This policy explains the cookies and browser storage that the Nexus dashboard and embeddable chat widget use. In short: the cookies we set are first-party and either strictly necessary for signing in or used for privacy-preserving, cookieless analytics — we do not use third-party advertising or cross-site trackers. It sits alongside our Privacy Policy and Terms of Service.
01Essential cookies
The Nexus dashboard uses a small number of strictly necessary, first-party cookies to keep you signed in and to enforce our session policy. Because the product cannot function without them, they are set without a consent prompt, consistent with the essential-cookie exemptions under the GDPR and Qatar PDPL.
- Authentication cookies managed by our identity provider (Supabase Auth) hold your signed-in session tokens. They are created when you log in and cleared when you sign out.
- Session-policy cookies (
nx_auth_start,nx_last_seen,nx_remember) enforce the 8-hour idle timeout, the 30-day maximum session lifetime, and your “Keep me signed in” choice. With that option off they are session cookies that disappear when you close the browser. They are setSameSite=Laxand, over HTTPS,Secure.
We do not set third-party advertising cookies, and we do not use cookies to track you across other websites.
02Chat widget storage
The embeddable chat widget runs inside an isolated Shadow DOM on the sites that install it and does not set cookies. Instead it keeps a small amount of state in the visitor's browser using Web Storage, so a returning visitor can pick up where they left off:
- A persistent chat session id in
localStoragelets a returning visitor resume their conversation and read earlier messages. It is scoped per site and project, keyed by a hash of the public widget key — the raw key is never stored. - A cached copy of the widget's appearance settings in
localStoragelets the launcher paint in the correct theme on the first frame of a return visit; it is refreshed from the server in the background on every load. - When the site owner enables web analytics, a per-tab analytics session id is held in
sessionStorageand cleared when the tab closes (described below).
These writes are best-effort. If the browser blocks storage (private mode or partitioned storage) the widget still works — it simply won't remember an earlier conversation.
03First-party web analytics
When a site owner turns on Nexus web analytics, the widget includes a first-party, cookielesspage-and-event tracker that reports only to Nexus's own analytics collector. It is not a third-party advertising or cross-site tracking service, and Nexus does not embed Google Analytics, the Meta Pixel, or similar third-party trackers.
Each event carries only:
- the event type (page view, widget open, or chat started);
- the page path, without its query string or hash;
- the referring URL and any
utm_*campaign parameters on the landing page.
Device, browser, and operating system are derived server-side from the request's user-agent header. The only client-side identifier is the per-tab session id in sessionStorage above; Nexus computes a daily-rotating, salted visitor hash server-side, so analytics cannot re-identify a visitor across days or link them across the sites they visit.
04Your choices
Because everything above is either strictly necessary (staying signed in) or first-party and privacy-preserving (resuming a chat, cookieless analytics), we do not show a tracking-consent banner for it. You can clear these cookies and storage entries at any time from your browser's cookie and site-data controls, or block storage for a site — the dashboard will simply ask you to sign in again, and the widget will start a fresh conversation.
A business that embeds the widget controls whether web analytics is enabled and is responsible for surfacing any consent notice its own jurisdiction requires to its end-users. For how this fits our wider data practices, see our Privacy Policy; for questions, write to privacy@nexussupportagent.com.