Privacy Policy
Last updated: Effective May 14, 2026
This Privacy Policy describes how Nexus Laboratory (“we,” “us,” or “our”) collects, uses, shares, and protects information about you when you visit nexuslaboratory.org or place an order.
The Nexus Laboratory data-handling principle is minimal collection: we collect only what is needed to fulfill orders, deliver Certificates of Analysis, and respond to support inquiries. We do not sell personal information, we do not run third-party advertising trackers, and we do not create profiles of individual visitors for marketing purposes.
Information we collect
Information you provide directly. Name, shipping address, email address, order details, Certificate of Analysis inquiries, batch verification inquiries, and any messages you send to support. Payment details are entered at checkout into the Ivno-backed payment flow, with MoonPay onramp support where available, and are not stored on Nexus Laboratory systems.
Information collected automatically. Device information (browser type, operating system, approximate screen size), referrer URL, pages requested, and approximate geographic location derived from IP address. We do not store full IP addresses long-term; analytics is processed via Cloudflare Web Analytics, which uses privacy-preserving aggregation rather than per-visitor tracking cookies.
Information from third parties. Fraud-prevention signals from payment processor/onramp providers; fulfillment status from USPS (our shipping carrier); and aggregated, de-identified site analytics from Cloudflare Web Analytics.
How we use information
We use the information we collect to:
- Process and fulfill orders, including payment processing through the Ivno-backed checkout flow and shipping via USPS.
- Deliver Certificates of Analysis and respond to batch-verification inquiries.
- Provide customer support and respond to inquiries about products, COAs, batches, or order status.
- Detect, prevent, and investigate fraud or abuse.
- Comply with applicable laws and respond to lawful requests from authorities (subpoenas, court orders, etc.).
- Improve the site and product offerings using aggregated, de-identified analytics.
- Send transactional emails (order confirmations, shipping notifications, support replies). Nexus Laboratory does not send marketing or promotional emails — every message we send is in response to a transaction or a support inquiry you initiated.
Accounts and sign-in
A Nexus Laboratory account is optional. You can browse, access Certificates of Analysis, and check out as a guest without creating one. If you do create an account, the following describes the data we collect and how we secure it.
Account data we collect. Your email address is required to create an account. Any other profile fields — such as a name or organization — are optional and are clearly marked optional at the form.
Sign-in (magic links). We authenticate accounts with emailed “magic link” sign-in links — we do not store passwords. A sign-in link can be used once and expires 15 minutes after it is sent. Magic-link emails are sent through Resend, our transactional email provider, and contain only the sign-in link plus a brief security note — no marketing, no tracking pixels, and no personal data beyond what sign-in requires.
No third-party sign-in. We do not offer “Sign in with Google,” “Sign in with Apple,” or any other third-party identity provider. This is a deliberate privacy choice: signing in through a third-party provider would disclose to that provider that you are a Nexus Laboratory customer.
Session cookie. When you are signed in, we set a single secure, HTTP-only cookie to keep you signed in. It lasts 30 days by default; you can choose a 24-hour session at sign-in by unchecking “Remember this device.” We do not use tracking, marketing, or analytics cookies tied to your account.
Sign-in security data. When you sign in, we hash your IP address with a secret salt before storing it alongside your session record — we do not store IP addresses in plaintext. This hashed value is used only to detect anomalous session activity.
Saved addresses. Shipping addresses you save to your account are encrypted at rest using AES-256-GCM authenticated encryption. The encryption key is held only by the running application, so a database backup on its own cannot decrypt them.
Where account data is stored. Account data — your account record, sessions, magic-link records, and saved addresses — is stored in a PostgreSQL database on the same private server that runs nexuslaboratory.org. It is not shared with any third-party database provider.
Hiding past orders. You can hide individual past orders from your account view. Hiding is a dashboard-display preference only — the order is still retained in our records for shipping, refund, and support purposes; it is not deleted.
Inactive accounts. If an account has no sign-in activity for 24 months, we flag it for cleanup. We send a single reminder email at the 18-month mark before any cleanup occurs.
Deleting your account. You can delete your account at any time from your account page. Deletion is immediate and removes your account profile, saved addresses, session records, and magic-link records. Order records themselves are retained to meet U.S. tax and regulatory obligations (typically up to seven years), but they are unlinked from your account at deletion so they no longer identify you.
Retention and security
We retain personal information only as long as needed to fulfill the purposes described in this policy, then delete or de-identify it. Order records and tax and regulatory records may be retained for up to seven years to meet legal and accounting requirements. Support correspondence is retained while active and archived for up to two years afterward.
We protect information using a combination of encryption in transit (HTTPS site-wide), access controls, and the security practices of our infrastructure providers (Cloudflare, Ivno, MoonPay, USPS). No system is perfectly secure; we cannot guarantee absolute security and you transmit information at your own risk.
Your rights
Nexus Laboratory ships exclusively within the United States, so most users will be U.S. residents. Depending on where you live, you may have rights under applicable privacy laws to:
- Access the personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of personal information (subject to legal retention requirements).
- Object to or restrict certain processing of your personal information.
- Withdraw consent where processing relies on consent (note: most of our processing is necessary to fulfill the contract you initiated by ordering).
- For California residents under the CCPA/CPRA: opt out of any sale or sharing of personal information (we do not sell or share).
- For EU/UK residents under GDPR/UK-GDPR (relevant for EU/UK researchers who inquire even though we do not ship there): lodge a complaint with the relevant supervisory authority.
Submit privacy requests to [email protected]. We will respond within the time required by applicable law (typically 30-45 days).
Children
Nexus Laboratory products and services are not directed to anyone under 21 years of age. We do not knowingly collect personal information from anyone under 21. If you believe someone under 21 has provided us with personal information, contact us at [email protected] and we will delete it.
International users
Nexus Laboratory operates from the United States and ships exclusively within the United States. The site is accessible from outside the U.S., but if you access the site from outside the U.S. you do so on your own initiative and are responsible for compliance with local laws. Information processed in connection with your visit may be processed in the United States. By using the site, you consent to the transfer of information to the United States.
Changes to this policy and contact
We may update this Privacy Policy from time to time. We will post the new version on this page and update the “Effective” date above. For privacy questions, contact us at [email protected] or via the contact page.