Privacy Policy

We care about your privacy. Learn how we collect, use, and protect your data.

Last updated: March 4, 2026

1. Introduction

nuph.ai is an AI-powered LinkedIn outreach platform operated by Nuph Technologies S.L., a company registered in Barcelona, Spain. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, platform, browser extension, and related services (collectively, the "Service").

This policy applies to all users of nuph.ai, including registered account holders, website visitors, and individuals whose data may be processed through the Service at the direction of our users. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

If you do not agree with the practices described in this policy, please do not use the Service.

2. Data Controller vs. Data Processor

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, it is important to distinguish between the roles of Data Controller and Data Processor:

  • nuph.ai as Data Controller: We act as the Data Controller for the personal data you provide directly to us when you create an account, make payments, contact support, or otherwise interact with our platform. This includes your name, email address, billing information, and usage data.
  • nuph.ai as Data Processor: When you use our Service to search for, extract, enrich, or process LinkedIn profile data or other third-party data, nuph.ai acts solely as a Data Processor on your behalf. In this capacity, you (the user) are the Data Controller and bear full responsibility for ensuring that your collection and use of such data complies with all applicable data protection laws, including GDPR, and any applicable terms of service of third-party platforms.
  • User Responsibility: As the Data Controller for third-party data processed through nuph.ai, you are responsible for: (a) having a lawful basis for processing the data; (b) providing required notices to data subjects; (c) responding to data subject access requests; and (d) complying with all applicable data retention and deletion requirements.

We process third-party data solely in accordance with your instructions and do not independently determine the purposes or means of processing such data.

3. Information We Collect

We collect and process the following categories of information:

  • Account Information: When you register for an account, we collect your name, email address, company name, job title, and any other information you voluntarily provide during the onboarding process or in your profile settings.
  • Payment and Billing Data: When you subscribe to a paid plan or purchase credits, we collect billing details such as your name, billing address, and payment method. Payment card details are processed and stored exclusively by our third-party payment processor (Stripe) and are never stored on our servers.
  • Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, search queries, credits consumed, campaigns created, and timestamps of actions. This data helps us improve the Service and provide technical support.
  • Device and Technical Data: We collect your IP address, browser type and version, operating system, device identifiers, referring URLs, and general location data (country/city level) derived from your IP address.
  • LinkedIn and Third-Party Data: When you use the Service to search for or enrich professional contacts, we process publicly available LinkedIn profile data on your behalf and at your instruction. This may include names, job titles, company information, professional summaries, skills, education history, and other publicly available profile information. This data is processed by nuph.ai as a Data Processor (see Section 2).
  • AI-Generated Content: When you use our AI features, we process the prompts you provide and the messages generated by the AI. This data is used to deliver the requested service and, in anonymized and aggregated form, may be used to improve our AI models.
  • Communications: If you contact us via email, support forms, or other channels, we collect the content of your communications along with any metadata (such as timestamps and email addresses).
  • Cookies and Tracking Technologies: We use cookies, local storage, and similar technologies to collect data about your browsing behavior. For more details, please refer to our Cookie Policy.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision: To create and manage your account, process subscriptions and payments, deliver the features you request (including LinkedIn lead discovery, AI enrichment, lead scoring, and campaign management), and provide customer support.
  • Service Improvement: To analyze usage patterns, identify bugs and performance issues, develop new features, and improve the overall user experience of the platform.
  • Security and Fraud Prevention: To detect, prevent, and investigate suspicious activity, unauthorized access, and potential violations of our Terms of Service.
  • Communications: To send you transactional emails (account confirmations, password resets, billing receipts), service updates, security alerts, and support responses. We may also send promotional communications with your consent, from which you can opt out at any time.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • AI Model Improvement: We may use anonymized, aggregated data derived from AI interactions to improve the quality of our AI-generated content. No personally identifiable information is used for this purpose, and individual users cannot be identified from such aggregated data.
  • Analytics and Reporting: To generate internal analytics reports on platform usage, revenue, and operational metrics to help us make informed business decisions.

5. Legal Basis for Processing (GDPR)

Under the GDPR, we rely on the following legal bases for processing your personal data:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary to fulfill our contractual obligations to you, including providing the Service, managing your account, and processing payments.
  • Consent (Art. 6(1)(a) GDPR): Where required, we obtain your explicit consent before processing your data for specific purposes, such as sending marketing communications or placing non-essential cookies. You have the right to withdraw consent at any time.
  • Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data based on our legitimate interests, including improving the Service, ensuring security, preventing fraud, and conducting business analytics. We always balance our legitimate interests against your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c) GDPR): We process data when necessary to comply with our legal obligations, such as maintaining financial records, responding to lawful requests from authorities, and meeting tax and regulatory requirements.

For third-party data (e.g., LinkedIn profile data) processed through the Service, you as the user/Data Controller are responsible for establishing and maintaining the appropriate legal basis for such processing.

6. LinkedIn and Third-Party Data

This section is critically important for all users of nuph.ai.

nuph.ai enables users to search for and collect publicly available professional profile data from LinkedIn and other sources. When using these features:

  • User as Data Controller: You are the Data Controller for all third-party personal data processed through nuph.ai at your instruction. nuph.ai acts exclusively as a Data Processor in this context.
  • Your Responsibilities: You must ensure that your use of third-party data complies with: (a) the General Data Protection Regulation (GDPR) and any other applicable data protection laws; (b) LinkedIn's User Agreement and Privacy Policy; (c) any other applicable terms of service of third-party platforms; and (d) all applicable local, national, and international laws and regulations.
  • Lawful Basis: You must have a valid legal basis (such as legitimate interest under Article 6(1)(f) GDPR) for collecting and processing third-party personal data through nuph.ai. You are solely responsible for conducting any required legitimate interest assessments or data protection impact assessments.
  • No Endorsement: nuph.ai is not affiliated with, endorsed by, or officially connected to LinkedIn Corporation or any of its subsidiaries. "LinkedIn" is a registered trademark of LinkedIn Corporation. Our Service interacts with publicly available information and does not imply any partnership, sponsorship, or endorsement by LinkedIn.
  • Data Accuracy: nuph.ai does not guarantee the accuracy, completeness, or currency of any third-party data retrieved through the Service. You are responsible for verifying the accuracy of data before using it for outreach or other purposes.
  • Prohibited Uses: You may not use the Service to: (a) collect data for discriminatory purposes; (b) stalk, harass, or send unsolicited bulk messages; (c) violate any individual's right to privacy; or (d) engage in any activity that violates applicable laws or regulations.

nuph.ai reserves the right to suspend or terminate the accounts of users who violate these requirements or use the Service in a manner that could expose nuph.ai to legal liability.

7. Data Sharing and International Transfers

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

  • Service Providers: We share data with trusted third-party service providers who help us operate and improve the Service. These include:
    • Supabase (database hosting and authentication)
    • Vercel (web hosting and content delivery)
    • Stripe (payment processing)
    • OpenRouter / AI Providers (AI language model processing)
    • Apify (LinkedIn data extraction infrastructure)
    All service providers are contractually bound to protect your data and process it only as instructed by us.
  • Legal Requirements: We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or valid legal process; (b) protect and defend our rights or property; (c) prevent fraud or abuse of the Service; or (d) protect the personal safety of users or the public.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your data.
  • With Your Consent: We may share your information with third parties when you explicitly consent to such sharing.

International Data Transfers: Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we implement appropriate safeguards as required by GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's adequate data protection certification (such as the EU-US Data Privacy Framework).

8. Data Security

We implement robust technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data in transit is encrypted using TLS 1.2+ (HTTPS). Data at rest is encrypted using AES-256 encryption.
  • Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. We use role-based access controls and multi-factor authentication for administrative access.
  • Infrastructure Security: Our hosting providers (Supabase and Vercel) maintain SOC 2 Type II compliance and implement comprehensive physical and network security measures.
  • Regular Security Assessments: We conduct regular security reviews, vulnerability assessments, and code audits to identify and address potential security risks.
  • Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach in accordance with GDPR requirements (within 72 hours of becoming aware of the breach).
  • Secure Development: We follow secure development practices, including code reviews, dependency scanning, and adherence to OWASP security guidelines.

Despite these measures, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials.

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: Retained for the duration of your account and for up to 30 days after account deletion, to allow for account recovery.
  • Billing and Transaction Data: Retained for a minimum of 5 years after the transaction date, as required by Spanish and EU tax and accounting regulations.
  • Usage Data and Logs: Retained for up to 12 months for analytics and security purposes, then anonymized or deleted.
  • LinkedIn and Third-Party Data: Retained in your account according to your configuration settings. You may delete this data at any time through the platform. Upon account deletion, all associated third-party data is permanently deleted within 30 days.
  • AI Interaction Data: Chat logs and AI-generated content are retained for the duration of your account. Anonymized, aggregated data derived from AI interactions may be retained indefinitely for service improvement purposes.
  • Support Communications: Retained for up to 3 years after the last interaction to provide context for ongoing support.

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you. You may request the deletion of your data at any time by contacting us at privacy@nuph.ai.

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under GDPR regarding your personal data:

  • Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.
  • Right to Rectification (Art. 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Art. 17): You have the right to request that we delete your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
  • Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

To exercise any of these rights, please contact us at privacy@nuph.ai. We will respond to your request within 30 days. In certain circumstances, we may need to verify your identity before processing your request.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (such as local storage and session storage) to enhance your experience on our platform. Cookies are small text files that are placed on your device when you visit our website.

We use the following types of cookies:

  • Essential Cookies: Required for the basic functionality of the Service, including authentication, session management, and security. These cookies cannot be disabled without impacting core functionality.
  • Performance Cookies: Help us understand how visitors interact with the Service by collecting anonymous usage statistics. This data helps us improve performance and user experience.
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your language preferences and display settings.

We do not currently use marketing or advertising cookies. For detailed information about the specific cookies we use and how to manage them, please refer to our Cookie Policy.

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, please note that disabling essential cookies may prevent you from using certain features of the Service.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age. If you are under 18, please do not use the Service or provide any personal information to us.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that information from our servers. If you believe that a child under 18 has provided personal data to us, please contact us at privacy@nuph.ai so that we can take appropriate action.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • For significant changes, we will notify you by email (sent to the email address associated with your account) or by displaying a prominent notice within the Service.
  • We may also provide additional notice through in-app notifications or a banner on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

For data protection inquiries within the European Union, you may contact our Data Protection Officer at the address above. We will respond to all legitimate requests within 30 days. If the request is particularly complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

If you are not satisfied with our response, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or your local data protection authority.