Privacy & Terms of Use

Our commitment to transparency, security & respect.

Our commitment to transparency, security & respect.

Our commitment to transparency, security & respect.

Last updated: June 23, 2026

Quick Summary


We believe privacy is not just a legal checkbox, it is a trust agreement. This page explains what data we collect, how we use it, and the choices you have. We keep it short, plain, and honest.

Most of what we do is research. People share their experiences with us through conversational surveys we run for our clients, and we treat that contribution as privileged. We collect only what is needed, we ask for layered and explicit consent, and the words people share are never run through AI to be interpreted. A named human reviews the analysis. This page covers both the people who participate in our research and the clients and account holders who use our platform.

Want the details? Pick any topic below.

Last updated: June 23, 2026

Quick Summary


We believe privacy is not just a legal checkbox, it is a trust agreement. This page explains what data we collect, how we use it, and the choices you have. We keep it short, plain, and honest.

Most of what we do is research. People share their experiences with us through conversational surveys we run for our clients, and we treat that contribution as privileged. We collect only what is needed, we ask for layered and explicit consent, and the words people share are never run through AI to be interpreted. A named human reviews the analysis. This page covers both the people who participate in our research and the clients and account holders who use our platform.

Want the details? Pick any topic below.

TL;DR Overview


Privacy Basics


  • We collect only what is needed to provide our services and conduct our research engagements.

  • Your data is never sold.

  • You control your information (access, update, delete, withdraw consent).

  • We use encryption and industry-standard security measures.

  • We do not use AI or machine learning to interpret participant survey responses. Analysis of responses is deterministic and rule-based, and a named human reviews it.


Data We Collect


  • Only the data needed to deliver and improve our services and to run each research engagement.

  • For research participants: survey responses (including open-ended narrative), and, where you choose to provide them, demographics, audio, video, and other media.

  • Sensitive or special-category data (such as race, ethnicity, gender identity, disability, or accounts of difficult experiences) is collected only with your explicit, separate opt-in, and only where the research purpose requires it.

  • For clients and account holders: contact and professional details, project information, and (for users of our financial management features) bank connection data through Plaid.


How We Use Your Data


  • To run our research engagements, build and analyze surveys, and produce reports for our clients.

  • To operate, troubleshoot, and improve our platform and services.

  • To communicate important updates and, where you have opted in, ongoing engagement opportunities.

  • For de-identified or aggregated analysis, case studies, and methodology development, governed by the consent you gave.

  • Never for resale.


Sharing & Disclosure


  • Shared with the client who commissioned the research (who is usually the data controller), with authorized practitioner partners working on that specific engagement, and with the service providers who help us deliver the service.

  • May be disclosed if legally required or to prevent harm.

  • Never shared for advertising or unrelated marketing.


Data Retention & Security


  • We keep data only as long as necessary for the engagement, plus limited periods for legal, accounting, and methodology purposes.

  • Stored in encrypted, access-controlled environments.


Your Rights & Choices


  • Access, correct, or delete your information.

  • Withdraw consent for optional data collection, including ongoing engagement.

  • Where applicable under your state or country law, opt out of profiling.

  • Contact us with any privacy question or concern.

TL;DR Overview


Privacy Basics


  • We collect only what is needed to provide our services and conduct our research engagements.

  • Your data is never sold.

  • You control your information (access, update, delete, withdraw consent).

  • We use encryption and industry-standard security measures.

  • We do not use AI or machine learning to interpret participant survey responses. Analysis of responses is deterministic and rule-based, and a named human reviews it.


Data We Collect


  • Only the data needed to deliver and improve our services and to run each research engagement.

  • For research participants: survey responses (including open-ended narrative), and, where you choose to provide them, demographics, audio, video, and other media.

  • Sensitive or special-category data (such as race, ethnicity, gender identity, disability, or accounts of difficult experiences) is collected only with your explicit, separate opt-in, and only where the research purpose requires it.

  • For clients and account holders: contact and professional details, project information, and (for users of our financial management features) bank connection data through Plaid.


How We Use Your Data


  • To run our research engagements, build and analyze surveys, and produce reports for our clients.

  • To operate, troubleshoot, and improve our platform and services.

  • To communicate important updates and, where you have opted in, ongoing engagement opportunities.

  • For de-identified or aggregated analysis, case studies, and methodology development, governed by the consent you gave.

  • Never for resale.


Sharing & Disclosure


  • Shared with the client who commissioned the research (who is usually the data controller), with authorized practitioner partners working on that specific engagement, and with the service providers who help us deliver the service.

  • May be disclosed if legally required or to prevent harm.

  • Never shared for advertising or unrelated marketing.


Data Retention & Security


  • We keep data only as long as necessary for the engagement, plus limited periods for legal, accounting, and methodology purposes.

  • Stored in encrypted, access-controlled environments.


Your Rights & Choices


  • Access, correct, or delete your information.

  • Withdraw consent for optional data collection, including ongoing engagement.

  • Where applicable under your state or country law, opt out of profiling.

  • Contact us with any privacy question or concern.


1. Privacy Introduction

Our Commitment to Your Data

We believe your privacy is essential. This policy explains what information we collect, how we use it, and the choices you have. We collect personal details you choose to share with us, as well as technical information about how you interact with our services. We use this data to provide and improve our offerings, conduct our research engagements, communicate with you, and ensure the security of our systems. We do not sell your personal information. By using our website or services, you agree to this policy and our Terms of Use.

This Privacy Policy ("Policy") describes how Nesolagus, LLC ("we," "us," or "our") collects, uses, and protects information through our website nesolagus.com, the Warren research platform, and all related services, applications, and tools (collectively, the "Services").

About the Warren Platform

Warren is our research platform. It is the system through which we design conversational surveys, collect and analyze responses, and report findings to our clients. The platform includes tools for discovery and project scoping, survey building, an analytical dashboard, an audience engagement center, and supporting business and financial management features. When this Policy refers to participant data or survey data, it refers to information collected through Warren on behalf of the clients who commission our research. When it refers to account or billing data, it refers to information from the clients and account holders who use the platform directly.

This Policy applies to:


  • All users of our Services, including clients, account holders, and research participants.

  • All projects involving adult participants.

  • Projects involving minors only where noted. Youth-focused and student-focused projects are governed by a separate, project-specific Minor Participants Privacy Policy provided at the time of collection.


In most cases, Nesolagus acts as a service provider or data processor on behalf of our clients, who serve as the data controller. This means our clients determine what information is collected and how it is used. When acting as a processor, we handle data only in accordance with the client’s instructions.

Our Role: Processor and Controller

In most cases, Nesolagus acts as a service provider or data processor on behalf of our clients, who serve as the data controller. This means our clients determine what information is collected and how it is used. When acting as a processor, we handle data only in accordance with the client's documented instructions and the applicable Data Processing Agreement.

In a limited set of activities, we act as a controller in our own right. These include operating and securing the platform, maintaining business and account records, and (where the relevant consent permits) producing de-identified or aggregated case studies and developing our research methodology. Where we re-analyze data from a completed engagement for these purposes, we do so within the scope of the consent originally given, or we seek fresh consent.


Educational Institutions and Minors (FERPA and COPPA)

For projects involving educational institutions and student data subject to the Family Educational Rights and Privacy Act (FERPA), we operate as a "school official" and implement additional safeguards. These requirements are documented in project-specific Data Processing Agreements.

For engagements involving minors, including students in K-12 settings, we do not contact participants directly. Ongoing engagement and the sharing of results are routed through the school, district, or institutional gatekeeper, which disseminates findings according to its own protocol. We design these engagements to operate within FERPA, the Children's Online Privacy Protection Act (COPPA), and applicable institutional research protocols. The terms of each such engagement are set out in the project-specific Minor Participants Privacy Policy and Data Processing Agreement.


1. Privacy Introduction

Our Commitment to Your Data

We believe your privacy is essential. This policy explains what information we collect, how we use it, and the choices you have. We collect personal details you choose to share with us, as well as technical information about how you interact with our services. We use this data to provide and improve our offerings, conduct our research engagements, communicate with you, and ensure the security of our systems. We do not sell your personal information. By using our website or services, you agree to this policy and our Terms of Use.

This Privacy Policy ("Policy") describes how Nesolagus, LLC ("we," "us," or "our") collects, uses, and protects information through our website nesolagus.com, the Warren research platform, and all related services, applications, and tools (collectively, the "Services").

About the Warren Platform

Warren is our research platform. It is the system through which we design conversational surveys, collect and analyze responses, and report findings to our clients. The platform includes tools for discovery and project scoping, survey building, an analytical dashboard, an audience engagement center, and supporting business and financial management features. When this Policy refers to participant data or survey data, it refers to information collected through Warren on behalf of the clients who commission our research. When it refers to account or billing data, it refers to information from the clients and account holders who use the platform directly.

This Policy applies to:


  • All users of our Services, including clients, account holders, and research participants.

  • All projects involving adult participants.

  • Projects involving minors only where noted. Youth-focused and student-focused projects are governed by a separate, project-specific Minor Participants Privacy Policy provided at the time of collection.


In most cases, Nesolagus acts as a service provider or data processor on behalf of our clients, who serve as the data controller. This means our clients determine what information is collected and how it is used. When acting as a processor, we handle data only in accordance with the client’s instructions.

Our Role: Processor and Controller

In most cases, Nesolagus acts as a service provider or data processor on behalf of our clients, who serve as the data controller. This means our clients determine what information is collected and how it is used. When acting as a processor, we handle data only in accordance with the client's documented instructions and the applicable Data Processing Agreement.

In a limited set of activities, we act as a controller in our own right. These include operating and securing the platform, maintaining business and account records, and (where the relevant consent permits) producing de-identified or aggregated case studies and developing our research methodology. Where we re-analyze data from a completed engagement for these purposes, we do so within the scope of the consent originally given, or we seek fresh consent.


Educational Institutions and Minors (FERPA and COPPA)

For projects involving educational institutions and student data subject to the Family Educational Rights and Privacy Act (FERPA), we operate as a "school official" and implement additional safeguards. These requirements are documented in project-specific Data Processing Agreements.

For engagements involving minors, including students in K-12 settings, we do not contact participants directly. Ongoing engagement and the sharing of results are routed through the school, district, or institutional gatekeeper, which disseminates findings according to its own protocol. We design these engagements to operate within FERPA, the Children's Online Privacy Protection Act (COPPA), and applicable institutional research protocols. The terms of each such engagement are set out in the project-specific Minor Participants Privacy Policy and Data Processing Agreement.


2. Information We Collect

2.1 Information You Provide


  • Device and browser information

  • IP address and approximate location

  • Usage data and analytics

  • Cookies and similar technologies

  • Log files and timestamps

  • Authentication and access logs (including reviewer identity and timestamps where you access a survey through a secured review link)


2.2 Automatically Collected Information


  • Device and browser information

  • IP address (hashed for privacy, retained 90 days) and approximate location

    Usage data and analytics

  • Cookies and similar technologies

  • Log files and timestamps


2.3 Information from Third Parties


  • Social media profiles (if you connect accounts)

  • References from clients or partners

  • Publicly available information

  • Bank and account information through Plaid, for users of our financial management features (see Section 4.5)


2.4 Research Participant and Survey Data


When you participate in a survey we run, you contribute data that we treat as privileged. This is the heart of what our platform does, and we want to be specific about it.

Survey responses. Our surveys are conversational and often invite open-ended, narrative answers in your own words. We collect those responses as you provide them.

Demographic information. Some surveys ask about demographics, which can include race, ethnicity, gender identity, sexual orientation, disability, age, and similar characteristics. This information is sensitive (and is treated as "special category" or "sensitive" data under laws such as the GDPR and various US state privacy laws). We collect it only through a separate, explicit opt-in, and only where the research purpose requires it. You can participate without providing it.


Media.
Where a survey invites audio, video, or other media, we collect it only through a separate media consent.


Accounts of difficult experiences.
Some research addresses sensitive topics such as discrimination, violence, loss, illness, or structural disadvantage. Participation in these sections is always optional, content warnings are provided before sensitive material, and supportive resources are offered. We do not ask for exhaustive detail of traumatic events unless it is necessary for the research purpose.


Derived analytical data.
When we analyze responses, we generate structured information about each response, such as theme tags, sentiment classifications, quality indicators, and response-pattern profiles (which we call archetypes). These describe patterns in how someone answered a specific survey. They are not statements about who a person is, and they are produced by deterministic, rule-based logic rather than by AI. Section 3.4 explains this in more detail, including how profiling is handled.


Consent and contact preferences.
We record the layered consents you give and any opt-ins for ongoing engagement, so that we honor your choices over time. Section 3.3 describes our consent model.


2. Information We Collect

2.1 Information You Provide


  • Device and browser information

  • IP address and approximate location

  • Usage data and analytics

  • Cookies and similar technologies

  • Log files and timestamps

  • Authentication and access logs (including reviewer identity and timestamps where you access a survey through a secured review link)


2.2 Automatically Collected Information


  • Device and browser information

  • IP address (hashed for privacy, retained 90 days) and approximate location

    Usage data and analytics

  • Cookies and similar technologies

  • Log files and timestamps


2.3 Information from Third Parties


  • Social media profiles (if you connect accounts)

  • References from clients or partners

  • Publicly available information

  • Bank and account information through Plaid, for users of our financial management features (see Section 4.5)


2.4 Research Participant and Survey Data


When you participate in a survey we run, you contribute data that we treat as privileged. This is the heart of what our platform does, and we want to be specific about it.

Survey responses. Our surveys are conversational and often invite open-ended, narrative answers in your own words. We collect those responses as you provide them.

Demographic information. Some surveys ask about demographics, which can include race, ethnicity, gender identity, sexual orientation, disability, age, and similar characteristics. This information is sensitive (and is treated as "special category" or "sensitive" data under laws such as the GDPR and various US state privacy laws). We collect it only through a separate, explicit opt-in, and only where the research purpose requires it. You can participate without providing it.


Media. Where a survey invites audio, video, or other media, we collect it only through a separate media consent.


Accounts of difficult experiences. Some research addresses sensitive topics such as discrimination, violence, loss, illness, or structural disadvantage. Participation in these sections is always optional, content warnings are provided before sensitive material, and supportive resources are offered. We do not ask for exhaustive detail of traumatic events unless it is necessary for the research purpose.


Derived analytical data. When we analyze responses, we generate structured information about each response, such as theme tags, sentiment classifications, quality indicators, and response-pattern profiles (which we call archetypes). These describe patterns in how someone answered a specific survey. They are not statements about who a person is, and they are produced by deterministic, rule-based logic rather than by AI. Section 3.4 explains this in more detail, including how profiling is handled.


Consent and contact preferences. We record the layered consents you give and any opt-ins for ongoing engagement, so that we honor your choices over time. Section 3.3 describes our consent model.


3. How We Use Information

3.1 Purposes


  • Provide and improve our Services

  • Design surveys, collect responses, and analyze and report findings to the client who commissioned the research

  • Communicate about projects and services

  • Process payments and maintain records

  • Customize user experience

  • Analyze usage patterns and trends

  • Where consent permits, produce de-identified or aggregated case studies and develop our research methodology

  • Comply with legal obligations

  • Protect against fraud and security threats


3.2 Legal Basis


  • Consent (when you explicitly agree)

  • Contract (to fulfill our agreements)

  • Legitimate Interests (to operate effectively)

  • Legal Compliance (when required by law)


3.3 Our Consent Model for Research Participants


We use a layered consent model so that participation in one part of a survey never assumes consent to another. Each layer is explicit and is presented in plain language, not buried in fine print. The layers are:

  1. Participation: consent to take part in the survey.

  2. Story-sharing: consent for us to use your narrative responses.

  3. Demographics: a separate opt-in to provide demographic information.

  4. Media: a separate consent for any audio, video, or other media.

  5. Ongoing engagement: an optional opt-in to be contacted about future opportunities, such as newsletters, listening sessions, community membership, or future research.

You can decline any layer and still participate to the extent you choose, and you can withdraw a consent at any time. For engagements involving minors, consent and any ongoing contact are handled through the institution rather than directly with the participant (see Section 1).


3.4 Artificial Intelligence and Automated Processing


We are deliberate about where AI is and is not used, and we want this to be clear.

We do not use AI to interpret participant responses. The analysis of survey responses is fully deterministic and rule-based. No AI, large language model, or machine learning system processes participant responses to generate analytical outputs. We made this choice so that every analytical result can be reproduced, inspected, and disclosed, and so that the meaning of a participant's words stays with the participant rather than being re-interpreted by a model the participant cannot inspect.

Where we do use AI. We use AI tools as production infrastructure at specific stages that do not operate on participant responses:

  • To help generate survey instruments from project specifications gathered during scoping. This works from the client's project inputs, not from participant data.

  • To help draft narrative templates and report scaffolding. This works from structured, aggregated analytical outputs (such as theme counts and sentiment distributions), not from raw participant text. Raw text appears in a report only as direct quotes selected by the deterministic process, and a named human reviews and approves the content before it is delivered.

  • To help synthesize project briefs during scoping.


We do not train AI or machine learning models on client or participant data.

Profiling and human review. The response-pattern profiles described in Section 2.4 are a form of profiling. They are produced by transparent, rule-based scoring, and the analytical outputs are reviewed by a named human analyst before they become findings. We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. Where you have a right under applicable law to opt out of profiling, you may exercise it (see Section 5).

Disclosure. For each engagement, we publish a methodology disclosure aligned with the AAPOR Transparency Initiative standard, which describes how data was processed, including where AI tools were and were not used.


3. How We Use Information

3.1 Purposes


  • Provide and improve our Services

  • Design surveys, collect responses, and analyze and report findings to the client who commissioned the research

  • Communicate about projects and services

  • Process payments and maintain records

  • Customize user experience

  • Analyze usage patterns and trends

  • Where consent permits, produce de-identified or aggregated case studies and develop our research methodology

  • Comply with legal obligations

  • Protect against fraud and security threats


3.2 Legal Basis


  • Consent (when you explicitly agree)

  • Contract (to fulfill our agreements)

  • Legitimate Interests (to operate effectively)

  • Legal Compliance (when required by law)


3.3 Our Consent Model for Research Participants


We use a layered consent model so that participation in one part of a survey never assumes consent to another. Each layer is explicit and is presented in plain language, not buried in fine print. The layers are:

  1. Participation: consent to take part in the survey.

  2. Story-sharing: consent for us to use your narrative responses.

  3. Demographics: a separate opt-in to provide demographic information.

  4. Media: a separate consent for any audio, video, or other media.

  5. Ongoing engagement: an optional opt-in to be contacted about future opportunities, such as newsletters, listening sessions, community membership, or future research.

You can decline any layer and still participate to the extent you choose, and you can withdraw a consent at any time. For engagements involving minors, consent and any ongoing contact are handled through the institution rather than directly with the participant (see Section 1).


3.4 Artificial Intelligence and Automated Processing


We are deliberate about where AI is and is not used, and we want this to be clear.

We do not use AI to interpret participant responses. The analysis of survey responses is fully deterministic and rule-based. No AI, large language model, or machine learning system processes participant responses to generate analytical outputs. We made this choice so that every analytical result can be reproduced, inspected, and disclosed, and so that the meaning of a participant's words stays with the participant rather than being re-interpreted by a model the participant cannot inspect.

Where we do use AI. We use AI tools as production infrastructure at specific stages that do not operate on participant responses:

  • To help generate survey instruments from project specifications gathered during scoping. This works from the client's project inputs, not from participant data.

  • To help draft narrative templates and report scaffolding. This works from structured, aggregated analytical outputs (such as theme counts and sentiment distributions), not from raw participant text. Raw text appears in a report only as direct quotes selected by the deterministic process, and a named human reviews and approves the content before it is delivered.

  • To help synthesize project briefs during scoping.


We do not train AI or machine learning models on client or participant data.

Profiling and human review. The response-pattern profiles described in Section 2.4 are a form of profiling. They are produced by transparent, rule-based scoring, and the analytical outputs are reviewed by a named human analyst before they become findings. We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. Where you have a right under applicable law to opt out of profiling, you may exercise it (see Section 5).

Disclosure. For each engagement, we publish a methodology disclosure aligned with the AAPOR Transparency Initiative standard, which describes how data was processed, including where AI tools were and were not used.


4. Information Sharing


4.1 We may share information with:


  • The client who commissioned the research, who is usually the data controller for the engagement

  • Authorized practitioner partners, who receive access scoped to a specific engagement in order to perform analysis and interpretation, under confidentiality terms (access is per-engagement, not platform-wide)

  • Service providers (hosting, storage, authentication, analytics, payment processing, bank connectivity)

  • Professional advisors (legal, accounting, insurance)

  • Business partners (with your consent)

  • Law enforcement (when legally required)

  • Successors (in case of merger or acquisition)

  • Research participants themselves, where you have consented to receive findings (for minor and student engagements, this is routed through the institution)


4.2. Artificial Intelligence

We use AI tools to assist in survey generation, brief synthesis, and report drafting, as described in Section 3.4. We do not use AI to interpret participant responses, and we do not use client or participant data to train AI or machine learning models. Any AI processing is performed in accordance with our data minimization and purpose limitation principles.


4.3 We never:


  • Sell your personal information

  • Share data for unrelated marketing

  • Transfer data without appropriate safeguards


4.4. Payment Processing (Stripe)

We use Stripe, Inc. ("Stripe") to process all payments. When you submit payment through our billing portal or invoices:


What Stripe Collects Directly

  • Card number, expiration date, and security code (CVV)

  • Billing name and address

  • Email address for receipts

  • IP address and device fingerprint for fraud prevention

What We Receive from Stripe:

  • Last 4 digits of your card (for receipt reference)

  • Card brand (Visa, Mastercard, etc.)

  • Payment status (success or failure)

  • Transaction ID for record-keeping

Stripe's Compliance:

Stripe is certified as a PCI DSS Level 1 Service Provider, the highest level of certification in the payments industry. All card data is encrypted using 256-bit TLS and stored in Stripe's secure, PCI-compliant infrastructure. Your card information never touches our servers.

For information about how Stripe handles your data, see Stripe's Privacy Policy at stripe.com/privacy. To exercise data rights related to payment information, you may contact us or Stripe directly.

Payment Record Retention:

Transaction records are retained for 7 years in compliance with US tax and accounting requirements.


4.5 Financial Management Features (Plaid)


For account holders who use the financial management features within Warren, we use Plaid, Inc. to securely connect bank accounts for balance visibility and transaction import. These features are for our clients and account holders. They are not part of survey participation, and research participants are not asked to connect bank accounts. When you link a bank account:

What Plaid Collects Directly:

• Account credentials (during secure OAuth flow only)

• Account and routing numbers (for verification)

What We Receive from Plaid:

  • Account identifiers and institution name

  • Account type (checking, savings, etc.)

  • Account balances (refreshed periodically)

  • Transaction history (up to 24 months)

Important:

  • Bank access is READ-ONLY. We cannot move money, initiate payments, or make transfers.

  • You can disconnect your bank account at any time from your settings.

  • Transaction data is retained for 24 months on a rolling basis.

Plaid's Compliance:

Plaid is SOC 2 Type II and ISO 27001 certified. For information about how Plaid handles your data, see Plaid's Privacy Policy at plaid.com/legal.


4.6 Authentication, Hosting, and Storage Providers


To operate the platform securely, we rely on a small number of infrastructure providers who process data on our behalf as service providers under contract:

  • Authentication: We use Clerk to manage sign-in and to verify user roles and access permissions.

  • Hosting and storage: We use Vercel for application hosting and for storing uploaded media, response attachments, per-project configuration, and encrypted database backups. 

  • Database hosting: We use Railway to host the managed PostgreSQL databases. 

These providers process data only as needed to provide their services to us and are bound by their own security and privacy obligations. We maintain a current list of our material sub-processors and can provide it on request.


5. Your Rights & Data Security


Your Rights: 


You may:


  • Access your personal information

  • Correct or update your data

  • Delete your information (subject to legal requirements)

  • Opt out of marketing communications and withdraw any ongoing-engagement opt-in

  • Withdraw consent, including for any individual consent layer described in Section 3.3

  • Opt out of profiling, where your state or country law provides that right

  • Request a copy of your data in a portable, machine-readable format

  • Lodge complaints with supervisory authorities

Where we process your data as a processor on behalf of a client, we will direct certain requests to that client (the controller) or act on the client's instructions, and we will let you know when we do.

To exercise these rights, contact: privacy@nesolagus.com

Data Security:


We use encryption and industry-standard measures to protect data, including:

  • Encryption in transit and at rest

  • Access controls and authentication, including per-engagement scoping of partner access

  • Separation of systems across the platform to limit the impact of any single incident

  • Regular security assessments

  • Incident response procedures

  • Employee training

  • PCI DSS compliance for payment processing (via Stripe)


A Note on Certifications and Verification

No system is 100% secure. You share information at your own risk. Nesolagus does not hold SOC 2, ISO, or other formal compliance certifications. We describe the practices we follow above. Some of the specific operational claims we make (for example, data center location, particular encryption standards, and de-identification methods) are subject to ongoing internal verification, and we will update this Policy as that verification is completed. We do not claim certifications we do not hold.


Breach Notification

In the event of a security incident affecting your personal information, we will notify affected individuals and relevant authorities within 72 hours of confirming the breach, or as otherwise required by applicable law.

Data Portability

You may request a copy of your data in a portable, machine-readable format (such as CSV or JSON).


5. Your Rights & Data Security


Your Rights: 


You may:


  • Access your personal information

  • Correct or update your data

  • Delete your information (subject to legal requirements)

  • Opt out of marketing communications and withdraw any ongoing-engagement opt-in

  • Withdraw consent, including for any individual consent layer described in Section 3.3

  • Opt out of profiling, where your state or country law provides that right

  • Request a copy of your data in a portable, machine-readable format

  • Lodge complaints with supervisory authorities

Where we process your data as a processor on behalf of a client, we will direct certain requests to that client (the controller) or act on the client's instructions, and we will let you know when we do.

To exercise these rights, contact: privacy@nesolagus.com

Data Security:


We use encryption and industry-standard measures to protect data, including:

  • Encryption in transit and at rest

  • Access controls and authentication, including per-engagement scoping of partner access

  • Separation of systems across the platform to limit the impact of any single incident

  • Regular security assessments

  • Incident response procedures

  • Employee training

  • PCI DSS compliance for payment processing (via Stripe)


A Note on Certifications and Verification

No system is 100% secure. You share information at your own risk. Nesolagus does not hold SOC 2, ISO, or other formal compliance certifications. We describe the practices we follow above. Some of the specific operational claims we make (for example, data center location, particular encryption standards, and de-identification methods) are subject to ongoing internal verification, and we will update this Policy as that verification is completed. We do not claim certifications we do not hold.


Breach Notification

In the event of a security incident affecting your personal information, we will notify affected individuals and relevant authorities within 72 hours of confirming the breach, or as otherwise required by applicable law.

Data Portability

You may request a copy of your data in a portable, machine-readable format (such as CSV or JSON).


6. Data Retention & Internal Transfers

Data Retention:


  • Client project data is retained only for the duration of the engagement, unless otherwise agreed in writing.

  • Standard retention for project-specific data is 90 days after project completion, after which data is securely deleted or de-identified.

  • We may retain de-identified or aggregated data, and (where the original consent permits, or where we obtain fresh consent) identifiable engagement data, in order to produce case studies and to develop our research methodology. Re-analysis of completed engagements stays within the scope of the consent originally given.

  • For participants who opted in to ongoing engagement (Section 3.3, layer 5), we retain the contact information and engagement preferences needed to honor that opt-in until you withdraw it.

  • Some business records may be retained for up to 7 years for legal or accounting purposes.

  • Bank transaction data (via Plaid): 24 months rolling, then deleted.

  • IP addresses

A Note on Indigenous and Community Data Sovereignty


For engagements that center an Indigenous community, data governance follows that community's authority over its own data, consistent with recognized data sovereignty principles. We will not undertake such an engagement without genuine partnership with the specific community, the community's protocols governing the work, and the community's authority over data, analysis, and dissemination. Where we cannot meet those standards, we decline the work rather than proceed.


International Data Transfers:


We operate in the United States. By using our Services, you consent to data processing in the U.S. We use appropriate safeguards for international transfers when applicable.


7. Terms of Use

Acceptance 


By accessing or using our Services, you agree to these Terms. If you do not agree, do not use our Services.


Eligibility


Services are for individuals aged 18+ unless otherwise specified in a separate policy.


Use of Services


Permitted Use:


  • Browse our site and portfolio

  • Contact us for projects

  • Participate in surveys and forms

  • Engage with our research and creative services


Prohibited Conduct:

  • Providing false or misleading information

  • Violating laws or regulations

  • Infringing on intellectual property

  • Uploading malicious code or viruses

  • Unauthorized access attempts

  • Scraping or redistributing content without permission

  • Impersonating others

  • Submitting unlawful or infringing content in surveys

  • Interfering with or disrupting Services


Intellectual Property


All Nesolagus content is protected. You own the content you submit (such as your survey responses, testimonials, and media), and you grant us a non-exclusive license to use it to deliver our Services and, where you have consented, for case studies and methodology development.

The Warren platform and methodology are solely owned and operated by Nesolagus, LLC. This includes the platform applications, the analytical methods and frameworks, and the analytical artifacts that the platform produces from responses (such as theme tags, sentiment classifications, quality scores, and archetype definitions and assignments). Clients receive deliverables that are products of the platform (instruments, reports, analyses, and disclosures), but the platform and its underlying intellectual property are not transferred through any engagement. Where a practitioner partner contributes named analytical work to an engagement, that contribution is attributed to them, but attribution does not transfer platform intellectual property in either direction. Detailed intellectual property and licensing terms for a given engagement are set out in the applicable engagement contract or Master Services Agreement, which controls in the event of any conflict with this summary.

Client Work


Portfolio and case study examples may include client projects, subject to the applicable agreements and consents.


Disclaimers


Services are provided "as is" without warranties. We do not guarantee specific business or project outcomes.


Limitation of Liability


We are not liable for indirect, incidental, or consequential damages.


Indemnification


You agree to indemnify Nesolagus from claims arising from your use of our Services.


Governing Law


Connecticut law applies. Disputes will be resolved in Hartford County via negotiation, mediation, or arbitration.


Severability & Entire Agreement


If any term is invalid, the rest remain in effect. This Policy and these Terms are the full agreement, except where a signed engagement contract, Data Processing Agreement, or Master Services Agreement applies, in which case that document controls for the relevant engagement.


7. Terms of Use

Acceptance 


By accessing or using our Services, you agree to these Terms. If you do not agree, do not use our Services.


Eligibility


Services are for individuals aged 18+ unless otherwise specified in a separate policy.


Use of Services


Permitted Use:


  • Browse our site and portfolio

  • Contact us for projects

  • Participate in surveys and forms

  • Engage with our research and creative services


Prohibited Conduct:

  • Providing false or misleading information

  • Violating laws or regulations

  • Infringing on intellectual property

  • Uploading malicious code or viruses

  • Unauthorized access attempts

  • Scraping or redistributing content without permission

  • Impersonating others

  • Submitting unlawful or infringing content in surveys

  • Interfering with or disrupting Services


Intellectual Property


All Nesolagus content is protected. You own the content you submit (such as your survey responses, testimonials, and media), and you grant us a non-exclusive license to use it to deliver our Services and, where you have consented, for case studies and methodology development.

The Warren platform and methodology are solely owned and operated by Nesolagus, LLC. This includes the platform applications, the analytical methods and frameworks, and the analytical artifacts that the platform produces from responses (such as theme tags, sentiment classifications, quality scores, and archetype definitions and assignments). Clients receive deliverables that are products of the platform (instruments, reports, analyses, and disclosures), but the platform and its underlying intellectual property are not transferred through any engagement. Where a practitioner partner contributes named analytical work to an engagement, that contribution is attributed to them, but attribution does not transfer platform intellectual property in either direction. Detailed intellectual property and licensing terms for a given engagement are set out in the applicable engagement contract or Master Services Agreement, which controls in the event of any conflict with this summary.

Client Work


Portfolio and case study examples may include client projects, subject to the applicable agreements and consents.


Disclaimers


Services are provided "as is" without warranties. We do not guarantee specific business or project outcomes.


Limitation of Liability


We are not liable for indirect, incidental, or consequential damages.


Indemnification


You agree to indemnify Nesolagus from claims arising from your use of our Services.


Governing Law


Connecticut law applies. Disputes will be resolved in Hartford County via negotiation, mediation, or arbitration.


Severability & Entire Agreement


If any term is invalid, the rest remain in effect. This Policy and these Terms are the full agreement, except where a signed engagement contract, Data Processing Agreement, or Master Services Agreement applies, in which case that document controls for the relevant engagement.


8. State-specific Rights & Contact

State-Specific Rights


Residents of California, Connecticut, Colorado, Virginia, and other states with privacy laws have additional rights, including the right to access, correct, delete, and obtain a copy of their personal data, and, in several states, the right to opt out of profiling and the right to have sensitive data processed only with opt-in consent. We do not sell personal data.


Contact


  • For Privacy Questions: privacy@nesolagus.com

  • For Terms of Use Questions: privacy@nesolagus.com

  • For General Inquiries: hello@nesolagus.com

  • Accessibility: This Policy is available in alternative formats upon request.


8. State-specific Rights & Contact

State-Specific Rights


Residents of California, Connecticut, Colorado, Virginia, and other states with privacy laws have additional rights, including the right to access, correct, delete, and obtain a copy of their personal data, and, in several states, the right to opt out of profiling and the right to have sensitive data processed only with opt-in consent. We do not sell personal data.


Contact


  • For Privacy Questions: privacy@nesolagus.com

  • For Terms of Use Questions: privacy@nesolagus.com

  • For General Inquiries: hello@nesolagus.com

  • Accessibility: This Policy is available in alternative formats upon request.