Legal / Privacy

How Nerviq handles website lead and feedback data.

This draft privacy page covers the current website scope: lead capture, early-access requests, enterprise follow-up, and feedback intake. It does not describe a hosted customer control plane because Nerviq does not currently operate one publicly.

Draft copyWebsite scope onlyEncrypted intake storage
Draft — pending legal review
Not yet authoritative. Contact hello@nerviq.net for questions.

Scope and controller

This page is intentionally narrow. It covers the public site, its forms, and the operational follow-up that comes directly from those submissions.

Included

Current scope

Waitlist and pricing-interest capture.

Enterprise and dashboard early-access forms.

Feedback intake and operational email follow-up tied to the original request.

Placeholder

Controller draft

Nerviq.

Primary privacy and business contact: business@nerviq.net.

Controller entity name and jurisdiction remain subject to legal review.

What data we collect

The current intake flow is designed around product interest and follow-up, not around sensitive identity or payment processing.

Forms

User-supplied fields

  • name and email address
  • company name, team size, repo count, and agent count
  • AI tools in use and lead intent
  • free-form message content about the request
Request data

Operational metadata

  • submission timestamp
  • source page and CTA source
  • user agent and referer when present
  • current site version or commit identifier for traceability

We do not intentionally request payment details or government identifiers in the public site flow.

Why we process it

The practical reason for collecting this data is to answer the request that the visitor actually made and to keep the intake flow usable and abuse-resistant.

  • respond to the user or company that requested contact
  • prioritize enterprise and early-access follow-up
  • understand product demand by segment
  • maintain operational records of inbound requests
  • detect spam, abuse, and misuse of the intake flow

We do not sell personal data, and we do not use lead submissions to train third-party AI models.

Storage, encryption, and security

The website stores lead records as encrypted payloads before persistence. That matters more than marketing language here, so the draft states the mechanism plainly.

Technical facts

Current implementation posture

  • lead payloads are serialized server-side
  • payloads are encrypted with AES-256-GCM before storage
  • ciphertext is stored with IV and authentication-tag metadata
  • the confidentiality boundary depends on correct LEAD_ENCRYPTION_KEY management
Plain language

Security limits

We use administrative, technical, and organizational measures intended to protect submitted information.

No storage or transmission method is guaranteed to be perfectly secure.

The detailed vulnerability-reporting process lives on the draft security page.

Sharing, transfers, and retention

The privacy posture is intentionally conservative: no sale of data, no ad-network sharing, and retention windows tied to pipeline usefulness instead of indefinite accumulation.

Draft policy

Sharing and disclosure

  • no sale of personal data
  • no routine sharing with third-party advertisers
  • limited disclosure only to service providers needed to operate the website and notification flow
  • disclosure when required by law or needed to protect rights and security

A future production page should list subprocessors directly or link to a maintained subprocessors register.

Draft timing

Retention and transfers

  • active lead records: up to 12 months from last meaningful contact
  • stale pipeline records: delete or anonymize within 24 months
  • abuse and security logs: shorter retention, typically 30 to 90 days unless investigation requires longer

International-transfer wording remains a legal placeholder until provider locations and transfer safeguards are finalized.

Rights under GDPR / CCPA-style laws

Subject to applicable law, visitors may have the right to access, correct, delete, restrict, object, or request portability for their personal data.

  • access or correction requests
  • deletion requests
  • restriction or objection to certain processing
  • portability where applicable
  • withdrawal of consent for future contact
  • opt-out rights where CCPA-style regimes require them

Requests can be directed to business@nerviq.net. A production version should also publish a response workflow and handling SLA.

Children, changes, and contact

This draft is not aimed at children, and it will change before publication once legal review confirms the final entity, jurisdiction, subprocessors, and operational handling details.

Housekeeping

Children and updates

The site is not intended for children, and we do not knowingly collect personal data from children below the age threshold required by applicable law.

When published for real, this page should carry an effective date and describe how material updates are communicated.

Still pending

Open items before publication

  • final controller entity and jurisdiction
  • subprocessors disclosure
  • retention schedule confirmation
  • data-subject request workflow and SLA
  • cross-links to final Terms and Security pages