Privacy Policy
This policy describes what data Autogon Inc. (operating as Nemesis Labs) collects when you use our products, how we handle it, and the rights you have over it. Our products are local-first by design. We collect the minimum required to operate the service.
1. What we collect
1.1 Account data
When you create an account, we collect: email address, name (if you provide one), country, and password hash. For paid customers we additionally store the Stripe or Paystack customer ID assigned at checkout. We do not store full card numbers or banking credentials.
1.2 Operational telemetry (Nemesis Blue)
The Blue agent sends limited heartbeat data so we can confirm the agent is alive and your subscription is valid:
- Device identifier (synthetic, per-install hash; not a hardware serial)
- Agent version, OS version
- Integrity-chain head hash (proves no tampering)
- Threat-count deltas (e.g. “3 detections since last check-in”)
For Pro+ tiers with detection telemetry enabled (opt-in, toggleable), we additionally process behavioral feature vectors of detected events: process hashes, parent-child lineage, MITRE ATT&CK tag. We do not collect: file contents, full command lines, browser history, document contents, keystrokes, microphone, camera, screen contents, or any personal communications.
1.3 Operational telemetry (Nemesis Red)
The Red engine runs in your environment. Evidence, findings, and reports do not leave your network. We collect only license-validation pings (license id, agent version, timestamp) for the purpose of enforcing license terms.
1.4 Payment data
Card data is handled by our payment processors (Stripe, Paystack). We receive a token referencing your payment method, the last four digits of your card, and the card brand. We do not store full card numbers, CVV, or banking credentials.
1.5 Website analytics
Our marketing site (nemesislabs.xyz) collects standard anonymized server-side analytics: country-level IP, browser and OS family, referrer. We do not use cross-site tracking cookies or fingerprinting.
2. How we use it
- To provide, operate, and maintain the Services.
- To enforce subscription and license terms.
- To improve detection efficacy (Blue) and reasoning quality (Red), using only the opt-in telemetry described above.
- To communicate service-relevant updates: security advisories, billing notices, breaking changes. We do not send marketing email without a separate opt-in.
- To comply with legal obligations (subpoenas, court orders, tax records).
3. Who we share it with
We share data only with the following categories of recipients, only as needed to deliver the Services:
- Infrastructure providers: Supabase (database + auth), Amazon Web Services (compute and storage in us-east-2 primary), Cloudflare (edge CDN).
- Payment processors: Stripe, Paystack.
- Email delivery: Resend, used only for transactional email (signup confirmation, billing).
- Legal authorities: only when required by valid legal process. We will challenge requests that appear overbroad and publish a transparency report annually.
We do not sell personal data. Ever.
4. Where we store it
Primary infrastructure is in AWS us-east-2 (Ohio, U.S.). EU-resident storage is available for Business and MSSP tier customers on request and will be the default for EU customers before EU general availability. Data in transit is encrypted with TLS 1.3. Data at rest is encrypted using AES-256 on our database storage layer.
5. How long we keep it
- Heartbeats: 7 days rolling.
- Detection telemetry: 90 days (Pro, Family, Business); 1 year (MSSP).
- Account & billing records: lifetime of account; 30-day grace period after deletion request, after which records are permanently erased except for records we must retain by law (e.g. tax records).
- Audit log:duration of account; required for SOC 2 compliance.
6. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct data that is inaccurate or incomplete.
- Delete your account and associated data. See our Data Deletion page for how to request this.
- Export a copy of your data in a portable format.
- Object to processing or restrict it.
- Withdraw consent for any opt-in processing.
EU/UK residents: you may lodge a complaint with your local data protection authority. California residents: rights under the CCPA/CPRA apply. To exercise any of these rights, email [email protected]. We respond within 30 days.
7. Children's privacy
Our products are not directed to children under 13 (or 16 in the EU). We do not knowingly collect data from such children. If you believe a child has provided us data, email [email protected] and we will delete it promptly.
8. Security
We use reasonable administrative, technical, and physical safeguards designed to protect personal data, including TLS 1.3 in transit, AES-256 at rest, role-based access control, audit logging, and quarterly security reviews. No system is impenetrable. We will notify affected users of a data breach within 72 hours of confirmation, as required by applicable law.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified at least 30 days in advance via email or in-product notice.
10. Contact
Privacy questions or requests: [email protected]. Postal address available on request.