Privacy Policy
Last updated: June 13, 2026
This policy explains what data thyfwxit.com and the Nexus AI Terminal at thyfwxit.com/nexus collect, how it's used, and which third parties are involved. The site is operated solo by Xavier Scott (THYFWX). It is a personal project, not a commercial product.
Do not enter personal information
Everything you type into the AI chat is sent to third-party providers (Groq, Google Gemini) to generate responses. Never enter passwords, Social Security numbers, credit card numbers, medical information, or anything you wouldn't want a third party to see. I have no control over how AI providers handle your input once it leaves my server.
What I collect from every visitor
If you visit thyfwxit.com or thyfwxit.com/nexus, the following is collected automatically:
- IP address: logged by the server on every request. Used for security (blocking abusive users), debugging errors, and basic traffic analytics. Your IP is also used to determine your approximate geographic region via ipinfo.io so the speed test can show your location. IP logs are kept for approximately 30 days, then automatically rotated.
- Browser information: your browser name, version, operating system, and device type (the "user-agent" string). This helps me understand what devices people use and debug rendering issues.
- Page requests: which pages you visit and when. Standard web server behavior.
- Connection metadata: the Maintenance Hub reads your browser's reported CPU core count, device memory, screen resolution, connection type, and battery status. This data is displayed to YOU on your screen. It is not sent to or stored on my server.
- Device fingerprint: a short hash is generated from your screen resolution, GPU renderer, timezone, and browser rendering characteristics. This hash cannot identify you personally. It identifies your device configuration. It is included in conversation logs for security purposes and is stored on the server only if your account is banned, to prevent ban evasion via guest mode or network switching. If you are not banned, your fingerprint is not stored.
What I collect when you sign in with Google
Nexus uses Google OAuth for sign-in. When you sign in:
- Google sends me your name, email address, and profile picture. I never see or receive your Google password.
- Your name, email, and profile picture are stored in your browser's localStorage so the terminal can display your identity. They are NOT stored on my server in plain text.
- My server stores a hashed account ID (derived from your Google ID) linked to your leaderboard handle and image generation quota counter. This is how I track how many images you've generated today without storing your email on the server.
- If you accept the one-time 18+ confirmation, a simple yes flag is stored against your hashed account ID. It exists so you are never asked twice and so the Unfiltered mode can verify the confirmation server side. It holds no birthdate, no identity document, nothing beyond the fact that you confirmed.
- Google OAuth only requests the openid, email, and profile scopes. I cannot access your Google Drive, Gmail, contacts, calendar, or any other Google service.
What I collect when you chat with the AI
This is the most important section. Read it carefully.
- Your prompts leave my server. Every message you type is forwarded to a third-party AI provider (Groq or Google Gemini) to generate a response. I do not permanently store the full text of your conversations on my server.
- I cannot control what AI providers do with your input. Once your prompt leaves my server, it is subject to that provider's own privacy policy and data handling practices. This is why you should never enter sensitive personal information.
- Conversations live in your browser only. Chat history is stored in your browser's memory (RAM) during the session and in localStorage for signed-in users. Closing the tab clears session memory. Signed-in users can clear localStorage anytime via the AI Profile panel.
- Moderation logging: if you trigger a critical-content moderation pattern (prompts involving violence toward specific people, CSAM, weapon synthesis, school violence, kidnapping, or body disposal), the offending prompt text and your IP address are forwarded to my private Discord channel for manual review. A temporary lockout is applied automatically. This is a safety measure, not advertising or data mining.
- Rate limiting: so one user or script can't burn the shared free AI quota, my server keeps a small request counter keyed to your IP that expires within the minute. It holds only a count, never your prompt text, and is not used for tracking or ads.
- Guests: everything is session-only. Close the tab and it's gone. No account, no persistent data.
- Signed-in users: the last several messages per chat mode persist in your browser's localStorage so the AI can maintain context across page reloads. You can wipe this anytime. It never leaves your browser.
What I collect when you generate an image
- Your text prompt is sent to the image provider. Depending on availability, this is Replicate (paid, higher quality) or Pollinations (free). The provider generates the image and returns it.
- Generated images are stored in your browser only. The image data (base64 encoded) is saved to your browser's localStorage so you can view your generation history. Images are NOT uploaded to or stored on my server.
- Quota tracking: my server keeps a counter of how many images you've generated today, tied to your hashed account ID, plus a second counter tied to your IP address. This is how I enforce daily limits (15/day per account, 30/day per network, 150/day for premium). Both counters reset daily and expire on their own. I do not store what you generated, just how many times.
What I collect when you play games
- Leaderboard submissions: if you submit a high score, your chosen handle, score, game name, and timestamp are stored on my server. Your email is NOT attached to leaderboard entries, only your handle.
- Game state: nothing about your gameplay is sent to the server in real-time. Games run entirely in your browser. Only final scores are submitted if you choose to.
What I collect from the speed test
- The speed test sends and receives random data between your browser and my server to measure bandwidth. No personal data is transmitted during the test. Your IP address is visible to the server (as with any web request) and is shown to you in the results. Speed test results are not stored on my server.
Browser storage (localStorage)
Nexus stores the following in your browser's localStorage. This data never leaves your device unless you explicitly share it:
- Your sign-in identity (name, email, profile picture, owner status)
- Chat history per mode (last several messages for AI context)
- AI memory notes you've written in the AI Profile
- Generated image history
- Command history (terminal input history)
- Accessibility preferences
- Current chat mode selection
You can clear all of this at any time by signing out, using "Forget All" in the profile dropdown, or clearing your browser's site data for thyfwxit.com.
Third-party services and what they receive
- Groq (groq.com): receives your chat prompts to generate AI text responses. Primary AI provider. Subject to Groq's privacy policy.
- Google Gemini (ai.google.dev): receives your chat prompts as a fallback AI provider. Subject to Google's AI terms.
- Replicate (replicate.com): receives image generation prompts. Paid provider with $15/month budget cap. Subject to Replicate's privacy policy.
- Pollinations (pollinations.ai): receives image generation prompts as free fallback.
- Google OAuth (accounts.google.com): handles sign-in authentication. I never receive your Google password. Only name, email, and profile picture are shared with me.
- Google AdSense (googlesyndication.com): displays ads on standalone pages (speed test, leaderboard, changelog, about, invaders, typing, privacy, terms). Uses cookies for ad personalization, frequency capping, and performance measurement. You can manage ad preferences at adssettings.google.com. Full details: Google partner site policies.
- Google Funding Choices (fundingchoicesmessages.google.com): shows the EU/UK GDPR consent banner, the US state "Do Not Sell or Share My Personal Information" opt-out banner, and (if you have an ad blocker enabled) a small dismissible bottom banner asking you to consider allowing ads. These are managed by Google on my behalf. The ad blocking recovery banner is set to "Bottom pinned" and is dismissible. It never blocks page content. Subject to Google's privacy policy.
- ipinfo.io: receives your IP address to determine approximate geographic location (country, city). Used by the speed test server info display. No other personal data is shared.
- Cloudflare Pages (cloudflare.com): hosts the frontend. Standard CDN request logs.
- Cloudflare Workers (cloudflare.com): hosts the backend API at api.thyfwxit.com. Processes AI chat requests, auth, and leaderboards. Standard Cloudflare logging.
Cookies: exactly what's set
- nexus_session: a JWT (JSON Web Token) containing your hashed user ID, display name, and email. HTTP-only (JavaScript cannot read it), Secure (only sent over HTTPS), SameSite=None, scoped to .thyfwxit.com. Expires after 30 days. Set when you sign in with Google or continue as guest. Cleared when you sign out.
- AdSense cookies: set by Google's ad scripts when ads load. Used for ad personalization, frequency capping, and performance measurement. I do not control these cookies. You can opt out via Google's ad settings.
- Google OAuth cookies: set temporarily during the sign-in flow. Managed by Google, not by me.
- I do not set any analytics cookies, tracking pixels, or fingerprinting scripts.
Your rights
- See your data: email xavier@thyfwxit.com with the Google account email you signed in with. I'll look up what's stored under your account: leaderboard scores, display handle, and whether any moderation flags exist. This is a manual process. Expect a response within a few business days.
- Delete your data: email me and I'll remove your leaderboard entries, display handle, and any moderation logs tied to your account. Conversation logs sent to my private Discord channel will also be deleted. This is done manually and may take a few business days. Once deleted, it cannot be recovered.
- Sign out and forget: the profile dropdown in the terminal has "Sign Out" (clears your session cookie) and "Forget All" (wipes all browser-stored data including chat history, image history, and preferences).
- EU / UK / EEA / Switzerland visitors (GDPR): Google's funding-choices consent banner asks you to accept or reject personalized ads before any ad personalization data is set. I do not track you independently of Google's ad system. You can change your choice anytime by clearing site data or revisiting the banner via your browser's storage controls.
- California / Colorado / Connecticut / Utah / Virginia and other US state residents (CCPA / CPRA / state laws): I do not sell personal data for money. To opt out of the "sharing" of personal information for cross-context behavioral advertising (which is how some US state laws classify ad personalization), use the "Do Not Sell or Share My Personal Information" link shown on pages that display ads. This signal is also honored automatically if your browser sends the Global Privacy Control (GPC) header. The opt-out applies to ad personalization only. It does not block ads themselves.
- Ad personalization opt-out (everyone, regardless of region): visit adssettings.google.com to turn off ad personalization at the Google account level. This affects all sites that use AdSense, not just this one.
Data retention
- Server logs: approximately 30 days, then automatically rotated by the hosting provider.
- Account data (leaderboard handle, image quota counter): kept until you request deletion. Image quota counters reset daily automatically.
- Rate limit counters (chat): a temporary message counter tied to your IP enforces the daily guest chat limit. It holds only a count for the current day, then expires on its own.
- Conversation logs (sent to a private Discord channel): kept indefinitely for safety review. Deleted on request.
- Moderation logs (flagged prompts from critical-content triggers): kept indefinitely for safety enforcement. Deleted on request.
- Device fingerprints: only stored if your account is banned. Used solely for ban enforcement. Deleted if your ban is lifted.
- Browser data (chat history, images, preferences): stored on YOUR device only. Cleared when you clear browser data or use "Forget All." I have no access to your browser's localStorage.
Children
Nexus is intended for users 18 and older. The Unfiltered chat mode is for mature audiences and requires a Google sign-in plus age confirmation before access. All image generation is SFW (safe for work). The Unfiltered chat may touch on mature themes, but explicit sexual content is refused in every mode.
I do not knowingly collect data from children under 13. If I learn that a child under 13 has provided personal data through the site, I will delete it immediately upon request. Contact xavier@thyfwxit.com.
Changes to this policy
If this policy changes in any meaningful way, the updated version is posted here and the "Last updated" date at the top is bumped. Significant changes are also announced in the changelog. Continuing to use the site after a policy change means you accept the updated version.
Contact
Xavier Scott (THYFWX): xavier@thyfwxit.com