Privacy Policy
Nomabase, Inc. ("Nomabase," "we," "our," or "us") operates the Nomabase platform at nomabase.io. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our services.
1. Who this policy applies to
This policy applies to visitors to nomabase.io, users who create an account, and business customers ("tenants") who connect their tools and use the Nomabase platform to manage their business presence.
If you are a Nomabase customer's end customer whose data appears in our system (for example, a person whose appointment or review data is processed on behalf of a Nomabase tenant), the relevant tenant's privacy policy governs that relationship. Contact us at legal@nomabase.io if you have questions.
2. Data we collect
Account and contact data
When you create an account, we collect your name, email address, and business name. You may optionally provide a phone number and billing address.
Business data you connect
The core purpose of Nomabase is to connect the tools your business already uses and surface patterns across them. When you authorize an integration, we receive and store data from that service: appointment records, payment summaries, customer contact information, review content, social post history, and similar operational records. You control which integrations are active; we only access data from services you have explicitly connected.
Usage and session data
We collect standard web server logs (IP addresses, browser type, referring URLs, pages visited, timestamps) and use cookies to maintain your session. We use PostHog for internal product analytics.
Inbound communications
If you contact us by email or through a form, we retain that correspondence. If you use Slack to connect with us or with your Nomabase session, messages are processed through our Slack integration.
3. How we use your data
- Delivering the service: Operating the platform, running AI agent sessions on your behalf, publishing your website, managing your Google Business Profile, responding to reviews, and executing other actions you authorize.
- Improving the platform: Analyzing aggregate usage patterns, debugging errors, measuring feature performance. We do not use your business data to train our own AI models.
- Billing and account management: Processing subscription payments through Stripe, sending invoices, and managing your account lifecycle.
- Security and fraud prevention: Monitoring for abuse, enforcing rate limits, and investigating security incidents.
- Legal compliance: Responding to lawful requests from authorities and fulfilling our obligations under applicable law.
We do not sell your personal data to third parties. We do not use your data for cross-customer advertising.
4. Subprocessors
We share data with third-party subprocessors to operate the platform. All subprocessors are subject to contractual data processing terms. A full list is available at /legal/subprocessors.
Key subprocessors include Anthropic (AI inference), Supabase (database), Vercel (hosting), Cloudflare (infrastructure), and Stripe (billing). Tenant-elected integrations like Google, QuickBooks, and Calendly are only activated when you explicitly connect them.
5. Data subject rights
If you are located in the European Economic Area, United Kingdom, or California, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Receive your data in a structured, machine-readable format. Nomabase provides a data export API for account holders.
- Restriction: Ask us to restrict processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, email legal@nomabase.io with the subject line "Data Subject Request." We will respond within 30 days. For access and export requests, you can also use the data export feature in your account settings.
6. Data retention
We retain your account data for as long as your account is active and for up to 90 days after account deletion to allow for recovery. Certain records may be retained longer if required by law (for example, financial records subject to statutory retention periods).
Business data from connected integrations (appointments, reviews, financial summaries) is retained for the duration of the subscription and purged within 30 days of account deletion.
Server logs are retained for 90 days. Anonymized aggregate analytics data may be retained indefinitely.
7. International data transfers
Nomabase is incorporated in the United States. Our primary infrastructure (Supabase, Vercel) is US-based. If you are located outside the United States, your data may be transferred to and processed in the United States.
For customers in the EEA or UK, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international transfers. Customers requiring a Data Processing Agreement (DPA) covering transfers and Art. 28 obligations should contact legal@nomabase.io.
8. Security
We implement industry-standard security controls: TLS in transit, encryption at rest (Supabase pgsodium for sensitive credential fields), RBAC within the platform, rate limiting on all public APIs, and structured secrets management.
To report a security vulnerability, email security@nomabase.io. We do not currently have a formal bug bounty program.
9. Cookies
We use strictly necessary cookies for authentication (Supabase session cookie, httpOnly). We do not use advertising cookies or tracking pixels on the platform. Our public landing page uses PostHog analytics cookies for internal product metrics; these are first-party cookies.
10. Children's privacy
The Nomabase platform is not directed to children under 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact legal@nomabase.io.
11. Changes to this policy
We may update this policy as the platform evolves. Material changes will be communicated by email to account holders at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Nomabase, Inc.
legal@nomabase.io