Privacy Policy

Last updated: August 12, 2025

Scope

This Privacy Policy explains how Nerve collects, uses, shares, and safeguards information when you use our websites, apps, and proxy platform (the “Service”).

What We Collect

  1. Account Data – name, email, organisation, hashed password, billing address, payment-processor tokens.
  2. Registrar Credentials – API key / secret encrypted via Google Cloud KMS; never stored in plaintext.
  3. Usage & Audit Logs – timestamp, action, domain, registrar, IP address, user-agent, token scope, success/failure; hashed identifiers. Stored immutably on AWS.
  4. Analytics Data – pseudonymous cookies & event data via Google Analytics (page views, buttons clicked, referral source).
  5. AI Query Logs – prompts and responses from the natural-language assistant; stored for model improvement and security review.
  6. Communications – support tickets, emails (via Amazon SES), SMS (via TBCCompany).

How We Use Data

  • Provide, secure, and troubleshoot the Service.
  • Enforce rate limits and detect abuse.
  • Generate aggregated, de-identified statistics.
  • Send transactional messages (audit alerts, token expiry, security notifications).
  • Improve UX and capacity planning (analytics).

We never sell personal information or registrar credentials.

Legal Bases (GDPR)

  1. Performance of contract (account creation, API proxy).
  2. Legitimate interests (security, analytics, product improvement).
  3. Consent (marketing emails).
  4. Legal obligation (tax, bookkeeping).

Third-Party Processors

Provider Purpose Location
Google Cloud KMS Encryption of secrets USA / EU regions
Amazon Web Services (S3 + QLDB) Immutable audit log & backups USA
WPMU DEV WordPress hosting USA
Google Analytics Site analytics (IP anonymised) USA
Amazon SES Transactional & support emails USA
TBCCompany (SMS) Two-factor & alert texts USA
Stripe (or Paddle) Payments USA / EU
OpenAI / Anthropic (LLM) Natural-language assistant inference USA / EU

We sign DPAs with each processor and require equivalent GDPR safeguards.

Cookies & Tracking

We use necessary cookies for login and CSRF protection, and Google Analytics cookies for statistics. Opt-out link provided in cookie banner.

Data Retention

  • Vaulted API keys: deleted immediately on account closure.
  • Audit logs: 12 months then aggregated.
  • Billing records: 7 years (tax).
  • Analytics: 26 months rolling.

Your Rights

You can access, correct, export, or delete your personal data from the dashboard or by emailing [email protected]. EU/UK users may lodge complaints with their supervisory authority.

Security

We implement encryption in transit and at rest, least-privilege IAM, periodic penetration tests, and continuous monitoring. No method is 100 % secure and we cannot guarantee absolute security.

International Transfers

Data may be processed in the United States. We rely on SCCs or UK IDTA as appropriate.

Changes

Changes will be posted on this page. Continued use after that date constitutes acceptance.

Contact

privacy at nerve.io | Nerve.io, 321 High School Rd NE, STE D3-281, Bainbridge Island, WA 98110, USA

Secret Link