Privacy Policy

NEXUS by My Stripes Digital

Last updated: 3 April 2026 Effective date: 3 April 2026

Plain English Summary

Before the legal language: here's what you need to know.

Your data is yours. We don't sell it, share it, or use it to train AI models.

Each user is isolated. No other user can ever see your data. Period.

Your conversations are encrypted. We use industry-standard encryption at rest and in transit.

You can delete everything. Request full data deletion at any time and we'll wipe it within 30 days.

We only collect what we need to make NEXUS work for you.

Now, the formal version:

1. Who We Are

NEXUS is operated by My Stripes Digital (ABN 81 972 900 602), based in Mont Albert, Melbourne, Victoria, Australia.

Contact: hello@mystripesconnect.com.au

Phone: +61 403 700 965

Address: 3-7 Hamilton St, Mont Albert VIC 3127, Australia

In this policy, "we", "us", and "our" refers to My Stripes Digital. "You" and "your" refers to you, the user.

2. What We Collect

2.1 Account Information

Email address (for authentication and communication)

Full name (optional, for personalisation)

2.2 Onboarding Data

When you create your AI agent, you provide personal information through our onboarding flow. This may include:

Your agent's name and personality preferences

Information about yourself (life context, work, interests)

Preferences and boundaries (topics to avoid, communication style)

Optional: health, financial, and emotional context

This data is the most sensitive thing we hold. It is encrypted at rest using per-user encryption keys (see Section 5).

2.3 Conversations

All messages between you and your AI agent are stored to maintain context and memory. Conversations may contain highly personal information.

Conversations are encrypted at rest and completely isolated per user.

2.4 Agent Memories

Your AI agent extracts key facts and preferences from your conversations to improve its responses over time. These memories are stored encrypted and are visible only to you.

2.5 Files

If you upload documents (spreadsheets, PDFs, text files), we store them in your isolated storage bucket and extract text content for your agent to reference.

2.6 Integration Credentials

If you connect third-party services (e.g., Gmail, Google Calendar), we store OAuth tokens to maintain those connections. These tokens are encrypted and stored in Supabase Vault.

We never store your third-party passwords. OAuth means we receive a limited-access token — we can't see or change your password.

2.7 Usage Data

We track basic usage metrics (message counts, token usage) for billing and rate limiting. This data is numerical only — it contains no message content.

2.8 Payment Information

Payment is processed by Stripe. We do not store your credit card number, CVV, or full card details. Stripe handles all payment data under their own PCI-DSS compliant security.

We store only: Stripe customer ID, subscription status, and billing period dates.

3. What We DON'T Collect

We do not track your browsing activity outside NEXUS

We do not use cookies for advertising or tracking

We do not collect device fingerprints

We do not sell, rent, or share your personal data with third parties

We do not use your data to train AI models

4. How We Use Your Data

| Purpose | Data Used | Legal Basis |

|---------|-----------|-------------|

| Provide the NEXUS service | All data listed above | Contract (you signed up for the service) |

| Maintain your AI agent's memory and context | Conversations, memories, onboarding data | Contract + Legitimate interest |

| Process payments | Stripe customer ID, subscription data | Contract |

| Send service-critical emails (e.g., magic link, billing) | Email address | Contract |

| Improve the service | Aggregated, anonymised usage statistics only | Legitimate interest |

| Comply with legal obligations | As required | Legal obligation |

We will never use your personal conversations, onboarding data, or agent memories for marketing, advertising, analytics, or AI model training.

5. How We Protect Your Data

5.1 Encryption at Rest

All sensitive data is encrypted at rest using AES-256 encryption. Sensitive columns (conversations, onboarding data, memories, integration credentials) are additionally encrypted using Supabase Vault with per-user encryption keys.

5.2 Per-User Key Isolation

Each user has a unique encryption key derived using HKDF (HMAC-based Key Derivation Function). This means:

Even in the event of a database breach, one user's data cannot be used to decrypt another's

Your encryption key is managed by Supabase Vault — it never appears in application code or logs

5.3 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS). We enforce HSTS headers to prevent downgrade attacks.

5.4 Tenant Isolation

Every database query is scoped to your authenticated user ID. Row-Level Security (RLS) is enforced at the database level — not just the application level. This means even a bug in our code cannot expose another user's data.

5.5 Authentication

We use magic link authentication (passwordless). There is no password to leak, brute-force, or phish. Sessions use short-lived JWT tokens (15-minute access tokens with 7-day refresh tokens).

5.6 Infrastructure

Database: Supabase (PostgreSQL), hosted in Sydney, Australia (ap-southeast-2)

Application: Vercel (Edge network with global CDN)

Payments: Stripe (PCI-DSS Level 1 compliant)

AI Processing: Anthropic Claude API (data processed per Anthropic's commercial API terms — not used for training)

6. Third-Party Services

| Service | Purpose | Their Privacy Policy |

|---------|---------|---------------------|

| Supabase | Database, authentication, file storage | https://supabase.com/privacy |

| Anthropic | AI conversation processing (Claude API) | https://www.anthropic.com/privacy |

| Stripe | Payment processing | https://stripe.com/au/privacy |

| Vercel | Application hosting | https://vercel.com/legal/privacy-policy |

Anthropic (Claude API) — Important Note

Your conversations are processed by the Anthropic Claude API to generate AI responses. Under Anthropic's commercial API terms:

Your data is NOT used to train Anthropic's models

Your data is NOT stored by Anthropic beyond the API request

Anthropic may retain data for up to 30 days for safety monitoring, after which it is deleted

Full details: https://www.anthropic.com/api-data-policy

7. Data Retention

| Data Type | Retention Period |

|-----------|-----------------|

| Account & profile | Until you delete your account |

| Conversations & messages | Until you delete your account |

| Agent memories | Until you delete your account |

| Uploaded files | Until you delete your account |

| Integration tokens | Until you disconnect the integration or delete your account |

| Usage/billing records | 7 years after account closure (Australian tax law requirement) |

| Security audit logs | 2 years |

8. Your Rights

You have the right to:

8.1 Access Your Data

Request a complete copy of all data we hold about you. We will provide this within 30 days in a machine-readable format (JSON).

8.2 Correct Your Data

Update your onboarding answers, agent settings, or profile information at any time through the NEXUS dashboard.

8.3 Delete Your Data

Request complete deletion of your account and all associated data. We will:

Delete all conversations, memories, files, agent data, and integration credentials within 30 days

Cancel any active subscription

Retain only billing records required by Australian tax law (anonymised where possible)

To request deletion, email hello@mystripesconnect.com.au with subject "Data Deletion Request" or use the "Delete Account" option in your NEXUS settings.

8.4 Export Your Data

Request a full export of your data in a portable format. We'll provide conversations, memories, uploaded files, and agent configuration.

8.5 Withdraw Consent

You can disconnect integrations, clear memories, or delete conversations at any time without deleting your entire account.

8.6 Lodge a Complaint

If you believe we have breached your privacy, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: https://www.oaic.gov.au

Phone: 1300 363 992

9. Data Breach Response

In the event of a data breach that poses a risk to your rights:

1. We will notify affected users within 72 hours of becoming aware of the breach

2. We will notify the OAIC as required under the Notifiable Data Breaches (NDB) scheme

3. We will provide clear information about what data was affected and what steps we're taking

4. We will offer practical guidance on steps you can take to protect yourself

10. Children

NEXUS is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. If we discover that a user is under 18, we will delete their account and all associated data.

11. International Data

NEXUS is an Australian service. Your data is primarily stored in Australia (Sydney region). Some processing may occur internationally through our service providers (Anthropic — USA, Vercel — global edge). All international transfers are protected by encryption in transit and contractual data protection agreements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes:

We will notify you by email

We will post the updated policy on our website with a new effective date

We will give you 30 days' notice before changes take effect

13. Contact Us

For any privacy-related questions, concerns, or requests:

My Stripes Digital

Email: hello@mystripesconnect.com.au

Phone: +61 403 700 965

Address: 3-7 Hamilton St, Mont Albert VIC 3127, Australia

This Privacy Policy is governed by the laws of Victoria, Australia, including the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). My Stripes Digital — "We build the systems that set businesses free." 🦓