Effective: March 1, 2026 · Last updated: February 28, 2026
The short version: We process your data in volatile memory and destroy it. We never see, store, or log the contents of your sessions. Our database contains only your email, hashed API key, and usage counts. CDPs are returned to you — we don't keep copies.
Nanorix Inc. ("Nanorix," "we," "us") is a Delaware C-Corporation that provides cryptographic destruction proof services via the Nanorix Verify API. Contact: hello@nanorix.io
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account identity, billing, communications | Until account deletion |
| Hashed API key (Argon2) | Authentication | Until account deletion |
| Subscription tier | Enforce usage limits | Until account deletion |
| Stripe customer ID | Billing | Until account deletion |
| Session count (aggregate) | Usage tracking, billing | Rolling monthly |
| Ed25519 public keys | CDP verification | Indefinite (public data) |
| Data | What Happens |
|---|---|
| Data you submit to sessions | Exists only in volatile memory. Destroyed on session termination. Never written to disk, logged, or transmitted. |
| Execution commands and outputs | Processed in volatile memory. Returned to you in API response. Destroyed on session termination. |
| Cryptographic Destruction Proofs | Generated at destruction time. Returned to you in API response. We do not retain copies. |
| Ed25519 private signing keys | Ephemeral. Created per session. Zeroized immediately after CDP signing. Never persisted. |
| Data | Purpose | Retention |
|---|---|---|
| IP address | Rate limiting, abuse prevention | Not logged to disk |
| API request metadata (method, path, status code, duration) | Operational monitoring | Cloud Run logs, 30 days |
What we explicitly do NOT collect or store: session data contents, execution outputs, CDP bodies, private keys, raw API keys, IP addresses on disk, or any data that could reconstruct what you processed.
Account data is used to: authenticate API requests, enforce tier-based usage limits, process payments via Stripe, and communicate service updates. We do not sell, rent, or share your data with third parties for marketing purposes.
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, subscription tier, payment info (handled by Stripe directly) |
| Google Cloud Run | API hosting | Request metadata (standard cloud logging) |
| Neon | Database hosting | Account data (email, hashed keys, usage counts) |
None of these services have access to your session data, which exists only in volatile memory on the Cloud Run instance during execution.
API keys are hashed with Argon2 before storage — we cannot recover your key. All API traffic is encrypted via TLS. Session data never leaves volatile memory and is never written to persistent storage. The destruction process includes multi-pass memory overwriting, cryptographic key zeroization, and filesystem unmounting, as documented in the CDP specification.
Nanorix Verify is architecturally designed so that Protected Health Information (PHI) submitted to sessions exists only in volatile memory and is destroyed with cryptographic proof. Our database never contains PHI. However, Nanorix does not currently execute Business Associate Agreements (BAAs). If you require a BAA, contact us at founder@nanorix.io to discuss enterprise arrangements.
For users in the European Economic Area: the legal basis for processing account data is contract performance (providing the Service you signed up for). You have the right to access, rectify, or delete your account data. Session data is not retained, so there is nothing to access or delete — the CDP you receive is your record. To exercise your rights, contact hello@nanorix.io. We will respond within 30 days.
Account data is retained until you request deletion. Session data is destroyed at session termination (seconds to minutes). API request logs are retained for up to 30 days for operational purposes. To delete your account and all associated data, email hello@nanorix.io. Deletion will be completed within 30 days.
The Service is not directed at individuals under 18. We do not knowingly collect data from minors.
We may update this Privacy Policy with 30 days' notice via email or website posting. Material changes affecting data handling will be clearly communicated.
Nanorix Inc.
Privacy inquiries: hello@nanorix.io
Security issues: security@nanorix.io