πŸ”’ Privacy First πŸ“… Effective: July 2, 2026

Privacy Policy

Your privacy matters to us. Here's exactly what data we collect, why we collect it, and how we protect it.

TL;DR β€” In Plain English

We use a session cookie only to keep you logged in. We collect minimal data to run the service β€” your email, name, usage stats, and monthly request counts. We never sell your data to anyone. You can delete everything anytime.

1. What Data We Collect

We collect only what's necessary to provide you with a secure, functional AI assistant.

Data Type What We Collect Why
Account Info Email, Name, Profile Picture (from Google) To identify you and personalize your experience
Session Data Device info, IP address, location (city), login time To keep you logged in and show your active sessions
API Keys Nexus API keys, Groq API key (encrypted) To power the AI assistant and secure your credentials
Usage Analytics Number of requests, tokens used, models called To monitor performance and improve the service
Monthly Usage Request count per month (for limit enforcement) To enforce free‑tier limits and manage upgrades
Cookies Session cookie (HttpOnly, Secure, SameSite=Strict) To authenticate you across requests

We DO NOT collect: Browsing history, search queries, messages you send to the AI, or any content from your website.

2. Why We Collect This Data

Every piece of data serves a clear purpose β€” no hidden agendas.

Authentication

Your email and session cookie keep your account secure and accessible only to you.

Service Improvement

Usage stats help us understand how the AI is performing and where to improve.

Security

IP and device info help us detect unusual activity and keep your account safe.

API Management

Your API keys are stored encrypted so you can securely integrate AI into your websites.

Usage Limits Enforcement

Monthly request counts ensure fair usage of the free tier and enable future upgrades.

3. How We Protect Your Data

Security is baked into everything we do.

Encryption

Your Groq API key is encrypted in Firestore. Session cookies are signed and secure.

HttpOnly Cookies

Your session cookie is invisible to JavaScript β€” preventing XSS attacks.

Secure & SameSite

Cookies are only sent over HTTPS and only for same-site requests β€” blocking CSRF attacks.

Limited Access

Only core team members have access to production systems. Third parties never see your data.

4. Third-Party Services We Use

We rely on trusted partners to run the service. Each one is committed to data privacy.

Service Purpose Data Shared Privacy Policy
Firebase Authentication, Database, Hosting Email, Name, Profile Photo, UID, Session Data, Monthly Usage View β†’
Groq AI Model Inference Your messages (only when you use the AI) View β†’
Vercel Deployment & Serverless Functions IP address, Request logs (anonymous) View β†’
Cloudflare Turnstile Bot Protection (CAPTCHA) No personal data β€” only verification tokens View β†’

Important: Your Groq key is stored encrypted in Firestore and never shared with anyone β€” including us.

5. Your Privacy Rights

Under GDPR, CCPA, and similar laws, you have full control over your data.

Right to Access

You can see all your data in the Dashboard at any time.

Right to Rectify

Update your profile info anytime through Google or the Dashboard.

Right to Delete

Delete your Groq key, API keys, and revoke all sessions from the Dashboard.

Right to Portability

Request a copy of your data by emailing us (see contact below).

6. Cookie Policy

We use minimal cookies β€” just what's needed to keep you logged in.

Cookie Purpose Duration Type
nexus_session Keeps you logged in 7 days (renewed on each request) Strictly Necessary
__Secure-next-auth Vercel session management Session Strictly Necessary

No tracking cookies. We do not use Google Analytics, Facebook Pixel, or any marketing cookies. You are not being tracked.

7. How Long We Keep Your Data

We keep data only as long as needed to provide the service.

Session cookie 7 days (automatically renewed)
Account & API keys Until you delete your account or revoke the key
Usage logs (anonymized) 30 days (for debugging & improvement)
Monthly usage counters Reset each month; historical data retained for billing/limit enforcement
Session history (active sessions) Deleted when you log out or revoke the session

8. Children's Privacy

Nexus is not intended for children under 13. We do not knowingly collect personal information from children. If you are a parent and believe your child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this policy occasionally. The latest version will always be posted here with the effective date at the top. Significant changes will be notified through the Dashboard or via email.

Last updated: July 2, 2026

10. Contact Us

Have questions about privacy? Concerns about your data? We're here to help.

We respond to privacy-related inquiries within 48 hours.