IdeaValidator LLC DBA Nexus OS — Version 2026.04.2 — Effective: April 16, 2026
1. DATA WE COLLECT
This Privacy Policy applies to NexusOS.ai (also referred to as “Nexus OS”), operated by IdeaValidator LLC at nexus-os.ai. NexusOS.ai collects and processes data as described below when you use our platform and connected services including TikTok, Instagram, Facebook, YouTube, X (Twitter), LinkedIn, Reddit, and other social platform integrations.
Voice DNA: Writing samples you upload for voice cloning, and the extracted voice profile (tone, vocabulary, rhythm patterns).
Content Data: AI-generated text, images, video, audio, funnels, knowledge base entries, and scheduled posts.
Social Account Tokens: OAuth access tokens and refresh tokens for all connected platforms, including TikTok, Instagram, Facebook, YouTube, X, LinkedIn, and Reddit. These tokens are stored encrypted (AES-256-GCM) on our servers to enable content publishing on your authorized platforms. Tokens are immediately revoked and deleted when you disconnect a platform from your Nexus OS dashboard.
TikTok-Specific Data: When you connect your TikTok account via OAuth, we collect only data authorized by the scopes you approve: user.info.basic (your TikTok Open ID, display name, avatar URL, and profile link), video.upload (permission to upload content to your TikTok account as drafts), and video.publish (permission to directly publish content to your TikTok profile). We also store metadata returned after publishing, such as post IDs, publish timestamps, and delivery status. We do not collect your TikTok password, private messages, follower lists, or any data beyond the scopes you explicitly authorize.
Your API Keys (Bring Your Own Key): Nexus OS uses a Bring Your Own Key (“BYOK”) model for AI services. If you choose to use AI-powered features, you provide your own third-party API key (e.g., Google Gemini). Your API key is stored exclusively in your browser’s localStorage on your device. It is never transmitted to, stored on, or accessible by Nexus OS servers. All AI requests using your key are sent directly from your browser to the third-party AI provider. You are solely responsible for the security and usage of your API key.
Usage Data: Content generation counts, API usage metrics, feature interactions, and queue history.
Payment Data: Processed by Stripe. We store your Stripe customer ID and subscription ID. We never store credit card numbers, CVVs, or full payment details on our servers. See Stripe’s Privacy Policy.
Client Management Data (Agency Plan): If you manage client sub-accounts, we store each client’s account data, content, and usage metrics separately. Sub-account data is isolated.
Marketplace Data: If you list assets on the Yield Portal, we store listing details, transaction history, and sales analytics.
Credits Data: NEX Credit balances, transaction history, and resource usage are stored for account management.
2. HOW WE STORE YOUR DATA
Server-Side Storage: Your data is stored in a PostgreSQL database on a Google Cloud Platform (GCP) Confidential VM with AMD SEV-SNP hardware encryption.
Encryption at Rest: Sensitive data (Voice DNA, Digital Soul profiles, all OAuth tokens including TikTok access and refresh tokens) is encrypted using AES-256-GCM with per-user encryption keys.
Row-Level Security: Database access is enforced through PostgreSQL Row-Level Security (RLS) policies — each user can only access their own data.
Browser Storage: We store authentication tokens (nexus_token, nexus_vault_token), basic user info (nexus_user), a local cache of your Digital Soul profile (nexus_digital_soul), WebAuthn/Passkey credentials (nexus_hardware_id, nexus_webauthn_cred, nexus_webauthn_email), and your BYOK API key (nexus_byok_gemini) in your browser’s localStorage. Authentication data is used for session persistence and biometric login. Your BYOK API key is stored only in your browser and is used to make AI requests directly from your device to the third-party provider — it is never sent to Nexus OS servers.
HttpOnly Cookie: A secure, HttpOnly, SameSite=Strict cookie (nexus_auth) is used for API authentication and cannot be accessed by JavaScript.
3. HOW WE USE YOUR DATA
To provide the service: content generation, voice cloning, social media posting (including to TikTok via the Content Posting API), funnel hosting, and agent automation. AI-powered features (text generation, image generation, research) operate under a Bring Your Own Key model: your browser sends requests directly to the third-party AI provider (e.g., Google Gemini) using your own API key. Nexus OS servers do not process, intercept, or store these AI requests or responses. Your prompts and AI-generated outputs for these features travel directly between your browser and the AI provider, subject to that provider’s privacy policy.
To publish content to your connected platforms strictly within the scopes you authorize.
To process payments via Stripe.
To send transactional emails: welcome messages, payment confirmations, subscription changes, and security alerts.
To enforce rate limits and plan-based usage caps.
We do NOT use your data, including TikTok user data, to train public AI models. Your Voice DNA and content are used exclusively for your account.
We do NOT sell, rent, or share your personal data with third parties for advertising.
4. TIKTOK INTEGRATION AND HANDLING OF TIKTOK USER DATA
Nexus OS integrates with TikTok through the official TikTok for Developers platform, using Login Kit and Content Posting API. When you use the TikTok integration, we act as a data processor for the TikTok user data you authorize us to access. Our handling of TikTok user data complies with the TikTok Developer Terms of Service and TikTok’s data handling requirements.
Scopes we request (only with your explicit consent during OAuth authorization):
user.info.basic — allows us to display your TikTok profile (Open ID, display name, avatar) inside Nexus OS.
video.upload — allows Nexus OS to share content to your TikTok account as a draft for you to further edit and post from within TikTok.
video.publish — allows Nexus OS to directly post content to your TikTok profile after you review and approve it in the Content Queue.
Purpose limitation: TikTok user data is used solely to provide the integration features you authorize. We do not use TikTok user data for advertising, resale, profiling, or any purpose beyond the scopes you approved.
Token storage: TikTok OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM with per-user keys, and encrypted in transit via TLS 1.3. They are used only to make API requests on your behalf.
Token revocation: You may disconnect your TikTok account at any time from your Nexus OS dashboard. Upon disconnection, we immediately revoke the OAuth tokens with TikTok, delete the stored access and refresh tokens from our database, and cease all API activity on your behalf.
User review requirement: No content is published to your TikTok profile without your explicit review and approval in the Content Queue. Auto-approval, if enabled by you, requires prior manual configuration and can be disabled at any time.
Retention: TikTok user data is retained only as long as necessary to provide the Services, or until you disconnect your TikTok account or request account deletion.
Google Gemini / Google AI (BYOK — Client-Side): Under the Bring Your Own Key model, AI features such as text generation, image generation, and research are powered by your own Google Gemini API key. Requests are sent directly from your browser to Google’s API — Nexus OS servers do not proxy, log, or store these requests or their responses. Your use of Google Gemini is governed by your own agreement with Google and subject to Google’s Privacy Policy. Nexus OS does not act as a data processor for AI data handled under BYOK.
Account data is retained for the lifetime of your account.
Generated content (posts, images, video) is retained until you delete it or delete your account.
Voice DNA profiles are retained until you delete them or delete your account.
Connected platform OAuth tokens (including TikTok) are deleted immediately upon disconnection of that platform.
TikTok user data (profile info, post metadata) is deleted within 30 days of disconnecting your TikTok account or deleting your Nexus OS account.
Usage metrics are retained for 12 months for billing and analytics purposes.
Security audit logs are retained for 90 days.
7. YOUR RIGHTS
Access: You may request a copy of all data associated with your account, including any TikTok data we hold on your behalf.
Deletion: You may request complete deletion of your account and all associated data by emailing [email protected]. Deletion is processed within 30 days. Upon account deletion, all connected platform tokens (including TikTok) are immediately revoked.
Disconnect a platform: You may disconnect any connected platform (including TikTok) at any time from your Nexus OS dashboard. This immediately revokes our access and deletes the associated tokens.
Delete BYOK API keys: You may delete your stored API key at any time from Settings or by clearing your browser’s localStorage. Since your key is stored only on your device, deletion is immediate and does not require a server request.
Portability: You may export your content, knowledge base entries, and Voice DNA profile.
Correction: You may update your account information at any time through Settings.
Withdraw consent: You may revoke previously granted scopes through your TikTok account settings at https://www.tiktok.com/setting or directly in the Nexus OS dashboard.
7.1 GDPR — Rights of EU/EEA Residents
If you reside in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR with respect to your personal data:
Right of access (Art. 15) — request a copy of your personal data we hold.
Right to rectification (Art. 16) — correct inaccurate or incomplete data.
Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data.
Right to restrict processing (Art. 18) — limit how we use your data.
Right to data portability (Art. 20) — receive your data in a machine-readable format.
Right to object (Art. 21) — including objecting to profiling or automated decision-making.
Right to withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
Right to lodge a complaint with your local data protection authority.
Our legal bases for processing under GDPR are: (a) consent (Art. 6(1)(a)) — for marketing emails and optional features; (b) contract necessity (Art. 6(1)(b)) — to provide the Services you subscribed to; (c) legitimate interests (Art. 6(1)(f)) — for fraud prevention, security, and product improvement. International data transfers from the EEA/UK to our US infrastructure are protected by Standard Contractual Clauses (SCCs).
To exercise any of these rights, email [email protected]. We respond within 30 days as required by law.
7.2 CCPA / CPRA — Rights of California Residents
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
Right to know — what personal information we collect, the sources, and how it's used.
Right to delete — request deletion of personal information we have collected from you.
Right to correct — request correction of inaccurate personal information.
Right to opt out of sale or sharing — Nexus OS does not sell or share your personal information for cross-context behavioral advertising.
Right to limit use of sensitive personal information — restrict how we use sensitive data.
Right to non-discrimination — exercising any CCPA right will not result in any adverse change to your service or pricing.
To exercise California rights, email [email protected] with the subject line "California Privacy Request". We verify identity before processing and respond within 45 days. You may also designate an authorized agent to make a request on your behalf.
8. SECURITY MEASURES
FIDO2/Passkey biometric authentication.
Five AI security agents monitoring for threats in real-time (CERBERUS, REAPER, WRAITH, HOUND, ORACLE).
AES-256-GCM encryption for sensitive data at rest, including all OAuth tokens (TikTok, Meta, YouTube, X, LinkedIn, Reddit).
Nexus OS is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors. If we learn that we have collected data from a person under 18, we will delete it promptly.
10. INTERNATIONAL DATA TRANSFERS
Nexus OS operates globally and may transfer your personal data to countries outside your jurisdiction, including the United States, for processing and storage. Where required, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission to protect your data during international transfers.
11. CHANGES
We may update this Privacy Policy at any time. Material changes will be communicated via email or in-app notification. The version number and date at the top of this document reflect the most recent revision.
12. CONTACT
For privacy inquiries, data requests, or concerns related to TikTok data or any other matter: