What we collect
- If you visit without signing in: standard server logs (IP address, request path, user agent, timestamp), retained 14 days for security and debugging. Anonymous aggregated traffic data via Google Analytics 4 (see Third-party services below).
- If you use the claim checker without signing in: the text of your claim, the structured claim our analyzer extracted from it, the descriptive answer we returned, the timestamp, and your IP. The claim text and its analysis are retained indefinitely so we can serve cached results for viral claims and study what topics readers care about. Your IP is retained for 30 days for abuse prevention and quota enforcement, then scrubbed; the request timestamp and analysis stay after the IP is removed.
- If you create a free account: your email address, a signed session cookie, and any watchlist or bookmarks you create.
- If you sign up for the free daily briefing by email: we create a free account tied to your address and send you the daily briefing. You can unsubscribe anytime from your account or from any briefing email.
- If you subscribe to Nexus Pro or Pro+: all of the above plus, for web purchases, your Stripe customer ID; for App Store purchases, the Apple transaction identifiers Apple shares with us. We also store your current tier, subscription status, state-digest selections, briefing-request history, and email delivery logs. We never receive your card or Apple Account payment details.
- If you use the mobile app and enable notifications: a device push-notification token and the device platform, stored so we can deliver the alerts you turned on, plus your per-event notification preferences. The token is bound to your account; it is removed when you disable notifications on that device or delete your account. The app uses the same signed session cookie as the website.
- If you request a Nexus API key: your name, email address, and the reason or use-case you give us. We send a verification email to confirm the address, then store these alongside your issued key to operate and support the API, enforce rate limits, prevent abuse, and send you key-related notices. We don’t use this for marketing and don’t sell it.
How we use it
To operate the service: sign-in magic links, watchlist alerts, push notifications you enable, the daily briefing email, weekly state digests, briefing generation, claim checking, API key issuance and support, billing, and replies to your support emails. That’s it.
Third-party services
To run the service we rely on:
- Stripe processes payments made on the web. Card details go directly to Stripe; we never see them.
- Apple processes in-app purchases on iPhone and iPad through the App Store, and delivers app push notifications via the Apple Push Notification service (APNs). Apple handles App Store payment data under its own policy; we receive only transaction identifiers and subscription status, never payment details. Sending a notification routes its content through APNs to your device.
- SendLayer delivers our transactional and digest emails.
- Anthropic processes the AI generation behind on-demand briefings, the daily briefing email, claim-checker responses, and other synthesized outputs. Anthropic does not retain API request data beyond approximately 30 days per their data policy.
- Google Analytics 4 records anonymous aggregated traffic (pageviews, referrers, session duration) so we can see what people read and where they come from. Standard GA4 first-party cookies. No user-identifying data is sent; we do not advertise.
- Cloudflare provides DDoS protection, edge caching, bot mitigation, and WAF filtering. Cloudflare may briefly inspect request metadata (IP, user agent, headers) to apply those protections; we do not retain Cloudflare-specific logs beyond their default retention window.
- DigitalOcean hosts the public site.
We do not sell, rent, or share your data with marketing third parties.
Cookies
A single signed session cookie (nexus_session) is set when you sign in. It expires after 60 days. Google Analytics sets its own first-party cookies (_ga, _ga_*) for anonymous traffic measurement. In the EU, UK, and other regions that require it, these analytics cookies are set only after you accept them in our cookie banner, and Google Consent Mode keeps them off until you do; you can change your choice at any time by clearing the site’s storage. No third-party advertising cookies, no tracking pixels.
Embeddable widgets
Our embeddable widgets (e.g., /embed/intercept) render as iframes on third-party sites. We do not set cookies or collect identifying data from visitors who view a Nexus widget on an external page. The widget makes a single server-side request to refresh content every few minutes; that request is logged with the embedder’s domain and the visitor’s IP under the same 14-day server-log retention as the main site.
Your rights
- Cancel your Pro or Pro+ subscription anytime — from your account page for web subscriptions, or in Settings → Apple Account → Subscriptions for App Store purchases. Access continues through the end of the billing period.
- Turn push notifications off (and remove this device’s push token) anytime from Account → Notifications.
- Delete your account at any time from Account → Delete account (in the app or on the web), or ask us via the contact form at thenexus.news/contact or
[email protected]. Deletion removes your account and personal data immediately; see Data retention for the limited de-identified and security-related exceptions. - Request a copy of your data through the same contact form or support email.
Data retention
Active account: as long as the account remains active. Deleted account: subscriber row, email log, and personal data purged within 30 days. Aggregated, de-identified usage data may persist for service operations. Server logs: 14 days. Claim-checker submissions: claim text and analysis kept indefinitely (de-identified after 30 days by scrubbing IP and account linkage); the request timestamp is preserved.
Security and abuse exception: where we detect activity that appears malicious, fraudulent, or otherwise abusive (for example, an attempt to attack or probe the service), we may retain the relevant request data (including the submitted input, IP address, and request metadata) beyond the windows above, for as long as needed to investigate, respond to, and where appropriate report the incident, or to establish, exercise, or defend legal claims. This applies even after an account is deleted. Such data is access-restricted, used only for security and abuse prevention, and deleted once it is no longer needed for that purpose.
Children
The Nexus is not directed to children under 16. We do not knowingly collect data from minors.
Contact
Use the contact form at thenexus.news/contact, or email [email protected]. Our emails are sent from a no-reply address, so replies to them aren’t monitored.