This policy explains what personal data we collect when you use Namulai, why we collect it, who we share it with, and your rights. We're committed to GDPR compliance and to treating your data with care.
1. Data we collect
Account data: email, name, hashed password (bcrypt). Subscription data: plan, billing status, Stripe customer ID. Usage data: conversation history, daily message counts, models used. Technical data: IP address, browser type, language preference (cookie).
We do not collect: payment card details (Stripe handles those), unnecessary identifiers, biometric or sensitive data.
2. How we use your data
To operate the Service: authentication, displaying conversations, processing payments. To improve the Service: aggregated analytics on usage patterns. To communicate: transactional emails (welcome, password reset, payment failures), occasional product updates if you opt in.
We do not use your conversations to train AI models, ours or anyone else's.
3. Third-party processors
Each processor is bound by data processing agreements compliant with GDPR. AI providers are configured to not retain or train on prompts sent through OpenRouter.
- MongoDB Atlas — database hosting (EU region)
4. Data retention
Conversations: stored as long as your account is active, plus the history limit of your plan (7 days for Lite, 30 days for Standard, unlimited for Pro/High). Account data: retained until you delete your account, then erased within 30 days. Stripe data: retained per Stripe's policy (up to 7 years for accounting/tax compliance).
6. Your rights (GDPR)
You have the right to access your data, rectify inaccuracies, request erasure ("right to be forgotten"), restrict processing, obtain data portability (export your conversations), object to processing, and withdraw consent at any time. To exercise these rights, email us at the address below; we respond within 30 days.
7. Security
All connections use HTTPS. Passwords are hashed with bcrypt (12 rounds). The database is encrypted at rest. Access to production data is restricted to authorized personnel. We have processes for breach notification within 72 hours as required by GDPR.
8. International transfers
Some processors (notably Stripe and OpenAI) are based outside the EU. Transfers are protected by Standard Contractual Clauses approved by the European Commission. By using Namulai, you acknowledge these transfers are necessary for the Service to function.
9. Children
Namulai is not intended for users under 18. We do not knowingly collect data from minors. If you believe we have, contact us and we'll delete it.
10. Contact
Data controller: Namulai. For privacy questions or to exercise your rights, email contact@namulai.com.