Privacy Policy
Last Modified: May 12, 2026
Nimbus AI Technologies, Inc. ("Company", "we", "our", or "us") respects your privacy and is committed to protecting it through our compliance with this policy. This policy describes how we collect, process, retain, and disclose personal data about you when providing services to you through our websites, applications, products, and services that link to this policy (our "Services") and our practices for using, maintaining, protecting, and disclosing that information.
This policy applies only to information we collect:
- Through the Services.
- In communications, including email, text, chat, and other electronic messages, between you and the Services.
It does not apply to information collected by:
- Us offline or through any other means, including on any other website operated by Company or any third party (including our affiliates and subsidiaries) that does not link to this policy; or
- Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or through the Services, including personal data that may be provided to us by our Customers, which is processed pursuant to a Data Processing Agreement.
We may provide additional or different privacy policies that are specific to certain features, services, or activities.
Please read this policy carefully to understand our policies and practices regarding your information and how we treat it. By interacting with our Services or providing us with your information, you agree to the collection, use, and sharing of your information as described in this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of the Services after we make changes as described here is deemed to be acceptance of those changes, so please check the policy periodically for updates.
Our Role: Controller vs. Processor
Nimbus offers products that fall into two distinct privacy roles, and this policy applies differently depending on which role applies to your data.
1. Nimbus as a controller. This policy describes how we process personal data for which we determine the purposes and means of processing — including personal data of visitors to our public websites (such as nmbs.ai), prospects and leads, account holders and authorized users of our Services, contacts at our business customers and partners, recipients of our marketing communications, and individuals who participate in calls or other interactions routed through our voice and telephony features in our own capacity. For this data, Nimbus is the “business” under the CCPA and the “controller” under the GDPR, and the rights and choices described in this policy apply.
2. Nimbus as a processor / service provider. A core part of our Services involves operating AI agents that access, retrieve, and act on data inside third-party systems used by our business customers (each, a “Customer”) — including, for example, content in our Customers’ databases, files, Google Drive workspaces, and other data our Customers direct us to process on their behalf (collectively, “Customer Data”). For Customer Data, the Customer is the controller (or “business”), and Nimbus acts as a processor (or “service provider” / “contractor”) on the Customer’s behalf. Our processing of Customer Data is governed by the agreement between Nimbus and the Customer, including any data processing agreement (“DPA”), and not by this policy. Nimbus does not use Customer Data for our own marketing, does not sell or share Customer Data, and does not use Customer Data to train, fine-tune, or improve machine learning or large language models except as expressly permitted by the applicable Customer agreement and DPA.
If you are an individual whose personal data is contained in Customer Data and you wish to exercise rights with respect to that data (access, deletion, correction, etc.), please direct your request to the Customer. If the Customer asks us to assist, we will do so consistent with the Customer’s instructions and our agreement with them. The remainder of this policy describes our practices in our capacity as a controller.
Children's and Minors' Data
Our Services are not intended for, and we do not knowingly collect any personal data from, children under the age of 13. If we learn we have collected or received personal data from a child under 13 years old without verification of parental consent, we will delete that information.
The Personal Data That We Collect or Process
"Personal data" is information that identifies, relates to, or describes, directly or indirectly, you as an individual, such as your name, email address, telephone number, home address, or payment information (for example, account information such as name, postal address, email address, and any other identifier we may use to contact you online or offline).
The types and categories of personal data we collect or process include:
- Account and contact information, including name, address (such as home address, work address, or other address), email address, phone number, username, and other contact information you provide us.
- Payment information, including credit card or debit card information and information about the payment methods and services (such as PayPal or Venmo) you use in connection with the Services.
- Account history, including information about your subscription, account, transactions, purchases, order history, or discounts.
- Demographic information, including your age, gender, income level, education, or family or marital status, if you have consented to such information collection.
- Location information, including general geographic location such as country, state or province, or city and precise geolocation, if you have enabled and consented to location information collection.
- Device information, including your IP address, device identifiers, operating system and version, preferred language, hardware identifiers, browser type and settings, and other device information.
- Content and information you elect to provide as part of your profile or in any reviews you make through the Services or emails, chats, or other communications sent to us.
- Images, voice recordings, and videos collected or stored in connection with the Services, if you have consented to such information collection.
If you are a California resident, additional disclosures apply to you. See “Additional Disclosures for California Residents” below.
Some of the information identified above, such as precise geolocation information, may be considered sensitive data under certain laws. If required under applicable law, we will collect and process sensitive personal data only with your consent. If you choose not to provide or allow us to collect some information, we may not be able to provide you with requested features, services, or information.
We also collect:
- Statistics or aggregated information. Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from personal data. For example, we may aggregate personal data to calculate the percentage of users accessing a specific Services feature.
- Technical information. Technical information includes information about your internet connection and usage details about your interactions with the Services, such as clickstream information to, through, and from our Services (including date and time), products that you view or search for, page response times, download errors, length of your visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), or methods used to browse away from a page.
If we combine or connect non-personal statistical or technical data with personal data so that it directly or indirectly identifies an individual, we treat the combined information as personal information.
How We Collect Your Personal and Other Data
- You Provide Information to Us
We collect information about you when you interact with our Services, such as when you create or update an account, place an order, subscribe, or make a purchase or request, participate in surveys, sweepstakes, contests, or promotions, or create, upload, or post content to the Services, including reviews, media such as photos, videos, or audio recordings.
- Automatically Through Our Services
As you navigate through and interact with our Services, we may use automatic data collection technologies to collect information that may include personal data. Information collected automatically may include usage details, IP addresses, operating system, and browser type, and information collected through cookies, web beacons, and other tracking technologies including details of your interactions with our Services, such as traffic data, location data, logs, and other communication data, and which resources and Services features that you access and use.
We use these automatic collection technologies only for first-party purposes — operating, securing, measuring, and improving our own Services. We do not use them to track your activity on other websites or online services for behavioral advertising, and we do not allow third-party advertisers, ad networks, or ad servers to collect information about you on our Services for cross-context behavioral advertising.
Using automatic collection technologies helps us to improve our Services and to deliver a better and more personalized experience.
The technologies we use for this automatic data collection may include:
- Cookies. A cookie is a small file placed on your device when you interact with the Services. You may refuse to accept or disable cookies by activating the appropriate setting on your browser or device. However, if you select this setting, you may be unable to access certain features of the Services.
- Web Beacons. Some parts of the Services and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those parts or opened an email and for other related statistics (for example, recording the popularity of certain content and verifying system and server integrity).
To the extent any of these automated technologies are considered a personal data sale, targeted advertising, or profiling, under applicable laws, depending on where you live, you may opt out from use of these automated technologies for such uses by email to accounts@nmbs.ai. Please note that some Services features may be unavailable as a result.
We engage a limited number of service providers that operate automatic collection technologies on our behalf for first-party purposes only, such as product analytics, performance monitoring, customer support, and security. These service providers are contractually prohibited from using information collected through our Services for their own purposes or for cross-context behavioral advertising. They may include:
- Analytics and product-usage measurement providers (acting as our service providers).
- Hosting, content delivery, error monitoring, and security providers.
- From Business Partners and Service Providers
We may receive personal data about you from other sources and combine that with information we collect directly from you. For example, we may obtain information about you from service providers that we engage to perform services on our behalf, such as email platform providers, content delivery services, payment processors, promotions services, gift card program providers, analytics, security and anti-fraud services, and data brokers. We also may receive personal data from business partners that we engage to share consumer information with us, including your personal preferences and demographic information such as age, gender, and income level so that we can better provide you with a personalized experience, including personalized content, offers and services. We may also receive your personal information from our other Customers who have gathered your information pursuant to their own policies. Any such data is strictly controlled by the Customer who provided it and is governed by their Privacy Policy as well as your agreement with them. We do not use, distribute, or process any third-party data provided to us by a Customer except according to their express instructions.
How We Use Your Information
We use information that we collect about you or that you provide to us, including any personal data, to:
- Provide you with the Services and any contents, features, information, products, or services that we make available through the Services.
- Fulfill and manage subscriptions, purchases, orders, deliveries, payments, returns, and exchanges.
- Fulfill any other purpose for which you provide it.
- Provide you with notices about your account, including expiration and renewal notices.
- Improve our Services, including by analyzing your information (and creating aggregated data derived from your information) to develop, maintain, analyze, improve, optimize, measure, and report on our Services and their features and how users interact with them. Our analysis may include the use of technology like machine learning and large language models, which may include training these models or sharing with third parties for model training.
- Promote our Services, business, and offerings through first-party marketing channels, including marketing emails and product communications you have subscribed to, on-site messages, and advertising we place on our own Services. We do not sell your personal information, we do not share your personal information for cross-context behavioral advertising, and we do not use your personal information to target you with ads on third-party websites or services.
- Carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
- Notify you when Services updates are available and about changes to any products or services we offer or provide through them.
- In any other way we may describe when you provide the information.
- For any other purpose with your consent.
The usage information we collect, whether connected to your personal data or not, helps us improve our Services and deliver a better and more personalized experience by enabling us to:
- Estimate our audience sizes and usage patterns.
- Store information about your preferences, allowing us to customize the Services according to your individual needs and interests.
- Speed up your searches.
- Recognize you when you return to our Services.
For more information, see Your Rights and Choices About Your Information.
We use location information we collect to provide the appropriate version of our website based on your country of residence.
Who We Disclose Your Information To
We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.
We may also disclose personal data that we collect or you provide as described in this privacy policy:
- To our subsidiaries and affiliates.
- To contractors, service providers, and other third parties we use to support our organization and who are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Nimbus’ assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by Nimbus is among the assets transferred.
- To fulfill the purpose for which you provide it. For example, if you give us an email address to use a feature of our Services to send an automated e-mail, we will transmit the contents of that email and your email address to the recipients.
- For any other purpose disclosed by us when you provide the information.
- With your consent.
We may also disclose your personal data:
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To enforce or apply our terms of use (nmbs.ai/terms) or terms of sale and other agreements, including for billing and collection purposes.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of our organization, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
The categories of personal data we may disclose include:
- Account and contact information.
- Payment information.
- Account history, including information about your subscription, account, transactions, purchases, order history, or discounts.
- Demographic information.
- Location information, including general geographic location and precise geolocation.
- Device information.
- Content and information you elect to provide to us.
- Images, voice recordings, and videos collected or stored in connection with the Services, if you have consented to such information collection.
Your Rights and Choices About Your Information
This section describes mechanisms you can use to control certain uses and disclosures of your information and rights you may have under state law, depending on where you live.
- Advertising, marketing, cookies, and other tracking technologies choices:
  - Cookies and Other Tracking Technologies. You can set your browser to refuse all or some browser cookies or other tracking technology files, or to alert you when these files are being sent. You can choose whether or not to allow the Services to collect information through other tracking technologies by emailing us at accounts@nmbs.ai. If you disable or refuse cookies or similar tracking files, some Services features may be inaccessible or not function properly. Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the online services you visit indicating you do not wish to be tracked. Because there is not a common understanding of how to interpret the DNT signal, our Services may not respond to all browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the cookie controls and advertising controls described in this policy.
  - Promotions by the Company. If you do not wish us to use your information to promote our own or third parties’ products or services, you can opt out by logging into your account and adjusting your account settings and preferences or by emailing accounts@nmbs.ai.
- Location data choices: You can choose whether or not to allow the Services to collect and use real-time information about your device's location through the device's privacy settings. If you block the use of location information, some Services features may become inaccessible or not function properly.
Your State Privacy Rights
Depending on your state of residency, you may have certain rights related to your personal data, including:
- Access and Data Portability. You may confirm whether we process your personal data and access a copy of the personal data we process. To the extent feasible and required by state law, depending on your state, data will be provided in a portable format. Depending on your state, you may have the right to receive additional information and it will be included in the response to your access request.
- Correction. You may request that we correct inaccuracies in your personal data that we maintain, taking into account the information's nature and processing purpose.
- Deletion. You may request that we delete personal data about you that we maintain, subject to certain exceptions under applicable law.
- Opt Out of Using Personal Data for Targeted Advertising, Profiling, and Sales. You may request that we do not use your personal data for these purposes.
State-by-State Rights Summary
The table below summarizes the comprehensive U.S. state privacy laws that are in effect as of the last updated date above and the rights they generally provide. The specific rights, exceptions, response timelines, and verification requirements are governed by each state’s statute and implementing regulations, and the description in this table is provided for convenience only. If there is any inconsistency between this table and the underlying statute, the statute controls.
| State | Law | Effective | Rights Available | Notes |
| --- | --- | --- | --- | --- |
| California | CCPA / CPRA | 2020 / 2023 | Access, Delete, Correct, Portability, Opt-out of Sale/Share, Limit Use of Sensitive PI, Non-Discrimination, Appeal | See dedicated California section below. Honors Global Privacy Control (GPC). |
| Virginia | VCDPA | Jan 2023 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Appeal right within 60 days of a denial. |
| Colorado | CPA | Jul 2023 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors universal opt-out signals (GPC). |
| Connecticut | CTDPA | Jul 2023 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors GPC; heightened protections for minors aged 13–17. |
| Utah | UCPA | Dec 2023 | Access, Delete, Portability, Opt-out of Sale and Targeted Advertising | No correction right and no appeal right; narrower than other state laws. |
| Texas | TDPSA | Jul 2024 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Sensitive-data processing requires opt-in consent. Honors GPC. |
| Oregon | OCPA | Jul 2024 | Access (including a list of specific third parties to whom data was disclosed), Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Broader access right than other state laws. |
| Montana | MCDPA | Oct 2024 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors GPC. |
| Florida | FDBR | Jul 2024 | Limited rights (Access, Delete, Correct, Portability, Opt-out of Sale/Targeted Advertising) | Applies only to very large in-state controllers; most consumers receive rights only when the controller meets statutory thresholds. |
| Iowa | ICDPA | Jan 2025 | Access, Delete, Portability, Opt-out of Sale and Targeted Advertising | No correction right; narrower scope than other laws. |
| Delaware | DPDPA | Jan 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors GPC. |
| New Hampshire | NHDPA | Jan 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors GPC. |
| Nebraska | NDPA | Jan 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Modeled closely on the Texas TDPSA. |
| New Jersey | NJDPA | Jan 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors GPC; heightened rules for sensitive personal information and minors. |
| Tennessee | TIPA | Jul 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Affirmative defense / safe harbor for businesses with a NIST-aligned privacy program. |
| Minnesota | MCDPA | Jul 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Right to question the result of profiling and to be informed of the reasons. |
| Maryland | MODPA | Oct 2025 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Strict data-minimization standard; broader protections for known minors. |
| Indiana | INCDPA | Jan 2026 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Modeled on the Virginia VCDPA. |
| Kentucky | KCDPA | Jan 2026 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Modeled on the Virginia VCDPA. |
| Rhode Island | RIDTPPA | Jan 2026 | Access, Delete, Correct, Portability, Opt-out of Sale, Targeted Advertising, and Profiling | Honors GPC; additional transparency disclosures. |
| Nevada | NRS 603A (as amended) | (in effect) | Limited right to opt out of certain personal-data sales | Narrower than the comprehensive state laws; covers operators of certain online services. |
For all states listed above, you may exercise applicable rights by emailing accounts@nmbs.ai or, where available, by following the instructions provided in your account settings. We will respond to your request within the timeframe required by the applicable state law. If we deny your request in whole or in part, we will explain the basis for our decision and, where applicable, your right to appeal.
Important: The exact scope of these rights varies by state. There are also several exceptions where we may not have an obligation to fulfill your request.
To exercise any of these rights, please email accounts@nmbs.ai. To appeal a decision regarding a consumer rights request, email accounts@nmbs.ai and attach a PDF transcript of the prior determination that we sent to you that you wish to appeal. Your request will be reviewed by a separate compliance team member who will make an independent determination.
Some browsers and browser extensions support the Global Privacy Control (“GPC”) that can send a signal to process your request to opt out from certain types of data processing, including data "sales" as defined under certain laws. When we detect such a signal, we will make reasonable efforts to respect your choices indicated by a GPC setting as required by applicable law.
Nevada provides its residents with a limited right to opt out of certain personal data sales. Residents who wish to exercise their sale opt-out rights may submit a request to this designated address: accounts@nmbs.ai. However, please know we do not currently sell data triggering that statute’s opt-out requirements.
If you are a California resident, additional disclosures and rights apply to you. See “Additional Disclosures for California Residents” below.
Additional Disclosures for California Residents
This section provides additional disclosures required under the California Consumer Privacy Act (“CCPA”) for California residents. Any terms defined in the CCPA have the same meaning when used here. This section does not apply to personal information we collect in an employment context—employees, job applicants, contractors, and other workers should request our employee privacy policy from their supervisor.
Personal Information We Collect
“Personal information” means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include publicly available information from government records or widely distributed media, lawfully obtained truthful information that is a matter of public concern, deidentified or aggregated consumer information, or information excluded from the CCPA’s scope (such as health information covered by HIPAA or the CMIA, clinical trial data, or information covered by the FCRA, GLBA, FIPA, or the Driver’s Privacy Protection Act).
In the preceding 12 months, we have collected the following categories of personal information from California consumers, with the retention periods indicated:
A. Identifiers. Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, or other similar identifiers. We do not collect driver’s license numbers or passport numbers. Collected: Yes. Retention: 5 years.
B. California Customer Records (Cal. Civ. Code § 1798.80(e)). Name, address, telephone number, Social Security number, credit card number, debit card number, other payment-related financial information, employment and employment history, and medical information. We do not collect signatures, physical characteristics, passport numbers, driver’s license or state identification card numbers, insurance policy numbers, education records, bank account numbers, or health insurance information. Some information in this category may overlap with other categories. Collected: Yes. Retention: 5 years.
C. Protected classification characteristics. Age (40 or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, reproductive health decision-making, military and veteran status, or genetic information. Collected: No. We do not require or routinely collect protected classification information. To the extent you voluntarily provide demographic information (such as age or gender) through your account settings, that information is collected only with your consent and retained for the life of your account.
D. Commercial information. Records of personal property, products, or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies. Collected: Yes. Retention: 5 years.
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics or activity patterns used to extract a template or identifier (e.g., fingerprints, faceprints, voiceprints, iris or retina scans, gait, sleep, health, or exercise data). Collected: Yes — limited to voiceprints and similar biometric identifiers derived from call audio when you use our voice or telephony features, where applicable law permits and where you have provided any required consent. Retention: 5 years, or such shorter period as required by applicable biometric privacy laws (e.g., Illinois BIPA, Texas CUBI, Washington H.B. 1493).
F. Internet or other network activity. Activity on our websites, mobile apps, or other digital systems, such as browsing history, search history, system usage, electronic communications with us, and postings on our social media. Collected: Yes. Retention: 5 years.
G. Geolocation data. Physical location or movements, such as ZIP code, the time and location of your use of our websites or applications, or other location information. Collected: Yes. Retention: 5 years.
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information, including customer service call recordings. Collected: Yes — call audio, recordings, and transcripts created when you interact with our voice and telephony features, and images and other media you choose to upload to the Services. Retention: 5 years (call audio and transcripts may be retained for shorter periods where required by applicable law or our retention schedules).
Call Recording Notice. Some of our Services include voice and telephony features that may record, transcribe, and analyze calls. Where you participate in a call routed through, originated by, or received by these features, we will provide notice and obtain consent as required by applicable law, including the two-party (all-party) consent laws of California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. If you do not consent to recording, do not proceed with the call.
I. Professional or employment-related information. Current or past job history. Collected: Yes. Retention: 5 years.
J. Non-public education information (FERPA). Education records directly related to a student maintained by an educational institution or party acting on its behalf. Collected: No. Retention: N/A.
K. Inferences. Profiles reflecting a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Collected: Yes. Retention: 5 years.
L. Sensitive personal information. Further identified in the Sensitive Personal Information section below. Collected: Yes. Retention: 5 years.
Sensitive Personal Information
The CCPA treats certain categories of personal information as “sensitive personal information” when used to infer characteristics about a consumer. In the preceding 12 months, we have collected the following sensitive personal information categories for that purpose:
L.1. Government identifiers (e.g., SSN, driver’s license, state ID, or passport number). Collected to infer characteristics: No. Retention: N/A.
L.2. Complete account access credentials (e.g., usernames, account logins, account numbers, or card numbers combined with a required access or security code or password). Collected to infer characteristics: No. Retention: N/A.
L.3. Precise geolocation (e.g., GPS data from a mobile device pinpointing location within approximately 1,850 feet). Collected to infer characteristics: No. Retention: N/A.
L.4. Racial or ethnic origin. Collected to infer characteristics: No. Retention: N/A.
L.5. Citizenship or immigration status. Collected to infer characteristics: No. Retention: N/A.
L.6. Religious or philosophical beliefs. Collected to infer characteristics: No. Retention: N/A.
L.7. Union membership. Collected to infer characteristics: No. Retention: N/A.
L.8. Mail, email, or text messages not directed to the Company. Collected to infer characteristics: No. Retention: N/A.
L.9. Genetic data. Collected to infer characteristics: No. Retention: N/A.
L.10. Neural data. Collected to infer characteristics: No. Retention: N/A.
L.11. Unique identifying biometric information. Collected to infer characteristics: No. Retention: N/A.
L.12. Health information. Collected to infer characteristics: No. Retention: N/A.
L.13. Sex life or sexual orientation information. Collected to infer characteristics: No. Retention: N/A.
L.14. Children’s personal information (under age 16). Collected to infer characteristics: No. Retention: N/A.
Sources of Personal Information
We obtain personal information directly from you (through forms and other information you provide), indirectly from you (through your interactions with our websites, applications, and customer service), from other customers (such as through referral programs or when those customers provide your data to us pursuant to their own privacy policy and agreements—information we do not control except as directed by that customer), and from inferences generated by our systems or our service providers’ systems.
Business and Commercial Purposes
We use and disclose the personal information we collect (including sensitive personal information) for the business and commercial purposes described in the “How We Use Your Information” section above, including: developing, offering, and providing our products and services; meeting our contractual obligations and enforcing our rights, including for billing and collections; fulfilling the purposes for which you provided the information; improving our products, services, marketing, and customer experience; notifying you about changes to our products or services; administering our systems and conducting internal operations, including troubleshooting, testing, research, analytics, and survey activities; enabling participation in interactive features; protecting our company, employees, and operations; measuring advertising effectiveness and delivering relevant advertising; managing your account, including for security and outreach; performing data analytics and benchmarking; engaging in corporate transactions (such as evaluating potential mergers and acquisitions); complying with applicable laws and responding to law enforcement requests; and exercising or defending the legal rights of the Company and its employees, affiliates, customers, contractors, and agents.
We use and disclose sensitive personal information only for the purposes permitted under the CCPA (the “Permitted SPI Purposes”), including: performing actions necessary for our consumer relationship that an average consumer would reasonably expect; preventing, detecting, and investigating security incidents; defending against fraudulent, deceptive, or illegal activity; ensuring physical safety; short-term, transient use such as non-personalized advertising that is not used to build a profile about you or alter your experience outside the current interaction; performing services on behalf of the Company (including account maintenance, transaction processing, identity verification, payment processing, financing, analytics, and storage); verifying or maintaining the quality or safety of our products and services; and collecting or processing sensitive personal information that we do not use to infer characteristics about a consumer. We do not use or disclose sensitive personal information for purposes other than the Permitted SPI Purposes.
We will not collect additional categories of personal information or use the personal information we collect for materially different, unrelated, or incompatible purposes without providing you notice and, where required, obtaining your consent. We may collect, process, and disclose aggregated or deidentified consumer information for any purpose, and will not attempt to reidentify it except to validate our deidentification processes.
Disclosure, Sale, and Sharing of Personal Information
We disclose the categories of personal information described above to service providers and contractors to support our business operations. These disclosures are made under written contracts that require recipients to keep personal information confidential, prohibit using the information for any unrelated purpose, and meet the CCPA’s other service provider and contractor requirements.
We do not sell your personal information, including sensitive personal information, and we have not done so in the preceding 12 months. We do not share your personal information with third parties for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We do not, and have not, sold or shared personal information about anyone under the age of 16.
Your California Privacy Rights
If you are a California resident, the CCPA grants you the following rights regarding your personal information.
Right to know and data portability. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting, selling, or sharing it, and the categories of recipients. Our response will cover the 12-month period preceding your request; we will honor requests covering longer periods that do not extend past January 1, 2022, unless doing so is impossible or would involve disproportionate effort. You may exercise this right twice in any 12-month period.
Right to delete. You may request that we delete personal information we collected from you, subject to certain exceptions. We will notify our service providers, contractors, and other recipients to take appropriate action.
Right to correct. You may request that we correct inaccurate personal information we maintain about you. We may require documentation to verify your identity and support your claim.
Right to limit sensitive personal information. You may request that we limit the use and disclosure of your sensitive personal information to the Permitted SPI Purposes. Because we already use sensitive personal information only for Permitted SPI Purposes, exercising this right does not change our practices.
Right to opt out of sale or sharing. You may direct us to stop selling or sharing your personal information at any time, including through a user-enabled opt-out preference signal such as Global Privacy Control. As noted above, we do not currently sell or share personal information.
Automated decision-making technology (ADMT) rights. When a business uses ADMT to make significant decisions about a consumer—such as decisions affecting financial or lending services, housing, education, employment, or healthcare—the CCPA provides access and opt-out rights, as well as a right to appeal to a human reviewer in certain cases. We do not currently use ADMT to make significant decisions about consumers, so these rights do not apply at this time.
Right to non-discrimination. You will not be discriminated against or retaliated against for exercising any of your CCPA rights.
How to Exercise Your California Rights
To exercise any of these rights, or to designate an authorized agent to act on your behalf, email accounts@nmbs.ai. We may ask you to provide information to verify your identity (or your authorized agent’s authority) before we can process your request. We consider requests submitted through your password-protected account sufficiently verified for personal information associated with that account. You do not need to create an account to submit a request.
We will confirm receipt of your request within 10 business days and will substantively respond within 45 days. If we require more time, we may extend our response period by an additional 45 days and will notify you in writing of the reason and extension period. If we cannot comply with your request in whole or in part, we will explain the reason, subject to any legal or regulatory restrictions. For data portability requests, we will provide your information in a readily usable format that allows you to transmit it from one entity to another without hindrance.
For requests to limit or opt out, we will process your request as soon as feasible, but no later than 15 business days after receipt. We will notify our service providers, contractors, and downstream recipients of your request and instruct them to comply and to forward the request to their own downstream recipients where applicable. We may deny opt-out requests we have a good-faith, reasonable, and documented belief are fraudulent, and will explain the reason for any denial.
We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine a fee is warranted, we will explain our reasoning and provide a cost estimate before proceeding.
After you make a request to limit or opt out, we will wait at least 12 months before asking you to reauthorize the use or disclosure of your sensitive personal information for purposes other than the Permitted SPI Purposes, or the sale or sharing of your personal information. You may opt back in at any time by emailing accounts@nmbs.ai.
To appeal our decision on a California rights request, follow the appeal instructions in the “Your State Privacy Rights” section above.
European Users and GDPR Rights
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws give you additional rights with respect to your personal data. Subject to applicable exceptions, these rights include: the right to access the personal data we hold about you; the right to request correction of inaccurate or incomplete personal data; the right to request erasure (the “right to be forgotten”); the right to restrict or object to our processing of your personal data; the right to data portability; the right to withdraw consent at any time where processing is based on consent; and the right to lodge a complaint with your local supervisory authority.
Our legal bases for processing personal data under the GDPR include: performance of a contract with you; compliance with legal obligations; our legitimate interests in operating and improving the Services, securing our systems, and preventing fraud (where those interests are not overridden by your rights and freedoms); and, where required, your consent. Where we transfer personal data outside the EEA, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.
To exercise any of your GDPR rights, including a request to delete your personal data, please email accounts@nmbs.ai. We will respond to your request within the timeframes required by applicable law. You also have the right to lodge a complaint with the supervisory authority in the country where you reside, work, or believe the alleged infringement occurred.
AI and Machine Learning Model Training
As described in this policy, we may use personal data and content you provide through the Services to train, fine-tune, evaluate, and improve machine learning and large language models, and we may share data with third parties for these purposes. You may opt out of having your personal data used for AI or machine learning model training at any time by emailing accounts@nmbs.ai with the subject line “AI Training Opt-Out.” Once we process your request, we will exclude your personal data from future model training. Please note that opting out does not affect models that have already been trained, and certain Services features that depend on model improvement may be limited as a result.
How We Protect Your Personal Data
We use commercially reasonable administrative, physical, and technical measures designed to protect your personal data from accidental loss or destruction and from unauthorized access, use, alteration, and disclosure. These measures include encryption of personal data in transit and at rest, and role-based access controls that limit access to personal data to authorized personnel with a legitimate business need. However, no website, mobile application, system, electronic storage, or online service is completely secure, and we cannot guarantee the security of your personal data transmitted to, through, using, or in connection with the Services. In particular, email, texts, and chats sent to or from the Services may not be secure, and you should carefully decide what information you send to us via such communications channels. Any transmission of personal data is at your own risk.
The safety and security of your information also depend on you. You are responsible for taking steps to protect your personal data against unauthorized use, disclosure, and access.
How We Retain Your Personal Data
We keep the categories of personal data described in this policy for as long as reasonably necessary to fulfill the purposes described or as otherwise legally permitted or required, such as maintaining the Services, operating our organization, complying with our legal obligations, resolving disputes, and for safety, security, and fraud prevention. This means that we consider our legal and business obligations, potential risks of harm, and nature of the information when deciding how long to retain personal data. At the end of the retention period, personal data will be deleted, destroyed, or deidentified.
For our retention periods by category of personal information collected from California residents, see “Additional Disclosures for California Residents” above.
Data Breach Notification Policy
Upon our detection or notification of any data breach involving your data, we will notify you at your last known physical and/or electronic mailing address without undue delay and as required by applicable law. The data breach notice will inform you of what data was (or may have been) accessed, what steps you can take to protect yourself, and any other pertinent information that we may have to offer you at that time.
Changes to Our Privacy Policy
We may update this policy from time to time, and we will provide notice of any such changes to the policy as required by law. The date the privacy policy was last updated is identified at the top of the page. We will notify you of changes to this policy by updating the "last updated" date and posting the updated policy on the Services. We may email or otherwise communicate reminders about this policy, but you should check our Services periodically to see the current policy and any changes we have made to it.
Contact Information
To exercise your rights or ask questions or comment about this privacy policy or our privacy practices, or to lodge a privacy complaint or concern, please contact us at accounts@nmbs.ai.