Privacy Policy

We care about your privacy. Learn how we collect, use, and protect your data.

Last updated: March 4, 2026

1. Introduction

nuph.ai is an AI-powered LinkedIn outreach platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, platform, browser extension, and related services (collectively, the "Service").

This policy applies to all users of nuph.ai, including registered account holders, website visitors, and individuals whose data may be processed through the Service at the direction of our users.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree, you must immediately cease using the Service.

2. Data Controller vs. Data Processor

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, it is important to distinguish between the roles of Data Controller and Data Processor:

  • nuph.ai as Data Controller: We act as the Data Controller for the personal data you provide directly to us when you create an account, make payments, contact support, or otherwise interact with our platform. This includes your name, email address, billing information, and usage data.
  • nuph.ai as Data Processor: When you use our Service to search for, enrich, or process LinkedIn profile data or other third-party data, nuph.ai acts solely as a Data Processor on your behalf. In this capacity, you (the user) are the Data Controller and bear full responsibility for ensuring that your collection and use of such data complies with all applicable data protection laws, including GDPR, and any applicable terms of service of third-party platforms.
  • User Responsibility: As the Data Controller for third-party data processed through nuph.ai, you are responsible for:
    • (a) having a lawful basis for processing the data;
    • (b) providing required notices to data subjects;
    • (c) responding to data subject access requests; and
    • (d) complying with all applicable data retention and deletion requirements.
    • (e) You are solely responsible for obtaining any required consents, authorizations, or permits necessary to collect, process, store, and use third-party personal data through the Service;
    • (f) You are solely responsible for ensuring that your outreach activities comply with applicable anti-spam laws, including but not limited to the CAN-SPAM Act (USA), CASL (Canada), and equivalent legislation in your jurisdiction;
    • (g) You will not use the Service to process special categories of personal data (as defined under Article 9 GDPR) without explicit consent from the data subjects;
    • (h) nuph.ai shall bear no liability whatsoever for any fines, penalties, claims, damages, or enforcement actions arising from your use of third-party data processed through the Service, and you agree to fully indemnify and hold harmless nuph.ai from any such claims.

We process third-party data solely in accordance with your instructions and do not independently determine the purposes or means of processing such data.

3. Information We Collect

We collect and process the following categories of information:

  • Account Information: When you register for an account, we collect your name, email address, company name, job title, and any other information you voluntarily provide during the onboarding process or in your profile settings.
  • Payment and Billing Data: When you subscribe to a paid plan or purchase credits, we collect billing details such as your name, billing address, and payment method. Payment data is processed exclusively by Creem (creem.io). nuph.ai does not store credit card information. For Creem's data handling practices, visit creem.io/privacy.
  • Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, search queries, credits consumed, campaigns created, and timestamps of actions. This data helps us improve the Service and provide technical support.
  • Device and Technical Data: We collect your IP address, browser type and version, operating system, device identifiers, referring URLs, and general location data (country/city level) derived from your IP address.
  • LinkedIn and Third-Party Data: When you use the Service to search for or enrich professional contacts, the Service facilitates the capture of publicly available professional profile data at your explicit instruction and on your behalf. nuph.ai operates exclusively as a technical conduit; you, as the user, initiate, direct, and control all data capture activities. nuph.ai does not independently access, scrape, or collect any third-party data — all such activities occur through your own authenticated browser session via our Chrome Extension, using your own credentials and within your own LinkedIn account. This may include names, job titles, company information, professional summaries, skills, education history, and other publicly available profile information. This data is processed by nuph.ai as a Data Processor (see Section 2).
  • AI-Generated Content: When you use our AI features, we process the prompts you provide and the messages generated by the AI. This data is used to deliver the requested service and, in anonymized and aggregated form, may be used to improve our AI models.
  • Communications: If you contact us via email, support forms, or other channels, we collect the content of your communications along with any metadata (such as timestamps and email addresses).
  • Cookies and Tracking Technologies: We use cookies, local storage, and similar technologies to collect data about your browsing behavior. For more details, please refer to our Cookie Policy.
  • Instagram Profile Data: When you voluntarily connect your own Instagram account or provide your Instagram profile URL, we process your own publicly available Instagram profile data solely to enrich nuph.ai's understanding of your communication style, interests, and professional positioning. This data is used exclusively to improve the personalization of AI-generated messages on your behalf. We do not collect, store, or process Instagram profile data belonging to third parties.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision: To create and manage your account, process subscriptions and payments, deliver the features you request (including LinkedIn lead discovery, AI enrichment, lead scoring, and campaign management), and provide customer support.
  • Service Improvement: To analyze usage patterns, identify bugs and performance issues, develop new features, and improve the overall user experience of the platform.
  • Security and Fraud Prevention: To detect, prevent, and investigate suspicious activity, unauthorized access, and potential violations of our Terms of Service.
  • Communications: To send you transactional emails (account confirmations, password resets, billing receipts), service updates, security alerts, and support responses. We may also send promotional communications with your consent, from which you can opt out at any time.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • AI Model Improvement: We may use anonymized, aggregated data derived from AI interactions to improve the quality of our AI-generated content. No personally identifiable information is used for this purpose, and individual users cannot be identified from such aggregated data.
  • Analytics and Reporting: To generate internal analytics reports on platform usage, revenue, and operational metrics to help us make informed business decisions.

5. Legal Basis for Processing (GDPR)

Under the GDPR, we rely on the following legal bases for processing your personal data:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary to fulfill our contractual obligations to you, including providing the Service, managing your account, and processing payments.
  • Consent (Art. 6(1)(a) GDPR): Where required, we obtain your explicit consent before processing your data for specific purposes, such as sending marketing communications or placing non-essential cookies. You have the right to withdraw consent at any time.
  • Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data based on our legitimate interests, including improving the Service, ensuring security, preventing fraud, and conducting business analytics. We always balance our legitimate interests against your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c) GDPR): We process data when necessary to comply with our legal obligations, such as maintaining financial records, responding to lawful requests from authorities, and meeting tax and regulatory requirements.

For third-party data (e.g., LinkedIn profile data) processed through the Service, you as the user/Data Controller are responsible for establishing and maintaining the appropriate legal basis for such processing.

6. LinkedIn and Third-Party Data

This section is critically important for all users of nuph.ai.

nuph.ai enables users to search for and collect publicly available professional profile data from LinkedIn and other sources. When using these features:

  • User as Data Controller: You are the Data Controller — and bear full and exclusive legal responsibility — for all third-party personal data captured, processed, stored, or used through the Service at your instruction. nuph.ai's role is limited to providing the technical infrastructure that facilitates your data processing activities. nuph.ai does not determine the purposes, scope, or means of any third-party data processing carried out through the Service.
  • Your Responsibilities: You must ensure that your use of third-party data complies with: (a) the General Data Protection Regulation (GDPR) and any other applicable data protection laws; (b) LinkedIn's User Agreement and Privacy Policy; (c) any other applicable terms of service of third-party platforms; (d) all applicable local, national, and international laws and regulations; (e) LinkedIn's restrictions on automated tools, scraping, and data collection, as set out in LinkedIn's User Agreement and Professional Community Policies; (f) all applicable anti-spam, electronic communications, and data protection regulations in the jurisdictions where your prospects are located, including but not limited to GDPR (EU), CAN-SPAM (USA), CASL (Canada), LGPD (Brazil), and PDPA (various Asian jurisdictions); (g) applicable laws regarding cold outreach, unsolicited commercial messages, and professional contact in your target markets; and (h) your employer's or client's data handling policies, if applicable.
  • Lawful Basis: You must have a valid legal basis (such as legitimate interest under Article 6(1)(f) GDPR) for collecting and processing third-party personal data through nuph.ai. You are solely responsible for conducting any required legitimate interest assessments or data protection impact assessments.
  • No Endorsement: nuph.ai is not affiliated with, endorsed by, or officially connected to LinkedIn Corporation or any of its subsidiaries. "LinkedIn" is a registered trademark of LinkedIn Corporation. Our Service interacts with publicly available information and does not imply any partnership, sponsorship, or endorsement by LinkedIn.
  • Data Accuracy: nuph.ai does not guarantee the accuracy, completeness, or currency of any third-party data retrieved through the Service. You are responsible for verifying the accuracy of data before using it for outreach or other purposes.
  • Prohibited Uses: You may not use the Service to: (a) collect data for discriminatory purposes; (b) stalk, harass, or send unsolicited bulk messages; (c) violate any individual's right to privacy; or (d) engage in any activity that violates applicable laws or regulations.

nuph.ai reserves the right to suspend or terminate the accounts of users who violate these requirements or use the Service in a manner that could expose nuph.ai to legal liability.

Technical Architecture and User Control: nuph.ai's Chrome Extension operates exclusively within your own browser session, using your own authenticated LinkedIn account. The Extension reads publicly visible profile data that you yourself could manually view and copy. All automated actions — including connection requests and message delivery — are performed through your own account under your control. nuph.ai does not maintain separate server-side accounts, bots, or credentials that access LinkedIn independently. You remain in full control of all actions taken through your account at all times.

No Warranty Regarding Third-Party Platform Compliance: nuph.ai makes no representation or warranty that use of the Service is compliant with LinkedIn's Terms of Service, User Agreement, or any other third-party platform policies. LinkedIn's policies are subject to change at any time without notice. You are solely responsible for independently assessing and ensuring compliance with all applicable platform terms before using the Service. nuph.ai shall not be liable for any account suspension, restriction, or termination imposed by LinkedIn or any other third-party platform as a result of your use of the Service.

Indemnification: You agree to defend, indemnify, and hold harmless nuph.ai and its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, obligations, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from: (a) your use of the Service; (b) your processing of third-party personal data through the Service; (c) your violation of any applicable law or regulation; (d) your violation of any third-party rights, including privacy rights; or (e) your breach of these policies or our Terms of Service.

Rate Limiting and Account Safety: nuph.ai implements configurable rate limiting and human-behavior simulation features designed to help protect your LinkedIn account. However, nuph.ai does not guarantee that use of the Service will not result in account restrictions or termination by LinkedIn. You acknowledge that use of automation tools on LinkedIn involves inherent risks to your account, and you accept full responsibility for any consequences to your LinkedIn account resulting from your use of the Service.

7. Automation, Browser Extension Usage, and Third-Party Platform Policies

This section governs the use of nuph.ai's browser-based automation features, including the Chrome Extension and associated data capture workflows.

How the Technology Works: nuph.ai's Chrome Extension operates within your own web browser, on your own device, using your own authenticated accounts on third-party platforms such as LinkedIn. The Extension reads data that is publicly visible to any logged-in user viewing the same pages. All automated actions (such as sending connection requests or messages) are performed through your own account using your own credentials. nuph.ai does not operate independent server-side bots, fake accounts, or scrapers. The data capture process is functionally equivalent to a user manually browsing and copying information, assisted by browser-based tooling.

User's Sole Responsibility for Platform Compliance: You acknowledge that:

  • (a) LinkedIn's Terms of Service restrict or prohibit certain forms of automated data collection and outreach automation. nuph.ai provides technical tools; you are solely responsible for determining whether and how to use them in compliance with applicable platform terms.
  • (b) nuph.ai does not endorse, encourage, or guarantee compliance with any third-party platform's terms of service. The inclusion of LinkedIn integration features in the Service does not constitute a representation by nuph.ai that such use is permitted by LinkedIn.
  • (c) You have independently reviewed LinkedIn's User Agreement, Professional Community Policies, and any other applicable platform terms, and have made your own independent determination regarding the permissibility of your intended use of the Service.
  • (d) Any risk of account suspension, restriction, legal action, or other consequence from LinkedIn or any other third-party platform arising from your use of the Service is borne entirely by you.
  • (e) You will not use the Service to access data that is not publicly available, bypass authentication systems, circumvent technical access controls, or engage in any activity that could constitute unauthorized computer access under applicable law (including the Computer Fraud and Abuse Act (CFAA), the EU Directive on Attacks Against Information Systems, or equivalent legislation).
  • (f) You will implement reasonable safeguards when using automation features, including respecting rate limits, avoiding mass unsolicited messaging, and ensuring your outreach activities comply with applicable anti-spam laws.

No Liability for Third-Party Enforcement Actions: nuph.ai shall not be liable for any losses, damages, costs, or consequences arising from: (a) LinkedIn's or any other platform's enforcement of its terms of service against you; (b) suspension or termination of your LinkedIn or other platform accounts; (c) legal claims by LinkedIn, Microsoft, or other third parties against you arising from your use of the Service; or (d) any regulatory action against you related to your data collection or outreach activities.

Data Processing Infrastructure: nuph.ai uses Apify Technologies s.r.o. as part of its backend infrastructure to execute browser automation workflows at your direction. When you initiate a data capture or automation task, the task is executed using your own authenticated session credentials, which you provide. Apify acts as a sub-processor of nuph.ai and processes data solely to execute tasks at your instruction. For Apify's data processing practices, see apify.com/privacy-policy.

8. Data Sharing and International Transfers

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

  • Service Providers: We share data with trusted third-party service providers who help us operate and improve the Service. These include:
    • Supabase, Inc. — Database hosting, authentication, and backend API services. Data may be stored in EU-based data centers. SOC 2 Type II compliant. Privacy policy: supabase.com/privacy
    • Vercel, Inc. — Web hosting, CDN, and serverless edge functions. Operates a global edge network with EU nodes. Privacy policy: vercel.com/legal/privacy-policy
    • Creem B.V. — Payment processing and Merchant of Record services. Handles all billing, invoicing, tax compliance, and chargebacks. nuph.ai does not store payment card data. Privacy policy: creem.io/privacy
    • OpenRouter, Inc. / AI model providers — AI language model inference for message generation, lead scoring, and enrichment features. Prompts and generated content are processed transiently and are not used to train third-party AI models without your consent. Privacy policy: openrouter.ai/privacy
    • Apify Technologies s.r.o. — Browser automation and data processing infrastructure used to execute user-initiated data capture workflows. Data is processed at your instruction and on your behalf. Headquartered in Prague, Czech Republic (EU). GDPR compliant. Privacy policy: apify.com/privacy-policy
    All service providers are: (a) contractually bound to process your data only as instructed by us; (b) prohibited from using your data for their own purposes; (c) required to implement appropriate technical and organizational security measures; and (d) obligated to assist us in fulfilling our GDPR obligations, including responding to data subject requests.
  • Legal Requirements: We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or valid legal process; (b) protect and defend our rights or property; (c) prevent fraud or abuse of the Service; or (d) protect the personal safety of users or the public.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your data.
  • With Your Consent: We may share your information with third parties when you explicitly consent to such sharing.

International Data Transfers: Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we implement appropriate safeguards as required by GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's adequate data protection certification (such as the EU-US Data Privacy Framework).

9. Data Security

We implement robust technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data in transit is encrypted using TLS 1.2+ (HTTPS). Data at rest is encrypted using AES-256 encryption.
  • Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. We use role-based access controls and multi-factor authentication for administrative access.
  • Infrastructure Security: Our hosting providers (Supabase and Vercel) maintain SOC 2 Type II compliance and implement comprehensive physical and network security measures.
  • Regular Security Assessments: We conduct regular security reviews, vulnerability assessments, and code audits to identify and address potential security risks.
  • Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach in accordance with GDPR requirements (within 72 hours of becoming aware of the breach).
  • Secure Development: We follow secure development practices, including code reviews, dependency scanning, and adherence to OWASP security guidelines.

Despite these measures, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials.

10. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: Retained for the duration of your account and for up to 30 days after account deletion, to allow for account recovery.
  • Billing and Transaction Data: Retained for a minimum of 5 years after the transaction date, as required by Spanish and EU tax and accounting regulations.
  • Usage Data and Logs: Retained for up to 12 months for analytics and security purposes, then anonymized or deleted.
  • LinkedIn and Third-Party Data: Retained in your account according to your configuration settings. You may delete this data at any time through the platform. Upon account deletion, all associated third-party data is permanently deleted within 30 days.
  • AI Interaction Data: Chat logs and AI-generated content are retained for the duration of your account. Anonymized, aggregated data derived from AI interactions may be retained indefinitely for service improvement purposes.
  • Support Communications: Retained for up to 3 years after the last interaction to provide context for ongoing support.

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you. You may request the deletion of your data at any time by contacting us at privacy@nuph.ai.

11. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under GDPR regarding your personal data:

  • Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.
  • Right to Rectification (Art. 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Art. 17): You have the right to request that we delete your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
  • Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. You may contact the Agencia Española de Protección de Datos (AEPD) at www.aepd.es, or the supervisory authority of your country of residence.

To exercise any of these rights, please contact us at privacy@nuph.ai. We will respond to your request within 30 days. In certain circumstances, we may need to verify your identity before processing your request.

Limitations Regarding Third-Party Data: Please note that the rights described in this section apply to personal data for which nuph.ai is the Data Controller (i.e., your account data, usage data, and billing data). For third-party personal data processed by nuph.ai as a Data Processor at your instruction, data subject rights requests should be directed to you as the Data Controller. nuph.ai will assist you in responding to such requests where technically feasible and as required by applicable law.

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (such as local storage and session storage) to enhance your experience on our platform. Cookies are small text files that are placed on your device when you visit our website.

We use the following types of cookies:

  • Essential Cookies: Required for the basic functionality of the Service, including authentication, session management, and security. These cookies cannot be disabled without impacting core functionality.
  • Performance Cookies: Help us understand how visitors interact with the Service by collecting anonymous usage statistics. This data helps us improve performance and user experience.
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your language preferences and display settings.

We do not currently use marketing or advertising cookies. For detailed information about the specific cookies we use and how to manage them, please refer to our Cookie Policy.

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, please note that disabling essential cookies may prevent you from using certain features of the Service.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age. If you are under 18, please do not use the Service or provide any personal information to us.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that information from our servers. If you believe that a child under 18 has provided personal data to us, please contact us at privacy@nuph.ai so that we can take appropriate action.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • For significant changes, we will notify you by email (sent to the email address associated with your account) or by displaying a prominent notice within the Service.
  • We may also provide additional notice through in-app notifications or a banner on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

For data protection inquiries within the European Union, you may contact our Data Protection Officer at the address above. We will respond to all legitimate requests within 30 days. If the request is particularly complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

If you are not satisfied with our response, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD), or the supervisory authority of your country of residence.