We collect the smallest amount of data that lets us deliver a paid product, enforce a license, and answer a support ticket. We don't sell data, we don't run ad networks, and we don't watch you play.
What we collect
| Data | Why | Source |
|---|---|---|
| License key, derived as a HWID-bound hash | Enforce the single-user license and HWID lock | Your machine, hashed locally |
| Discord username (optional) | Route support tickets to you | You give it to us voluntarily |
| Email address | Send your receipt and license delivery | Forwarded by our payment processor |
| IP address at purchase and at activation | Detect chargeback fraud and stolen-card resellers | Captured server-side at the moment of the request |
| Crash dumps | Debug a crash you reported | Only if you submit one through the dashboard or a ticket |
| Anonymous loader telemetry (default ON, toggle in Settings) | Spot crashes and broken installs in the wild | Loader sends lifecycle events and a per-machine hash that is not reversible to your account, key, HWID, or IP |
| Meridian API request and response data | Operate the service, ensure quality, prevent abuse, and improve our products | Captured server-side when you call the Meridian API. Includes the prompt body, model name, response, token counts, and the IP and country of the request |
That's the full list. If something is not on the list above, we do not collect it.
Anonymous loader telemetry
When the loader runs, it sends a small stream of lifecycle events back to us — things like "loader started", "cleaner finished in 6.2 seconds", "inject completed", "loader crashed during step 7". This lets us see, in aggregate, where customers are getting stuck so we can fix the top problems in under 24 hours.
We do not send your username, email, license key, HWID, IP, or precise Windows build number. The only stable identifier is a hash that lets us count one machine as one machine, never as a person.
It is on by default. You can turn it off in Settings → Privacy → Send
anonymous telemetry inside the loader, or set the environment variable
NIMBUS_DEV_NO_TELEMETRY=1. The change takes effect at the next launch.
The full event-by-event list lives in the loader source tree at
docs/PRIVACY_TELEMETRY.md.
What we do NOT collect
- In-game actions. We do not record your matches, your inputs, your positioning, your aim history, or anything you do during gameplay.
- Game telemetry. We do not read your K/D, your rank, your match IDs, your loadouts, or any state from the Marvel Rivals client outside what the overlay needs to render in real time on your own machine.
- Replays or screenshots. We never capture or upload video, audio, or screen contents.
- Other-app data. We do not enumerate your installed programs, browse your files, or read processes other than the game.
- Demographics. No age, no gender, no location beyond IP for fraud checks, no advertising profile.
Third parties we use
These are the only third parties that touch your data, and only to the extent listed:
- SellAuth — processes your payment, handles chargebacks, delivers your license key. They see your purchase amount, billing details required by the card network, and email.
- KeyAuth — license activation backend. Sees your license key, HWID-derived hash, and activation timestamps. Does not see your email or Discord.
- Discord — community and support. Whatever you post in our server is governed by Discord's terms; we only see what every server admin sees.
- Cloudflare — DNS, CDN, and bot protection in front of our site and API. Sees the IP and request metadata of any visitor.
- Vercel — hosts this website. Sees standard web-server access logs for getnimbus.net.
- Model providers (Meridian only) — when you call the Meridian API, we relay your request to the model provider you selected (such as OpenAI via Azure, Anthropic via Vertex, Google Vertex AI, or xAI). That provider receives the prompt body and returns the response. They are bound by their own data-processing terms; we operate under zero-retention agreements with each upstream where one is available.
We do not share data with marketing partners, ad networks, data brokers, or analytics resellers. We have never sold data and we will not.
Cookies
See our Cookie Policy. The TL;DR: a small number of strictly-necessary cookies and a privacy-respecting analytics ping. No tracking, no ads, no Pixel.
Data retention
| Data | Retained for |
|---|---|
| License key + HWID hash | 12 months after your last activation, then deleted |
| Email + Discord | While your subscription is active, plus 12 months for support history |
| Purchase records (held by SellAuth) | As long as their tax / chargeback obligations require |
| IP at purchase / activation | 90 days, then truncated for fraud aggregates only |
| Crash dumps | 90 days after the issue is closed |
| Meridian API request and response data | While your account is active, plus retained for security audit, abuse investigation, and service quality. Aggregates may be retained indefinitely after personal identifiers are removed |
We keep nothing on customers who have been inactive for over 12 months beyond what tax law requires us to hand to the payment processor.
Your rights
You can exercise these directly from your dashboard — no ticket required:
- Access (GDPR Art. 15). Export a JSON + ZIP of everything we have on file for your account at /dashboard/account/export-data. The archive lands in your inbox within 24 hours (usually within a minute) and the signed download link is good for 7 days.
- Delete (CCPA / GDPR Art. 17). Permanently delete your account at /dashboard/account/delete-account. We use a 30-day grace period — sign back in any time before then to cancel. Payment records held by SellAuth are governed by their own retention policy (chargeback + tax obligations).
- Cookie consent (ePrivacy). Set non-essential cookies (analytics, functional) at /cookies or via the banner on first visit. Choices persist for 365 days and can be changed any time.
- Correct. Email + username changes live in your account settings. For anything else, open a ticket in our Discord.
- Opt out of fraud-detection IP retention if you have a credible reason (most won't) — open a ticket in our Discord.
For everything else, open a ticket in our Discord. We respond within 24 hours during peak and complete the request inside 30 days.
Children
Nimbus is 18+. We do not knowingly sell to minors. If you are under 18 and your parent figures out you have a paid subscription, they may contact support in Discord and we will work with them on a resolution.
Updates to this policy
If we change the list of what we collect or who we share it with, we will post the new policy here and bump the effective date. If the change is material, we will pin a notice in our Discord for at least 14 days.
2026-06-14: added the Meridian API service rows. We now collect API request and response data (prompt body + model response + token counts + request IP) for customers who use the Meridian API at meridian.getnimbus.net.
Contact
Open a ticket in our Discord. Privacy requests are handled by the same team that handles support; we don't make you bounce around.
Effective: 2026-06-14. Last updated: 2026-06-14.