Privacy Policy
1. Controller
Nicholas George Stockhammer
Dom-Pedro-Str. 18
80637 München (Munich), Germany
Email: hello@nexusintel.app
(hereinafter "we", "us", or "controller")
2. Data Protection Officer
A Data Protection Officer (DPO) has not been appointed. Appointment is not required under Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act) because:
- fewer than 20 persons are regularly engaged in the automated processing of personal data (§ 38(1) BDSG),
- no large-scale regular and systematic monitoring of data subjects takes place (Art. 37(1)(b) GDPR),
- no large-scale processing of special categories of personal data occurs (Art. 37(1)(c) GDPR).
For data protection inquiries, please contact: hello@nexusintel.app
3. Overview of Processing Activities
| Processing Purpose | Legal Basis | Data Categories | Retention |
|---|---|---|---|
| Website provision | Art. 6(1)(f) GDPR (legitimate interest) | IP address, HTTP request data | 30 days (server logs) |
| User account & authentication | Art. 6(1)(b) GDPR (contract performance) | Email, name, profile metadata | Duration of account + 30 days |
| Google OAuth sign-in | Art. 6(1)(a) GDPR (consent) | Email, name, profile picture URL, Google account ID | Duration of account |
| Task & planning data | Art. 6(1)(b) GDPR (contract performance) | Task titles, plans, notes | Duration of account |
| AI planning assistant | Art. 6(1)(b) GDPR (contract) + (a) (consent per interaction) | User prompts, AI outputs | No retention by Anthropic (zero-retention API); internally: duration of account |
| Payment processing | Art. 6(1)(b) GDPR (contract) + (c) (legal obligation) | Email, billing address, payment method (last 4 digits), subscription status | Payment records: 6–10 years (§ 147 AO); subscription: duration + 30 days |
| Transactional emails | Art. 6(1)(b) GDPR (contract performance) | Email address, email content | Delivery logs: 30 days; content: transient |
| DNS & CDN (security) | Art. 6(1)(f) GDPR (legitimate interest) | IP address, request metadata | Up to 72 hours |
4. Website Provision and Server Log Files
4.1 Hosting (Vercel)
Our website is hosted by Vercel Inc., San Francisco, CA, USA. Each time you access our website, Vercel automatically collects:
- IP address of the requesting device
- Date and time of access
- Requested URL and referrer URL
- Browser and operating system (User-Agent)
- Amount of data transferred
- HTTP status code
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in the secure and error-free provision of the website and protection against attacks.
Retention: Server logs are deleted after 30 days.
Third-country transfer: Vercel is based in the USA. Data transfer is based on the EU–US Data Privacy Framework (adequacy decision, Commission Implementing Decision (EU) 2023/1795) and Standard Contractual Clauses (SCC, Module 2: Controller → Processor) per Vercel's DPA.
4.2 DNS & CDN (Cloudflare)
We use Cloudflare Inc., San Francisco, CA, USA, as our DNS provider and content delivery network (CDN). Cloudflare processes:
- IP addresses
- HTTP request metadata (headers, URL paths, TLS version)
- DNS queries
Cloudflare does not have access to application-layer data (form content, user data, etc.).
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security, performance, and availability.
Retention: DNS/CDN logs: up to 72 hours.
Third-country transfer: EU–US Data Privacy Framework + SCC per Cloudflare's DPA.
5. User Account and Authentication
5.1 Email Registration (Supabase)
When registering a user account, we process:
- Email address
- Hashed password (plaintext is not stored)
- Display name
- Profile metadata
This data is stored in a Supabase database (Supabase Inc., San Francisco, CA, USA; project region: eu-central-1, Frankfurt am Main, Germany).
Legal basis: Art. 6(1)(b) GDPR — contract performance (provision of user account).
Retention: Duration of user account + 30 days after deletion. Authentication logs: 90 days.
Third-country transfer: Primary data is processed in the EU (Frankfurt). Supabase as a US entity: SCC in the DPA as safeguard.
5.2 Google OAuth Sign-In
You may optionally register or sign in via "Sign in with Google" (Google OAuth 2.0). Google transmits the following data to us:
- Email address
- Display name
- Profile picture URL
- Google account ID (sub claim)
Google is not a processor of NEXUS Labs. Google authenticates the user under Google's own privacy policy and then sends the listed data to NEXUS via token. NEXUS does not transmit any user data back to Google. This is a federated-identity relationship, not a controller–processor relationship.
Legal basis: Art. 6(1)(a) GDPR — consent. Consent is given by the user's active selection of the Google sign-in option.
Withdrawal: You may disconnect Google in your account settings at any time. Previously transmitted data remains in your NEXUS profile until you delete your account.
Google Privacy Policy: https://policies.google.com/privacy
6. Task and Planning Data
When you create tasks, plans, notes, or other content in NEXUS, we process that data to provide the service.
Data processed: Task titles, descriptions, due dates, planning summaries, notes, user preferences.
Legal basis: Art. 6(1)(b) GDPR — contract performance.
Retention: Duration of user account. Upon account deletion, data is deleted within 30 days.
Storage location: Supabase database, region eu-central-1 (Frankfurt), Germany.
7. AI Planning Assistant (Anthropic)
NEXUS offers AI-powered planning features (planning assistant, research assistant, context-aware suggestions). These features use the API of Anthropic PBC, San Francisco, CA, USA.
7.1 Data Processed
- Inputs: User-submitted prompts (may contain task titles, plan descriptions, free-text queries)
- Outputs: Model-generated responses (suggestions, plans, summaries)
7.2 Anthropic's Data Processing
Anthropic does not retain API inputs or outputs for model training on the paid API tier (zero-retention policy per Anthropic API Terms, §4). Abuse-monitoring logs may be retained for up to 30 days.
7.3 Legal Basis
Art. 6(1)(b) GDPR — contract performance. AI features are an integral part of the booked subscription. Each AI processing operation is actively triggered by the user submitting a prompt; without this user input, no AI processing occurs.
7.4 Automated Decision-Making
The AI features in NEXUS serve an assistive and recommendatory function, not automated individual decision-making within the meaning of Art. 22 GDPR. No user is subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them. The user always decides independently whether to adopt AI suggestions.
Third-country transfer: Anthropic is based in the USA. EU–US Data Privacy Framework + SCC per Anthropic's DPA.
8. Payment Processing (Stripe)
For payment processing, we use Stripe Inc., San Francisco, CA, USA.
8.1 Data Processed
- Email address
- Billing name and address
- Payment method (card number: last 4 digits only; expiry date)
- Subscription status (plan, billing period, renewal date)
- Invoice history and payment transactions
8.2 Legal Basis
- Art. 6(1)(b) GDPR — contract performance (payment processing for subscription)
- Art. 6(1)(c) GDPR — compliance with legal obligation (tax and commercial record-keeping requirements)
8.3 Retention
- Payment records: 6–10 years per § 147 AO (German Fiscal Code) and § 257 HGB (German Commercial Code)
- Subscription status: duration of subscription + 30 days
- Card tokens: until the customer removes the payment method
8.4 Third-Country Transfer
EU–US Data Privacy Framework + SCC (Module 2) per Stripe's DPA. EU-originating card data is processed in Stripe's EU data center.
9. Transactional Emails (Resend)
For sending transactional emails (welcome messages, password resets, subscription confirmations, billing notifications), we use Resend Inc., San Francisco, CA, USA.
Data processed: Recipient email address, email subject, email body content, delivery status metadata.
Legal basis: Art. 6(1)(b) GDPR — contract performance (transactional notifications for account operations).
Retention: Delivery logs: 30 days. Email content: transient (not stored persistently after delivery).
Third-country transfer: SCC (Module 2) per Resend's DPA.
10. Cookies and Local Storage
10.1 Technically Necessary Cookies
NEXUS uses only technically necessary cookies:
| Cookie | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Authentication session token | Maintaining the login session | Session duration (max. 7 days) | Art. 6(1)(b) GDPR |
| Supabase auth token | OAuth/session management | Session duration | Art. 6(1)(b) GDPR |
10.2 No Tracking Cookies
NEXUS does not use analytics, advertising, remarketing, or social-media tracking cookies. No third-party tracking scripts are embedded.
10.3 Local Storage
NEXUS uses your browser's local storage (localStorage) for two purposes:
Browser-level preferences. Settings that only affect how the application looks and behaves in your browser (theme mode, accent color, sidebar density, calendar format) are stored locally only and are not transmitted to our servers.
Client-side cache of your account data. For faster rendering, NEXUS additionally stores a local copy of your account data (including tasks, notes, journal entries, habits, weekly plans, AI-generated daily briefs, project and widget settings) in localStorage. This copy is not the authoritative record; primary storage is in our Supabase database (region eu-central-1, Frankfurt am Main) as described in §§ 5–7.
Shared-device protection. When you sign out, or when a different user signs in on the same browser, all user-specific nexus:* entries in localStorage are automatically removed to prevent accidental access to another user's data. Browser-level preferences (above) are retained.
11. Recipients of Personal Data
11.1 Processors (Art. 28 GDPR)
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Hosting & serverless functions | USA | DPF + SCC |
| Supabase Inc. | Database & authentication | USA (data: EU Frankfurt) | SCC |
| Stripe Inc. | Payment processing | USA (EU card data: EU) | DPF + SCC |
| Anthropic PBC | AI inference | USA | DPF + SCC |
| Resend Inc. | Transactional emails | USA | SCC |
| Cloudflare Inc. | DNS & CDN | USA/Global | DPF + SCC |
Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.
11.2 Other Recipients
Personal data is not disclosed to other third parties unless we are legally obligated to do so (e.g., to law enforcement under court order) or the data subject has given explicit consent.
12. Transfers to Third Countries
Personal data is transferred to processors in the USA (see § 11.1). Transfers are based on the following safeguards:
- EU–US Data Privacy Framework (DPF) — Adequacy decision by the European Commission, Implementing Decision (EU) 2023/1795. Applies to DPF-certified US companies (Vercel, Stripe, Cloudflare, Anthropic).
- Standard Contractual Clauses (SCC) — Standard data protection clauses per Commission Implementing Decision (EU) 2021/914, Module 2 (Controller → Processor). Included in all DPAs.
13. Rights of Data Subjects
As a data subject, you have the following rights:
| Right | Legal Basis | Description |
|---|---|---|
| Right of access | Art. 15 GDPR | You may request information about your processed personal data. |
| Right to rectification | Art. 16 GDPR | You may request correction of inaccurate data. |
| Right to erasure | Art. 17 GDPR | You may request deletion of your data, provided no statutory retention obligation applies. |
| Right to restriction | Art. 18 GDPR | You may request restriction of processing. |
| Right to data portability | Art. 20 GDPR | You may receive your data in a structured, commonly used, machine-readable format. |
| Right to object | Art. 21 GDPR | You may object to processing based on Art. 6(1)(f) GDPR. |
| Right to withdraw consent | Art. 7(3) GDPR | You may withdraw any consent given at any time. The lawfulness of processing carried out on the basis of consent before its withdrawal is not affected. |
To exercise your rights, please contact: hello@nexusintel.app
We will respond to your request within one month (Art. 12(3) GDPR).
14. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.
Competent supervisory authority:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de
15. Obligation to Provide Personal Data
The provision of your personal data is partly required by law (e.g., tax obligations for payment transactions) or arises from contractual requirements (e.g., email address for account creation).
Without providing the data required for account creation (email address), no contractual relationship can be established. Use of AI features requires user input; without input, no AI assistance can be provided.
16. Changes to This Privacy Policy
We reserve the right to amend this privacy policy as needed to reflect changes in legal requirements, technical changes, or new processing activities. The current version is always available at nexusintel.app/privacy. In the event of material changes, registered users will be notified by email.
Source Citations
- [GDPR] — Regulation (EU) 2016/679 (General Data Protection Regulation)
  - Art. 6 — Lawfulness of processing
  - Art. 7 — Conditions for consent
  - Art. 12 — Transparent information and communication
  - Art. 13 — Information to be provided where data is collected from the data subject
  - Art. 14 — Information to be provided where data has not been obtained from the data subject
  - Art. 15–22 — Rights of the data subject
  - Art. 28 — Processor
  - Art. 30 — Records of processing activities
  - Art. 37 — Designation of the data protection officer
  - Art. 45 — Transfers on the basis of an adequacy decision
  - Art. 46 — Standard contractual clauses
  - Art. 77 — Right to lodge a complaint
- [BDSG] — German Federal Data Protection Act (Bundesdatenschutzgesetz)
  - § 38 — Data protection officers of non-public bodies
- [TDDDG] — German Telecommunications Digital Services Data Protection Act
  - § 25 — Protection of privacy in terminal equipment
- [AO] — German Fiscal Code (Abgabenordnung)
  - § 147 — Record-keeping requirements
- [HGB] — German Commercial Code (Handelsgesetzbuch)
  - § 257 — Retention of records
- [EU–US DPF] — Commission Implementing Decision (EU) 2023/1795
- [SCC] — Commission Implementing Decision (EU) 2021/914
- [EDPB Guidelines 07/2020] — Concepts of controller and processor in the GDPR