1. Scope and Priority

This policy applies to all users, visitors, customers, and business contacts interacting with the Services. If another agreement or region-specific notice conflicts with this policy, the more specific legal document controls only for that specific matter.

2. Data Controller and Contact

The data controller for most processing activities is the Company operating Nostify. For legal inquiries, rights requests, or authorized-agent requests, submit your request through Support. We may require identity verification before taking action.

3. Categories of Data We Collect

• Account data: name, username, email, password hash, profile preferences, and account identifiers.
• User content: files, photos, prompts, inputs, outputs, metadata, and project data you upload or generate.
• Transaction data: plan status, receipt metadata, renewal status, and billing events provided by app stores or payment partners.
• Technical data: IP address, device identifiers, operating system, browser/app version, language, crash logs, diagnostics, and timestamps.
• Usage data: features used, session events, clickstream activity, performance signals, and fraud/security signals.
• Communications: support tickets, survey responses, feedback, and correspondence records.
• Cookies and similar technologies: analytics, preference, and security identifiers as described below.

4. Sources of Data

We collect data directly from you, automatically from your device and use of the Services, from app stores/payment processors, from integrated third-party tools you connect, and from anti-fraud/security vendors.

5. Purposes of Processing

• Provide, maintain, secure, and improve the Services.
• Authenticate users, prevent abuse, detect fraud, and enforce legal terms.
• Process purchases, subscriptions, entitlements, and account administration.
• Respond to support requests, legal notices, and operational communications.
• Perform analytics, product research, debugging, and quality assurance.
• Comply with legal obligations, court orders, and lawful government requests.
• Protect rights, safety, property, and platform integrity.

6. Legal Bases (Where Applicable)

Depending on your jurisdiction, we process personal data based on one or more of these legal bases: performance of a contract, legitimate interests, legal obligation, consent, and establishment/exercise/defense of legal claims. Where consent is required, you may withdraw it at any time, but withdrawal does not affect prior lawful processing.

7. Sharing and Disclosure

We do not sell personal data for money. We may disclose information to service providers, hosting and analytics partners, payment/app-store providers, affiliates, professional advisers, auditors, acquirers in mergers or restructurings, and authorities when legally required or to protect rights and safety. We may also disclose de-identified or aggregated information that does not reasonably identify individuals.

8. International Transfers

Data may be processed and stored in countries other than your own, including countries with different privacy protections. Where required, we use recognized transfer mechanisms (for example, contractual safeguards) and technical/organizational controls.

9. Data Retention

We retain data for as long as reasonably necessary for business, contractual, security, audit, and legal purposes. Retention periods vary by data type, risk profile, and legal requirements. We may retain limited records after deletion requests when required for fraud prevention, dispute resolution, compliance, backups, or legal defense.

10. Security

We implement administrative, technical, and physical safeguards designed to protect information. However, no method of transmission, storage, or security control is guaranteed to be 100% secure. You are responsible for maintaining credential confidentiality and endpoint security.

11. Your Rights and Choices

• Access, correction, deletion, and portability rights (subject to law and verification).
• Objection or restriction rights for certain processing activities.
• Withdrawal of consent where processing is consent-based.
• Appeal rights where available under local law.
• Marketing communication opt-out via in-message controls or account settings.

We may decline, limit, or defer requests where permitted by law, including where requests are excessive, technically infeasible, conflict with others' rights, compromise security, or are necessary for legal compliance.

12. Region-Specific Notices

• EEA/UK/Switzerland: You may lodge a complaint with your local data protection authority.
• California: You may have rights to know, delete, correct, and opt out of certain sharing/targeted advertising activities.
• Other U.S. states: We honor applicable state privacy rights subject to verification and statutory exceptions.
• Nevada: Residents may have limited opt-out rights regarding certain data sale definitions under Nevada law.

13. Cookies, Analytics, and Tracking

We and our partners may use cookies, SDKs, pixels, and local storage for authentication, fraud prevention, analytics, product measurement, and service reliability. Browser/device settings may allow you to limit tracking technologies, but some functionality may be degraded. We do not guarantee response to all "Do Not Track" signals.

14. Children and Age Restrictions

The Services are not directed to children under the minimum age permitted by applicable law. If you believe a child provided personal data without proper authorization, contact us via Support. We may remove data and suspend related accounts.

15. Third-Party Services and External Content

The Services may link to or integrate third-party websites, tools, or APIs that we do not control. Their privacy practices are governed by their own policies. We are not responsible for third-party security, availability, or compliance practices.

16. Policy Updates

We may revise this policy at any time. Updated versions are effective when posted unless otherwise required by law. Your continued use of the Services after updates constitutes acknowledgment of the revised policy.

17. Privacy Liability Disclaimer

To the maximum extent permitted by law, the Services are provided on an "as is" and "as available" basis. We disclaim all implied warranties, including merchantability, fitness for a particular purpose, non-infringement, uninterrupted service, and error-free operation. We are not liable for indirect, incidental, consequential, exemplary, special, punitive, or lost-profit damages related to privacy or security incidents, including unauthorized access, interception, deletion, corruption, or disclosure of data caused by third parties, force majeure events, telecommunications failures, or user-side misconfiguration.

18. Contact

For privacy requests, legal notices, or data-rights submissions, contact us through Support. Include sufficient detail so we can locate and verify your request.