Your data, in plain language.
At Nexus, we treat your personal data as something that belongs to you. This Privacy Policy explains what we collect when you register and use Nexus, why we need it, how long we keep it, and how you can exercise control at any time.
It applies to the Nexus web app at getnexus.me, the Nexus Discord bot, and all associated APIs (together, the "Service"). It must be read alongside our Terms of Service.
This policy is aligned with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and, where applicable, the UK Data Protection Act 2018 and the French Loi Informatique et Libertés.
Who's responsible for your data.
The entity responsible for processing your personal data is the operator of Nexus. For any question about how we handle personal data, or to exercise your GDPR rights, contact us at privacy@getnexus.me.
A dedicated Data Protection Officer will be appointed before general availability and listed here. Until then, data-protection requests are handled by the Nexus team at the same address.
Only what we actually need.
We collect only what is necessary to authenticate you, run the Service, keep it secure, and deliver the features you opt into. We do not collect special-category data (health, religion, political opinions), and we never knowingly collect data from users below the applicable minimum age.
Account data
When you register, we store your email address, a username of your choice, and a salted password hash (we never store the password itself). You may optionally add a bio and locale from the profile page.
Two-factor authentication
If you enable 2FA, we store an encrypted TOTP secret and a set of one-time-use backup codes (hashed). Disabling 2FA erases both.
Discord linking
If you link a Discord account, we receive your Discord user ID, username, global name and avatar URL, and the timestamp at which linking occurred. We also store the resulting OAuth access and refresh tokens, encrypted at rest, to operate the bot on your behalf. You can unlink at any time from the profile page, which revokes the tokens.
Session & security metadata
Each active session records the IP address and user-agent of the device that created it, along with creation and last-seen timestamps. This data is used strictly for session management, rate-limiting, and detecting suspicious sign-ins.
Transactional emails
To deliver account emails (email verification, password reset, security alerts), your email address is transmitted to our email provider as described in the sub-processors section.
Why we process each category.
Every processing activity has a lawful basis under Article 6 GDPR. Ours are as follows:
How long we keep each type of data.
We apply the principle of storage limitation: data is kept only as long as necessary for the purpose it was collected for, then deleted or anonymized.
When data leaves the EU.
Our primary database is hosted in the European Union. Some sub-processors (notably Discord, Resend, and Vercel's global edge) operate from outside the European Economic Area, mainly in the United States.
These transfers rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46 GDPR, complemented by technical measures: encryption of data in transit (TLS) and at rest, encrypted OAuth tokens, and strict access control.
How we protect your data.
Article 32 GDPR requires appropriate technical and organizational measures. Measures currently in place include:
- Password hashing — passwords are never stored in the clear; they are hashed with a modern algorithm (bcrypt / argon2-class) using a per-user salt.
- Encryption in transit — TLS on every endpoint.
- OAuth tokens at rest — Discord access and refresh tokens are encrypted before being persisted.
- Two-factor authentication — optional TOTP plus one-time backup codes for the web app.
- Session management — short-lived sessions, IP and user-agent bound, revocable from the profile page.
- Rate limiting — applied to login, registration, password reset, and 2FA endpoints to deter brute force.
- Audit logs — sensitive actions are logged for 90 days for incident response.
The rights, always yours.
Under the GDPR, you have the following rights over the personal data we hold about you. We respond within one month of receipt (Art. 12(3)).
The French supervisory authority is the CNIL, 3 place de Fontenoy, 75007 Paris — cnil.fr. In the United Kingdom, the supervisory authority is the ICO — ico.org.uk.
Age requirements.
Nexus is not intended for children under 13. You must be at least 13 (or the minimum age required in your country to use Discord) to create an account. Where local law sets a higher digital-consent age (typically 15 or 16 in some EU states), that higher age applies.
If we become aware that we have inadvertently collected personal data from a child below the applicable age without verified parental consent, we delete it promptly. If you believe this has happened, email privacy@getnexus.me.
If something goes wrong.
In the unlikely event of a personal-data breach likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours (Art. 33 GDPR).
If the breach is likely to result in a high risk, we also notify affected users without undue delay, with clear information on what happened, what data was exposed, what we are doing about it, and how you can protect yourself (Art. 34 GDPR).
When this document evolves.
We may update this Privacy Policy as the Service evolves or as regulations change. Any material change (new processing purpose, new sub-processor, extended retention) is notified at least 30 days in advance by email or via the web app, and you may object or delete your account at that point.
The last-updated date is always displayed at the top of this page.
One inbox for data requests.
To exercise a right, ask a question, or raise a concern about your personal data, write to privacy@getnexus.me.
We respond within one month of receipt. For complex or numerous requests we may extend that deadline by two additional months and will let you know if we do.