Last updated: October 7, 2025
2. What This Policy Covers
This policy explains how we collect, use, share, and secure information when you use Nexus, Forge, our website, APIs, and connected integrations.
3. Data We Process
- Account data: name, email, authentication identifiers, role, and plan tier.
- Billing data: payments via Stripe (we do not store full card numbers).
- Product telemetry: timestamps, run IDs, feature flags, non-sensitive logs, error traces, and aggregate metrics.
- Content data you provide: prompts, inputs, plans, outputs, update sets, and related metadata.
- Integration data: minimal ServiceNow connection details (instance URL, authentication method, scoped tokens) and tool handshake metadata (token validation status, role checks, update set eligibility).
- Device and network data: IP address, user agent, and coarse location for security and abuse prevention.
- Cookies: authentication/session and first-party analytics cookies.
4. How We Use Data
- Provide and improve the service, including planning, generation, deployment, and telemetry.
- Secure the platform through abuse detection, incident response, and audit trails.
- Manage billing and accounts via Stripe.
- Perform product analytics to understand feature usage at an aggregate level.
- Comply with legal obligations.
5. AI and Model Providers
We may send prompts and necessary context to model providers to generate outputs. We minimize payloads and avoid sending secrets unless strictly required for a requested action. Providers operate under contractual terms prohibiting misuse, and we select vendors with enterprise controls.
6. Retention
- Account and billing data: retained while your account is active and as required by law.
- Logs and telemetry: typically retained for 30 to 180 days, with shorter windows for high-volume traces.
- Artifacts (plans and outputs): retained to power history, idempotent redeploys, and auditability; you can request deletion.
7. Sharing
- Processors: hosting, logging, analytics, email, payments, and model providers.
- Legal: disclosures required by law or to protect rights and safety.
- We do not sell personal data.
8. Security
- Encryption in transit and at rest for stored artifacts and tokens.
- Scoped tokens, least-privilege service accounts, and audit logging.
- No absolute guarantees; you are responsible for appropriate data classification before sending it to us.
9. Your Choices
- Access or update your profile; download or delete your account on request.
- Opt out of non-essential analytics cookies when presented with that option.
- Unsubscribe from non-transactional emails.
10. Regional Notes
If you are in the EEA or UK, we act as a processor for your content and a controller for account and billing data. We use Standard Contractual Clauses or equivalent mechanisms with vendors for cross-border transfers.
11. Children
The service is not intended for individuals under 16, and we do not knowingly collect personal data from children.
12. Changes
We will update this policy as our service evolves. Continued use after an update means you accept the changes. Material updates will be signposted.