Nanabase ("we," "us," or "our") is owned and operated by BRBR Group LLC, Sheridan, Wyoming, USA. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile applications (iOS and Android), web application, and marketing website (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1. Information You Provide
- Account information: email address, name, profile photo (optional)
- Contact records: names, phone numbers, email addresses, notes, and other contact details you add to Nanabase
- Voice notes and transcripts: audio recordings you create within the app and their AI-generated text transcriptions
- Calendar context: calendar event titles, dates, and attendee information you choose to connect for meeting preparation features
- Company information: company name, team member details, and role assignments
- Support requests: information submitted through our support form, including your email, name, and message content
- Payment information: processed securely by Stripe; we do not store credit card numbers
1.2. Information Collected Automatically
- Device information: device model, operating system version, unique device identifiers
- Usage data: features used, screens viewed, interaction patterns, session duration
- Location data: approximate location (city/region level) derived from IP address. We do not collect precise GPS location unless you explicitly grant permission for location-based features, and you may revoke this permission at any time in your device settings
- Log data: IP address (anonymized for analytics), browser type, access times, referring URLs
- Crash and performance data: application crash reports, performance metrics, and diagnostic information collected via Sentry (see Section 4)
1.3. Cookies and Similar Technologies
- Essential cookies: required for authentication and security (session tokens, CSRF protection)
- Analytics cookies: Firebase Analytics and Google Analytics to understand usage patterns
- Marketing cookies: Google Ads remarketing cookies on our marketing website only
2. How We Use Your Information
- Provide the Service: manage your contacts, enable team collaboration, process voice notes and transcripts
- Calendar integration: use calendar context to surface relevant contacts and prepare you for meetings
- Authentication and security: verify your identity, protect your account, detect fraud
- Communications: send transactional emails (magic links, account alerts, billing confirmations), weekly digests, and support responses
- Analytics and improvement: understand how the Service is used, identify issues, and improve features
- Crash reporting: diagnose and fix bugs, maintain service stability
- Legal compliance: comply with applicable laws, respond to legal requests
We do not sell, rent, or trade your personal data to third parties.
3. Voice Notes and Transcripts
Nanabase allows you to record voice notes and generates text transcriptions using AI-powered speech-to-text services.
- Voice recordings are stored encrypted at rest using AES-256-GCM via Google Cloud KMS
- Transcriptions are processed by third-party AI services (e.g., OpenAI Whisper) and stored alongside the associated contact record
- Voice data is used solely to provide the transcription feature and is not used for advertising or sold to third parties
- You may delete any voice note and its transcript at any time from within the app
- The microphone permission is requested only when you initiate a voice recording and can be revoked at any time in your device settings
4. Analytics, Crash Reporting, and Third-Party Services
We use the following third-party services to operate and improve the Service:
4.1. Firebase Analytics (Google)
- Collects anonymized usage data: screens viewed, feature usage, session duration, user engagement
- Collects device information: model, OS version, app version
- Does not collect personally identifiable information (PII)
- Data is processed by Google under their Firebase Privacy Policy
- You may opt out of analytics data collection in the app settings
4.2. Sentry (Crash Reporting)
- Collects crash reports, error logs, and performance data when the app encounters issues
- May include: stack traces, device model, OS version, app version, memory state, and breadcrumbs (recent user actions leading to a crash)
- PII (email addresses, contact names) is scrubbed before transmission where technically feasible
- Data is processed by Functional Software Inc. under their Sentry Privacy Policy
- Crash data is retained for 90 days, then automatically deleted
4.3. Other Third-Party Services
- Stripe: payment processing (Privacy Policy)
- Resend: transactional email delivery (Privacy Policy)
- Vercel: web hosting and edge delivery (Privacy Policy)
- Google Cloud / Firebase: authentication, data storage, cloud functions (Privacy Notice)
- Google Ads: remarketing on the marketing website only (see Section 5)
5. Google Ads and Remarketing
Our marketing website (nanabase.co) uses Google Ads Remarketing to show relevant ads to previous visitors. This applies only to the marketing website, not the mobile apps or web application.
- Google marketing cookies collect non-identifiable activity data
- We do not share names, emails, or contact data with Google for advertising
Opt out:
6. Data Storage and Security
We take the security of your data seriously and implement industry-standard measures:
- Encryption at rest: sensitive personal data (emails, phone numbers, notes, voice recordings) is encrypted using AES-256-GCM via Google Cloud KMS
- Encryption in transit: all communication uses TLS 1.2+ (HTTPS)
- Authentication: magic link authentication with httpOnly session cookies; no passwords stored
- Access control: role-based access control (RBAC) with tenant isolation at the database level
- Infrastructure: data is stored on Google Cloud Platform (Firebase/Firestore) and served via Vercel, both of which maintain SOC 2, ISO 27001, and GDPR compliance certifications
7. Data Retention
We retain your data only as long as necessary to provide the Service and fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Contact records (private) | Until deleted by user or account deletion |
| Contact records (company) | Retained by company; removed from user view upon departure |
| Voice notes and transcripts | Until deleted by user or account deletion |
| Calendar data | Cached temporarily; not stored permanently |
| Analytics data (Firebase) | 14 months (Google default) |
| Crash reports (Sentry) | 90 days |
| Support tickets | 12 months after resolution |
| Server logs | 30 days |
When you delete your account, all associated personal data is permanently removed within 30 days, except where retention is required by law (e.g., billing records for tax compliance).
8. Data Deletion
You can delete your data at any time:
- Individual records: delete contacts, voice notes, or transcripts directly within the app
- Account deletion: go to Settings > Account > Delete Account in the app to permanently delete your account and all associated data
- Email request: send a deletion request to privacy@nanabase.co and we will process it within 30 days
Company data: when you leave a company, your access to company contacts is revoked immediately. Company contacts you contributed remain with the company. Your private contacts are unaffected and remain fully under your control.
9. Location Data
- Approximate location: we derive city/region level location from your IP address for analytics, security (unusual login detection), and content localization
- Precise location: collected only if you explicitly grant permission for location-based features (e.g., tagging a contact with a meeting location). This permission is optional and can be revoked at any time in your device settings
- We do not sell location data or use it for advertising
- Location data is not shared with third parties except as required to operate the Service (e.g., map providers)
10. Calendar Integration
If you choose to connect your calendar, Nanabase accesses:
- Event titles and dates
- Attendee names and email addresses
- Event location (if provided)
This data is used to:
- Surface relevant contacts before meetings
- Suggest contacts to add based on meeting participants
- Provide meeting preparation context
Calendar data is cached temporarily for the meeting preparation feature and is not permanently stored. You can disconnect your calendar at any time in Settings > Integrations, which immediately removes all cached calendar data.
11. Your Rights
Depending on your jurisdiction, you may have the following rights:
Under GDPR (EU/EEA)
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
Under CCPA (California)
- Right to know what data is collected
- Right to delete personal data
- Right to opt out of data sales (we do not sell data)
- Right to non-discrimination for exercising rights
For All Users
- Export your data from Settings > Account > Export Data
- Delete your account from Settings > Account > Delete Account
- Manage notification preferences in Settings > Notifications
- Control location and calendar permissions in your device settings
- Opt out of analytics in Settings > Privacy
To exercise any of these rights, contact us at privacy@nanabase.co. We will respond within 30 days.
12. Children's Privacy
Nanabase is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@nanabase.co and we will promptly delete it.
13. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for EU data transfers, to protect your data in compliance with applicable privacy laws.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the app or sending you an email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact Information
For privacy-related inquiries or to exercise your data rights: