We collect the smallest amount of data that lets us deliver a paid product, enforce a license, and answer a support ticket. We don't sell data, we don't run ad networks, and we don't watch you play.
What we collect
| Data | Why | Source |
|---|---|---|
| License key, derived as a HWID-bound hash | Enforce the single-user license and HWID lock | Your machine, hashed locally |
| Discord username (optional) | Route support tickets to you | You give it to us voluntarily |
| Email address | Send your receipt and license delivery | Forwarded by our payment processor |
| IP address at purchase and at activation | Detect chargeback fraud and stolen-card resellers | Captured server-side at the moment of the request |
| Crash dumps | Debug a crash you reported | Only if you submit one through the dashboard or a ticket |
| Anonymous loader telemetry (default ON, toggle in Settings) | Spot crashes and broken installs in the wild | Loader sends lifecycle events and a per-machine hash that is not reversible to your account, key, HWID, or IP |
That's the full list. If something is not on the list above, we do not collect it.
Anonymous loader telemetry
When the loader runs, it sends a small stream of lifecycle events back to us — things like "loader started", "cleaner finished in 6.2 seconds", "inject completed", "loader crashed during step 7". This lets us see, in aggregate, where customers are getting stuck so we can fix the top problems in under 24 hours.
We do not send your username, email, license key, HWID, IP, or precise Windows build number. The only stable identifier is a hash that lets us count one machine as one machine, never as a person.
It is on by default. You can turn it off in Settings → Privacy → Send anonymous telemetry inside the loader, or set the environment variable NIMBUS_DEV_NO_TELEMETRY=1. The change takes effect at the next launch.
The full event-by-event list lives in the loader source tree at docs/PRIVACY_TELEMETRY.md.
What we do NOT collect
- In-game actions. We do not record your matches, your inputs, your positioning, your aim history, or anything you do during gameplay.
- Game telemetry. We do not read your K/D, your rank, your match IDs, your loadouts, or any state from the Marvel Rivals client outside what the overlay needs to render in real time on your own machine.
- Replays or screenshots. We never capture or upload video, audio, or screen contents.
- Other-app data. We do not enumerate your installed programs, browse your files, or read processes other than the game.
- Demographics. No age, no gender, no location beyond IP for fraud checks, no advertising profile.
Third parties we use
These are the only third parties that touch your data, and only to the extent listed:
- SellAuth — processes your payment, handles refunds and chargebacks, delivers your license key. They see your purchase amount, billing details required by the card network, and email.
- KeyAuth — license activation backend. Sees your license key, HWID-derived hash, and activation timestamps. Does not see your email or Discord.
- Discord — community and support. Whatever you post in our server is governed by Discord's terms; we only see what every server admin sees.
- Cloudflare — DNS, CDN, and bot protection in front of our site and API. Sees the IP and request metadata of any visitor.
- Vercel — hosts this website. Sees standard web-server access logs for getnimbus.net.
We do not share data with marketing partners, ad networks, data brokers, or analytics resellers. We have never sold data and we will not.
Cookies
See our Cookie Policy. The TL;DR: a small number of strictly-necessary cookies and a privacy-respecting analytics ping. No tracking, no ads, no Pixel.
Data retention
| Data | Retained for |
|---|---|
| License key + HWID hash | 12 months after your last activation, then deleted |
| Email + Discord | While your subscription is active, plus 12 months for support history |
| Purchase records (held by SellAuth) | As long as their tax / chargeback obligations require |
| IP at purchase / activation | 90 days, then truncated for fraud aggregates only |
| Crash dumps | 90 days after the issue is closed |
We keep nothing on customers who have been inactive for over 12 months beyond what tax law requires us to hand to the payment processor.
Your rights
You can:
- Access. Request a JSON export of everything we have associated with your license key.
- Delete. Request deletion of everything except what we are legally required to retain (payment records).
- Correct. Ask us to fix wrong information.
- Opt out of fraud-detection IP retention if you have a credible reason (most won't).
The way you do any of this is the same way you do everything else with Nimbus — open a ticket in our Discord. We respond within 24 hours during peak and complete the request inside 30 days.
Children
Nimbus is 18+. We do not knowingly sell to minors. If you are under 18 and your parent figures out you have a paid subscription, they may request a full refund and we will give it to them.
Updates to this policy
If we change the list of what we collect or who we share it with, we will post the new policy here and bump the effective date. If the change is material, we will pin a notice in our Discord for at least 14 days.
Contact
Open a ticket in our Discord. Privacy requests are handled by the same team that handles support; we don't make you bounce around.
Effective: 2026-05-30. Last updated: 2026-05-30.