Privacy Policy
Last updated: April 17, 2026
Cognfy LLC (“Cognfy,” “we,” “us,” or “our”) operates Nexus, a bookmark management service accessible at stash.nexus and through our mobile applications (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using Nexus, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
Account Information
When you create an account, we collect:
- Your name
- Email address
- Password (stored as a cryptographic hash; we never store or have access to your plaintext password)
Profile Information
You may optionally provide:
- A biographical description
- A profile photo (stored on our hosting provider's object storage)
Bookmark Data
When you save bookmarks, we collect and store:
- The URL you saved
- Page title, description, and favicon (retrieved automatically from the linked page)
- Open Graph metadata (title, description, image) from the linked page
- Any notes, tags, or organizational data you add
- The collection you assign the bookmark to
Usage Data
We automatically collect certain information when you use the Service:
- Bookmark visit timestamps (when you click a saved bookmark)
- Search queries you perform within the Service
- IP address (used for rate limiting; not stored long-term)
Device and Technical Data
We may collect technical information including browser type, operating system, and device identifiers for the purpose of crash reporting and service improvement.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Create and manage your account
- Store and organize your bookmarks
- Retrieve metadata (titles, favicons, descriptions) for saved URLs
- Suggest tags based on your existing bookmarks and domain patterns
- Enable social features (friend system, collection sharing)
- Deliver notifications about friend requests and shared content
- Detect broken links in your bookmark collection
- Enforce rate limits and prevent abuse
- Diagnose technical problems and improve the Service
We do not use your information for advertising, and we do not sell your personal data to third parties.
3. How We Share Your Information
We share your information only in these limited circumstances:
- With other users, at your direction. When you share a collection with a friend, they can see the bookmarks in that collection. When you make a collection public, anyone with the link can view it. Your name, bio, and avatar are visible to users who look up your share code.
- With service providers. We use third-party services to operate Nexus (see Section 5). These providers process data on our behalf and are contractually obligated to protect it.
- To comply with legal obligations. We may disclose information if required by law, court order, or governmental request.
- To protect rights and safety. We may disclose information when we believe it is necessary to prevent fraud, enforce our terms, or protect the safety of our users.
4. Data Retention
We retain your data for as long as your account is active. When you delete your account, we permanently delete all associated data, including:
- Your profile information
- All bookmarks, collections, and tags
- Friend connections and shared collection permissions
- Notifications
- API tokens
- Saved searches
- Visit history
- Uploaded avatar images
Account deletion is permanent and cannot be reversed. Deletion is processed immediately upon request.
5. Third-Party Services
We use the following third-party services to operate Nexus:
- Vercel (United States) — Application hosting, serverless functions, and image/file storage (Vercel Blob for avatar uploads).
- Neon (United States) — PostgreSQL database hosting for all application data.
- Upstash (United States) — Redis-based rate limiting to prevent abuse. Stores only anonymized counters, not personal data.
- Sentry (United States) — Error tracking and crash reporting. May receive technical data such as error messages, stack traces, and device information when errors occur.
These providers maintain their own privacy policies governing their handling of data.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Passwords are hashed using industry-standard cryptographic algorithms
- API tokens are hashed with SHA-256 before storage
- All data is transmitted over HTTPS/TLS encryption
- Database access is restricted to the application layer
- Session tokens expire after 24 hours
No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights and Choices
Access and Export
You can export all of your bookmark data at any time through the Service in HTML, CSV, or JSON format.
Correction
You can update your profile information, bookmarks, tags, and collections at any time through the Service.
Deletion
You can delete your account and all associated data from the Settings page within the Service. Account deletion is immediate and permanent. You may also request deletion by contacting us at [email protected].
Data Portability
The export feature provides your data in standard, machine-readable formats (HTML bookmark format, CSV, or JSON).
8. Rights for Residents of Specific Jurisdictions
European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation, including the rights to access, rectify, or erase your data, to restrict or object to its processing, and to data portability. Our legal basis for processing your data is your consent (provided when you create an account) and our legitimate interests in operating the Service. To exercise these rights, contact us at [email protected].
California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information. To exercise your rights, contact us at [email protected].
9. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will delete that information.
10. Cookies and Similar Technologies
Nexus uses essential cookies only:
- Session cookie — Required for authentication. Contains an encrypted session token. Expires after 24 hours.
- Theme preference — Stores your light/dark mode preference locally.
We do not use advertising cookies, analytics cookies, or third-party tracking cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
12. Browser Extension
The Nexus browser extension is a capture tool that lets you save the current page to your Nexus account by clicking the toolbar icon. When you click it, the extension reads the active tab's URL and title — that is the only time it accesses any tab data. It does not run on pages you visit, does not observe your browsing history, and does not inject scripts into websites.
Your API token is stored in browser.storage.local, which is sandboxed to the extension and is not accessible to websites or other extensions. When you save a bookmark through the extension, the page URL, title, and any notes or tags you provide are sent over HTTPS to stash.nexus. Nothing else is transmitted — no page content, no visit history, no analytics, and no data to any server other than stash.nexus.
You can revoke your API token at any time from the Settings page on stash.nexus under API Token. Revoking the token immediately prevents the extension from authenticating. If you uninstall the extension, the token is removed from your browser but remains valid on the server until you revoke it in Settings.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
Cognfy LLC
1001 S Main St, Ste 600
Kalispell, MT 59901-1498
Email: [email protected]