NEXUSATS
Home Terms Acceptable Use Risk Performance Privacy Cookies Billing Cancellation DMCA Support

Privacy Policy

Version: 2.2  ·  Effective Date: July 1, 2026

Provider / Data Controller: NexusATS — sole-proprietor business established in Canada. Privacy contact: [email protected]. Legal contact: [email protected]. The operator's postal address is provided on written request and is disclosed to EU/UK data subjects per GDPR Art. 13(1)(a) and to EU/UK consumers per Directive 2011/83/EU prior to contract conclusion.

NexusATS ("we", "us") is the controller of personal data described in this policy.

1. Scope

This Policy describes what personal data we collect from website visitors, account holders, and customers; how we use it; the legal bases on which we rely; how long we keep it; the third parties we share it with; and the rights you have. It is intended to satisfy our obligations under the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, Brazil's LGPD, South Africa's POPIA, and similar laws.

2. Categories of personal data we collect

  • Identity & contact data: first and last name, email, billing address, phone number, country.
  • Account data: hashed password, account creation date, sign-in timestamps, IP address used to sign in.
  • Transaction data: order ID, plan purchased, price, currency, payment processor (Whop / crypto partner), processor customer ID, processor charge or subscription ID, applied taxes, promo codes. We do not store raw card numbers; the processor does.
  • License & device data: license key, generation timestamp, activation timestamp, an installation/device identifier derived from your machine (a "hardware ID" — a non-reversible hash of stable hardware attributes, used to bind a license to a single computer and detect unauthorized sharing), software version, telemetry of license-validation events.
  • Technical data: IP address, browser user-agent, device type, language, referring URL, pages visited, timestamps, cookies and similar identifiers (see Cookie Policy).
  • Communications: support tickets, emails, Discord messages you send to our team, and our responses.
  • Compliance data: sanctions and fraud-screening results, dispute and chargeback evidence.

We do not knowingly collect data from anyone under 18.

3. Purposes and legal bases

PurposeLegal basis (GDPR Art. 6)
Provide the Software, create your account, issue and activate a licensePerformance of contract (Art. 6(1)(b))
Process payments and recurring billingPerformance of contract (Art. 6(1)(b))
Detect license sharing, fraud, sanctions exposureLegitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))
Customer supportPerformance of contract (Art. 6(1)(b))
Send service emails (renewal reminders, security notices)Performance of contract / legitimate interests
Send marketing emails to existing customers about similar productsLegitimate interests (with opt-out); consent where required
Tax invoicing, accounting and recordkeepingLegal obligation (Art. 6(1)(c))
Defend chargebacks and legal claimsLegitimate interests; legal claims (Art. 9(2)(f))
Analytics and product improvementLegitimate interests; consent where required by ePrivacy

4. Cookies and similar technologies

See the Cookie Policy. EU/UK/Quebec visitors will see a consent banner allowing granular choices for non-essential cookies.

5. How we share data — categories of recipients

  • Payment processors: Whop Inc. (card payments) and our crypto payment partner (crypto). Each is an independent controller for raw payment data and a processor for transactional metadata routed to us.
  • Infrastructure: Supabase Inc. (database, auth, edge functions), Cloudflare, Inc. (CDN, security, Turnstile bot screening), and our email and hosting providers. These are processors acting on our instructions.
  • Communications: Discord, Inc. (community and crypto checkout flow) where you choose to interact with us there.
  • Professional advisors (lawyers, accountants) under confidentiality.
  • Regulators, courts, law enforcement where required by valid legal process or to protect rights, property, safety, or to enforce our Terms.
  • Buyers in a corporate transaction (merger, sale of assets), subject to equivalent confidentiality.

We do not sell personal data and do not share it for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.

6. International transfers

Personal data may be processed in the United States, Canada, the European Economic Area, and other countries where we or our processors operate. Where data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum, together with supplementary measures as appropriate. Copies of these mechanisms are available on request.

7. Retention

  • Account and license data: while the account is active and for 24 months thereafter, then deletion or anonymization.
  • Transaction and tax records: 7 years (or longer where required by local tax law).
  • Chargeback and fraud evidence: 5 years from last activity.
  • Support tickets: 3 years from resolution.
  • Analytics: 14 months.
  • Backups: rolling cycles, overwritten in the ordinary course.

Retention periods may be extended where necessary to defend a legal claim or comply with a regulator.

8. Your rights

Depending on where you live, you may have rights to: access your personal data; correct inaccurate data; delete data ("right to be forgotten" / right to erasure); restrict or object to certain processing; data portability; withdraw consent (without affecting prior lawful processing); not be subject to solely automated decisions producing legal effects; lodge a complaint with your data protection authority. California, Virginia, Colorado and similar US-state residents may also opt out of "sharing" (which we do not do), correct, and delete.

To exercise any right, email [email protected]. We respond within 30 days (or sooner where required) and may need to verify your identity. If you request deletion, your license will no longer authenticate and the Software will cease to function on your machine; we will retain limited transactional records as required by law (see §7).

9. Quebec Law 25 — specific disclosures

Person in charge of personal information protection: [email protected]. We have completed a privacy-impact assessment for our collection of device identifiers. Quebec residents may request a list of third parties to which personal data has been disclosed, may request transfer of computerized personal data, and may file a complaint with the Commission d'accès à l'information du Québec.

10. Children

NexusATS is not directed to children. We do not knowingly process the personal data of anyone under 18. If you believe we have, contact us and we will delete it.

11. Security

We use industry-standard administrative, technical and physical safeguards, including TLS in transit, access controls, hashed credentials, and least-privilege access by staff. No system is perfectly secure; we cannot guarantee absolute security.

12. Changes

We will update this Policy from time to time. Material changes will be notified by email and posted with an updated "Version" and "Effective Date" at least 14 days before they take effect.

13. Contact

Privacy: [email protected]. Legal: [email protected]. Postal address available on written request.