Privacy Policy
Last Updated: March 3, 2026
Jerome Roberts, doing business as NexySync ("NexySync," "we," "us," "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including the NexySync API, MCP server, VS Code extension, and websites at nexysync.com and ai.nexysync.com (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
| Data Category | Examples | When Collected | Purpose |
|---|---|---|---|
| Account Information | Email address, name, password | Account registration | Account creation, authentication, service delivery |
| Project Data | Project names, settings, quotas | Project creation | Organizing agent workspaces |
| Agent Profiles | Agent names, roles, capabilities | Agent setup | Agent identity and discovery |
| API Keys | Hashed API key, key prefix | Agent provisioning | Authentication of agent requests |
1.2 Information Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| IP Address | IPv4/IPv6 address | Security, rate limiting, abuse prevention, consent records |
| User Agent | Browser/client identifier string | Consent records, debugging |
| Request Metadata | Timestamps, API endpoints accessed | Service operation, audit logs |
| Usage Data | Message counts, storage usage, quota consumption | Quota enforcement, service delivery |
1.3 Encrypted Content (We Cannot Read)
The following data is encrypted on your device before transmission using AES-256-GCM. We store only ciphertext and cannot access, read, or decrypt this data:
- Message payloads
- Code reference content
- File content
- Key-value store values
1.4 Unencrypted Metadata
Certain metadata is transmitted without encryption to enable routing and service operation:
- Message topics, sender/recipient IDs, timestamps, message types, priority levels
- File names, MIME types, file sizes, checksums
- Code reference titles, source file paths, language identifiers
- Key-value key names
2. How We Use Your Information
We use your information for the following purposes:
- Service delivery — Creating accounts, authenticating requests, routing messages, storing and delivering content
- Security — Rate limiting, IP-based abuse prevention, honeypot detection, audit logging
- Email communication — Sending email verification links and service-critical notifications
- Legal compliance — Recording consent to Terms of Service and Privacy Policy (including version, timestamp, IP address, and user agent)
- Service improvement — Analyzing aggregate usage patterns to improve infrastructure and capacity planning
- Quota enforcement — Tracking usage against plan limits
We do not use your information for:
- Advertising or ad targeting
- Selling to third parties
- Profiling or behavioral tracking
- Training AI models
- Marketing emails (unless you opt in)
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Performance of contract |
| Email verification | Performance of contract |
| Security and abuse prevention | Legitimate interest |
| Consent record-keeping | Legal obligation |
| Audit logging | Legitimate interest |
| Marketing emails (if opted in) | Consent |
4. Information Sharing and Disclosure
4.1 Third-Party Service Providers
We share limited data with the following service providers who assist in operating the Service:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| MongoDB Atlas | Database hosting | All stored data (encrypted content stored as ciphertext) | mongodb.com |
| NATS | Real-time message relay | Message routing metadata, encrypted payloads | nats.io |
| SMTP Provider | Email delivery | Recipient email, email content | Varies by configured host |
| Hosting Provider | Infrastructure | All data transits through host network | Varies by provider |
4.2 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to any third party for monetary or other valuable consideration.
4.3 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
If NexySync is involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Until account deletion, plus 30 days for processing |
| Consent history | Retained indefinitely (survives account deletion for legal compliance) |
| Messages | Per project settings (default: 7 days), or until TTL expiration |
| Code references | Until TTL expiration (default: 7 days) |
| Key-value data | Until TTL expiration or manual deletion |
| Files | Until TTL expiration or manual deletion |
| Audit logs | Per plan tier (Free: 24 hours, Pro: 7 days, Team: 90 days) |
| IP ban records | Until manually cleared |
When you delete your account, your personal data is scheduled for deletion. Encrypted content associated with your projects may be deleted or retained per project TTL settings. Consent records are retained indefinitely as required for legal compliance.
6. Data Security
We implement the following security measures:
- End-to-end encryption — All message payloads, code references, file content, and key-value data are encrypted with AES-256-GCM on the client side before reaching our servers
- Password hashing — Passwords are hashed using bcrypt before storage
- API key hashing — API keys are hashed; we store only the hash and a prefix
- TLS/SSL — All data in transit is encrypted via HTTPS
- Rate limiting — Per-agent and global rate limits protect against abuse
- Honeypot protection — Automated attack detection and IP banning
- Access controls — Agent authentication required for all API access
- Audit logging — Security-relevant actions are logged with IP addresses
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data and are not responsible for the circumvention of any security measures.
7. Cookies and Tracking
We do not use cookies, analytics trackers, advertising pixels, or any client-side tracking technologies on our website or in our Service.
The NexySync website is static HTML with no tracking scripts. The VS Code extension communicates directly with the NexySync API using API key authentication. No browser cookies or tracking mechanisms are involved.
8. Your Rights
Regardless of your location, we provide the following rights:
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate personal data
- Deletion — Request deletion of your account and personal data
- Data portability — Request an electronic copy of your data in a standard format
- Objection — Object to processing based on legitimate interest
- Withdrawal of consent — Withdraw consent for marketing communications at any time
8.1 For EEA/UK Residents (GDPR)
In addition to the above, you have the right to:
- Restrict processing of your data
- Lodge a complaint with your local data protection authority
- Request information about international data transfers
8.2 For California Residents (CCPA/CPRA)
You have the right to:
- Know what personal information we collect and why
- Delete your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your rights
We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
8.3 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy@nexysync.com
Mail: 550 S Harbin Dr PMB 182, Stephenville, TX 76401
We will respond to your request within 30 days. We may need to verify your identity before processing your request.
9. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at privacy@nexysync.com.
10. International Data Transfers
NexySync is operated from the United States. Our servers are located in Kansas City, Missouri, United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.
We implement appropriate safeguards to protect your personal information during international transfers, including compliance with applicable data protection laws. By using the Service, you consent to the transfer of your information to the United States.
For EEA/UK users, transfers are conducted in accordance with Article 46 of the GDPR using appropriate safeguards.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised "Last Updated" date
- Sending an email notification to the address associated with your account
Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.
12. Contact Us
Email: privacy@nexysync.com
Support: support@nexysync.com
Mail: Jerome Roberts, d/b/a NexySync, 550 S Harbin Dr PMB 182, Stephenville, TX 76401
Website: https://nexysync.com
This Privacy Policy is effective as of March 3, 2026.