NERVE (“we”, “us”, or “our”) operates the platform available at nervecorehq.com (the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data. By accessing or using the Service you agree to this Policy. If you do not agree, please stop using the Service.
Information We Collect
1.1 Information you provide directly
- Account data. Full name, email address, and password (or OAuth credentials) when you create an account.
- Workspace data. Business name, description, goals, tone of voice, ideal customer profile, and any configuration you enter when setting up your workspace.
- Content. Messages, prompts, task inputs, agent configurations, system prompts, and any files or images you upload to the Service.
- Payment data. Billing name, address, and card details processed by Stripe. We never store raw card numbers on our own servers.
- Communications. Any emails or support requests you send to us.
1.2 Information collected automatically
- Usage data. Pages visited, features used, button clicks, and interaction sequences within the Service.
- Log data. IP address, browser type and version, device identifiers, referring URLs, and timestamps.
- Cookies. Session cookies required for authentication and analytics cookies (PostHog) to understand feature usage. You can disable non-essential cookies in your browser settings.
- Agent activity logs. Records of tasks dispatched, agent outputs, approval decisions, and memory entries generated by your agents.
1.3 Information from third-party integrations
When you connect a third-party service (e.g. Gmail, Facebook Pages), we receive an OAuth access token and the minimum data required to operate that integration on your behalf. Tokens are stored in AES-256-GCM encrypted form. We do not read or store third-party data beyond what is necessary to complete the tasks you request.
How We Use Your Information
- Provide, operate, and improve the Service.
- Authenticate your identity and maintain your session.
- Execute agent tasks you initiate, including calling connected third-party APIs on your behalf.
- Store agent memory and task history so your agents accumulate context over time.
- Send transactional notifications — task completions, approval alerts, and account communications.
- Process billing and enforce subscription limits.
- Monitor system health, debug errors, and prevent abuse.
- Analyse aggregate, anonymised usage patterns to guide product decisions.
- Comply with legal obligations and enforce our Terms of Service.
We do not use your content to train AI models. We do not sell your personal data.
Third-Party Services
The Service integrates with the following third-party providers. Each processes data under its own privacy policy, which we encourage you to review before connecting an integration.
Powers AI agent responses. Prompts and task outputs are transmitted to Anthropic's API. Anthropic does not use API data to train models by default.
Used for AI image generation (gpt-image-1) and as a model-agnostic fallback. Prompts and images are transmitted to OpenAI's API.
When you connect a Facebook Page, we store your page access token (encrypted) and use it to read posts, comments, and publish content on your behalf via the Meta Graph API.
When you connect Gmail, we store OAuth tokens (encrypted) and use them to read, draft, and send emails on your behalf. We access only the scopes you explicitly grant.
Used for AI text-to-speech synthesis. Text content may be transmitted to ElevenLabs to generate audio responses within the Service.
Handles user authentication and session management. Stores your email address and hashed credentials.
Our primary database and file storage provider. Data is stored in encrypted, SOC 2-compliant infrastructure with row-level security enforcing multi-tenant isolation.
Processes subscription payments. We share only the minimum data required to create and manage your billing account.
Hosts the Service frontend. Vercel may process request metadata (IP address, headers) in the course of serving web traffic.
Anonymised product analytics. No personally identifiable information is intentionally transmitted. You can opt out via your browser's Do Not Track setting.
Error monitoring and crash reporting. Error reports may include stack traces and request metadata. Personally identifiable data is scrubbed where possible.
Data Storage and Security
We implement the following safeguards:
- AES-256-GCM encryption of all OAuth access tokens at rest.
- TLS 1.2+ for all data in transit between your browser, our servers, and third-party APIs.
- Row-level security (RLS) in our database ensuring strict multi-tenant isolation — one organisation cannot access another's data.
- Principle of least privilege applied to all internal service accounts and API keys.
- Automated error alerting and a 24-hour incident response target for security events.
Data is stored primarily on Supabase infrastructure in the United States and European Union. If you are located outside these regions, your data may be transferred and processed in jurisdictions with different data protection laws. We rely on Standard Contractual Clauses and equivalent mechanisms where required.
No system is completely secure. If you believe your account has been compromised, contact us immediately at legal@nervecorehq.com.
Data Retention
- Account and workspace data is retained for as long as your account is active. Upon account deletion we remove or anonymise personal data within 30 days, subject to legal hold obligations.
- Agent memory and task logs are retained for the lifetime of your workspace. You can delete individual memory entries or clear all workspace data at any time from Settings.
- Short-term memory entries expire automatically after 7 days unless promoted to a longer retention tier.
- Billing records are retained for 7 years to satisfy financial reporting obligations, even after account deletion.
Cookies
- Strictly necessary. Session and authentication cookies set by Clerk. Required to use the Service and cannot be disabled.
- Analytics. PostHog cookies that help us understand how features are used in aggregate. You can opt out by enabling Do Not Track in your browser.
We do not use advertising cookies, retargeting pixels, or sell data to ad networks.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access. Request a copy of the personal data we hold about you.
- Correction. Request that we correct inaccurate or incomplete data.
- Deletion. Request deletion of your personal data. You can delete your account from Settings → Account, or by emailing us. See also our Data Deletion page.
- Portability. Request an export of your data in a structured, machine-readable format.
- Restriction. Request that we restrict processing of your data in certain circumstances.
- Objection. Object to processing based on our legitimate interests.
- Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email legal@nervecorehq.com. We will respond within 30 days. We may need to verify your identity before processing a request.
Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the effective date at the top of this page and, where appropriate, by sending an email to the address on your account. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Contact
For privacy-related questions or to exercise your rights: