PRIVACY POLICY

Nimbus BCI Services

Effective Date: December 10, 2025
Last Updated: December 10, 2025

1. INTRODUCTION

1.1 Overview

Nimbus BCI Inc., a Delaware corporation ("Nimbus BCI," "Company," "we," "us," or "our"), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Nimbus BCI services (the "Services").

This Privacy Policy applies to:

Our website: https://nimbusbci.com
The Nimbus Studio web application
The Nimbus SDK (NimbusSDK.jl) Julia package
Related services, APIs, and documentation

1.2 Special Notice About Brain Data

IMPORTANT: The Nimbus BCI Services are designed for processing electroencephalography (EEG) and other neurophysiological signals. Brain data and EEG signals may be considered:

Biometric data under various privacy laws including GDPR and state biometric privacy acts
Sensitive personal information under CCPA and other privacy regulations
Special category data requiring enhanced protection and explicit consent

By using our Services, you acknowledge the sensitive nature of brain data and agree to obtain all necessary consents and authorizations before uploading any EEG or neurophysiological data.

SDK Privacy Note: When using the Nimbus SDK, all EEG and neurophysiological data is processed locally on your machine and never transmitted to Nimbus BCI servers. See Section 2.5 for details on SDK-specific data practices.

1.3 Controller and Processor Relationship

Important Distinction:

For Nimbus Studio:

Account Data: For your account information and platform usage data, Nimbus BCI is the data controller
Research Data: For EEG/BCI data you upload to Nimbus Studio, Nimbus BCI is the data processor, and you (the researcher/user) are the data controller

For Nimbus SDK:

API Key Data: For API key authentication and usage metrics, Nimbus BCI is the data controller
Research Data: For EEG/BCI data you process with the SDK, you are the sole data controller. Nimbus BCI does not receive or process this data as it remains entirely on your local machine.

This means:

You are responsible for the lawfulness of your data collection and processing
You must obtain necessary consents from data subjects
You must comply with applicable data protection laws
For Nimbus Studio, we process your research data only according to your instructions
For Nimbus SDK, we have no access to your research data

1.4 Contact Information

Data Protection Officer / Privacy Contact:

Nimbus BCI Inc.
Attention: Privacy Officer
Email: hello@nimbusbci.com
Website: https://nimbusbci.com

For EU/UK Data Subjects:
We do not currently have an EU representative, but will appoint one if required under GDPR.

For California Residents:
See Section 11 for CCPA-specific rights and contact information.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

A. Account Registration Information

When you create an account through our authentication provider (Clerk), we collect:

Identity Information:
- Name (first and last)
- Email address
- Username (if provided)
- Profile photo (if provided via third-party authentication)
Authentication Data:
- Encrypted password (stored by Clerk, not by us)
- Authentication method (email, Google, GitHub)
- Multi-factor authentication settings
Organization Information (if applicable):
- Organization name
- Role/title
- Institutional affiliation

Legal Basis (GDPR): Contract performance, legitimate interests

B. Research Data (EEG/BCI Data)

You may upload the following types of neurophysiological data:

Raw EEG Signals: Multi-channel brain electrical activity recordings
EOG Data: Eye movement artifact data
Event Markers: Stimulus timing and experimental event information
Trial Labels: Classification labels for machine learning
Metadata: Sampling rates, channel names, electrode positions
Custom Datasets: User-uploaded MAT, CSV, EDF files

⚠️ IMPORTANT: You are the data controller for this research data. You must:

Obtain informed consent from participants before uploading
Ensure data is de-identified or anonymized as required
Comply with IRB/ethics committee requirements
Have legal basis for processing under applicable laws

Legal Basis (GDPR): Your instruction as data controller; our processing is based on contract performance

C. Pipeline Configurations

We store your:

Pipeline designs and node configurations
Processing parameters and settings
Saved pipeline templates
Model training configurations
Execution history and preferences

Legal Basis (GDPR): Contract performance, legitimate interests

D. User Communications

If you contact us, we collect:

Email correspondence
Support ticket content
Feedback and feature requests
Bug reports and error logs

Legal Basis (GDPR): Legitimate interests, contract performance

2.2 Information Collected Automatically

A. Usage and Log Data

We automatically collect:

Access Information:
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
Platform Usage:
- Pages and features accessed
- Actions performed (pipeline execution, model training, etc.)
- Execution times and performance metrics
- Error logs and debugging information
- API calls and WebSocket connections
Session Information:
- Login/logout timestamps
- Session duration
- Concurrent sessions
- Activity timestamps

Legal Basis (GDPR): Legitimate interests (service operation, security, improvement)

B. Cookies and Similar Technologies

We use the following types of cookies:

Cookie Type	Purpose	Duration	Provider
Essential Cookies	Authentication, security, session management	Session / 30 days	Clerk, Nimbus BCI
Analytics Cookies	Usage statistics, performance monitoring	1-2 years	Vercel Analytics, Google Analytics
Preference Cookies	User settings, UI preferences	1 year	Nimbus BCI

Cookie Management:

You can control cookies through your browser settings
Disabling essential cookies may impair platform functionality
See Section 9 for cookie management options

Legal Basis (GDPR): Consent (analytics), legitimate interests (essential)

C. Technical and Diagnostic Data

We collect:

Performance Metrics:
- Pipeline execution times
- Model training duration
- Inference latency
- WebSocket connection quality
- API response times
Error and Crash Data:
- Error messages and stack traces
- Browser console errors
- System state at time of error
- Reproduction steps (if available)

Legal Basis (GDPR): Legitimate interests (service improvement, debugging)

2.3 Information from Third-Party Sources

A. Authentication Provider (Clerk)

We receive from Clerk:

User ID (unique identifier)
Email address (verified status)
Profile information (name, photo if from social login)
Authentication status and timestamps
Security events (login attempts, MFA status)

Clerk's Privacy Policy: https://clerk.com/privacy

B. Third-Party Datasets

If you use public datasets through our platform:

BCI Competition IV: Subject identifiers, anonymized EEG data
PhysioNet EEGMMIDB: Subject codes, de-identified recordings
PhysioNet bigP3BCI: Study identifiers, anonymized P300 data

These datasets are governed by their original licenses and privacy notices.

2.4 Information We Do NOT Collect

We do NOT intentionally collect:

❌ Social Security Numbers or government-issued IDs
❌ Financial information (credit cards - handled by payment processor)
❌ Precise geolocation (GPS coordinates)
❌ Children's personal information (under 18 years old)
❌ Genetic or health information (unless you upload as research data)
❌ Racial or ethnic origin, political opinions, religious beliefs (unless in research data)

2.5 SDK-Specific Data Collection

When you use the Nimbus SDK (NimbusSDK.jl), our data collection is fundamentally different from Nimbus Studio due to the SDK's local-first architecture.

A. Data We Collect from SDK Users

API Key Authentication:
- API key identifier
- Authentication timestamps
- License tier and validity
Usage Metrics (Aggregated):
- Inference counts (for licensing compliance)
- Model usage statistics (which models are used)
- SDK version information
- Error reports (optional, anonymized)
Model Registry Access:
- Model download requests
- Model version information

Legal Basis (GDPR): Contract performance, legitimate interests

B. Data We Do NOT Collect from SDK Users

The following data is processed locally on your machine and never transmitted to Nimbus BCI servers:

❌ EEG or neurophysiological signal data
❌ Research participant data
❌ Inference inputs or outputs
❌ Trained model parameters (unless you choose to upload)
❌ Pipeline configurations
❌ Any biometric or sensitive personal data

Your research data never leaves your computer when using the Nimbus SDK.

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

We use your information to:

A. Provide the Service

Create and manage your account
Authenticate your access
Execute BCI processing pipelines
Store pipeline configurations and results
Provide real-time streaming capabilities
Process EEG/BCI data according to your instructions
Generate visualizations and results
Facilitate data uploads and downloads

Legal Basis (GDPR): Contract performance

B. Improve and Develop the Service

Analyze usage patterns and feature adoption
Identify and fix bugs and errors
Optimize performance and speed
Develop new features and capabilities
Conduct A/B testing and experiments
Generate aggregated, anonymized statistics

Legal Basis (GDPR): Legitimate interests

C. Ensure Security and Integrity

Detect and prevent fraud, abuse, and security threats
Investigate suspicious activity
Enforce Terms of Service
Respond to legal requests and obligations
Protect our rights and property
Maintain platform stability and availability

Legal Basis (GDPR): Legitimate interests, legal obligation

D. Communicate with You

Send service announcements and updates
Respond to support requests
Provide technical assistance
Notify of Terms or Privacy Policy changes
Send security alerts and important notices

Legal Basis (GDPR): Contract performance, legal obligation

E. Conduct Research and Analytics (Aggregated Data Only)

We may use aggregated, de-identified, anonymized data to:

Study BCI algorithm effectiveness
Publish research papers or white papers
Benchmark platform performance
Generate industry insights and trends
Improve NimbusSDK algorithms

Important: We never use your identifiable research data for our own research without explicit consent.

Legal Basis (GDPR): Legitimate interests (anonymized data is not personal data)

3.2 Marketing Communications (Opt-In Only)

We will NOT send marketing emails unless you explicitly opt in. If you opt in, we may send:

Product updates and new features
Educational content and tutorials
Webinar and event invitations
Research opportunities and collaborations

You can opt out at any time via the unsubscribe link in emails.

Legal Basis (GDPR): Consent

3.3 Purposes We Do NOT Use Your Data For

We do NOT:

❌ Sell or rent your personal information to third parties
❌ Use your research data for our own commercial research without consent
❌ Share identifiable EEG/BCI data with third parties (except as disclosed in Section 4)
❌ Use data for discriminatory purposes (employment, insurance, credit decisions)
❌ Train AI models on your data without permission
❌ Conduct medical diagnosis or clinical decision-making

4. HOW WE SHARE YOUR INFORMATION

4.1 We Do NOT Sell Your Personal Information

Nimbus BCI does NOT sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

4.2 Service Providers and Subprocessors

We share data with trusted third-party service providers who process data on our behalf:

Service Provider	Purpose	Data Shared	Location
Clerk	Authentication and user management	Email, name, user ID	United States
Railway	Backend hosting and data storage	All data stored on platform	United States
Vercel	Frontend hosting and CDN	IP address, usage logs	United States (global CDN)
PostgreSQL (Railway)	Database storage	Account data, pipeline configs, metadata	United States
Vercel Analytics	Usage analytics	Anonymized usage data, page views	United States
Google Analytics	Usage analytics	Page views, session data, anonymized IP	United States

Data Processing Agreements: We have contracts with all service providers requiring them to:

Process data only according to our instructions
Implement appropriate security measures
Comply with data protection laws (GDPR, CCPA, etc.)
Not use data for their own purposes
Return or delete data upon termination

EU Users: We implement appropriate safeguards for international data transfers (Standard Contractual Clauses, adequacy decisions, etc.)

4.3 Legal and Regulatory Disclosures

We may disclose your information if required to:

Legal Process: Comply with court orders, subpoenas, or legal requests
Law Enforcement: Cooperate with government or law enforcement agencies
Legal Rights: Protect our rights, property, or safety, or that of others
Legal Compliance: Comply with applicable laws and regulations
Fraud Prevention: Investigate and prevent fraud or security threats

We will notify you of legal requests unless prohibited by law.

Legal Basis (GDPR): Legal obligation, legitimate interests

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets:

Your information may be transferred to the successor entity
We will notify you before your information is transferred
The successor will be bound by this Privacy Policy (or you will be notified of changes)
You will have the option to delete your account before the transfer

Legal Basis (GDPR): Legitimate interests

4.5 Aggregated and De-Identified Data

We may share aggregated, de-identified, anonymized data that cannot reasonably identify you:

Industry reports and benchmarks
Research publications
Marketing materials
Public presentations

This data is not considered personal information under GDPR or CCPA.

4.6 With Your Consent

We may share your information with third parties if you provide explicit consent, such as:

Collaborators on shared research projects
Institutional administrators (if using enterprise features)
Third-party integrations you authorize

You can revoke consent at any time.

Legal Basis (GDPR): Consent

4.7 Public Information

If you choose to share pipelines publicly (future feature), the following may be visible:

Pipeline configurations (nodes, connections, parameters)
Aggregated performance metrics
Your username or display name

You control what information is shared publicly.

5. DATA RETENTION

5.1 Account Data Retention

We retain your account data:

Active Accounts: As long as your account is active
Inactive Accounts: Up to 2 years after last login (may be deleted sooner)
Deleted Accounts: 30-day grace period for recovery, then permanent deletion

5.2 Research Data Retention

We retain your uploaded EEG/BCI data:

Active Use: As long as you store it on the platform
After Deletion Request: 30 days for backup purposes, then permanent deletion
Legal Hold: Longer if required for legal, regulatory, or safety reasons

You control your research data: You can download and delete it at any time.

5.3 Pipeline Configurations and Results

Pipeline Configs: Retained as long as your account is active
Execution History: Retained for up to 2 years or until you delete
Trained Models: Retained until you delete or account closure
Logs and Metrics: Retained for up to 1 year for debugging and improvement

5.4 Usage Logs and Analytics

Detailed Logs: Retained for 90 days
Aggregated Statistics: Retained indefinitely (anonymized)
Security Logs: Retained for 1 year for security and compliance

5.5 Legal and Compliance Retention

We may retain certain data longer if required for:

Legal Obligations: Tax, accounting, regulatory compliance (typically 7 years)
Dispute Resolution: Pending litigation or claims
Regulatory Investigations: Government or regulatory inquiries
Safety and Security: Fraud prevention, ban evasion

5.6 Backup Data

Backups may contain deleted data for up to 90 days
Backup data is not accessible for normal operations
Backups are securely stored and encrypted

6. DATA SECURITY

6.1 Security Measures

We implement industry-standard security measures including:

A. Technical Safeguards

Encryption in Transit: TLS 1.2+ encryption for all data transmission
Encryption at Rest: Database encryption for stored data
Authentication: Secure authentication via Clerk (JWT tokens)
Access Controls: Role-based access control (RBAC)
API Security: API key authentication, rate limiting
Network Security: Firewalls, intrusion detection systems
Secure Coding: Regular security audits and penetration testing

B. Organizational Safeguards

Access Limitation: Data access limited to authorized personnel only
Employee Training: Regular security awareness training
Confidentiality Agreements: All employees sign confidentiality agreements
Incident Response: Documented incident response and breach notification procedures
Vendor Management: Security assessments of third-party providers

C. Data Isolation

User Data Segregation: Each user's data is isolated in the database
Multi-Tenancy Security: Strict access controls prevent cross-user data access
Account-Level Isolation: Pipeline configs and results are user-scoped

6.2 Limitations of Security

Important Notice:

No system is 100% secure
We cannot guarantee absolute security
Unauthorized access, hardware failures, and other factors beyond our control may compromise data
You are responsible for maintaining the security of your login credentials

6.3 Your Security Responsibilities

You must:

Use a strong, unique password
Enable two-factor authentication (if available)
Keep your credentials confidential
Notify us immediately of any unauthorized access
Use secure networks (avoid public WiFi for sensitive data)
Keep your devices secure (antivirus, OS updates)

6.4 Data Breach Notification

In the event of a data breach affecting your personal information:

GDPR (EU): We will notify you within 72 hours if required
CCPA (California): We will notify you without unreasonable delay
Other Laws: We will comply with applicable notification requirements

Notification will include:

Nature of the breach
Data affected
Likely consequences
Measures taken to address the breach
Recommendations for mitigation

7. YOUR PRIVACY RIGHTS

7.1 Rights for All Users

Regardless of location, you have the following rights:

A. Access

Request a copy of the personal data we hold about you
Receive the data in a structured, commonly used format

How to Exercise: Email hello@nimbusbci.com with subject "Data Access Request"

B. Correction

Request correction of inaccurate or incomplete data
Update your account information directly in the platform

How to Exercise: Update via account settings or email hello@nimbusbci.com

C. Deletion

Request deletion of your personal data (subject to legal retention requirements)
Delete your account and all associated data

How to Exercise: Account settings → Delete Account, or email hello@nimbusbci.com

Important: Deleted data cannot be recovered. Download your data before deletion.

D. Data Portability

Receive your data in a machine-readable format (JSON, CSV)
Transfer your data to another service

How to Exercise: Account settings → Export Data, or email hello@nimbusbci.com

E. Object to Processing

Object to processing based on legitimate interests
Opt out of marketing communications

How to Exercise: Email hello@nimbusbci.com or use unsubscribe links

7.2 Additional Rights for EU/EEA/UK Users (GDPR)

Under the General Data Protection Regulation, you additionally have:

F. Restriction of Processing

Request temporary restriction of processing in certain circumstances
We will store the data but not process it (except with your consent)

How to Exercise: Email hello@nimbusbci.com

G. Right to Lodge a Complaint

File a complaint with your local data protection authority (DPA)
Contact us first so we can attempt to resolve the issue

EU DPAs: https://edpb.europa.eu/about-edpb/board/members_en
UK ICO: https://ico.org.uk

H. Withdrawal of Consent

Withdraw consent at any time (where processing is based on consent)
Withdrawal does not affect lawfulness of past processing

How to Exercise: Email hello@nimbusbci.com or adjust settings

7.3 Additional Rights for California Users (CCPA/CPRA)

See Section 11 for detailed California-specific rights.

7.4 Response Timeframe

We will respond to your requests:

GDPR: Within 1 month (extendable to 3 months for complex requests)
CCPA: Within 45 days (extendable to 90 days)
Other: Within 30 days typically

7.5 Verification

To protect your privacy, we may require verification of your identity before fulfilling requests. We may ask for:

Email address associated with your account
Account verification through Clerk authentication
Additional information to match our records

We will not use information provided for verification for any other purpose.

7.6 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. The agent must provide:

Written authorization from you
Proof of their identity
Your identity verification

8. INTERNATIONAL DATA TRANSFERS

8.1 Data Location

Your data may be transferred to, stored, and processed in:

United States (primary data centers via Railway, Vercel)
Other countries where our service providers operate

The United States may not provide the same level of data protection as your home country.

8.2 Legal Basis for Transfers (GDPR)

For transfers from the EU/EEA/UK to the United States, we rely on:

Standard Contractual Clauses (SCCs): EU-approved model contracts with service providers
Adequacy Decisions: Where applicable (e.g., EU-U.S. Data Privacy Framework, if certified)
Necessary for Contract Performance: Essential for providing the service you requested
Your Explicit Consent: Where we obtain consent for specific transfers

8.3 Safeguards

We implement appropriate safeguards including:

Contractual obligations on service providers (Data Processing Agreements)
Technical security measures (encryption, access controls)
Organizational measures (training, audits)
Transfer impact assessments for high-risk transfers

8.4 UK Users (Post-Brexit)

For UK users, we comply with UK GDPR and use UK-approved transfer mechanisms.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser. They allow us to recognize your device and remember information about your visit.

9.2 Types of Cookies We Use

A. Strictly Necessary Cookies (Cannot Opt Out)

These cookies are essential for the platform to function:

Authentication cookies: Keep you logged in
Security cookies: Prevent CSRF attacks, detect suspicious activity
Session cookies: Maintain your session state
Load balancing cookies: Distribute requests efficiently

B. Functional Cookies (Optional)

These cookies enhance functionality:

Preference cookies: Remember your settings (theme, language)
UI state cookies: Remember panel layouts, collapsed sections
Recent items cookies: Store recently accessed pipelines

C. Analytics Cookies (Optional - If Implemented)

These cookies help us understand how you use the platform:

Usage analytics: Track page views, feature usage, clicks
Performance monitoring: Measure load times, errors
A/B testing: Test different features and designs

We do NOT use:

❌ Advertising or marketing cookies
❌ Social media tracking cookies
❌ Third-party advertising networks

9.3 Cookie Consent

EU/UK Users:

We obtain consent before placing non-essential cookies
You can manage cookie preferences in our cookie banner

Other Users:

You can manage cookies through browser settings

9.4 Cookie Management

Browser Settings

You can control cookies through your browser:

Chrome: Settings → Privacy and Security → Cookies
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Cookies and website data
Edge: Settings → Privacy, search, and services → Cookies

Platform Settings

You can manage non-essential cookies:

Account Settings → Privacy → Cookie Preferences

Consequences of Disabling Cookies

Essential cookies: Platform may not function properly
Functional cookies: You may need to reset preferences each visit
Analytics cookies: We cannot measure platform usage (but platform still works)

9.5 Do Not Track (DNT)

Some browsers send "Do Not Track" signals. We currently do not respond to DNT signals as there is no industry standard for interpretation. We will update this policy if standards emerge.

9.6 Third-Party Analytics

We use the following analytics services to understand platform usage:

A. Vercel Analytics

Service: Vercel Analytics (privacy-friendly)
Data Collected: Page views, session duration, visitor counts, geographic region (country-level)
Purpose: Improve user experience, measure feature adoption
Privacy Policy: https://vercel.com/legal/privacy-policy

Privacy Features:

No cookies required for basic analytics
No cross-site or cross-device tracking
Data is aggregated and anonymized
GDPR and CCPA compliant

B. Google Analytics

Service: Google Analytics 4
Data Collected: Page views, session duration, user interactions, anonymized IP addresses
Purpose: Detailed usage analytics, conversion tracking, user behavior analysis
Privacy Policy: https://policies.google.com/privacy
Opt-Out: https://tools.google.com/dlpage/gaoptout

Configuration:

IP anonymization enabled
Data sharing with Google disabled
Advertising features disabled
User-ID tracking disabled

We do NOT use analytics for:

❌ Cross-site tracking
❌ Advertising or remarketing
❌ Selling data to third parties

10. CHILDREN'S PRIVACY

10.1 Age Restriction

The Platform is NOT intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

Age Verification:

You must be at least 18 years old to create an account
By using the Platform, you represent that you are 18 or older

10.2 Parental Consent for Research Data

Important for Researchers:

If your research involves participants under 18:

You are the data controller for that data
You must obtain parental/guardian consent before collecting data
You must comply with applicable laws regarding children's data (e.g., COPPA in the U.S.)
You must de-identify or anonymize data appropriately
You are responsible for all legal requirements regarding minors' data

10.3 If We Learn of Children's Data

If we learn that we have inadvertently collected personal information from a child under 18:

We will delete the information as quickly as possible
We will terminate the associated account
We will notify the account holder

To report: Email hello@nimbusbci.com with subject "Child Privacy Concern"

11. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

11.1 Applicability

This section applies to California residents as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

11.2 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

Category	Examples	Collected?	Sold?	Shared?
Identifiers	Name, email, user ID, IP address	✅ Yes	❌ No	❌ No
Customer Records	Account information, payment records	✅ Yes	❌ No	❌ No
Protected Classifications	Age (18+), institutional affiliation	✅ Limited	❌ No	❌ No
Commercial Information	Subscription tier, purchase history	✅ Yes	❌ No	❌ No
Biometric Information	EEG/brain data (if you upload)	✅ Yes*	❌ No	❌ No
Internet Activity	Usage logs, browsing history, clicks	✅ Yes	❌ No	❌ No
Geolocation	Approximate location (from IP)	✅ Yes	❌ No	❌ No
Sensory Data	Audio/video (not collected)	❌ No	❌ No	❌ No
Professional Information	Institutional role, research focus	✅ Limited	❌ No	❌ No
Education Information	Institutional affiliation	✅ Limited	❌ No	❌ No
Inferences	Usage patterns, preferences	✅ Yes	❌ No	❌ No

*Biometric/brain data: You are the controller; we are the processor.

11.3 Sources of Personal Information

We collect personal information from:

Directly from you (account creation, uploads)
Automatically (cookies, logs, usage data)
Third parties (Clerk authentication, public datasets)

11.4 Business and Commercial Purposes

We use personal information for:

Providing and maintaining the Service
Processing transactions
Security and fraud prevention
Debugging and error correction
Customer service and support
Internal research for improvement
Legal compliance

See Section 3 for detailed purposes.

11.5 Third Parties We Share With

We share personal information with:

Service providers (Clerk, Railway, Vercel)
Professional advisors (lawyers, accountants)
Government authorities (when legally required)

See Section 4 for detailed disclosures.

11.6 Sale and Sharing of Personal Information

WE DO NOT SELL YOUR PERSONAL INFORMATION.

In the past 12 months:

We have NOT sold personal information
We have NOT shared personal information for cross-context behavioral advertising

11.7 Sensitive Personal Information

We may collect the following sensitive personal information:

Account credentials (password - stored by Clerk)
Precise geolocation (not collected)
EEG/brain data (biometric information)
Health data (only if you upload as research data)

We do NOT use sensitive personal information for purposes other than providing the Service or as permitted by CCPA.

11.8 California Consumer Rights

California residents have the right to:

A. Right to Know

Request disclosure of:

Categories of personal information collected
Sources of personal information
Business purposes for collecting personal information
Categories of third parties with whom we share personal information
Specific pieces of personal information we hold about you

Limit: 2 requests per 12-month period

B. Right to Delete

Request deletion of your personal information (subject to exceptions for legal compliance, fraud prevention, etc.)

C. Right to Correct

Request correction of inaccurate personal information

D. Right to Opt-Out of Sale/Sharing

Opt-out of the sale or sharing of personal information (Not applicable - we don't sell or share)

E. Right to Limit Use of Sensitive Personal Information

Limit our use of sensitive personal information (We only use for providing the Service)

F. Right to Non-Discrimination

You have the right to not receive discriminatory treatment for exercising your CCPA rights. We will not:

Deny goods or services
Charge different prices or rates
Provide different quality of service
Suggest you will receive different quality of service

11.9 How to Exercise Your Rights

Online: Account Settings → Privacy → California Privacy Rights

Email: hello@nimbusbci.com with subject "California Privacy Request"

Verification: We will verify your identity before fulfilling requests. We may ask for:

Email address associated with your account
Account authentication
Additional information to match our records

Authorized Agent: You may use an authorized agent. The agent must provide:

Written authorization
Proof of identity (yours and theirs)

Response Time: 45 days (extendable to 90 days for complex requests)

11.10 Shine the Light Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information for direct marketing purposes.

12. OTHER STATE PRIVACY RIGHTS

12.1 Nevada Residents

Nevada residents have the right to opt-out of the sale of personal information. We do not sell personal information.

12.2 Colorado, Connecticut, Utah, Virginia Residents

Residents of these states have rights similar to GDPR and CCPA, including:

Right to access personal information
Right to correct inaccuracies
Right to delete personal information
Right to data portability
Right to opt-out of targeted advertising (not applicable)
Right to opt-out of sale (not applicable)

How to Exercise: Email hello@nimbusbci.com with your state and request type.

12.3 Biometric Privacy Laws

Illinois Biometric Information Privacy Act (BIPA)

If you are an Illinois resident uploading biometric data (EEG/brain data):

You (as data controller) must provide written notice to participants
You must obtain written consent before collecting biometric data
You must publish a retention and destruction schedule
You must protect biometric data with reasonable security

Nimbus BCI's Role: We are a data processor. We process biometric data only according to your instructions and implement security measures. You are responsible for BIPA compliance for your research.

Other State Biometric Laws

Texas, Washington, and other states have biometric privacy laws. Similar responsibilities apply:

You are the data controller
You must obtain consent
You must comply with state-specific requirements
We are the processor and follow your instructions

13. CHANGES TO THIS PRIVACY POLICY

13.1 Updates and Modifications

We may update this Privacy Policy from time to time to reflect:

Changes in our practices
Changes in applicable laws
New features or services
Feedback from users

13.2 Notice of Changes

We will notify you of material changes by:

Posting the updated Privacy Policy on our website with a new "Effective Date"
Sending email notification to your registered email address
Displaying a prominent notice on the Platform
Requiring re-acceptance for material changes

13.3 Your Acceptance

Non-Material Changes: Effective immediately upon posting
Material Changes: Effective 30 days after notice

Your continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.

13.4 Objection to Changes

If you do not agree to changes:

You may stop using the Platform
You may close your account
You may request deletion of your data

14. THIRD-PARTY LINKS AND SERVICES

14.1 External Links

The Platform may contain links to third-party websites or services, including:

Public dataset sources (PhysioNet, BCI Competition)
Documentation and research papers
Third-party tools or integrations

We are not responsible for:

Privacy practices of third-party sites
Content or accuracy of external sites
Your interactions with third parties

Recommendation: Review the privacy policies of any third-party sites you visit.

14.2 Third-Party Authentication

We use Clerk for authentication. Clerk's collection and use of your information is governed by Clerk's Privacy Policy: https://clerk.com/privacy

14.3 Third-Party Datasets

Public datasets (BCI Competition, PhysioNet, etc.) are governed by their original terms and privacy notices. We are not responsible for the privacy practices of dataset providers.

15. ACCESSIBILITY

We are committed to making our Privacy Policy accessible to all users. If you have difficulty accessing this Privacy Policy due to a disability, please contact us at hello@nimbusbci.com, and we will provide the information in an alternative format.

16. CONTACT US

16.1 Privacy Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Email: hello@nimbusbci.com
Subject Line: "Privacy Inquiry"

Mail:
Nimbus BCI Inc.
Attention: Privacy Officer
588 El Camino Real, Santa Clara, CA 95050 United States

16.2 Data Subject Rights Requests

To exercise your privacy rights (access, deletion, correction, etc.):

Email: hello@nimbusbci.com
Subject Line: "Data Rights Request - [Your State/Country]"

Include:

Your name and email address associated with your account
The right you wish to exercise
Any relevant details or documentation

Response Time:

GDPR: Within 1 month
CCPA: Within 45 days
Other: Within 30 days typically

16.3 Data Protection Authorities

EU/EEA Residents: You have the right to lodge a complaint with your local supervisory authority:

List of EU DPAs: https://edpb.europa.eu/about-edpb/board/members_en

UK Residents: Information Commissioner's Office (ICO)

Website: https://ico.org.uk
Phone: 0303 123 1113

California Residents: California Attorney General

Website: https://oag.ca.gov/privacy
Phone: (916) 210-6276

17. LEGAL BASIS FOR PROCESSING (GDPR)

For EU/EEA/UK users, we process your personal data based on the following legal bases:

Processing Activity	Legal Basis
Account creation and management	Contract performance (Art. 6(1)(b) GDPR)
Processing your research data	Contract performance; your instructions as controller
Service improvement and analytics	Legitimate interests (Art. 6(1)(f) GDPR)
Security and fraud prevention	Legitimate interests (Art. 6(1)(f) GDPR)
Legal compliance	Legal obligation (Art. 6(1)(c) GDPR)
Marketing communications	Consent (Art. 6(1)(a) GDPR) - opt-in only
Processing special category data (brain data)	Explicit consent (Art. 9(2)(a) GDPR) or scientific research exemption (Art. 9(2)(j) GDPR)

18. DATA PROTECTION IMPACT ASSESSMENTS

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

Processing of biometric data (EEG/brain signals)
Automated decision-making (if implemented)
Large-scale processing of special category data

DPIAs help us identify and mitigate privacy risks.

19. AUTOMATED DECISION-MAKING

We do NOT currently engage in automated decision-making or profiling that produces legal or similarly significant effects.

If we implement such features in the future:

We will obtain explicit consent where required
We will provide meaningful information about the logic involved
You will have the right to human intervention and to contest decisions

ACKNOWLEDGMENT

By using the Nimbus BCI Platform, you acknowledge that:

You have read and understood this Privacy Policy
You consent to the collection, use, and disclosure of your information as described
You understand the sensitive nature of brain data and will obtain necessary consents
You are responsible for compliance with applicable data protection laws for your research data
You agree to the international transfer of your data as described

Last Updated: December 10, 2025
Version: 1.1

APPENDIX: KEY DEFINITIONS

"API Key" means a unique authentication credential issued by Nimbus BCI for accessing the Nimbus SDK and related API services.

"Biometric Data" means EEG signals, brain activity recordings, and other neurophysiological data that may uniquely identify an individual or be used to infer cognitive or emotional states.

"Data Controller" means the entity that determines the purposes and means of processing personal data.

"Data Processor" means the entity that processes personal data on behalf of the data controller.

"De-Identification" means the process of removing or encrypting personal identifiers to prevent identification of individuals.

"Nimbus SDK" means the Nimbus BCI Julia-based software development kit (NimbusSDK.jl) for local Bayesian BCI inference.

"Nimbus Studio" means the Nimbus BCI web-based platform for visual BCI pipeline design and execution.

"Personal Information" / "Personal Data" means information that identifies, relates to, describes, or could reasonably be linked to you.

"Sensitive Personal Information" means personal information that reveals race, ethnicity, religion, health data, biometric data, precise geolocation, or other categories requiring enhanced protection.

"Services" means all Nimbus BCI products and services, including Nimbus Studio, Nimbus SDK, and associated APIs.

"Third Party" means any individual or entity other than you or Nimbus BCI.

This Privacy Policy complements our Terms and Conditions. For information about your obligations and our limitations of liability, please review our Terms and Conditions.