Skip to main content

Privacy Policy

Last updated: 2026-01-14

1. Who We Are

Nimbus is a desktop software product developed and sold by FoogleGiber LLC, a United States limited liability company. We operate the website getnimbus.net and the Nimbus desktop application (collectively, the “Service”).

FoogleGiber LLC is the data controller for personal data processed through the Service. If you have questions about this policy, contact us at privacy@getnimbus.net.

2. What Data We Collect

2.1 Information You Provide

  • Account registration: email address, username, and a hashed password. We never store plaintext passwords.
  • Purchase information: billing name, billing address, and payment method details. Payment card numbers are tokenized by our payment processors and never reach our servers.
  • Support communications: any information you voluntarily submit through our Discord community, email support, or contact forms.

2.2 Information Collected Automatically

  • License validation data: hardware fingerprint components used to bind your license to your machine. This includes a one-way hash derived from machine identifiers (machine SID, BIOS UUID, disk serial, and primary MAC address). The raw identifiers never leave your device — only the irreversible hash is transmitted.
  • Application telemetry: application version, operating system version, and anonymized feature-usage counters. We do not log keystrokes, window titles, process lists, or filesystem contents.
  • Website analytics: page views, referrer headers, browser user-agent string, and coarse geolocation derived from IP address (city-level only). We self-host analytics and do not use Google Analytics or similar third-party trackers.
  • Server logs: IP address, timestamp, HTTP method, URL, status code, and response size. Logs are retained for 30 days for abuse prevention and then purged.

2.3 Data We Do NOT Collect

  • We do not collect or process special-category data (race, religion, health, biometrics, political opinions).
  • We do not knowingly collect data from anyone under 16. If we learn we have, we delete it within 72 hours.
  • We do not sell, rent, or trade personal data to third parties.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following lawful bases:

  • Contractual necessity (Art. 6(1)(b)): processing required to deliver the Nimbus software license you purchased, validate your license, and provide customer support.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, abuse detection, service improvement analytics, and direct marketing about product updates to existing customers. You may object to direct marketing at any time.
  • Consent (Art. 6(1)(a)): where we rely on consent (e.g., optional newsletter sign-up), you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): tax records, accounting, and responding to valid law-enforcement requests.

4. Cookies and Similar Technologies

4.1 Essential Cookies

We use a single first-party session cookie to maintain your authenticated dashboard session. This cookie is strictly necessary for the Service to function and is not used for tracking. It expires when you close your browser.

4.2 Analytics Cookies

We do not use advertising cookies, retargeting pixels, or third-party tracking cookies. Our self-hosted analytics use a first-party persistent cookie with a 12-month expiry to measure unique visitors. No personal data is stored in the cookie — it contains only a random identifier.

4.3 Managing Cookies

You can block all cookies via your browser settings. Blocking essential cookies will prevent you from logging into the Nimbus dashboard. Most browsers also support “Do Not Track” signals; we honor DNT:1 by disabling analytics collection entirely for that session.

5. Third-Party Services

5.1 Payment Processing — Stripe

Payments are processed by Stripe, Inc. When you purchase a Nimbus license, Stripe collects your payment card details, billing address, and transaction metadata. Stripe acts as an independent data controller for payment processing. We receive a tokenized payment method ID and the last four digits of your card number. Stripe’s privacy policy is available at stripe.com/privacy.

5.2 Licensing Infrastructure — SellAuth / KeyAuth

License key generation, validation, and hardware-lock management are handled by SellAuth (merchant-of-record overlay) and KeyAuth (license backend). These services receive your email address, username, license key, and the one-way hardware hash described in Section 2.2. They do not receive raw hardware identifiers, payment details, or support messages. Both services are bound by data processing agreements that restrict use to license-management purposes only.

5.3 Infrastructure Providers

  • Vercel Inc. — hosts the Nimbus marketing site and customer dashboard. Vercel processes IP addresses and request-level metadata as part of edge-function execution. Data is processed in Vercel’s US and EU regions.
  • Upstash Inc. — provides the serverless KV store used for rate limiting and session state. Upstash processes ephemeral request metadata; no personal data is persisted in KV beyond session TTLs.
  • BunnyCDN (BunnyWay d.o.o.) — delivers Nimbus application binaries and update manifests. CDN edge nodes process IP addresses and user-agent strings for cache optimization and DDoS mitigation. Logs are retained for 72 hours.

5.4 Discord

Our community support server is hosted on Discord. Messages you send in public channels or support tickets are visible to Discord, Inc. and are subject to Discord’s privacy policy. We do not export or mine Discord message history for purposes unrelated to support.

6. Data Retention

Data CategoryRetention PeriodDeletion Trigger
Account data (email, username, hashed password)Duration of account + 30 daysAccount deletion request or 30 days post-closure
License records (key, hardware hash, expiry)Duration of license + 2 yearsLicense expiry + 2 years (fraud/chargeback defense)
Payment records (Stripe token, last-4, amount)7 yearsTax/accounting obligation expiry
Support tickets and Discord messages2 years from last activityRolling purge; earlier on request where feasible
Server access logs30 daysRolling daily purge
Website analytics events14 monthsRolling monthly purge
Application telemetry26 monthsRolling monthly purge; earlier on request

Retention periods may be extended to comply with legal obligations, resolve disputes, or enforce our Terms of Service. When the retention period expires, data is irreversibly deleted or anonymized within 30 days.

7. Data Subject Rights (GDPR / UK GDPR / CCPA)

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request deletion of your data, subject to legal retention obligations.
  • Restriction — limit how we process your data while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including direct marketing.
  • Automated decision-making — we do not subject you to decisions based solely on automated processing that produce legal effects.

To exercise any of these rights, email privacy@getnimbus.net. We will respond within 30 calendar days. We may require proof of identity before fulfilling certain requests. There is no fee unless the request is manifestly unfounded or excessive.

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority. For EEA residents, a list of authorities is maintained at edpb.europa.eu.

8. International Data Transfers

FoogleGiber LLC is based in the United States. Personal data is processed and stored in the US and, where infrastructure providers offer it, the EU (Frankfurt, Ireland). For transfers from the EEA, UK, or Switzerland to the US, we rely on:

  • Standard Contractual Clauses (SCCs) incorporated into our data processing agreements with each sub-processor.
  • The EU-US Data Privacy Framework where the sub-processor is certified (Stripe, Vercel).

A copy of the relevant SCCs can be requested at privacy@getnimbus.net.

9. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.3) for all Service endpoints.
  • Encryption at rest (AES-256) for all persistent data stores.
  • Hardware security modules (HSMs) for Ed25519 license-signing keys.
  • Mandatory multi-factor authentication for all production-access personnel.
  • Annual third-party penetration testing of the licensing API.
  • Immutable audit logging for all administrative data-access events.

No method of electronic storage or transmission is 100% secure. In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33–34.

10. Children’s Privacy

Nimbus is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us immediately. We will delete the data within 72 hours of verification.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email to the address associated with your Nimbus account.
  • A prominent notice on the Nimbus dashboard.
  • An update to the “Last updated” date at the top of this page.

Continued use of the Service after changes become effective constitutes acceptance of the revised policy. If you disagree with the changes, you may close your account and request data deletion as described in Section 7.

12. Contact Information

For all privacy-related inquiries:

FoogleGiber LLC
Email: privacy@getnimbus.net
Data Protection Officer: Erick Vasquez
DPO Email: dpo@getnimbus.net

This policy is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles. Any disputes arising under this policy shall be resolved in accordance with the dispute resolution provisions of our Terms of Service.