Privacy Policy

The protection of your personal data is important to us. We process your data strictly in accordance with applicable data protection law, in particular the General Data Protection Regulation (GDPR), and with this privacy policy.

Last updated: April 2026

1. Data controller

MPOWR IT GmbH
Enderstr. 94
01277 Dresden
Germany

Trade Register: HRB 43777
Registry Court: Amtsgericht Dresden
VAT ID: DE359347772

Email: privacy@mpowr.it

MPOWR IT GmbH is the data controller within the meaning of Art. 4 (7) GDPR for all personal data processed in connection with mpowr nexus. The person responsible for data protection matters is Patrick Paechnatz. For data protection inquiries, contact us at the email address above. We will respond within the statutory timeframe (one month, extendable by two further months for complex requests).

2. Hosting and content delivery

mpowr nexus is hosted by Netlify, Inc., 2325 3rd Street, Suite 215, San Francisco, CA 94107, United States.

When you access the platform, Netlify automatically processes the following data as part of standard server operations:

  • Your IP address (anonymised after a short period)
  • Browser type, version, and operating system
  • Referrer URL (the page you visited before)
  • Date and time of the request
  • HTTP status code and data volume transferred

This data is technically necessary to deliver the service, ensure its availability, and maintain its security. It is not used for profiling or advertising.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in secure and efficient platform operation). Netlify processes data under Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Netlify's privacy policy: netlify.com/privacy

Web font delivery

mpowr nexus uses the Switzer typeface, loaded from Fontshare (api.fontshare.com). When you load a page, your browser makes a request to Fontshare to retrieve font files. Fontshare receives your IP address and standard HTTP headers as part of this request. Fontshare's privacy policy: fontshare.com/privacy

3. Authentication and user accounts

Authentication is handled by Supabase (Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992). Supabase provides our PostgreSQL database, authentication service, and row-level security enforcement. Our Supabase project is hosted in the AWS EU region (eu-central-1, Frankfurt).

mpowr nexus uses GitHub OAuth as its authentication method:

  • GitHub OAuth — when you sign in via GitHub, we receive your GitHub username, public email address, avatar URL, and display name from GitHub's OAuth API. We store only the minimum necessary data in your user profile. We do not access your repositories, organisations, or any private GitHub data beyond what you explicitly authorise during the OAuth flow. We request only the read:user and user:email scopes.

Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract — provision of the authenticated service you requested).

Supabase privacy policy: supabase.com/privacy

4. Data we store about you

When you create an account and use mpowr nexus, we store the following data in our Supabase database:

Data | Purpose | Legal basis
Email address, display name, avatar URL | Account identification, collaboration UI | Art. 6(1)(b) GDPR
Project memberships and roles | Access control and collaboration | Art. 6(1)(b) GDPR
Session entries and knowledge items | Project memory and audit trail | Art. 6(1)(b) GDPR
Architectural decisions (ADRs) | Governance workflow | Art. 6(1)(b) GDPR
Vault letter messages | Agent and human coordination | Art. 6(1)(b) GDPR
API key metadata | Delegated agent access | Art. 6(1)(b) GDPR
Audit events | Security and operational logging | Art. 6(1)(f) GDPR

5. Transactional email

We send transactional emails via Resend (Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, United States).

Emails are sent only in direct response to actions you take on the platform or system events related to your account. We send no marketing emails, newsletters, or unsolicited communications. The following transactional messages may be sent:

  • Welcome email on first login
  • Project invitation notifications
  • Vault letter delivery notifications
  • API key expiry warnings

Resend receives your email address solely for delivery of these service-critical messages. Resend acts as a data processor under a data processing agreement.

Legal basis: Art. 6 (1) lit. b GDPR (contract performance). Resend processes data under Standard Contractual Clauses. Resend privacy policy: resend.com/privacy

6. GitHub OAuth integration

Authentication via GitHub OAuth is handled by Supabase acting as an intermediary. We request only the minimum necessary scopes (read:user, user:email). We do not access your repositories, organisations, issues, pull requests, or any private GitHub data.

GitHub's privacy policy applies to the OAuth authorisation step: GitHub General Privacy Statement

You can revoke mpowr nexus's GitHub OAuth access at any time in your GitHub account under Settings → Applications → Authorized OAuth Apps. Revoking GitHub access does not delete your mpowr nexus account.

7. Cookies and session data

mpowr nexus uses strictly necessary cookies for authentication and security. With your consent, we also set analytics cookies to understand how the platform is used and where to improve it. No advertising cookies are used.

Cookie | Purpose | Lifetime | Type
sb-*-auth-token | Supabase session JWT — maintains authenticated session | 1 hour (auto-refreshed) | Strictly necessary
nexus_consent | Stores your cookie consent preferences (Klaro) | 180 days | Strictly necessary
_ga | Google Analytics — distinguishes unique visitors | 2 years | Analytics (opt-in)
_ga_* | Google Analytics 4 — session and engagement data | 2 years | Analytics (opt-in)

Session cookies (sb-*-auth-token) are httpOnly and secure — inaccessible to JavaScript and transmitted only over HTTPS. Analytics cookies are only set after you grant consent in the cookie banner and can be withdrawn at any time via the “Privacy settings” link in the footer.

Legal basis: Art. 6 (1) lit. b GDPR for strictly necessary cookies. Art. 6 (1) lit. a GDPR (consent) for analytics cookies.

8. Document storage

Documents uploaded to mpowr nexus are stored in Amazon S3 (Amazon Web Services, Inc.) in the EU region (eu-central-1, Frankfurt). Files are served through Amazon CloudFront for content delivery.

Uploaded documents are scoped to projects and subject to the same access control as other project data. Only authenticated users with appropriate project permissions can access uploaded documents.

Legal basis: Art. 6 (1) lit. b GDPR (contract performance). AWS processes data under Standard Contractual Clauses per Art. 46 GDPR.

9. Data retention

We retain personal data only for as long as is necessary for the purposes described in this policy, or as required by law:

  • Account data — retained for the lifetime of your account
  • Project data (sessions, decisions, letters) — retained while the project is active; may be anonymised rather than deleted to preserve audit trail integrity
  • Audit events — retained for up to 2 years for security purposes
  • Transactional email logs (Resend) — as per Resend's data retention policy
  • Server logs (Netlify) — as per Netlify's data retention policy

Upon account deletion, personal identifiers are removed. Anonymised project data may be retained to maintain the integrity of shared project histories.

10. Your rights under the GDPR

You have the following rights with respect to your personal data:

Article | Right | What you may request
Art. 15 | Right of access | You may request confirmation of whether we process your personal data and obtain a copy.
Art. 16 | Right to rectification | You may request correction of inaccurate data or completion of incomplete data.
Art. 17 | Right to erasure | You may request deletion of your personal data where the legal basis no longer applies.
Art. 18 | Right to restriction | You may request that we restrict processing of your data in certain circumstances.
Art. 20 | Right to data portability | You may request your data in a structured, machine-readable format.
Art. 21 | Right to object | You may object to processing based on legitimate interest (Art. 6(1)(f)) at any time.
Art. 7(3) | Right to withdraw consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of past processing.

To exercise any of these rights, contact us at privacy@mpowr.it. We will respond within one calendar month.

11. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data violates the GDPR. The competent supervisory authority for Saxony, Germany is:

Sächsischer Datenschutzbeauftragter (SächsDSB)
Devrientstraße 5
01067 Dresden
Germany
www.datenschutz.sachsen.de

12. SSL / TLS encryption

All communication with mpowr nexus is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred). HTTP requests are automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enforced. Certificates are provisioned and renewed automatically by Netlify.

13. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred to third countries, we ensure appropriate safeguards are in place:

  • Netlify (USA) — Standard Contractual Clauses (SCCs) per Art. 46 GDPR
  • Supabase (Singapore/EU) — project hosted in AWS eu-central-1 (Frankfurt); Supabase Inc. is subject to SCCs
  • Resend (USA) — Standard Contractual Clauses per Art. 46 GDPR
  • AWS (EU) — S3 and CloudFront in eu-central-1; SCCs per Art. 46 GDPR

14. Updates to this policy

This privacy policy may be updated as the platform evolves or as legal requirements change. The date at the top of this page reflects the most recent revision. We will notify registered users via email of material changes where reasonably practicable.