BlueNexus – Global Privacy Policy

BlueNexus Tech Pty Ltd (“BlueNexus,” “we,” “us,” or “our”) provides privacy-first infrastructure that enables individuals and developers to control data routing, encrypted compute, and permissions. This Privacy Policy describes how we collect, use, disclose, protect, and transfer Personal Information in accordance with the Australian Privacy Act 1988 (Cth), GDPR and UK GDPR, U.S. state privacy laws, and other applicable privacy regulations.

This Policy applies to:

• Visitors to BlueNexus websites and documentation
• Users of BlueNexus applications
• Developers and Builders integrating the BlueNexus Platform
• End Users interacting with applications that use BlueNexus
• Individuals creating Sovereign BlueNexus Accounts

Processing conducted by BlueNexus as a Data Processor is governed by the BlueNexus Data Processing Agreement (“DPA”). Developers are responsible for providing notices, obtaining consents, and establishing a lawful basis for Developer Application Data.

1. Definitions

BlueNexus Platform / Services

The BlueNexus infrastructure, APIs, SDKs, confidential compute environments (Trusted Execution Environments or “TEEs”), routing and storage layers, authentication modules, and related features.

Personal Information / Personal Data

Information relating to an identified or identifiable individual, as defined by GDPR, UK GDPR, the Australian Privacy Act, CPRA/CCPA, and other relevant laws.

Sovereign BlueNexus Account

An End User–controlled, non-custodial account where data stored in the “Sovereign Vault” is encrypted with keys controlled exclusively by the User.

Sovereign Vault

A secure, user-controlled storage and compute environment bound to a Sovereign Account. BlueNexus cannot access or decrypt data stored or processed inside a Sovereign Vault.

Developer-Managed Account

A custodial account controlled by the Developer, where the Developer is the Data Controller and BlueNexus acts as a Data Processor.

Developer / Builder

Any entity integrating or using the BlueNexus Platform.

End User

Any individual interacting with a Developer application or BlueNexus interfaces.

Trusted Execution Environment (TEE)

A hardware-backed confidential compute environment providing encrypted-in-use processing, memory isolation, remote attestation, and protections against operator or host access.

Developer Application Data

Data submitted to BlueNexus through a Developer integration, including user-generated content, files, sensor/health data, or outputs from other services.

Subprocessor

A third-party service provider engaged by BlueNexus to support platform functionality.

2. Roles and Responsibilities

2.1 Sovereign Vault Data

Data stored or processed within a Sovereign Vault is encrypted and controlled exclusively by the End User. BlueNexus does not determine the purposes or means of processing and therefore does not act as a Controller or Processor under GDPR, UK GDPR, the Australian Privacy Act, or U.S. state privacy laws for Sovereign Vault content.

To support usability and secure access, BlueNexus uses a trusted third-party authentication provider to manage identity verification and cryptographic key-release workflows. These mechanisms allow users to authenticate using familiar methods (such as social login or email-based authentication) without requiring users to create, store, or manually manage cryptographic keys.

Neither BlueNexus nor the authentication provider can access decrypted Sovereign Vault content or override user permissions. Key release occurs only following successful user authentication and according to the policies configured by the User.

End Users are responsible for:

• Managing the data they store in their Sovereign Vault
• Setting and adjusting permissions for applications or developers that request access
• Selecting regions and compute modes (TEE or non-TEE)
• Maintaining control of their authentication credentials (e.g., email, passkeys, or social login accounts)
• Complying with legal requirements if they store or process personal data about other individuals

The authentication provider facilitates secure login and key-release, but Users remain the sole party controlling when and how data is accessed or processed.

BlueNexus has no practical ability to view, modify, or decrypt Sovereign Vault content.

2.2 Developer-Managed Accounts & Developer Application Data

For Developer Application Data:

• The Developer is the Controller
• BlueNexus is the Processor
• Processing is performed strictly per Developer instructions under the DPA

Developer Application Data is typically processed inside TEEs or other encrypted compute pathways. BlueNexus never accesses decrypted data.

2.3 BlueNexus as Controller

BlueNexus acts as Controller for:

• Website analytics and operational telemetry
• Authentication and account metadata
• Security logs and fraud detection
• Billing and financial records
• Customer support records

No special category data is processed by BlueNexus as Controller.

3. Privacy Principles

• User sovereignty: Users control permissions, routing, and access.
• Data minimisation: Only minimal operational metadata is collected.
• Security by design: Encryption, isolation, and confidential compute.
• Purpose limitation: Process only for legitimate, disclosed purposes.
• Zero-access compute: No access to decrypted TEE data at any time.
• Transparency: Clear explanation of data flows and roles.

4. Information We Collect

4.1 Account & Identity Data

For Sovereign and Developer-Managed Accounts:

• Email address
• Authentication metadata
• Public keys
• Session metadata
• Optional recovery details

BlueNexus does not ingest or intercept Developer Application Data unless the Developer submits it for compute.

4.2 Operational Metadata & Logs

Collected solely for:

• routing and compute orchestration
• debugging and performance optimisation
• fraud detection
• security integrity monitoring
• billing accuracy

BlueNexus does not log:

• content processed within TEEs
• decrypted user content
• LLM prompts, responses, or intermediate states

Operational logs contain no decrypted application data.

4.3 Developer Application Data

Submitted by Developers to execute compute or routing functions, including:

• user-generated content
• structured/unstructured files
• EMR/HMR or health-related data
• wearable or sensor data
• outputs from external APIs or LLMs

Processed strictly as instructed and typically inside TEEs. BlueNexus personnel cannot view or decrypt this data.

4.4 Website Analytics

We use privacy-preserving analytics without:

• cross-site tracking
• fingerprinting
• advertising cookies
• sale or sharing of analytics data

5. Personal Information

BlueNexus uses Personal Information to:

• authenticate and manage accounts
• provide compute, routing, and infrastructure services
• execute Developer or User instructions
• maintain platform security and detect fraud
• provide customer support
• process payments and billing
• comply with legal obligations
• ensure continuity, reliability, and integrity of the platform

We do not, without explicit consent from the End User:

• train BlueNexus AI models on Personal Data
• sell or share Personal Information for advertising
• inspect or access TEE content

6. Data Sovereignty Models

6.1 Sovereign Accounts

Users control:

• authorization
• permissions
• region selection
• routing
• data storage and deletion
• key management
• compute modes (TEE or non-TEE)

BlueNexus enforces User-selected settings and does not override them.

6.2 Developer-Managed Accounts

Developers control all aspects of processing and must provide notices and obtain consents. BlueNexus processes data solely for Developer-requested operations.

7. Processing Locations & International Transfers

Processing may occur in:

• Australia
• European Union / UK regions
• United States
• Regions selected by Users or Developers

BlueNexus never expands routing or region settings beyond what Users or Developers select.

Where legally required, BlueNexus uses:

• EU Standard Contractual Clauses (SCCs), Modules 2 and 3
• UK Addendum
• Additional technical measures (TEE processing, encryption at rest, encryption in transit, hardware identity protection)
• Zero-access designs supporting EDPB Recommendations 01/2020

8. Sharing with Third Parties

We share only the minimum necessary data with:

• TEE infrastructure providers
• Compute partners
• Developer-selected LLMs or third-party APIs
• Payment processors
• Security vendors
• Support tooling providers

Subprocessors are listed in Annex E.

BlueNexus cannot share decrypted TEE content because it is technically inaccessible.

9. Legal Bases for Processing (GDPR / UK GDPR)

BlueNexus acts as Controller under:

• Contract (Art. 6(1)(b)) — authentication, account access, support
• Legitimate Interests (Art. 6(1)(f)) — security logs, performance
• Legal Obligation (Art. 6(1)(c)) — regulatory compliance
• Consent (Art. 6(1)(a)) — optional contact interactions

Developers determine lawful basis for Developer Application Data. Special category data is processed only when Developers supply an Article 9 basis.

Details are provided in Annex A.

10. Your Rights

Depending on jurisdiction, you may have rights to:

• access your data
• correct it
• delete it
• port it
• restrict processing
• object to processing
• withdraw consent
• opt out of certain uses under U.S. state laws
• appeal decisions

Sovereign Users

Exercise rights directly through their Sovereign Vault settings.

Developer-Managed Users

Must contact the Developer (Controller). BlueNexus will support Developer compliance under the DPA.

Contacting BlueNexus

Email: legal@bluenexus.ai

Response timelines follow GDPR and U.S. state laws (1 month / 45 days).

11. Data Retention

BlueNexus retains data only as long as needed for stated purposes.

Authentication & Account Data

Deleted within 30 days after account closure unless legally required.

Operational & Security Logs

Retained 30–90 days.

Billing & Financial Records

Retained 7 years.

Support Communications

Retained 24 months.

Developer Application Data

Not retained beyond the compute operation unless instructed by the Developer.

Sovereign Vault Data

Retention fully controlled by the User.

Backups

Rolling 30-day overwrites.

12. Security

BlueNexus implements extensive technical and organisational controls, including:

• encryption at rest, in transit, and in use
• TEEs for confidential compute
• hardware identity protection
• remote attestation
• zero-trust networking
• least-privilege RBAC
• continuous monitoring
• penetration testing
• secure development lifecycle

If acting as Processor, BlueNexus will notify Controllers without undue delay of a personal data breach. If acting as Controller, we notify Users under applicable laws.

13. Children’s Privacy

We do not knowingly allow Sovereign Accounts for:

• children under 13 (U.S. COPPA)
• children under 16 (EU/UK default)
• children under 15 (Australia, depending on processing)

Developers must comply with COPPA, GDPR-K, APA, and other laws when processing children’s data.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to Users and Developers.

15. Contact Information

Email: legal@bluenexus.ai
Website: https://www.bluenexus.ai

CCPA/CPRA Annex with Statutory Category Mapping

Notice at Collection – Statutory Category Mapping

CPRA Required Statements

• No sale or sharing of PI
• No use of SPI beyond essential service purposes
• Support for GPC signals
• Right to Limit SPI (not applicable because SPI is not used beyond essential service purposes)
• Non-discrimination statement

Annex A — GDPR & UK GDPR Compliance Annex

This Annex supplements the Global Privacy Policy for processing subject to the EU General Data Protection Regulation (GDPR) and UK GDPR.

1. Data Controller and Data Processor Roles

• For Sovereign Account data, the End User is the Controller.
• For Developer Application Data, the Developer is the Controller and BlueNexus is the Processor.
• For website usage, security logs, fraud detection, billing, and account management, BlueNexus is the Controller.

BlueNexus does not become a joint controller unless the parties jointly determine purposes and means, in which case a Joint Controller Addendum may apply.

2. Lawful Bases for Processing (Article 6)

When BlueNexus acts as Controller

BlueNexus does not process special category data as Controller.

When BlueNexus is a Processor

• Developers must define the lawful basis.
• BlueNexus processes only as instructed under Article 28.

3. Special Category Data (Articles 9 & 10)

• BlueNexus does not determine any lawful basis for such data.
• When Developers route health, biometric, EMR/HMR, or other sensitive data, they must supply an Article 9 basis.
• BlueNexus processes such data only in encrypted form or within TEEs.

4. Data Subject Rights (Articles 12–23)

Rights include:

• Access
• Rectification
• Erasure
• Restriction
• Objection
• Portability
• Withdraw consent
• Lodge complaint with supervisory authority

For Sovereign users: rights exercised directly in the user-controlled vault.

For Developer-Managed Accounts: users contact the Developer. BlueNexus assists Controllers as required under Article 28(3)(e).

5. International Transfers (Chapter V)

BlueNexus uses:

• SCC Module 2 (Controller → Processor)
• SCC Module 3 (Processor → Processor)
• UK Addendum for UK transfers

Supplementary Measures

• Encryption-at-rest
• Encryption-in-transit
• Encrypted-in-use processing via TEEs
• Hardware isolation and attestation
• Strict role-based access controls
• Zero-access architecture (no reading TEE memory)

These measures comply with EDPB Recommendations 01/2020.

6. Processor Commitments (Article 28)

BlueNexus shall:

• Process data only on documented instructions
• Maintain confidentiality
• Implement security (Art. 32)
• Assist with rights requests and DPIAs
• Return or delete data at end of processing
• Provide subprocessors only with Controller authorisation
• Maintain records of processing (Art. 30)

7. EU/UK Supervisory Authority Contacts

• EU Lead Supervisory Authority: Determined by the Controller
• UK ICO: www.ico.org.uk

Annex B — CCPA / CPRA Annex (including statutory category mapping)

This Annex supplements the Privacy Policy for California residents under the CCPA/CPRA.

1. Statutory “Notice at Collection”

Personal Information Categories We Collect

2. Required CPRA Statements

No Sale or Sharing

BlueNexus does not sell or share personal information for cross-context behavioural advertising.

Sensitive Personal Information

SPI may be processed only for essential service purposes, including secure routing, authentication, and encrypted compute.

GPC Support

BlueNexus honours Global Privacy Control (GPC) signals for website interactions.

Right to Limit Use of SPI

Not applicable because SPI is not used for non-essential purposes.

Non-Discrimination

BlueNexus does not discriminate against users for exercising privacy rights.

3. California Consumer Rights

Rights include:

• Right to Know
• Right to Delete
• Right to Correct
• Right to Opt-Out of Selling/Sharing (not applicable, but mechanism available)
• Right to Limit SPI (not applicable)
• Right to Data Portability
• Right to Non-Discrimination

4. Appeals Process

For denied requests, users may submit an appeal by emailing legal@bluenexus.ai.

Annex C — Australian Privacy Act (APA) Annex

This Annex supplements the Privacy Policy to outline compliance with the Australian Privacy Principles (APPs).

1. Management of Personal Information (APP 1)

BlueNexus maintains internal policies, staff training, governance frameworks, and security controls to handle Personal Information responsibly.

2. Anonymity & Pseudonymity (APP 2)

Users may access public website content anonymously but must identify themselves to create accounts.

3. Collection of Solicited Personal Information (APP 3)

BlueNexus collects only what is necessary for providing the Platform or fulfilling legal obligations.

4. Dealing with Unsolicited Personal Information (APP 4)

If unsolicited Personal Information is received and not required, it will be securely deleted.

5. Notification (APP 5)

BlueNexus provides clear notice at or before collection, including:

• identity and contact information
• purposes of collection
• consequences if information is not provided
• usual disclosures
• cross-border transfers

6. Use & Disclosure (APP 6)

Personal Information is only used or disclosed for:

• the primary purpose
• related (or directly related, for sensitive information) secondary purposes
• legal requirements
• user consent

7. Direct Marketing (APP 7)

BlueNexus does not use Personal Information for direct marketing without consent.

8. Cross-Border Disclosures (APP 8)

BlueNexus takes reasonable steps to ensure overseas recipients (e.g., compute providers) protect information comparably.

9. Integrity & Security (APP 10–11)

BlueNexus employs encryption, TEEs, RBAC, monitoring, and secured development lifecycle processes to protect data.

10. Access & Correction (APP 12–13)

Users may access or correct Personal Information by contacting BlueNexus. Sovereign users operate independently through their vault.

Annex D — U.S. State Privacy Laws (VCDPA, CPA, CTDPA, UCPA) Annex

This Annex supplements the Policy for residents of Virginia, Colorado, Connecticut, Utah, and other similar states.

1. Rights Provided

Residents have rights to:

• Access
• Correction
• Deletion
• Portability

And to opt-out of:

• targeted advertising
• sale of data
• profiling that produces legal effects

BlueNexus does not engage in targeted advertising or sales.

2. Sensitive Data

Where Developers route sensitive data (health, biometric, children’s data), they must obtain affirmative consent.

3. Appeals Process

Denied requests may be appealed via email: legal@bluenexus.ai. A written decision will be provided within the statutory period (e.g., 60 days under VCDPA).

4. Duties of Processors (Virginia, Colorado, Connecticut)

BlueNexus shall:

• Follow Controller instructions
• Assist with rights requests
• Implement appropriate safeguards
• Enable audits
• Disclose subprocessors

These obligations are implemented via the DPA.

ANNEX E — SUBPROCESSOR ANNEX

BlueNexus engages the following Subprocessors to support operation of the BlueNexus Platform and related Services. These Subprocessors may process Personal Information on behalf of Developers and End Users in accordance with the BlueNexus Data Processing Agreement (DPA) and this Privacy Policy.

BlueNexus conducts due diligence on all Subprocessors, enters into data protection agreements with them, and implements appropriate contractual and technical safeguards. BlueNexus may update this list from time to time. Where required by the DPA or Applicable Data Protection Laws, BlueNexus will provide notice of material changes and give Developers an opportunity to object.

For clarity, only third parties that process Personal Information on behalf of BlueNexus in order to provide the BlueNexus Platform and Services (where BlueNexus acts as a Processor) are treated as Subprocessors for the purposes of this Annex.