Privacy Policy

1. Who we are

Nomi is operated under the trading name “Nomi”. We are the data controller for the personal information described in this policy. As the Service grows we expect to incorporate a legal entity; if and when that happens we will update this section with the entity name and registered address.

You can reach us at [email protected] for any question about this policy or your personal information.

2. What we collect

We only collect what we need to provide the Service. The categories below describe what we hold; the next section explains why.

Account identifiers

Your authentication provider ID (from Sign in with Apple or Sign in with Google), email address, display name, time zone, and language preference.

Profile preferences

Settings you configure in the app, including notification cadence and how you organize the people in your network.

Audio recordings

Voice recordings you choose to create in the app. We send them to a speech-to-text service to produce a written transcript, and we keep both the recording and the transcript so you can review them later.

Photos and images

Photos you take or upload through the app — for example to scan a business card or attach a profile picture to a person in your network.

Text notes you write

Notes, observations, and summaries you record about people, meetings, or events.

Contacts you provide or import

Name, email, phone number, and any other fields you add for the people in your network — whether you enter them manually, import them from your device contacts (with your permission), or sync them through Google Contacts.

Calendar events you connect

If you connect your Google Calendar, we read the title, time, location, description, and attendee names and email addresses of your events so we can show them in the app and prepare context for you.

AI-inferred information

Summaries, observations, suggestions, and other information that our AI generates from the content above. AI-generated information may be incorrect — you can review, edit, or delete it at any time.

Technical and diagnostic data

Push notification tokens, crash reports, error traces, request logs, and basic performance metrics. We collect these so the app keeps working; they are not used for advertising or profiling.

3. How we use it

We use your information for a small, defined set of purposes:

• App functionality. To authenticate you, store the content you create, and make the Service’s features work.
• Account management. To maintain your account, deliver transactional emails, and respond to your support requests.
• Personalization. To tailor the content the Service surfaces to you based on the information you have provided.
• Developer communications. To send infrequent product or policy updates that materially affect you.
• Analytics (crash & error only). To monitor crashes and errors so we can fix bugs. We do not use third-party marketing analytics.
• Fraud prevention, security, and legal compliance. To protect the Service, our users, and to meet legal obligations.

We do not sell or share your personal information for cross-context behavioural advertising. We do not display third-party ads in the app. We do not engage marketing analytics providers. We do not use App Tracking Transparency identifiers and we do not collect the IDFA.

4. When you connect Google services

If you sign in with Google, or connect Google Calendar or Google Contacts, Google will ask you to grant Nomi access to specific data through OAuth. We only request the scopes listed below, only use the data for the purpose described, and you can revoke access at any time from your Google Account settings or from the integrations screen in the Nomi app.

Basic profile

openid, email, profile Used to identify your account, attach your email to it, and show your name and photo in the app.

Google Calendar

https://www.googleapis.com/auth/calendar.readonly Used to read your upcoming events so we can show them in the app and prepare context for you ahead of each event. Read-only — we never write to, modify, or delete events.

Google Contacts

https://www.googleapis.com/auth/contacts.readonly Used to recognize the people in your network so when an attendee appears in an upcoming event we can match them to someone you already know, rather than asking you to retype the same person twice. Read-only — we never write to, modify, or delete contacts.

Nomi’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Service providers we rely on

We use a small set of vendors (“sub-processors”) to operate the Service. Each one only receives the data necessary for its specific function and is contractually required to handle it on our instructions.

Google Cloud Platform — infrastructure

Hosts the Service (Cloud Run, Cloud SQL, Cloud Storage, Secret Manager, Cloud Tasks). All your account data and content are stored in Google Cloud’s us-central1 region. Data Processing Addendum.

Google Vertex AI (Gemini models) — AI processing

Performs the AI analysis on content you provide — generating summaries, observations, and suggestions. Under Google’s Cloud terms, Vertex AI customer data is not used to train Google’s foundation models. Vertex AI terms.

Google Cloud Speech-to-Text — audio transcription

Transcribes the audio recordings you create. Audio is processed at Google’s US multi-region endpoint and the transcript is returned to us. Speech-to-Text terms.

Firebase Authentication — identity

Manages your sign-in via Sign in with Apple or Sign in with Google, including session tokens. Firebase privacy.

Firebase Cloud Messaging & Apple Push Notification service — push delivery

Firebase Cloud Messaging (FCM) delivers notifications on Android; Apple Push Notification service (APNs) delivers them on iOS. We pass the notification content to the platform; the platform delivers it to your device.

Sentry — crash and error monitoring

Receives crash reports and error traces from the app and the backend so we can find and fix problems. Sampled at 10% of traces in production. Sentry privacy.

6. Where your data lives

Your account data and content are stored primarily in the United States, in Google Cloud’s us-central1 region. Some AI processing happens at Google’s global Gemini endpoint, and audio transcription happens at Google’s US multi-region Speech-to-Text endpoint.

If you use the Service from outside the United States, your personal information is transferred to and processed in the US. For users in the European Economic Area, the United Kingdom, and Switzerland, this international transfer relies on Google Cloud’s Standard Contractual Clauses and equivalent safeguards as described in our processors’ data-processing addenda.

7. How long we keep it

• Active accounts. We keep your data for as long as your account is active.
• Account deletion. When you delete your account, we soft-delete it immediately and keep it recoverable for a 30-day grace period in case you change your mind. After 30 days we permanently remove your content.
• Backups. Backups may persist for up to 35 days before being overwritten.
• Operational logs. Request and error logs are typically retained for up to 30 days.
• Crash & error reports. Stored by Sentry according to their default retention.
• Legal holds. We may retain specific records longer where required by law.

8. Security

We use TLS to encrypt all data in transit between your device and our servers. Data at rest is encrypted using our cloud provider’s managed encryption (Cloud SQL, Cloud Storage, and Secret Manager). Access to production systems is restricted via Google Cloud IAM and the principle of least privilege.

For transparency: Nomi does not provide end-to-end encryption. Because the Service performs AI processing on your content on our behalf, our servers are able to read your content while it is being processed and stored.

9. Your rights

You have the following rights over your personal information, regardless of where you live:

• Access. Ask us what personal information we hold about you.
• Correction. Ask us to correct information that is inaccurate.
• Deletion. Delete your account from Settings → Privacy & Data in the app, or email us at [email protected] if you no longer have the app installed. Deletion is final after the 30-day grace period.
• Export. Email [email protected] and we will send you a copy of your data within 30 days, at no charge.
• Objection & restriction. Ask us to stop or limit certain processing.
• Withdraw consent. Disconnect Google integrations from the app at any time, or revoke them in your Google Account.

We respond to verified requests within 30 days. We will not charge you or restrict the Service for exercising any of these rights.

10. EU / UK GDPR rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK GDPR / Swiss FADP) applies to your personal information and gives you the rights described above plus the right to data portability.

Our legal bases for processing are:

• Performance of a contract — for the core functionality of providing the Service to you after you create an account.
• Your consent — for connecting Google Calendar or Google Contacts, accessing your device microphone, camera, photos, or contacts, and for receiving push notifications. You may withdraw consent at any time.
• Legitimate interests — for security, fraud prevention, crash diagnostics, and to improve reliability, balanced against your rights and freedoms.
• Legal obligation — where we must process or retain certain data to comply with applicable law.

You have the right to lodge a complaint with the supervisory authority in your country (for example the Information Commissioner’s Office in the UK, the CNIL in France, the Garante in Italy, the Datenschutzbehörde in Austria) if you believe our handling of your personal information does not comply with the law. International transfers to the United States rely on Google Cloud’s Standard Contractual Clauses.

11. California CCPA rights

If you are a California resident, the California Consumer Privacy Act (CCPA, as amended by the CPRA) gives you additional rights over the personal information we collect.

In the last 12 months we have collected the following CCPA categories: identifiers; customer records (name, email); internet or other electronic network activity (technical/diagnostic data); geolocation information (limited to time-zone level only — we do not collect precise GPS location); audio, electronic, visual, or similar information (the audio and photos you choose to upload); and inferences (AI-generated observations).

We do not sell or share your personal information. We have not sold or shared your personal information for cross-context behavioural advertising in the last 12 months and we will not do so in the future without an updated notice and your explicit opt-in.

You have the right to know what personal information we collect, to delete it, to correct it, and to be free from discrimination for exercising these rights. To make a request, email [email protected]. Authorized agents may submit a request on your behalf with proof of authorization.

12. Children

Nomi is not directed to children under 13 (or under 16 where local law sets that as the digital-consent age). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please email [email protected] and we will delete it.

13. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email (if you have an account) or through an in-app notice before the change takes effect. The “Effective” date at the top of this page always shows the current version. Continued use of the Service after a material change means you accept the updated policy.