Legal

Privacy Policy

Effective 2026-04-21

Summary

CUST/OS is designed to run entirely on the operator's device. Out of the box, the plugin collects no personal information, sends no telemetry, and transmits no data off the device. This policy explains what data the plugin handles, where it lives, and what changes when the operator configures optional third-party inference providers. It also describes the limited, privacy-preserving analytics used on this marketing website.

Who we are

CUST/OS is built by NimbusXR, a veteran-owned small business. Questions or requests under this policy can be sent to legal@nimbusxr.us.

Data the plugin handles

All of the data below is stored locally on the device running the CUST/OS plugin. Nothing in this list is transmitted to NimbusXR or any third party by default.

  • Conversation history. Chat messages between the operator and the agent. Stored in a local SQLite database. Wiped on uninstall.
  • Audit log. Records of tool calls, approvals, model calls, delegations, and security events. Stored in an immutable local SQLite table; the operator can export it for after-action review.
  • Persistent memory and vector store. Facts the operator explicitly asks the agent to remember, and embeddings used for skill selection. Stored locally, wiped on uninstall.
  • API keys for third-party providers. If the operator configures a cloud inference provider (OpenAI, Anthropic, etc.), the key is stored in Android EncryptedSharedPreferences, backed by the Android Keystore. Keys never appear in configuration files and are not readable by Lua skills.
  • Operator identity. Callsign and operator profile as configured by the operator within the plugin. Stored locally.

Microphone, audio, and voice

When the operator uses push-to-talk, microphone audio is processed locally by an on-device speech-to-text component. The audio does not leave the device. Transcripts flow into the same conversation history described above.

Location data

CUST/OS reads the operator's ATAK self-marker so the agent can reason about the operator's position when the operator asks. Location data never leaves the device unless the operator explicitly sends it to a third-party provider they have configured (see next section).

Third-party inference providers

If the operator configures CUST/OS to use an external inference provider — for example a cloud LLM, a remote embedding service, or a delegated command-post node — then prompt content routed to that provider (which may include operator messages, context summaries, and relevant tactical data) is sent over the network to that provider.

The operator is solely responsible for choosing which providers to configure and for understanding each provider's own privacy practices. CUST/OS does not endorse, operate, or receive a copy of any data sent to third-party providers. The runtime enforces classification boundaries configured by the operator to help prevent unauthorized providers from receiving classified context, but the operator remains responsible for their own classification configuration.

Data we do not collect (plugin)

  • The CUST/OS plugin reports no analytics or telemetry to NimbusXR.
  • No crash reports or usage data is transmitted unless the operator explicitly enables a third-party provider that collects such data.
  • No advertising identifiers are read or shared.

This website

This marketing website (custos.nimbusxr.us) uses Plausible Analytics to measure aggregate traffic — page views, referrers, city-level geography, browser/OS shares, and outbound link clicks. Plausible is cookieless, does not use localStorage, does not fingerprint visitors, and does not track individuals across sessions or sites. IP addresses are processed transiently to derive geography and are never stored. No personal data is collected, stored, shared, or sold. This analytics is used on the website only; it is not present in the ATAK plugin.

If you use the Quick Install page at custos.nimbusxr.us/install, your browser downloads the starter-kit tarball directly from GitHub (github.com). GitHub receives your IP address per its standard request logging — NimbusXR does not. The one-click installer also requests access to the USB device you select; this runs entirely between your browser and your phone and sends no data to any server.

Data retention and deletion

All plugin-generated data described above lives on the operator's device for as long as the plugin is installed. Uninstalling the plugin removes the local database, audit log, vector store, and persistent memory. The operator may also clear specific items from within the app.

Children

CUST/OS is intended for professional use by tactical operators and is not directed at children under 13.

Changes to this policy

We may update this policy to reflect changes in the plugin or in applicable law. The effective date above indicates when the current version took effect.

Contact

Questions, requests to exercise rights under applicable privacy law, or any other inquiries can be sent to legal@nimbusxr.us.