Privacy Policy

Nereus — operated by Demersal, Inc.

Effective Date: April 11, 2026 Last Updated: April 11, 2026

This Privacy Policy explains how Demersal, Inc. ("Demersal," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Nereus platform at usenereus.com (the "Service"). This policy applies to all users of the Service, including account holders and their authorized team members.

By using the Service, you agree to the collection and use of information in accordance with this policy.

---

1. Information We Collect

1.1 Account Information

When you sign in with Google OAuth 2.0, we receive and store:

• Your name
• Your email address
• Your Google profile picture URL
• Your Google account identifier (a unique ID used to link your account)

We do not receive or store your Google password.

1.2 Agreement Data (Extracted Metadata)

When you sync documents from Google Drive, the Service uses AI to extract structured metadata from your agreements. This metadata includes fields such as:

• Agreement names, types, and statuses
• Counterparty names and contact information
• Effective dates, termination dates, and renewal dates
• Financial terms (value, payment frequency, billing terms)
• Governing law and jurisdiction
• Product and service descriptions
• Location information referenced in agreements
• Investment terms (amounts, equity stakes, instrument types, valuation caps, discount rates, interest rates, board representation, and related fields)

This metadata is stored in our database and constitutes the primary data the Service manages on your behalf.

1.3 Information We Do Not Store

• Full-text copies of your documents. Your source files remain in your Google Drive. The Service reads them during sync to extract metadata, then references them by URL.
• Google account passwords or persistent OAuth tokens. Authentication is session-based.
• Payment card numbers. Payment processing will be handled entirely by Stripe when paid plans are available. We will not have access to your full card details.

1.4 Usage and Log Data

We automatically collect certain technical information when you use the Service, including:

• IP address
• Browser type and version
• Pages visited and features used
• Timestamps of requests
• Request identifiers (for debugging and support)

This data is collected through server logs and is used for security, debugging, and service improvement.

1.5 Audit Log Data

The Service maintains an internal audit log of data modifications (create, update, delete actions) associated with your account. This log includes the user ID, action type, affected entity, timestamp, and IP address. Audit logs are used for security monitoring and are not exposed to end users.

---

2. How We Use Your Information

We use the information we collect to:

• Provide the Service: Authenticate your identity, process your documents, store and display your Agreement Data, and enable search and management features.
• Maintain and improve the Service: Monitor performance, diagnose issues, analyze usage patterns (in aggregate), and develop new features.
• Communicate with you: Send service-related communications such as account notifications, security alerts, and support responses.
• Ensure security: Detect and prevent unauthorized access, fraud, and abuse.
• Comply with legal obligations: Respond to lawful requests from authorities and comply with applicable laws.

We do not use your information to serve advertisements. We do not sell, rent, or trade your personal information to third parties.

---

3. Third-Party Service Providers

We share information with the following third-party service providers:

3.1 Anthropic (AI Processing)

• What is shared: Document content is transmitted to the Anthropic Claude API during the sync process for metadata extraction.
• How it is used: Anthropic processes the data and returns structured metadata to Nereus. Anthropic does not use commercial API data to train its AI models.
• Retention: Anthropic retains API inputs and outputs for a limited period for operational and safety monitoring purposes, as described in their commercial terms.
• Encryption: All data transmitted to Anthropic is encrypted in transit via TLS.
• More information: Anthropic's Commercial Terms

3.2 Google (Authentication and Drive Access)

• Authentication: Google OAuth 2.0 provides identity verification. Google receives standard OAuth data (redirect URIs, scopes requested).
• Drive Access: A Google Drive service account with read-only access reads documents from folders you explicitly share. The service account cannot modify, delete, or create files in your Drive.
• More information: Google's Privacy Policy

3.3 DigitalOcean (Infrastructure)

• Hosting: The Service and its database are hosted on DigitalOcean infrastructure in United States data centers.
• More information: DigitalOcean's Privacy Policy

3.4 Stripe (Payment Processing)

• What is shared: When paid plans are available and you subscribe, billing information will be collected and processed by Stripe. Demersal will receive only a payment confirmation and a truncated card identifier — never your full card number.
• More information: Stripe's Privacy Policy

We do not share your Customer Data with any other third parties except as required by law.

---

4. Data Security

We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit, access controls, tenant isolation between user accounts, and audit logging of data modifications.

We regularly review our security practices and update them as the Service evolves. No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

---

5. Data Retention

• Account information: Retained for the duration of your account and deleted within 30 days of account termination.
• Agreement Data: Retained for the duration of your account. Deleted within 30 days of account termination or upon your request.
• Audit logs and server logs: Retained for as long as necessary for security, debugging, and compliance purposes.
• Anthropic API data: Retained by Anthropic for a limited period per their commercial terms. Demersal has no control over Anthropic's retention within this window.

---

6. Your Rights

6.1 Access

You may request information about the personal data we hold about you. Agreement Data is accessible through the Service at any time.

6.2 Correction

You may request correction of inaccurate personal information. You can also edit Agreement Data directly through the Service.

6.3 Deletion

You may request deletion of your account and all associated data by contacting us at jon@demersal.tech. We will process deletion requests within 30 days, except where retention is required by law.

6.4 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including:

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
• Non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at jon@demersal.tech. We will verify your identity before processing your request.

---

7. Cookies and Tracking

The Service uses only essential session cookies required for authentication and security (session management, CSRF tokens). We do not use tracking or advertising cookies.

---

8. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it promptly.

---

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days in advance. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

---

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Demersal, Inc. Email: jon@demersal.tech