How CorroNexus handles personal data.
This notice describes what personal data CorroNexus collects through this website and the engineering platform, why the practice collects it, how long it is retained, who it is shared with, and the rights available to data subjects under applicable data-protection law.
01 Who we are
CorroNexus is an independent engineering practice based in Egypt. For the purposes of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and Egypt's Personal Data Protection Law (Law No. 151 of 2020), CorroNexus is the data controller for personal data submitted through this website and the gated engineering platform. You can reach the controller at info@corronexus.com.
02 What personal data we collect
CorroNexus collects personal data in three contexts:
- (a) The public website contact form. When a visitor voluntarily submits the contact form on the homepage, the following fields are collected: name, company, email address, topic of enquiry, and the free-text message.
- (b) The gated engineering platform. When an authorised user accesses the gated platform, the following technical data is processed automatically for authentication, rate limiting, and audit purposes: the access credential submitted at sign-in, a time-bounded session token, the IP address of the request, a timestamp of the request, the tool module requested, and the user agent string reported by the browser.
- (c) Engineering inputs submitted to platform tools. When an authorised user runs a screening or assessment tool, the tool receives the engineering inputs that the user supplies. This data is treated as confidential commercial information of the user and, unless it directly contains personal data (which would be unusual in engineering-tool inputs), is handled under the Terms of Use confidentiality provisions rather than under this privacy notice.
CorroNexus does not operate cookies for tracking, advertising, behavioural analytics, or profiling. CorroNexus does not deploy third-party analytics scripts (Google Analytics, Meta Pixel, Hotjar, Mixpanel, Plausible, or similar). CorroNexus does not fingerprint visitors or attempt to identify returning anonymous users.
03 Why we collect it — lawful basis
Contact-form data is processed on the lawful basis of legitimate interest (GDPR Article 6(1)(f)) — specifically, the legitimate interest of responding to unsolicited enquiries about CorroNexus engineering services, platform access, and related professional matters. Where a subsequent engagement is entered into, personal data necessary to perform that engagement is processed on the basis of contract performance (GDPR Article 6(1)(b)).
Platform authentication and audit data is processed on the lawful bases of contract performance (Article 6(1)(b)) — required to provide the gated service requested — and legitimate interest (Article 6(1)(f)) in protecting the platform from abuse, unauthorised access, and scraping.
Enquiries and platform activity submitted through CorroNexus are not used for marketing, are not sold or rented to third parties, and are not processed for any purpose outside of the purposes stated above.
04 How long we retain it
- Contact-form submissions that do not lead to an engagement — up to 12 months from the last correspondence, then deleted.
- Contact-form submissions that lead to an engagement — duration of the engagement plus any statutory record-keeping period (typically 5–7 years under Egyptian commercial law).
- Platform authentication logs (IP, timestamp, session ID, tool accessed) — 90 days for security-audit purposes, then deleted or aggregated beyond identification.
- Platform rate-limiting counters — rolling windows of up to 24 hours; ephemeral.
- Engineering inputs submitted to platform tools — retained only for the duration of the authenticated session unless the user explicitly saves an assessment; saved assessments are retained at the user's discretion and deleted on request.
05 Who we share it with
CorroNexus uses the following third-party data processors in support of delivering the website and platform. Each is bound by the processor's own contractual commitments and, where applicable, by a data-processing agreement with CorroNexus.
- Formspree, Inc. — handles the homepage contact form; forwards submissions to CorroNexus. Data handled: contact-form data only. Location: United States. See formspree.io/legal/privacy-policy.
- Vercel Inc. — hosts the website and platform application. Data handled: all platform data in transit and at rest on application servers. Location: primarily European regions; global edge network.
- Cloudflare, Inc. — authoritative DNS for corronexus.com; email routing for info@corronexus.com. Data handled: DNS query logs (not linked to individuals); email message metadata in transit. Location: global anycast network.
- Upstash, Inc. — rate-limit counter and session-token backing store for the platform. Data handled: hashed tokens, IP-address-bound counters, timestamps. Location: Frankfurt, EU (eu-central-1).
CorroNexus does not share submitted personal data with any third party outside of the processors listed above except where required by law (for example, a valid court order or a lawful request from a regulator).
06 International transfers
Formspree, Inc. is headquartered in the United States. Contact-form submissions are therefore transferred to and stored on servers in the United States. CorroNexus relies on the processor's own contractual safeguards and, where they publish one, on their adherence to the EU–US Data Privacy Framework.
Vercel and Cloudflare operate global networks. Requests to the corronexus.com site may be routed through the nearest point of presence to the visitor.
Upstash for CorroNexus is provisioned in the Frankfurt region (EU), which is the default for European data residency.
Visitors in the European Economic Area, the United Kingdom, or other jurisdictions with cross-border-transfer restrictions are advised of these transfers before choosing to submit the contact form or to authenticate to the platform.
07 Your rights
Under the GDPR, the UK Data Protection Act 2018, Egypt's Law No. 151 of 2020, and analogous legislation, data subjects have the right to:
- Access — request a copy of the personal data held about them.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of personal data, subject to applicable exceptions.
- Restriction — limit how CorroNexus processes the data.
- Portability — receive a structured copy of the data.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — where processing is based on consent (not currently applicable to any CorroNexus processing).
- Complaint — lodge a complaint with the relevant data-protection supervisory authority.
To exercise any of these rights, email info@corronexus.com from the email address associated with the request (or provide an alternative means of verifying identity). CorroNexus aims to respond to verified requests within thirty days, as required under the GDPR.
Supervisory authorities. Complaints may be lodged with: (EEA) the data-protection supervisory authority of the visitor's country of residence — a directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en; (UK) the Information Commissioner's Office (ICO), ico.org.uk; (Egypt) the Personal Data Protection Centre under the Ministry of Communications and Information Technology, established under Law No. 151 of 2020.
08 Cookies, tracking, and fonts
This website does not set tracking cookies, does not run third-party analytics or advertising trackers, and does not fingerprint visitors.
The platform uses a small number of strictly necessary browser-storage items to deliver authenticated access: a session token stored in sessionStorage (cleared when the tab is closed), and — on the NH₄HS Verdict tool — an assessments list stored in localStorage, which contains only engineering inputs the user has saved and no personal data. Neither of these is a tracking cookie and both are removable by clearing the browser's site data for corronexus.com.
Typography fonts. Display typography on this site is served from the CorroNexus domain itself (self-hosted via Next.js build-time font optimisation); no requests are made to fonts.googleapis.com, fonts.gstatic.com, or any third-party font CDN. Visitors therefore do not have their IP address disclosed to a third-party font provider as a side effect of page load.
The only third-party network request a page load will generate is the contact-form submission to Formspree — and that request occurs only at the moment a visitor clicks Send, not on page load.
09 Security
CorroNexus applies the following technical and organisational measures to protect personal data and platform activity:
- TLS encryption on all website and platform traffic (HTTP Strict Transport Security with a two-year max-age).
- HMAC-signed session tokens with an eight-hour time-to-live for platform authentication.
- Server-side validation of every API request; client-side input is never trusted as authoritative.
- Rate limiting on authentication and tool endpoints to slow brute-force and scraping attempts.
- Source-map generation disabled in production to limit the exposure of internal code paths.
- Separation between public-website traffic and gated platform traffic.
- Access-controlled storage of correspondence and engagement records.
- Periodic rotation of platform credentials and secrets.
No security programme is absolute. CorroNexus commits to notifying affected data subjects and the relevant supervisory authority without undue delay, and in any event within 72 hours, in the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, as required under GDPR Article 33.
10 Children and minors
The CorroNexus website and engineering platform are directed at qualified engineering professionals and are not intended for, targeted to, or suitable for persons under the age of 18. CorroNexus does not knowingly collect personal data from minors. Any personal data identified as belonging to a minor will be deleted promptly on discovery or on notification.
11 Changes to this notice
This privacy notice may be revised to reflect changes in practice, law, or the services offered. Material revisions are indicated by an updated date at the top of this page and a version number. Enquirers and engagement clients are notified separately of changes that affect the processing of their specific data.
12 Contact
For any question relating to this notice or to CorroNexus's handling of personal data, please write to info@corronexus.com.
For requests exercising any of the rights set out in Section 07, please state clearly in the subject line which right is being exercised (for example, "GDPR — Access Request" or "GDPR — Erasure Request").