Privacy Policy
Last updated: February 11, 2026
1. Introduction
Organic Intelligence Labs ("Company", "we", "us", "our") operates the Nexus platform ("the Service"). This Privacy Policy describes how we collect, use, share, and protect personal information when you use our Service.
By using the Service, you consent to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and password (hashed). If you sign up via Google OAuth, we receive your name, email address, and profile picture from Google.
2.2 Workspace Content
We store the content you create within the Service, including tasks, pages, databases, comments, file attachments, and workspace configurations. This content is necessary to provide the Service and is stored securely on our infrastructure.
2.3 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, actions taken, timestamps, and performance metrics. This data helps us improve the Service and diagnose issues.
2.4 Device and Technical Information
We collect device information such as your browser type and version, operating system, screen resolution, IP address, approximate geographic location (derived from IP address), and referring URLs.
2.5 AI Interaction Data
When you use AI features, we process the prompts you send and the workspace context included in those requests. AI queries and responses may be logged for quality assurance and abuse prevention, but are not used to train AI models.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process and manage your account and subscriptions
- Process AI queries by sending relevant workspace context to third-party AI providers
- Send you service-related communications, such as account notifications, security alerts, and billing updates
- Analyze usage patterns to improve the Service, fix bugs, and develop new features
- Detect, prevent, and address fraud, abuse, security issues, and technical problems
- Comply with legal obligations and enforce our Terms
- Provide customer support and respond to your inquiries
We do not sell your personal data to third parties. We do not use your workspace content for advertising purposes.
4. Data Sharing and Disclosure
We may share your information with the following parties:
4.1 Service Providers
- AI Processing (Anthropic): Workspace content is sent to Anthropic's Claude API to power AI features. Data is processed under Anthropic's data processing terms and is not used for model training.
- Payment Processing (Stripe): Billing information is processed by Stripe. We do not store complete credit card numbers on our servers.
- Cloud Infrastructure (Vercel, Railway, Neon): The Service is hosted on cloud infrastructure providers that process your data as part of providing their hosting services.
- Email Delivery (Resend): We use Resend to send transactional emails such as notifications, invitations, and password resets.
- Analytics and Monitoring (PostHog, Sentry, Axiom): We use these tools for usage analytics, error tracking, and log management.
4.2 Legal Requirements
We may disclose your information when required to do so by law, in response to valid legal process (such as a subpoena, court order, or government request), or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your information.
5. Data Retention
5.1. We retain your account data for as long as your account is active or as needed to provide the Service.
5.2. When you delete content (tasks, pages, etc.), it is moved to trash and retained for 30 days before permanent deletion.
5.3. When you delete your account, we retain your data for 30 days to allow for account recovery, after which all personal data is permanently deleted.
5.4. We may retain aggregated, anonymized data that cannot identify you, and we may keep it indefinitely for analytical purposes.
5.5. Backup copies of data may persist for up to 90 days in our backup systems before being overwritten.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Right to Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format (JSON, CSV, or Markdown).
- Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
- Right to Object: Object to the processing of your data for certain purposes, including direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@nexus.app. We will respond to your request within 30 days.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
- Preference Cookies: Store your settings such as theme preference, sidebar state, and language. These enhance your experience.
- Analytics Cookies: Help us understand how the Service is used. We use PostHog for privacy-focused analytics. You can opt out of analytics cookies through your account settings.
We do not use advertising cookies or third-party tracking for ad targeting. You can control cookie preferences through your browser settings, though disabling essential cookies may prevent you from using the Service.
8. Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption in transit using TLS 1.3
- Encryption at rest using AES-256
- Password hashing using bcrypt with 12 salt rounds
- HIBP (Have I Been Pwned) breach checking during password creation
- Rate limiting and brute-force protection on authentication endpoints
- Regular security audits and dependency vulnerability scanning
- Role-based access control at workspace, project, and resource levels
- Secure session management with JSON Web Tokens (JWTs)
Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
9. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe that we may have collected information from a child under 16, please contact us at privacy@nexus.app.
10. International Data Transfers
Your data may be transferred to and processed in countries other than the country in which you reside. Our primary data processing occurs in the United States. When we transfer data internationally, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- Assessment of the legal framework in the receiving country
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that transfers comply with applicable data protection regulations, including the GDPR and UK GDPR.
11. GDPR and Regional Compliance
For users in the EEA, UK, or Switzerland, we process personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service you subscribed to.
- Legitimate Interests: Processing for analytics, security, and service improvement, balanced against your privacy rights.
- Consent: Processing based on your explicit consent, such as optional analytics cookies.
- Legal Obligation: Processing required to comply with applicable laws.
For California residents, we comply with the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect, request its deletion, and opt out of any data sales (we do not sell personal data).
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes that affect your rights
- Displaying an in-app notification for 30 days after the change
Your continued use of the Service after any changes constitutes acceptance of the updated policy.
13. Contact Information
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
- Data Protection Officer: dpo@nexus.app
- Privacy inquiries: privacy@nexus.app
- Address: Organic Intelligence Labs, 251 Little Falls Drive, Wilmington, DE 19808, United States
For users in the EEA, you may also lodge a complaint with your local data protection authority.