Privacy Policy

How nyxory processes personal data. Compliance target: GDPR (EU 2016/679), BDSG-neu.

This Privacy Policy describes how nyxory processes personal data when you use our service. The service is operated by nyxory GmbH.

1. Controller (Verantwortlicher)

The controller as defined by GDPR Art. 4(7) is nyxory GmbH, named in our Imprint. For questions regarding data protection, contact privacy@nyxory.com.

2. What personal data we process

| Category | Examples | Source |
|---|---|---|
| Account data | Email address, GitHub handle, password hash | You — when you register |
| Repository content | Source code, configuration files, container images | You — when you connect a repository |
| Deployment logs | Build output, runtime logs, error traces | Platform during build / runtime |
| Agent conversation transcripts | Prompts and agent responses (concierge use) | You + the platform |
| Technical access data | IP address, user agent, request timestamps | Your client — automatic |
| Communications | Emails, support tickets, Discord messages | You — when you contact us |
| Billing data | Billing email, payment-method token (not the card number), invoice and transaction records, billing country / VAT ID | You + Stripe — when you start a paid plan or on-demand resource |

We do not process special categories of data (Art. 9 GDPR) such as health, biometric, or political data, and we do not knowingly collect data of children under 16.

3. Why we process it (legal basis)

  • Performance of contract (Art. 6(1)(b) GDPR) — providing the hosting service
  • Legitimate interest (Art. 6(1)(f) GDPR) — security, abuse prevention, service improvement
  • Legal obligation (Art. 6(1)(c) GDPR) — record-keeping, takedown response
  • Operational notices — security, outage, policy changes

4. How long we keep it

  • Account data — until you delete, then up to 30 days for backup rollover
  • Repository content (build clone) — deleted when build completes
  • Deployed images — until App deletion, then immediate K8s GC
  • Free-tier app uptime — 7 days rolling, intentionally ephemeral
  • Deployment logs — 30 days, then aggregated and anonymised
  • Agent transcripts — until project deletion; archived but unreachable from UI thereafter
  • Technical access data — 14 days for security analysis, then deleted
  • Communications — 3 years per §147 AO where applicable
  • Billing and invoice records — 10 years per §147 AO / §14b UStG (statutory tax retention)

Honesty about known gaps

  • Account deletion is partial today (orphan namespaces possible until GC runs)
  • Audit logging is scoped to entitlement-gate decisions only
  • Beta data safety is best-effort, no RTO/RPO commitments

5. Subprocessors, data flow, and where data lives

5.1 Where your data lives. All persistent data — your account, your deployed applications, your container images, your persistent volumes, our console database, and our internal services — is hosted on Hetzner Online GmbH infrastructure in Germany (Falkenstein and Nuremberg data centres). This is the EU-sovereignty foundation of the Service.

5.2 Cloud-provider flexibility. We reserve the right to change infrastructure providers — including replacing or augmenting Hetzner with another provider — provided the replacement provider meets at least equivalent standards for: (a) EU/EEA data residency, (b) GDPR compliance and DPA terms, (c) operational security, and (d) sovereignty posture (no US-CLOUD-Act exposure for the EU-resident dataset). We will give paid subscribers at least 30 days' written notice before a material change of underlying infrastructure provider and update this section accordingly.

5.3 Current subprocessors:

  • Hetzner Online GmbH — infrastructure, persistent storage, compute, network. Germany (Falkenstein, Nuremberg). Hosts: account data, deployed apps, container images, persistent volumes, and our internal services.
  • Customer.io, Inc. — Transactional and lifecycle email automation (welcome messages, deployment notifications, billing receipts, account communications). EU-Region. Stores: email address, account identifier, deployment events relevant to email triggers.
  • Google Ireland Limited (Google Workspace) — Inbound and outbound correspondence email for the addresses listed in the Imprint (hello@, privacy@, abuse@, security@nyxory.com). Stores: message content of correspondence with us. Ireland with backend processing in the EU/EEA and United States under DPF/SCCs.
  • Stripe Payments Europe Ltd. — Billing and payment processing for paid tiers. Stores: billing email, payment-method tokens (not the card number itself), invoice records. Ireland with onward processing in the United States under DPF/SCCs.
  • OpenRouter, Inc. — LLM inference routing for the concierge tier only. Primarily United States. Sees: prompt content explicitly submitted via the concierge surface. Not used for the self-driving tier (see §5.4).
  • Kaneo — Online project-management service used for internal operations and support-ticket triage. May incidentally store customer-correspondence content where relevant to triage. Region per vendor terms at kaneo.app.

5.4 Your AI provider is not our subprocessor (self-driving tier). When you use nyxory in the default self-driving mode, your AI coding agent (e.g. Claude Code, Cursor, Windsurf, Continue) runs on your machine or in your environment of choice, using your own API keys with your chosen large-language-model provider (Anthropic, OpenAI, Google, etc.). nyxory does not act as intermediary, does not store your API keys, and does not see the full reasoning content exchanged between your agent and your LLM provider. In this mode, your LLM provider is in a direct controller-to-processor relationship with you, not with nyxory. nyxory sees only the tool-calls your agent invokes against our MCP server (covered in §10).

5.5 Indirect transmission (concierge tier). If you opt into the concierge tier — where nyxory drives an agent on your behalf — prompt content is transmitted to OpenRouter and onward to model providers (which may include Anthropic, OpenAI, Google, Mistral, or others routed via OpenRouter), primarily in the United States. We rely on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) for these transfers. If you require strict EU-only inference for sensitive workloads, use the self-driving tier with an EU-resident LLM provider, or contact us about Enterprise sovereignty options.

5.6 Source-code providers (when you connect a repository). If you connect a Git repository, we receive a build-time clone of the repository contents from your source-code provider (e.g. GitHub, Inc. or GitLab, Inc.) via your authorisation. Those providers remain your controller relationship; nyxory acts as processor for the duration of the build only. The build clone is deleted upon completion (see §4). OAuth tokens and webhook secrets are stored encrypted at rest.

Evolution of this list: Our subprocessor list evolves as the platform grows. The list above is the authoritative current state; we update this page within 14 days of any material subprocessor change (addition, removal, replacement, or region change). For paid subscribers we additionally send an email notice for additions of subprocessors that materially affect personal-data processing scope. Continued use of the Service after a subprocessor change constitutes acceptance for purposes of Art. 28 GDPR consent-where-required.

International transfers (Art. 44 ff. GDPR): Material transfers outside the EU/EEA are limited to: (a) concierge-tier prompt content via OpenRouter and onward providers (see §5.5), (b) Google Workspace backend processing, and (c) Stripe payment processing. All other personal data remains in the EU/EEA. We rely on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) for the limited cross-border transfers identified above.

6. Your rights under GDPR

  • Access (Art. 15) — confirmation and a copy
  • Rectification (Art. 16) — correction of inaccurate data
  • Erasure (Art. 17) — subject to legal obligations
  • Restriction (Art. 18)
  • Data portability (Art. 20) — structured machine-readable format
  • Objection (Art. 21) — to legitimate-interest processing
  • Right to withdraw consent (Art. 7(3))
  • Right to lodge a complaint with a supervisory authority

To exercise: privacy@nyxory.com. We respond within 30 days; complex requests may extend by 60 days with notice.

7. Cookies, analytics, and ad measurement

The nyxory console uses only strictly necessary session cookies to keep you logged in. For product analytics we use Plausible, which is cookieless and stores no personal data on your device. We set no advertising cookies and use no cross-site tracking pixel in your browser.

To measure which ad campaigns bring people to nyxory, we run server-side conversion measurement with X. When you arrive from an X (Twitter) ad and take an action such as opening the console, our server reports that conversion to X Corp. (US) via X’s Conversion API. We send only pseudonymous signals — the X click identifier (twclid), your IP address, and browser user-agent — never your name, email, or account data. The transfer to the US is covered by the EU Standard Contractual Clauses. Legal basis: our legitimate interest in measuring our advertising (Art. 6(1)(f) GDPR).

This measurement runs on an opt-out basis. It is switched off automatically when your browser sends a Global Privacy Control or Do Not Track signal, and you can opt out for this device at any time using the control below.

8. Security

  • TLS 1.3 in transit; encrypted storage at rest where supported by Hetzner
  • Per-customer namespace isolation with strict network policies
  • Role-based access control (RBAC) on platform APIs
  • Secrets encrypted via operator-managed encryption key
  • Best-effort — explicitly not a security guarantee

These are good-faith engineering practices, not warranties. No infrastructure is unbreachable; no engineering practice is perfect; no key-management posture survives every adversary. The Service is provided on a best-effort basis as set out in the Terms of Service §§6.2, 6.4, 6.5. To report a suspected vulnerability, see our security policy.

9. Changes to this Policy

Material changes will be communicated via email and via a notice on nyxory.com at least 14 days before they take effect, where practicable.

10. Service improvement and aggregated learning data

When you use the Service, your AI coding agent communicates with our MCP server to deploy applications. As part of this exchange we collect and aggregate the following technical data for the purpose of improving the Service:

  • Tool-call traces — name, arguments, stated reason, outcome, duration
  • Agent briefings — stack, services, env-var names (we exclude secret values), deployment intent
  • Deployment outcomes — what succeeded, what failed, where, and why

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating, securing, and improving the Service. Aggregation is built into the pipeline by design.

Right to object & opt out: Email privacy@nyxory.com to discontinue use of your data for service-improvement purposes. We confirm within 30 days. Once the in-console toggle ships, you will be able to disable continuous-learning collection per account.

11. Controller vs Processor — when you deploy customer-facing apps

11.1 For the platform itself: we are the controller (Verantwortlicher, Art. 4(7) GDPR) of the personal data described in §2 of this Policy that we process about you, our user.

11.2 For your deployed applications: when you deploy an application that itself processes personal data of its own end users — for example a SaaS product, an API, a website with a contact form, a backend that stores customer records — you are the controller of that data, and we are a processor (Auftragsverarbeiter, Art. 4(8) GDPR) acting on your instructions in respect of hosting only. Our processing of that data is limited to operating the underlying compute, storage, and network resources you have provisioned.

11.3 DPA on request. A formal Data Processing Agreement (Auftragsverarbeitungsvertrag) per Art. 28(3) GDPR is not in force by default during the open beta. If you process personal data of identifiable end users via the Service and require a DPA, contact privacy@nyxory.com and we will negotiate one bilaterally. A standalone DPA template will be published post-Beta.

11.4 Your end-user-facing obligations are yours. You are responsible for your own privacy notices, consent flows, lawful-basis assessments, retention schedules, and Art. 13/14 disclosures vis-à-vis your end users. We do not assume controller obligations for your end users by virtue of hosting your application.

12. Contact

Last updated: 2026-06-16.
