Privacy Policy
Nexus Pen LLC ("Nexus Pen," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Nexus Pen hardware device, Donna AI assistant, our mobile application, and our website at nexuspen.org (collectively, the "Services").
1. Data We Collect
We collect the following categories of information:
Account Information
- Name and email address (provided at registration)
- Password (stored as a salted hash — never in plaintext)
- Subscription tier and billing history
- Profile preferences and selected AI mode
- Organization affiliation (for School and Enterprise accounts)
Usage Data
- Query counts and timestamps
- AI modes used and session durations
- App version and device operating system
- Crash reports and performance diagnostics
- Feature interactions (which settings you adjust)
Device Data
- Nexus Pen firmware version
- BLE connection events (connect/disconnect timestamps)
- Battery level readings (for diagnostics)
- OLED display interaction events
Payment Information
Payment card details are processed entirely by Stripe. We never store raw card numbers, CVVs, or full account numbers. We retain only the last 4 digits, card brand, and expiration date as provided by Stripe for display purposes.
2. Voice Recordings
We do not store your voice recordings. Audio captured by your Nexus Pen microphone is streamed in real time to our backend, transcribed using OpenAI Whisper, and immediately discarded. The raw audio is never written to disk or retained after transcription is complete.
Specifically:
- Audio is processed in memory only — no audio files are saved on our servers
- Transcribed text (your query) is sent to our AI pipeline
- Transcribed text may be retained as part of your conversation history (see Data Retention)
- We do not use your voice for voice-print identification or biometric profiling
- We do not share audio recordings with any third party
Push-to-talk is the only activation method. The microphone is never open without you holding the button.
3. How We Use Your Data
We use your information to:
- Provide the Services — authenticate your account, process queries, deliver AI responses, manage subscriptions
- Improve Donna AI — aggregate, anonymized usage patterns help us tune response quality and add new modes
- Provide customer support — resolve issues and respond to inquiries
- Send transactional communications — receipts, password resets, subscription renewal notices
- Maintain security — detect and prevent abuse, enforce rate limits, protect accounts
- Comply with law — respond to lawful requests from government authorities
We will never sell your data. We will never use your data for advertising targeting. We will never share your conversation history with third parties for marketing purposes.
4. Data Storage & Security
All user data is stored in Supabase, a cloud database platform with encryption at rest (AES-256) and encryption in transit (TLS 1.2+).
- Databases are hosted in the United States
- Access is restricted to authenticated backend services only
- Passwords are hashed using bcrypt before storage
- API authentication uses short-lived JWT tokens with refresh rotation
- We conduct periodic security reviews and promptly patch known vulnerabilities
While we implement industry-standard security measures, no system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to NexuspenLLC@gmail.com.
5. Third-Party Services
We share limited data with the following service providers, solely to operate the Services:
| Provider | Purpose | Data Shared |
|---|---|---|
| OpenAI | AI query processing, speech transcription (Whisper), text-to-speech (TTS) | Transcribed query text, AI responses |
| Stripe | Payment processing and subscription management | Name, email, billing address |
| Supabase | Database and authentication infrastructure | All account and usage data |
| Expo (EAS) | Mobile app distribution and push notifications | Push token, device ID |
| Shopify | E-commerce (hardware purchases only) | Name, shipping address, purchase data |
We do not permit third parties to use your data for their own marketing or purposes beyond the scope of what is described above. Each provider is bound by a data processing agreement.
6. FERPA Compliance
For School accounts used by educational institutions, Nexus Pen acts as a "school official" under the Family Educational Rights and Privacy Act (FERPA). We:
- Use student data only to provide the Services to the school
- Do not disclose student education records to third parties without consent, except as permitted by FERPA
- Allow schools to access, review, and delete student data upon request
- Do not build profiles on students for non-educational purposes
- Return or delete student data upon termination of a school agreement
Schools are responsible for obtaining any required parental consents under FERPA before using Nexus Pen with students.
7. COPPA & Children's Privacy
Nexus Pen complies with the Children's Online Privacy Protection Act (COPPA). Our Services are not directed to children under 13 without verifiable parental consent.
- We do not knowingly collect personal information from children under 13 outside of school accounts with institutional oversight
- School accounts with students under 13 require the school to act as the authorized representative
- If you believe we have inadvertently collected data from a child under 13 without proper consent, contact us at NexuspenLLC@gmail.com and we will delete it promptly
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Voice audio | Not stored — discarded immediately after transcription |
| Conversation history (Free tier) | Last 10 conversations |
| Conversation history (Plus tier) | 90 days |
| Conversation history (Pro tier) | 1 year |
| Usage logs (query counts, timestamps) | 90 days |
| Account information | Until account deletion |
| Billing records | 7 years (required by tax law) |
| Crash & diagnostic logs | 30 days |
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and associated data
- Portability — receive your data in a machine-readable format
- Objection — object to certain types of processing
- Restriction — request that we limit processing of your data
California residents have additional rights under the CCPA, including the right to know what categories of personal information are sold or disclosed (we do neither).
To exercise any of these rights, contact us at NexuspenLLC@gmail.com.
10. Data Export & Deletion
You have full control over your data:
- Export — go to Settings → Account → Export My Data in the Nexus Pen app to download all your conversation history, usage data, and account information as a JSON file
- Delete account — go to Settings → Account → Delete Account to permanently delete your account and all associated data. This action is irreversible. Billing records are retained for legal compliance per the retention schedule above.
Deletion requests are processed within 30 days. You will receive an email confirmation when deletion is complete.
11. Cookies & Tracking
Our website (nexuspen.org) uses cookies for:
- Essential cookies — session management, authentication state
- Analytics cookies — anonymous aggregate traffic data (pages visited, referral source)
We do not use third-party advertising cookies or cross-site tracking. You can disable cookies in your browser settings; some site features may not function correctly without them.
The Nexus Pen mobile app does not use cookies. Analytics are limited to anonymous in-app event tracking.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users
- Display an in-app notice for 30 days after the change
Continued use of the Services after changes take effect constitutes acceptance of the revised policy.
13. Contact Us
For privacy-related questions, requests, or concerns:
Nexus Pen LLC
Privacy Team
Illinois, United States
We aim to respond to all privacy inquiries within 5 business days.