COOKIE POLICY

Nimbus BCI Services

Effective Date: December 10, 2025
Last Updated: December 10, 2025

1. INTRODUCTION

This Cookie Policy explains how Nimbus BCI Inc. ("Nimbus BCI," "we," "us," or "our") uses cookies and similar technologies on the Nimbus BCI services available at https://nimbusbci.com.

Note: The Nimbus SDK (NimbusSDK.jl) is a Julia software package that runs locally on your computer and does not use cookies or similar web technologies. This Cookie Policy applies only to the Nimbus Studio web application and the nimbusbci.com website.

This Cookie Policy should be read together with our:

By using our web-based Services, you consent to the use of cookies as described in this Cookie Policy, subject to your preferences and applicable law.

2. WHAT ARE COOKIES?

2.1 Definition

Cookies are small text files that are placed on your computer, smartphone, or other device when you visit a website. Cookies are widely used to make websites work more efficiently and provide information to website owners.

2.2 How Cookies Work

When you visit a website:

Your browser requests the web page from the server
The server sends the page along with cookies
Your browser stores the cookies on your device
On subsequent visits, your browser sends the cookies back to the server
The server reads the cookies to recognize you and customize your experience

2.3 Similar Technologies

In addition to cookies, we may use similar technologies including:

Local Storage: Browser storage for larger amounts of data (HTML5)
Session Storage: Temporary storage that expires when you close your browser
Web Beacons: Tiny graphics (also called "pixels" or "tags") that track interactions
JavaScript: Code that runs in your browser to provide functionality

For simplicity, this Cookie Policy refers to all these technologies collectively as "cookies."

3. WHY WE USE COOKIES

We use cookies to:

✅ Authenticate Your Access

Keep you logged in to your account
Verify your identity
Prevent unauthorized access

✅ Provide Core Functionality

Save your preferences and settings
Remember your pipeline configurations
Maintain your session state
Enable real-time WebSocket connections

✅ Ensure Security

Protect against cross-site request forgery (CSRF)
Detect and prevent fraud
Monitor for suspicious activity
Enforce rate limits

✅ Improve Performance

Load balance traffic across servers
Cache content for faster loading
Reduce server load
Optimize resource delivery

✅ Understand Platform Usage (with your consent)

Analyze how users interact with the Platform
Identify popular features and pain points
Measure performance and errors
Guide product development

❌ We Do NOT Use Cookies For:

Cross-site tracking or surveillance
Targeted advertising
Selling data to third parties
Social media tracking (unless you use social login)

4. TYPES OF COOKIES WE USE

4.1 Classification by Duration

A. Session Cookies (Temporary)

What they are: Deleted when you close your browser

Examples:

Authentication session cookie
WebSocket connection state
Pipeline execution progress
Temporary form data

Why we need them: Essential for the Platform to function during your visit

B. Persistent Cookies (Long-lasting)

What they are: Remain on your device until they expire or you delete them

Examples:

"Remember me" authentication (30 days)
User preferences (1 year)
Analytics tracking (if enabled, 1-2 years)

Why we need them: To remember your settings across sessions

4.2 Classification by Provider

A. First-Party Cookies (Set by Nimbus BCI)

These cookies are set directly by our Platform (nimbusbci.com).

Examples:

nimbus_session - Authentication session
nimbus_prefs - User preferences
nimbus_csrf - Security token

B. Third-Party Cookies (Set by Service Providers)

These cookies are set by external services we use.

Examples:

Clerk authentication cookies
CDN cookies (Vercel)
Analytics cookies (if applicable)

Important: We carefully vet all third-party services and require them to use cookies only for legitimate purposes.

5. DETAILED COOKIE LIST

5.1 Strictly Necessary Cookies

These cookies are essential for the Platform to function. You cannot opt out of these cookies.

Cookie Name	Provider	Purpose	Duration	Type
`__clerk_db_jwt`	Clerk	Stores authentication token for session management	Session	HTTP
`__session`	Clerk	Main authentication session cookie	7 days	HTTP
`__client_uat`	Clerk	Tracks user authentication timestamp	Session	HTTP
`nimbus_csrf`	Nimbus BCI	Prevents cross-site request forgery attacks	Session	HTTP
`nimbus_session`	Nimbus BCI	Maintains platform session state	Session	HTTP
`ws_connection_id`	Nimbus BCI	Manages WebSocket connection for real-time features	Session	JavaScript
`csrf_token`	Nimbus BCI	Security token for API requests	1 hour	HTTP

Legal Basis (GDPR): Strictly necessary for service provision; no consent required (ePrivacy Directive, Article 5(3) exemption)

5.2 Functional Cookies

These cookies enhance functionality. You can opt out, but some features may not work properly.

Cookie Name	Provider	Purpose	Duration	Type
`nimbus_prefs`	Nimbus BCI	Stores user preferences (theme, layout, language)	1 year	Local Storage
`nimbus_recent_pipelines`	Nimbus BCI	Remembers recently accessed pipelines	30 days	Local Storage
`nimbus_ui_state`	Nimbus BCI	Saves panel positions and collapsed sections	90 days	Local Storage
`nimbus_execution_history`	Nimbus BCI	Caches recent execution results	7 days	Local Storage
`nimbus_node_palette_state`	Nimbus BCI	Remembers node palette collapsed/expanded state	1 year	Local Storage

Legal Basis (GDPR): Legitimate interests; opt-out available

5.3 Performance and Analytics Cookies

These cookies help us understand how you use the Platform. You can opt out without affecting functionality.

Note: We will only set these cookies with your explicit consent (for EU/UK users) or with opt-out option (for other users).

Cookie Name	Provider	Purpose	Duration	Type
`_vercel_insights`	Vercel Analytics	Privacy-friendly page view tracking	Session	HTTP
`_ga`	Google Analytics	Distinguishes unique users	2 years	HTTP
`_ga_<container-id>`	Google Analytics	Maintains session state	2 years	HTTP
`_gid`	Google Analytics	Distinguishes unique users	24 hours	HTTP
`nimbus_analytics`	Nimbus BCI	Tracks feature usage and performance	1 year	Local Storage

Note: You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

Legal Basis (GDPR): Consent required

What we track (if you consent):

Page views and navigation paths
Feature usage (which nodes you use most)
Pipeline execution times
Error rates and types
Browser and device information (anonymized)

What we DON'T track:

Personal identifiers (IP addresses are anonymized)
Specific EEG data or research content
Keystroke logging or screen recording
Cross-site activity

5.4 Cookies We Do NOT Use

We explicitly DO NOT use:

❌ Advertising Cookies

No ad targeting
No remarketing pixels
No ad network cookies

❌ Social Media Tracking Cookies

No Facebook Pixel
No Twitter tracking
No LinkedIn Insights
(Social login cookies from Clerk/OAuth are different and covered in 5.1)

❌ Cross-Site Tracking Cookies

No third-party trackers
No data brokers
No surveillance technology

6. THIRD-PARTY COOKIES

6.1 Authentication Provider (Clerk)

Service: Clerk (https://clerk.com)
Purpose: Secure authentication and user management
Cookies Set: __clerk_db_jwt, __session, __client_uat
Privacy Policy: https://clerk.com/privacy
Data Processing Agreement: In place

What Clerk cookies do:

Authenticate your identity
Maintain your login session
Enable single sign-on (SSO)
Provide multi-factor authentication (MFA)

Opt-Out: You cannot opt out of Clerk cookies as they are strictly necessary for authentication. If you don't want these cookies, you cannot use the Platform.

6.2 Content Delivery Network (Vercel)

Service: Vercel (https://vercel.com)
Purpose: Fast, secure content delivery
Cookies Set: May set cookies for load balancing and caching
Privacy Policy: https://vercel.com/legal/privacy-policy
Data Processing Agreement: In place

What Vercel cookies do:

Route your requests to the nearest server
Cache static content for faster loading
Balance load across infrastructure

Opt-Out: These are essential for performance; opting out may degrade your experience.

6.3 Analytics Providers

We use the following analytics services:

A. Vercel Analytics

Service: Vercel Analytics
Purpose: Privacy-focused usage statistics and performance monitoring
Cookies Set: Minimal or none (privacy-friendly analytics)
Privacy Policy: https://vercel.com/legal/privacy-policy

Privacy Features:

No cross-site or cross-device tracking
Data is aggregated and anonymized
GDPR and CCPA compliant
No advertising or remarketing

B. Google Analytics

Service: Google Analytics 4
Purpose: Detailed usage analytics and user behavior analysis
Cookies Set: _ga, _ga_<container-id>, _gid
Privacy Policy: https://policies.google.com/privacy
Opt-Out: https://tools.google.com/dlpage/gaoptout

Configuration:

IP anonymization enabled
Data sharing with Google disabled
Advertising features disabled
User-ID tracking disabled

Data Collected (both services):

Page views and navigation paths
Session duration
Geographic region (country-level)
Device and browser type (anonymized)

7. COOKIE CONSENT AND MANAGEMENT

7.1 Cookie Consent Banner (EU/UK/EEA Users)

When you first visit our Platform from the EU, UK, or EEA, you will see a cookie consent banner with options to:

✅ Accept All Cookies - Allows all cookies (necessary, functional, analytics)
⚙️ Customize Settings - Choose which non-essential cookies to allow
❌ Reject Non-Essential - Allow only strictly necessary cookies

Your choice is stored for 1 year.

7.2 Cookie Preference Center

You can change your cookie preferences at any time:

Location: Account Settings → Privacy → Cookie Preferences

Options:

✅ Strictly Necessary Cookies (cannot disable)
☑️ Functional Cookies (optional)
☑️ Analytics Cookies (optional)

Effect: Changes take effect immediately; some cookies may need page reload.

7.3 Browser-Level Cookie Management

You can also control cookies through your browser settings:

Google Chrome

Settings → Privacy and Security → Cookies and other site data
Options:
- Allow all cookies
- Block third-party cookies
- Block all cookies
To delete: Click "See all cookies and site data" → Remove specific cookies

Mozilla Firefox

Settings → Privacy & Security → Cookies and Site Data
Options:
- Standard, Strict, or Custom protection
- Block third-party cookies
To delete: Click "Clear Data" → Choose Cookies and Site Data

Apple Safari

Preferences → Privacy → Cookies and website data
Options:
- Block all cookies
- Allow from websites I visit
- Allow from current website only
To delete: Click "Manage Website Data" → Remove specific sites

Microsoft Edge

Settings → Privacy, search, and services → Cookies
Options:
- Block third-party cookies
- Block all cookies
To delete: Settings → Privacy → Choose what to clear

Mobile Browsers

iOS Safari:

Settings → Safari → Block All Cookies

Android Chrome:

Chrome → Settings → Site settings → Cookies

iOS/Android Firefox:

Firefox → Settings → Privacy → Cookies

7.4 Consequences of Disabling Cookies

If You Disable Strictly Necessary Cookies:

❌ Cannot log in to your account
❌ Cannot save pipeline configurations
❌ Cannot execute pipelines
❌ Real-time features will not work
Bottom line: Platform will not function

If You Disable Functional Cookies:

⚠️ Preferences reset on each visit
⚠️ Must reconfigure UI layout each session
⚠️ Recent pipelines not remembered
Bottom line: Platform works but less convenient

If You Disable Analytics Cookies:

✅ Platform works perfectly
✅ No impact on functionality
ℹ️ We cannot measure feature usage or improve based on data
Bottom line: No effect on your experience

8. DO NOT TRACK (DNT) SIGNALS

8.1 What is DNT?

"Do Not Track" (DNT) is a browser setting that sends a signal to websites requesting not to be tracked.

8.2 Our Response to DNT

Current Status: We do not currently respond to DNT signals due to lack of industry standard for interpretation.

What we do instead:

We don't track you across other websites (no cross-site tracking)
We don't use advertising cookies
We provide opt-out controls for analytics cookies
We minimize data collection regardless of DNT setting

If industry standards emerge: We will update this policy and implement DNT compliance.

8.3 How to Enable DNT

Chrome: Not supported (removed in 2019)
Firefox: Settings → Privacy & Security → Send "Do Not Track" signal
Safari: Preferences → Privacy → Ask websites not to track me
Edge: Settings → Privacy → Send "Do Not Track" requests

9. COOKIE SECURITY AND PRIVACY

9.1 Cookie Security Measures

We implement security measures to protect cookies:

✅ Secure Flag: Cookies transmitted only over HTTPS
✅ HttpOnly Flag: Prevents JavaScript access to sensitive cookies
✅ SameSite Attribute: Prevents cross-site request forgery (CSRF)
✅ Encryption: Sensitive cookie data is encrypted
✅ Expiration: Cookies expire after set duration
✅ Domain Restriction: Cookies scoped to nimbusbci.com only

9.2 What Information Cookies Contain

Strictly Necessary Cookies:

User ID (hashed)
Session ID (random token)
Authentication status (boolean)
CSRF token (random)

Functional Cookies:

UI preferences (theme, language)
Panel positions (pixel values)
Recent pipeline IDs (UUIDs)

Analytics Cookies:

Anonymous user identifier
Page view counts
Timestamp of visits
Anonymized IP address

What cookies DO NOT contain:

Your password (ever)
Credit card information
Social Security Number
EEG or research data
Personal health information

9.3 Cookie Access Control

Who can access cookies:

✅ Your browser (you)
✅ Our Platform servers (for authentication and functionality)
✅ Clerk (authentication cookies only)
✅ Vercel CDN (delivery optimization cookies only)
✅ Analytics provider (analytics cookies only, if you consent)

Who CANNOT access cookies:

❌ Advertisers or ad networks
❌ Social media companies (except OAuth login providers, limited)
❌ Data brokers
❌ Other websites you visit

10. LEGAL COMPLIANCE

10.1 GDPR and ePrivacy Directive (EU/UK)

We comply with:

GDPR (General Data Protection Regulation) - Data protection
ePrivacy Directive - Electronic communications privacy

Requirements: ✅ Obtain consent before non-essential cookies
✅ Provide clear information about cookies
✅ Allow users to withdraw consent easily
✅ Respect user choices
✅ Implement cookie preference management

Legal Bases:

Strictly necessary cookies: No consent required (ePrivacy exemption)
Functional cookies: Legitimate interests (Art. 6(1)(f) GDPR)
Analytics cookies: Consent (Art. 6(1)(a) GDPR)

10.2 CCPA (California)

Under CCPA, cookies may be considered "personal information."

Our Compliance: ✅ Disclosure of cookies in Privacy Policy
✅ No sale of personal information (including cookie data)
✅ Opt-out of analytics cookies available
✅ Right to delete (includes cookie data)

10.3 Other Jurisdictions

We comply with cookie laws in other jurisdictions including:

UK PECR (Privacy and Electronic Communications Regulations)
Canada PIPEDA (Personal Information Protection and Electronic Documents Act)
Australia Privacy Act
Brazil LGPD (Lei Geral de Proteção de Dados)

11. COOKIE LIFESPAN AND RENEWAL

11.1 Cookie Expiration

Cookie Category	Typical Lifespan	Renewal
Session Cookies	Until browser closes	Every session
Authentication	7-30 days	On login
Preferences	1 year	On update
Analytics	1-2 years	On visit
CSRF Tokens	1 hour	Every hour

11.2 Automatic Renewal

Some cookies are automatically renewed:

Session cookies: Renewed on each page load
Authentication cookies: Renewed on login
Analytics cookies: Renewed on each visit (if consented)

You can prevent renewal by:

Clearing cookies manually
Disabling cookies in browser
Withdrawing consent in Cookie Preference Center

11.3 Cookie Deletion

When cookies are deleted:

When you clear your browser data
When you withdraw consent (non-essential cookies)
When you delete your account
When cookies reach expiration date
When you log out (session cookies)

12. CHILDREN'S PRIVACY

The Platform is not intended for users under 18 years of age. We do not knowingly set cookies on devices used by children under 18.

If you are a parent or guardian and believe your child has accessed the Platform:

Clear cookies from the device
Contact us at hello@nimbusbci.com
We will delete any associated data

See our Privacy Policy (Section 10) for more information on children's privacy.

13. UPDATES TO THIS COOKIE POLICY

13.1 Changes and Modifications

We may update this Cookie Policy to reflect:

Changes in cookies we use
Changes in applicable laws
Changes in our practices
New features or services

13.2 Notification of Changes

We will notify you of material changes by:

Updating the "Last Updated" date at the top
Displaying a notice on the Platform
Sending email notification (for significant changes)
Requiring renewed consent (for new non-essential cookies)

13.3 Your Acceptance

Non-Material Changes: Effective immediately upon posting

Material Changes: Effective 30 days after notice, or upon your acceptance

Your continued use after the effective date constitutes acceptance of the updated Cookie Policy.

14. CONTACT US

14.1 Cookie Inquiries

For questions about cookies or this Cookie Policy:

Email: hello@nimbusbci.com
Subject Line: "Cookie Policy Inquiry"

Mail:
Nimbus BCI Inc.
Attention: Privacy Officer
588 El Camino Real, Santa Clara, CA 95050 United States

14.2 Cookie Consent Issues

If you have issues with cookie consent or preferences:

Email: hello@nimbusbci.com
Subject Line: "Cookie Consent Issue"

Include:

Your browser and version
Screenshot of the issue (if applicable)
Steps to reproduce

14.3 Data Protection Authorities

If you believe we are not complying with cookie laws, you may contact:

EU/EEA: Your local supervisory authority

List: https://edpb.europa.eu/about-edpb/board/members_en

UK: Information Commissioner's Office (ICO)

Website: https://ico.org.uk
Phone: 0303 123 1113

15. ADDITIONAL RESOURCES

15.1 Learn More About Cookies

General Information:

All About Cookies: https://www.allaboutcookies.org
AboutCookies.org: https://www.aboutcookies.org
Wikipedia: https://en.wikipedia.org/wiki/HTTP_cookie

Browser-Specific Guides:

Privacy Tools:

Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
Privacy Badger (EFF): https://privacybadger.org
uBlock Origin: https://ublockorigin.com

15.2 Related Policies

Please also review:

SUMMARY

Key Points

✅ We use cookies for authentication, functionality, and analytics

✅ Essential cookies cannot be disabled (platform wouldn't work)

✅ You control non-essential cookies (functional and analytics)

✅ We never use cookies for advertising or cross-site tracking

✅ You can manage cookies via platform settings or browser

✅ We comply with GDPR, ePrivacy, and CCPA cookie requirements

✅ Cookie data is secure (encrypted, HttpOnly, SameSite, Secure flags)

✅ We're transparent about every cookie we use

QUICK COOKIE GUIDE

For EU/UK/EEA Users

When you visit:

See cookie consent banner
Choose: Accept All, Customize, or Reject Non-Essential
Continue using platform

To change preferences:

Account Settings → Privacy → Cookie Preferences

For US/Other Users

When you visit:

Cookies placed based on default settings
Opt-out available for analytics

To change preferences:

Account Settings → Privacy → Cookie Preferences

For All Users

To delete cookies:

Browser Settings → Privacy → Clear Cookies
Or: Account Settings → Privacy → Clear Platform Cookies

To opt out of analytics:

Cookie Preferences → Disable Analytics Cookies
Or: Browser extension (Privacy Badger, uBlock Origin)

Last Updated: December 10, 2025
Version: 1.1
Next Review: June 10, 2026

This Cookie Policy is part of our commitment to transparency and privacy. For complete privacy information, please read our full Privacy Policy.