloudflare Inc. — Content delivery network (CDN), distributed denial of service (DDoS) protection, web application firewall (WAF), and SSL/TLS termination. Cloudflare processes request metadata (IP addresses, headers, URLs) to protect the platform from malicious traffic. - Pusher Ltd. — Real-time WebSocket communications. Pusher facilitates instant messaging, notifications, and live updates within the platform. Connection metadata is processed to maintain real-time channels. - Microsoft Azure — Cloud hosting infrastructure. All primary platform services are hosted on Microsoft Azure within the EU region. Azure provides the compute, storage, and networking resources on which the platform operates. We do **not** sell personal data to third parties. We will never monetise user data through advertising, data brokerage, or any other commercial arrangement. Data may be disclosed to third parties if we are required to do so by law, regulation, or valid legal process, or if disclosure is reasonably necessary to protect the rights, property, or safety of the Platform Provider, Community Operators, users, or the public. ## 6International Data Transfers Our primary hosting infrastructure is located in the **EU region** on Microsoft Azure. We make every effort to keep personal data within the European Economic Area (EEA). However, some of our sub-processors may process limited data outside the EU. In particular: - Cloudflare operates a global network of data centres. While traffic is typically routed to the nearest point of presence, request metadata may be processed in non-EU locations as part of Cloudflare's security and CDN services. - Pusher may process WebSocket connection data in data centres outside the EU to ensure low-latency real-time communications. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V. These safeguards include the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions where applicable, or other recognised transfer mechanisms. We regularly review the data protection practices of our sub-processors to ensure continued compliance. ## 7Data Retention We retain platform-level data only for as long as necessary to fulfil the purposes described in this policy. Specific retention periods are as follows: - Server access logs: 90 days. After this period, logs are permanently deleted. - Sentry error reports: 90 days. Error data is automatically purged by Sentry after this retention window. - Security event logs: 12 months. A longer retention period is necessary to support security investigations and identify patterns of abuse over time. - Performance metrics: 30 days. These metrics are aggregated and contain no personally identifiable information. - Community member data: Retained for as long as the Community is active on the platform. Upon community closure or deactivation, data is handled in accordance with the Community Operator's instructions and any applicable data processing agreement. When retention periods expire, data is securely deleted or irreversibly anonymised. We do not retain data longer than necessary for the stated purposes. ## 8Your Rights Under GDPR Under the General Data Protection Regulation, you have the following rights in relation to your personal data: - Right of access (Article 15) — You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the processing. - Right to rectification (Article 16) — You have the right to request correction of inaccurate personal data and to have incomplete data completed. - Right to erasure (Article 17) — You have the right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected. - Right to restriction of processing (Article 18) — You have the right to request that processing of your personal data be restricted in certain situations, for example while the accuracy of the data is being verified. - Right to data portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. - Right to object (Article 21) — You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. **For platform-level data** (server logs, error reports, security events): Contact the Platform Provider (see the Contact section below) to exercise your rights. **For community-level data** (your profile, messages, exchanges, and other content within your community): Contact your Community Operator directly. As Data Controller, they are responsible for handling your data subject requests. You also have the right to lodge a complaint with a supervisory authority. The relevant authority for the Platform Provider is the Data Protection Commission (Ireland), or you may contact the supervisory authority in the EU Member State of your habitual residence or place of work. ## 9Security Measures We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: - Encryption in transit — All data transmitted between users, the platform, and third-party services is protected by SSL/TLS encryption. HTTPS is enforced across all platform domains. - Web Application Firewall and DDoS protection — Cloudflare's WAF and DDoS mitigation services protect the platform from malicious traffic, injection attacks, and volumetric attacks. - Database encryption at rest — Databases storing personal data are encrypted at rest using industry-standard encryption algorithms. - Access controls and least privilege — Access to production systems, databases, and infrastructure is strictly limited to authorised personnel and follows the principle of least privilege. - Security monitoring and vulnerability assessment — We conduct regular security monitoring, review access logs, and assess the platform for vulnerabilities. Error tracking via Sentry enables rapid detection and response to application-level issues. - Rate limiting on sensitive endpoints — Authentication endpoints, API routes, and other sensitive operations are protected by rate limiting to prevent brute force attacks and abuse. - Multi-tenant data isolation — The platform enforces strict data isolation between communities (tenants). Each community's data is logically separated so that one community cannot access another community's data. While we take security seriously and implement robust protections, no system is entirely immune to risk. We continuously review and improve our security measures in response to evolving threats. ## 10Contact If you have questions about this Platform Privacy Policy or wish to exercise your rights regarding platform-level data, you can reach the Platform Provider through the following channels: - Platform Provider: Jasper Ford - Website: project-nexus.ie For privacy queries specific to your community — such as questions about how your profile data, messages, or exchange records are handled — please contact your Community Operator directly. As the Data Controller for community-level data, they are best placed to assist you. If you are not satisfied with our response, or if you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the relevant supervisory authority: - Data Protection Commission (Ireland)21 Fitzwilliam Square South, Dublin 2, D02 RD28, Irelandwww.dataprotection.ie You may also contact the supervisory authority in the EU Member State of your habitual residence or place of work if different from Ireland. ## Related Platform Documents Platform Terms of Service Platform Disclaimer ## Questions About This Document? If you have questions about this platform-level document, contact the Project NEXUS team. For questions about your community's policies, contact Timebank Ireland directly. Project NEXUS Website Contact Timebank Ireland