Privacy Policy

1. Information We Collect

Information You Provide

• Account information: email address and authentication data. Authentication is handled by our third-party provider, Clerk. We do not store passwords. If you sign in with Google or Apple, we receive your email address and basic profile information from those providers.
• Payment information: your payment information is submitted directly to Stripe and is not stored on our servers. We retain Stripe identifiers necessary to manage your subscription.
• Support bundles (optional, user-initiated): device identifier, app version, app logs, system logs, and diagnostic information. Submitted only when you choose to send a support request from within the app.

Information Generated Through Use

• Device information: a device UUID and authentication token, generated when you link a device to your account.
• Pairing data: a pairing token, six-digit pairing code, and pairing status. Pairing requests expire after 10 minutes.
• Rate limiting: timestamps of pairing attempts and support bundle submissions to prevent abuse.
• Approximate location: your device's timezone, derived from its IP address when it connects to our servers. Used to display local time on the device.
• Usage analytics: aggregated, non-identifying information about how you interact with our website, such as pages visited and general device and browser characteristics. Collected by our hosting provider and used to improve the service.

Cookies and Similar Technologies

Our authentication provider (Clerk) sets cookies strictly necessary for keeping you signed in. Our website analytics do not use cookies. We do not use advertising or cross-site tracking cookies.

2. How We Use Your Information

• Account management and authentication
• Device licensing and subscription verification
• Payment processing via Stripe
• Troubleshooting support issues (when you submit a support bundle)
• Security measures including rate limiting and abuse detection
• Analyzing aggregate usage patterns to improve the service

3. How We Store and Protect Your Information

We implement commercially reasonable security measures to protect your information, including:

• Authentication is handled by Clerk, a dedicated identity provider
• Data is encrypted in transit using TLS
• Device authentication uses secure, randomly generated tokens
• Payment processing is handled entirely by Stripe
• No security measure is 100% effective, and we cannot guarantee absolute security

4. Data Retention

• Account data: retained for the life of your account and deleted upon account deletion
• Device links: retained until you unlink the device or delete your account
• Pairing requests: expire and are removed promptly
• Rate limiting records: rate limiting for authentication is handled by Clerk. Pairing attempt records are retained briefly for rate-limiting purposes, then deleted.
• Support bundles: retained only as long as reasonably needed to resolve your issue, then deleted, unless retention is required for legal or regulatory purposes
• Subscription data: retained for the life of your account, then deleted. Stripe retains its own records per its privacy policy.

Deletion of data may not be immediate — residual copies may persist in backups or logs for a limited period before being overwritten in the normal course of operations. We may also retain data as required by law or as necessary to protect our legitimate interests.

5. Data Sharing

We may share your information with the following categories of parties:

• Authentication provider: we use Clerk for authentication and user management, which processes your email address, authentication credentials, and sign-in activity
• Payment processors: we use Stripe for payment processing, which receives your email address and payment information
• Infrastructure providers: we use Convex, Vercel, and Cloudflare to host and operate the service
• Font provider: we load fonts from Google Fonts, which may receive your IP address when pages are loaded
• Law enforcement: if required by law, subpoena, or other legal process

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the data we hold about you
• Correction: request correction of inaccurate data
• Deletion: request deletion of your account and associated data

To exercise any of these rights, contact hyperborea@nettarion.com.

EU/EEA/UK Residents (GDPR)

• Legal basis for processing: contract performance (account management and licensing), legitimate interest (security, abuse prevention, and service improvement), and consent (support bundle submission)
• Right to object to processing based on legitimate interest
• Right to data portability — request your data in a machine-readable format
• Right to lodge a complaint with your supervisory authority
• Right to withdraw consent at any time for processing based on consent

California Residents

• We do not sell or share your personal information as defined under the California Consumer Privacy Act
• We do not currently respond to Do Not Track or Global Privacy Control browser signals
• You will not be discriminated against for exercising your privacy rights

7. International Data Transfers

The service is operated in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. For EU/EEA/UK residents, we rely on the European Commission’s Standard Contractual Clauses (Module Two) as the legal mechanism for international data transfers. Our data processor’s Data Processing Agreement incorporates these clauses pursuant to Commission Implementing Decision (EU) 2021/914.

8. Children’s Privacy

We do not knowingly collect personal information from children under the age of 16. If we discover that we have collected information from a child under 16, we will delete it promptly.

9. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by updating the date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this privacy policy or wish to exercise your data rights, contact us at hyperborea@nettarion.com.