N
Nexus

Privacy Policy

Last updated: February 18, 2026

Introduction

Nexus ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, store, and protect your personal information when you use our productivity platform and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy should be read in conjunction with our Terms of Service.

If you are using the Service on behalf of an organization, you acknowledge that this Privacy Policy applies to both you and the organization. The workspace owner or administrator may have additional responsibilities regarding the personal data of workspace members, as described in this policy.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, password (stored as a bcrypt hash — we never store plaintext passwords), and profile picture when you create an account.
  • OAuth Provider Data: If you sign up via Google, Apple, Microsoft, or GitHub, we receive your name, email address, and profile image from the provider. We do not receive or store your OAuth provider password.
  • Student Verification: If you register for a student plan, we collect your .edu email address and process a verification code to confirm your enrollment status.
  • Workspace Content: Documents, pages, tasks, projects, comments, discussion posts, database entries, calendar events, workflow configurations, and any other content you create within the Service.
  • Financial Data: If you use Finance features, we collect account names, institution names (not full account numbers — only masked last 4 digits), balances, transaction details (amounts, dates, categories, merchants), budget configurations, savings goals, investment holdings, crypto holdings, tax records, and business expense receipts that you voluntarily enter. We do not store bank login credentials.
  • File Uploads: Images, documents, videos, audio files, PDFs, receipts, and other files you upload. Files are stored in our cloud infrastructure with access restricted to authorized users.
  • Payment Information: When you purchase a subscription, payment is processed by Stripe, Inc. We receive your Stripe customer ID, subscription status, billing interval, and invoice history. We do not directly store your credit card number, CVC, or full billing details — Stripe handles this.
  • Communications: If you contact us for support or feedback, we collect the content of your messages, your email address, and any attachments you provide.
  • AI Inputs: When you use AI-powered features, we transmit your prompts and relevant context to third-party AI providers for processing. See Section 8 for details on AI data practices.

1.2 Information Collected Automatically

  • Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and device identifiers.
  • Usage Data: Pages visited, features used, actions taken (e.g., creating documents, completing tasks), timestamps, click patterns, and session duration.
  • Log Data: Server logs that record requests, errors, referral URLs, and other diagnostic information.
  • Cookies & Session Data: Authentication session cookies (HTTP-only, secure) managed by NextAuth.js with a maximum session duration of 7 days and token refresh every 24 hours.
  • Local Storage: Browser local storage to persist your preferences (sidebar state, theme, workspace identifiers, notification settings, and other UI state) via our state management system.
  • Real-Time Connection Data: WebSocket connection metadata for real-time collaboration features, including presence status, cursor positions, and typing indicators.

1.3 Information from Third-Party Sources

  • Calendar Providers: If you connect Google Calendar, Microsoft Outlook, or Apple Calendar, we access your calendar events, attendees, and scheduling data as needed to provide sync functionality. We store OAuth tokens and refresh tokens to maintain the connection.
  • Connected Services: If you connect integrations (Google Drive, GitHub, Slack, Microsoft 365), we access data from those services as authorized by you through their OAuth consent screens.
  • Stripe: We receive webhook notifications from Stripe about payment events, subscription status changes, and invoice updates.

1.4 Audit & Compliance Data

We maintain audit logs that record significant account and workspace events, including: authentication events, subscription changes, payment processing, permission changes, member management actions, terms acceptance (including IP address and user agent at the time of acceptance), rate limit enforcement, and system events. These logs are retained for security, compliance, and dispute resolution purposes.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Operation: To provide, maintain, and operate the Service, including storing and displaying your content, processing your tasks and calendar events, and enabling real-time collaboration.
  • Authentication & Security: To verify your identity, manage sessions, enforce rate limits, detect fraud and abuse, and protect the security of your account and our infrastructure.
  • AI Features: To process your AI requests through third-party providers and return generated content. We do not use your content to train generalized AI models (see Section 8).
  • Communications: To send you transactional emails (account verification, password resets, PIN resets, payment receipts, subscription confirmations, workspace invitations, comment and mention notifications, security alerts) and, with your consent, marketing communications.
  • Push Notifications: If you opt in, to deliver web push notifications about mentions, comments, task deadlines, and other activity within the Service.
  • Billing & Payments: To process subscriptions, add-ons, invoices, and related billing operations through Stripe.
  • Product Improvement: To analyze usage patterns (in aggregate and anonymized form) to improve features, fix bugs, and optimize performance.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests, and to enforce our Terms of Service.
  • Audit & Accountability: To maintain audit logs for security monitoring, compliance, and dispute resolution.

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We share data with third-party service providers who assist in operating the Service:

  • Supabase: Database hosting, storage, and real-time infrastructure. Your content and account data are stored on Supabase's PostgreSQL servers.
  • Stripe, Inc.: Payment processing. Stripe receives your payment method details, billing address, and transaction amounts. Governed by Stripe's Privacy Policy.
  • Resend: Transactional email delivery. Resend receives recipient email addresses and email content for delivery purposes.
  • Sentry: Error monitoring and performance tracking (if configured). Sentry may receive error logs, stack traces, and limited user context (user ID, IP address) for debugging purposes.

3.2 AI Providers

When you use AI features, your prompts and relevant context are transmitted to the configured AI provider. Supported providers include Groq, OpenAI, Anthropic, and Google AI. Each provider has its own privacy policy governing how it processes your data. We recommend reviewing their policies. We do not control and are not responsible for how third-party AI providers handle your data beyond our contractual agreements with them.

3.3 Calendar & Integration Providers

When you connect external services (Google Calendar, Microsoft Outlook, Apple Calendar, Google Drive, GitHub, Slack, Microsoft 365), data is exchanged between the Service and those providers as necessary for the integration to function. We store OAuth tokens to maintain connections.

3.4 Workspace Members

Within a shared workspace, your name, profile picture, email address, role, and presence status are visible to other workspace members. Content you create or share within a workspace is accessible to members based on the permissions configured by workspace administrators.

3.5 Public Pages

If you publish a page publicly, its content is accessible to anyone on the internet without authentication. We are not responsible for the further distribution of publicly published content.

3.6 Legal Requirements

We may disclose your information when required by law, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of the Company, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.

3.7 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

4. Cookies & Tracking Technologies

We use the following cookies and storage technologies:

TypePurposeDuration
Session cookieAuthentication (NextAuth.js JWT session)7 days (refreshes every 24h)
CSRF cookieOAuth state verification (nexus_oauth_state)Session-based
Local storageUI preferences (sidebar, theme, workspace IDs, settings)Persistent until cleared
Session storagePIN lock verification tokensBrowser session

We do not use advertising cookies, cross-site tracking, or third-party analytics cookies for advertising purposes. Our cookies are strictly functional and necessary for the Service to operate.

Third-party widgets (such as TradingView financial charts) embedded in the Service may set their own cookies according to their own privacy policies. We do not control these cookies.

5. Data Storage & Security

We implement industry-standard security measures to protect your personal information:

  • Encryption in Transit: All data is transmitted over TLS/HTTPS encrypted connections.
  • Encryption at Rest: Data stored in our database is encrypted at rest using standard PostgreSQL encryption.
  • Password Security: Passwords are hashed using bcrypt with salt before storage. We never store plaintext passwords.
  • PIN Security: PIN locks are stored as HMAC tokens using the Web Crypto API. PINs are not stored in plaintext or reversible form.
  • Row-Level Security (RLS): Database-level access controls ensure that users can only access data within their own workspace and scope.
  • Rate Limiting: API endpoints are protected by sliding-window rate limiting to prevent abuse and brute-force attacks.
  • Input Validation: All API inputs are validated using Zod schemas to prevent injection attacks and malformed data.
  • Content Sanitization: User-generated HTML content is sanitized using an allowlist-based sanitizer to prevent cross-site scripting (XSS) attacks.
  • CSRF Protection: OAuth flows use state parameters with timing-safe comparison to prevent cross-site request forgery.
  • Session Management: JWT-based sessions with automatic expiration and rotation.

While we strive to protect your information using commercially reasonable measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by law.

6. Data Retention

We retain your data as follows:

  • Account Data: Retained for as long as your account is active. Upon account deletion, personal information is deleted within 30 days except where we are required to retain it by law.
  • User Content: Retained while your account is active. Content moved to trash is retained for 30 days (configurable by workspace settings) before permanent deletion.
  • Audit Logs: Retained for a minimum of 12 months for security and compliance purposes, or longer if required by law.
  • Payment Records: Retained for a minimum of 7 years for tax and accounting compliance.
  • Terms Acceptance Records: Retained indefinitely as proof of consent.
  • Backups: Database backups may retain data for up to 90 days after deletion from the production system.
  • OAuth Tokens: Integration tokens are deleted when you disconnect an integration or delete your account.

When data is no longer needed for the purposes described in this policy or required by law, we will securely delete or anonymize it.

7. International Data Transfers

Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country of residence.

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we will ensure that transfers of your personal data to countries outside of these regions are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions as described in this policy.

8. AI Data Practices

8.1 How AI Features Process Your Data. When you use AI features (such as content generation, summarization, or workflow automation), your prompts and relevant document context are transmitted to a third-party AI provider for processing. The AI provider returns generated content which is displayed within the Service.

8.2 No Training on Your Data. We do not use your workspace content, documents, tasks, or other User Content to train, develop, or improve generalized or non-personalized artificial intelligence or machine learning models. Your data is processed solely to provide the specific AI feature you requested.

8.3 Third-Party AI Provider Practices. Third-party AI providers (including Groq, OpenAI, Anthropic, and Google AI) have their own data retention and processing policies. Some providers may temporarily retain your inputs for abuse monitoring or debugging purposes as described in their own privacy policies. We recommend reviewing the privacy policy of the AI provider configured for your workspace.

8.4 User-Provided API Keys. Workspace administrators may configure their own AI provider API keys. When a user-provided API key is used, AI requests are made directly under your provider account and are subject to your agreement with that provider.

8.5 AI Data Retention. We do not persistently store your AI prompts or outputs beyond what is necessary to display them within the Service as part of your workspace content. AI interaction metadata may be included in usage tracking for billing and rate-limiting purposes.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Right to Access: Request a copy of the personal information we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal information.
  • Right to Deletion: Request deletion of your personal information and account, subject to legal retention requirements.
  • Right to Data Portability: Export your data in a structured, machine-readable format using our workspace export feature.
  • Right to Object: Object to or restrict certain processing of your personal data.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing.
  • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.

To exercise any of these rights, please contact us at privacy@nexus.app. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: Name, email address, IP address, account ID, device identifiers
  • Commercial Information: Subscription plan, payment history, purchase records
  • Internet/Electronic Activity: Browsing history within the Service, usage data, interactions with features
  • Geolocation Data: Approximate location derived from IP address
  • Professional Information: Organization/workspace name (if provided)
  • Financial Information: Bank account names and masked numbers, transaction data, budget data (voluntarily entered by you)
  • Inferences: Derived information about usage patterns and preferences

Your California Rights

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Limit Sensitive Personal Information: You may request we limit use of sensitive personal information to what is necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, contact us at privacy@nexus.app. You may also designate an authorized agent to make requests on your behalf. We may verify your identity before fulfilling any request.

11. Additional U.S. State Privacy Rights

Residents of states with comprehensive privacy laws — including Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia — may have additional rights similar to those described in Section 10, including the right to access, correct, delete, and opt out of certain processing.

To exercise these rights, contact us at privacy@nexus.app. If we deny your request, you may have the right to appeal. We will provide instructions for the appeal process in our response.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, the following additional provisions apply:

Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contractual Necessity: Processing necessary to perform our contract with you (providing the Service, processing payments, managing your account).
  • Legitimate Interests: Processing necessary for our legitimate interests (security, fraud prevention, product improvement, analytics), provided these interests are not overridden by your fundamental rights.
  • Consent: Processing based on your explicit consent (marketing emails, push notifications, optional integrations). You may withdraw consent at any time.
  • Legal Obligation: Processing necessary to comply with our legal obligations (tax records, audit logs, responding to lawful requests).

Your GDPR Rights

In addition to the rights in Section 9, you have the right to:

  • Request restriction of processing of your personal data
  • Object to processing based on legitimate interests
  • Receive your personal data in a structured, commonly used, machine-readable format (data portability)
  • Lodge a complaint with your local data protection authority (supervisory authority)

Data Controller / Data Processor

For individual users, we act as the data controller for your personal data. When a workspace is operated by an organization, the organization acts as the data controller for data within that workspace, and we act as a data processor on their behalf. In such cases, the organization is responsible for ensuring an appropriate legal basis for processing within their workspace.

13. Third-Party Services

The Service integrates with or links to third-party services. Each has its own privacy practices:

  • Authentication: Google, Apple, Microsoft (for OAuth sign-in)
  • Calendar Sync: Google Calendar, Microsoft Outlook, Apple Calendar (CalDAV)
  • Integrations: Google Drive, GitHub, Slack, Microsoft 365
  • Payments: Stripe, Inc.
  • Email: Resend
  • AI Providers: Groq, OpenAI, Anthropic, Google AI
  • Error Monitoring: Sentry (if configured)
  • Widgets: TradingView (financial charts)
  • Database/Hosting: Supabase

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies before connecting them to your account.

14. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we become aware that we have inadvertently collected personal information from a child without verifiable parental consent, we will take steps to delete that information as soon as possible. If you believe a child has provided us with personal information, please contact us at privacy@nexus.app.

15. Email Communications

We may send you the following types of email communications:

  • Transactional Emails (cannot be unsubscribed): Account verification, password resets, PIN resets, security alerts, payment receipts, subscription changes, and critical service notifications.
  • Activity Emails (configurable): Comment notifications, mention notifications, workspace invitations, page update notifications, discussion post notifications, and task assignment notifications.
  • Digest Emails (opt-in): Periodic summaries of workspace activity.
  • Announcement Emails (opt-in): Product updates, new feature announcements, and company news.

You can manage your email preferences in Settings > Notifications. You may unsubscribe from non-essential emails at any time. We will always send transactional emails necessary for the operation and security of your account.

16. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no uniform standard for how DNT signals should be interpreted, the Service does not currently respond to DNT signals. However, as described in this policy, we do not engage in cross-site tracking or use tracking cookies for advertising purposes.

17. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice by: (a) posting the revised policy with a new "Last Updated" date; (b) sending a notification through the Service; or (c) emailing you at your registered email address.

Your continued use of the Service after the effective date of any modifications constitutes your acceptance of the revised Privacy Policy. If you do not agree to the updated policy, please stop using the Service and contact us to delete your account.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (supervisory authority).