Privacy Policy
1. Who we are
This Privacy Policy is published by Nexus Foundation, a Cayman Islands foundation company, registered c/o Walkers Corporate Limited, 190 Elgin Avenue, George Town, Grand Cayman KY1-9008, Cayman Islands (the "Foundation"). The Foundation is the data controller of personal data described in this Privacy Policy. This Privacy Policy supersedes any prior privacy policies published in connection with the Services.
This Privacy Policy applies to personal data the Foundation processes in connection with the Services, as those terms are defined in the Terms of Use.
This Privacy Policy is supplemental to the Terms of Use. In the event of a conflict between this Privacy Policy and the Terms of Use, this Privacy Policy controls with respect to the handling of personal data; the Terms of Use control otherwise.
2. What we collect
The Foundation collects the following categories of personal data:
Information you provide to us. When you opt in to communications from the Foundation (for example, by signing up for an email list), you provide your email address. If you contact the Foundation, you provide whatever information is in your message.
Wallet addresses. When you transact on the Chain, request a drip from a Faucet, participate in proving activity, or otherwise interact with on-chain or Foundation-mediated functionality, your wallet address is observed. Wallet addresses are public on the Chain by design and may also appear in publicly accessible Foundation-operated interfaces (such as proving-activity leaderboards or Program participation displays). Where a Program or Foundation-operated workflow involves sending tokens or other balances to a user-provided wallet address, the Foundation may use the wallet address you provide for that purpose.
Network metadata. When you access the Site, the RPC, or the Faucets, the Foundation observes network-level information including your IP address, the `X-Forwarded-For` header value, the HTTP method and path of each request, the response code, geographic country and region as derived by an industry-standard geolocation library, and the outcome of any role-based-access-control or rate-limiting decision applied to the request.
Browser and device metadata via cookies and similar technologies. The Site uses cookies and similar technologies. See the Cookie Policy for details.
Usage telemetry from compute-contribution clients. When you use the Foundation's compute-contribution clients — including the CLI and any browser-based clients made available by the Foundation — the client reports compute-contribution metrics and network identifiers used to track the client's interactions with the Foundation's testing and benchmarking infrastructure. The client assigns your machine a unique identifier used to recognise the client across sessions; this identifier is stored locally on your machine (in your web browser for browser-based clients, or in a Foundation-specific folder such as `~/.nexus` for the CLI).
Account, onboarding, and engagement data. When you sign up, request waitlist access, redeem an access code, refer other users, complete proving activity, receive welcome bonus or similar grants, or interact with Foundation emails, the Foundation captures the related event data — including, where applicable, signup timestamps, wallet addresses, country code, referral relationships, access-code redemption history, proving-activity timestamps, badge or quest completion records, and email-delivery and click metrics.
Some of the categories above are collected through third-party sub-processors operating on the Foundation's behalf. See Section 5 and the public sub-processor list for details.
The list above describes the categories the Foundation can identify today. It is not represented as exhaustive. The Foundation is conducting a more complete inventory of personal data processing as part of its post-mainnet program and will update this Privacy Policy as that inventory completes.
3. How we use the data
The Foundation uses personal data for the following purposes:
- to operate, maintain, secure, and improve the Services;
- to respond to questions, requests, or other communications from you;
- to send you communications you have opted in to receive;
- to detect, prevent, and address abuse, fraud, security incidents, and breaches of the Terms of Use;
- to enforce sanctions, restricted-jurisdiction, and other access-control requirements applicable to the Services;
- to understand how the Services are used (analytics);
- to comply with applicable law and respond to lawful requests from authorities; and
- for other purposes disclosed at the point of collection or otherwise consistent with the purposes above.
Certain access decisions are made automatically, including geo-restriction, rate-limiting, and sanctions screening, in accordance with the Terms of Use and the Restricted Jurisdictions List.
The Foundation does not sell personal data.
4. Cookies and similar tracking technologies
The Site uses cookies and similar tracking technologies for strictly necessary, performance and analytics, functional, and marketing and advertising purposes. Cookie controls are available through your browser and through the third-party platforms whose cookies are set on the Site.
For details on the cookies in use, the categories, the third parties involved, and how to manage them, see the Cookie Policy.
5. Sub-processors
The Foundation uses third-party service providers ("sub-processors") to operate parts of the Services. Sub-processors include, without limitation, infrastructure providers, content delivery networks, email-marketing platforms, analytics providers, and geolocation providers.
A current list of sub-processors that handle personal data on the Foundation's behalf is published at `https://nexus.xyz/data-processors`. The Foundation maintains and updates the list as sub-processors are added, removed, or materially changed.
The published list is a transparency disclosure. Under the Foundation's current Phase 1 posture, it is not represented as evidencing formal Article 28 (or equivalent) data-processing contracts with each listed sub-processor. The Foundation is developing a fuller sub-processor governance program post-mainnet (see Section 7).
Third-party platforms. The Foundation operates surfaces hosted on third-party platforms. For example, the Foundation blog at `blog.nexus.xyz` is hosted on Ghost; Programs are run on partner platforms identified in the relevant program terms; and the Foundation operates community channels on platforms such as Discord, Telegram, and X. Your use of those platforms is governed by the platforms' own terms and privacy practices. The Foundation, as operator of its surfaces on those platforms, processes information visible within those surfaces (such as member lists, public messages, and direct messages sent to Foundation accounts) for the purposes described in Section 3. Where a platform handles personal data on the Foundation's behalf, it is identified in the public sub-processor list.
6. Cross-border data transfers
In the course of operating the Services, personal data may be processed, stored, or transferred between jurisdictions, including jurisdictions outside the Cayman Islands and outside the European Economic Area or the United Kingdom. Different jurisdictions may afford different levels of legal protection to personal data.
The Foundation uses sub-processors selected for their relevance, reliability, and operational fit. The Foundation does not, in this Privacy Policy, represent that any specific data-transfer mechanism — including, without limitation, Standard Contractual Clauses, International Data Transfer Agreements, adequacy decisions, or similar instruments — is in place across all sub-processor relationships. The post-mainnet program (see Section 7) addresses cross-border transfer mechanisms vendor-by-vendor.
7. Your choices
You have practical means to engage with the Foundation about your personal data. The Foundation honours these in good faith.
Access, correction, deletion. You can email the Foundation at the address in Section 14 to request information about, correction of, or deletion of personal data the Foundation holds about you. The Foundation will review such requests, verify your identity to the extent reasonable, and respond as soon as reasonably practicable.
Opting out of communications. You can opt out of marketing communications by following the unsubscribe link in any such communication. Operational communications about the Services may continue.
Cookie preferences. You can manage cookies through your browser and through the third-party platforms whose cookies are set on the Site. See the Cookie Policy.
Wallet addresses on the Chain. Wallet addresses and on-chain activity are public by design on the Chain. The Foundation cannot delete, redact, or otherwise alter on-chain records.
The Foundation is developing a fuller privacy-compliance program post-mainnet; this Privacy Policy describes current practice and will be updated as that program lands.
8. RPC request logs
When you use the Foundation-operated RPC, the Foundation captures request metadata at the network edge for operational, security, and abuse-prevention purposes.
At the edge (envoy access log). The following fields are captured: IP address; `X-Forwarded-For` header value; HTTP method; HTTP path; response code; geo-country and geo-region as derived by an industry-standard geolocation library; and the outcome of any role-based access-control decision applied to the request.
Upstream node logging. The upstream node software operates at its default operational logging level, capturing protocol-level operational events; JSON-RPC method parameters (such as wallet addresses, transaction hashes, signed payloads, or `eth_call` inputs) are not part of the upstream node's container output at this logging level. The Foundation has also confirmed defensive measures at the metrics layer, including label-stripping for `block_hash`, `code_hash`, `request_id`, `state_root`, `tx_hash`, and similar high-cardinality identifiers.
Retention. Edge access logs and upstream node operational logs are retained for 30 days in operational log storage, after which they are archived to an industry-standard archival object store and retained indefinitely for security and compliance purposes.
Linkage. RPC request logs are operated at the network layer; in the ordinary course of operating the RPC, user identities are not separately attached to the logs beyond what the network layer already captures.
9. Children's privacy
The Services are not intended for children under 13 years of age (or such higher age as applicable local law specifies for the processing of children's personal data). The Foundation does not knowingly collect personal data from children under that age. If you believe the Foundation has collected personal data from a child under that age, please contact the Foundation at the address in Section 14 and the Foundation will take reasonable steps to delete such data.
10. Security
The Foundation takes reasonable security measures appropriate to the nature of the data processed and the risks involved. No system, however, is perfectly secure, and the Foundation cannot guarantee that personal data will be free from unauthorized access, disclosure, alteration, or loss. In the event of a security incident, the Foundation will respond in good faith and in accordance with applicable law.
11. Retention
The Foundation retains personal data for as long as needed for the purposes described in this Privacy Policy, or as required by applicable law. Specific retention periods vary by data category and operational context. Where specific retention periods are stated elsewhere in this Privacy Policy (such as in Section 8 for RPC request logs), those periods apply. The same network-edge log retention described in Section 8 applies to other Foundation-operated network surfaces (such as `nexus.xyz`, `app.nexus.xyz`, and Faucet endpoints).
Foundation-operated databases that hold account, onboarding, referral, proving-activity, and email-engagement data do not currently apply a defined deletion horizon; that data is retained for as long as needed for the purposes described in Section 3. Telemetry data collected from compute-contribution clients is retained in accordance with the applicable client terms; no defined deletion horizon currently applies. Third-party sub-processors apply their own retention policies, as set out in their respective privacy policies (linked from the public sub-processor list.
12. Third-party links and integrations
The Services may include links to, or integrations with, third-party websites and services. The Foundation does not control, and is not responsible for, the privacy practices of those third parties. You should review the privacy notices of any third parties whose websites or services you access.
13. Changes to this Privacy Policy
The Foundation may update this Privacy Policy from time to time. The Foundation will post the updated Privacy Policy at `https://nexus.xyz/privacy-policy` and update the "Last Updated" date in the header. Continued access to or use of the Services after an update takes effect constitutes acceptance of the updated Privacy Policy.
14. Contact
For questions about this Privacy Policy or about your personal data, you may contact the Foundation at:
Nexus Foundation
c/o Walkers Corporate Limited
190 Elgin Avenue
George Town, Grand Cayman KY1-9008
Cayman Islands
Email: `privacy@nexusfnd.org`