Privacy Policy

Last Updated: December 2025

This Privacy Policy describes how Nezu ("we," "us," or "our") collects, uses, and shares information about you when you use our website, application, and services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.


1. Information We Collect


1.1 Information You Provide to Us

Account Information

  • Email address

  • Password (encrypted and securely stored)

  • Display name (optional)

  • Profile photo (optional)

Content You Create

  • Workspaces and their names

  • Conversation nodes and their content

  • Messages you send to AI models

  • AI-generated responses

  • Files you upload (PDFs, images, documents up to 10MB)

Payment Information

  • When you subscribe to a paid plan, payment information (credit card details, billing address) is collected and processed directly by Stripe, our payment processor. We do not store your full credit card number on our servers.

Waitlist Information

  • If you join our waitlist, we collect your email address.

Communications

  • When you contact us for support, we collect the information you provide in your communications.


1.2 Information Collected Automatically

Usage Data

  • Message counts and usage statistics for subscription tier enforcement

  • Node and workspace creation counts

  • Subscription status and billing cycle information

Cookies and Similar Technologies

  • Authentication cookies to maintain your logged-in session

  • Short-lived redirect cookies for authentication flows (expire within seconds)

Log Data

  • IP addresses (for rate limiting and security purposes)

  • Browser type and version

  • Pages visited and time spent

  • Error logs for debugging purposes


1.3 Information from Third-Party Services

Google OAuth

  • If you sign in with Google, we receive your email address and name from Google.



2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our Services — Create and manage your account, workspaces, and conversation nodes

  • Process your transactions — Manage subscriptions, process payments, and enforce usage limits

  • Send you communications — Waitlist confirmations, account notifications, subscription updates, and support responses

  • Improve our Services — Analyze usage patterns to improve functionality and user experience

  • Ensure security — Detect, prevent, and respond to fraud, abuse, and security incidents

  • Comply with legal obligations — Respond to legal requests and prevent harm



3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:


3.1 Third-Party Service Providers

We use trusted third-party services to operate our platform:

Service | Purpose | Data Shared
Supabase | Database, authentication, file storage | Account data, workspaces, messages, uploaded files
Stripe | Payment processing | Email, billing information, payment details
Resend | Email delivery | Email address, email content
OpenRouter | AI model access | Your messages and conversation context sent to AI models


3.2 AI Model Providers

When you use AI features, your messages and conversation context are sent to third-party AI providers including:

  • OpenAI (GPT models)

  • Anthropic (Claude models)

  • Google (Gemini models)

  • xAI (Grok models)

These providers process your data according to their own privacy policies. We recommend reviewing their policies:

Important: Your conversation content is sent to these providers to generate AI responses. While we use API access (not consumer products), each provider has different data retention and training policies.


3.3 Shared Workspaces

If you create a shareable link for a workspace, anyone with that link can view the workspace content in read-only mode. You control whether to create or revoke shared links.


3.4 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to:

  • Comply with legal obligations

  • Protect our rights, privacy, safety, or property

  • Prevent fraud or security issues

  • Protect the rights and safety of our users or the public


3.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.



4. Data Retention

We retain your information for as long as your account is active or as needed to provide you with our Services.

  • Account data: Retained until you delete your account

  • Workspaces, nodes, and messages: Retained until you delete them or your account

  • Uploaded files: Retained until you delete them or your account

  • Payment records: Retained as required for tax and legal compliance (typically 7 years)

  • Waitlist emails: Retained until you unsubscribe or request deletion

  • Log data: Retained for up to 90 days for security and debugging purposes

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or legitimate business purposes.



5. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption: All data is transmitted over encrypted HTTPS/TLS connections

  • Password security: Passwords are hashed using industry-standard algorithms (bcrypt)

  • Access controls: Row-level security policies ensure you can only access your own data

  • API key protection: All API keys (AI providers, payment processing) are stored server-side only and never exposed to clients

  • Secure authentication: Session management with secure, httpOnly cookies

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.



6. Your Rights and Choices

Depending on your location, you may have the following rights:


6.1 Access and Portability

You can access your account information, workspaces, and messages through the Services at any time.


6.2 Correction

You can update your profile information through your account settings.


6.3 Deletion

You can delete individual workspaces, nodes, messages, and files. You can also request deletion of your entire account by contacting us.


6.4 Objection and Restriction

You may object to or request restriction of certain processing of your information.


6.5 Withdraw Consent

Where we rely on consent, you can withdraw it at any time.


6.6 Email Communications

You can opt out of marketing emails by clicking "unsubscribe" in any email. You cannot opt out of transactional emails related to your account.

To exercise these rights, contact us at matthewlaznicka@gmail.com



7. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States, where our service providers operate. These countries may have different data protection laws.

When we transfer data internationally, we use appropriate safeguards such as:

  • Standard contractual clauses

  • Service providers with adequate privacy certifications

  • Your consent where applicable


8. Children's Privacy

Our Services are not intended for children under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.



9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.

  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

  • Right to Correct: You can request that we correct inaccurate personal information that we maintain about you.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.

  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA.

To exercise these rights, contact us at matthewlaznicka@gmail.com



10. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on:

    • Contract: To provide you with our Services

    • Legitimate interests: To improve our Services and ensure security

    • Consent: For optional features and marketing communications

    • Legal obligation: To comply with applicable laws

  • Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.

  • Data Protection Officer: For GDPR-related inquiries, contact us at matthewlaznicka@gmail.com


11. Cookies Policy

We use minimal cookies necessary for the functioning of our Services:

Cookie | Purpose | Duration
Supabase session cookies | Maintain authenticated session | Session
Auth redirect cookie | Prevent authentication loops | 5 seconds

We do not use:

  • Marketing or advertising cookies

  • Third-party tracking cookies

  • Analytics cookies


12. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.



13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page

  • Updating the "Last Updated" date

  • Sending you an email notification (for material changes)

Your continued use of the Services after changes become effective constitutes your acceptance of the revised Privacy Policy.



14. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Email: support@nezu.app



15. Supplemental Notices


For AI-Generated Content

  • AI responses are generated by third-party providers and may be inaccurate

  • We do not guarantee the accuracy, completeness, or reliability of AI outputs

  • AI providers may have their own data practices regarding inputs and outputs

For File Uploads

  • Files you upload are stored securely in Supabase Storage

  • We do not scan or analyze file contents except to provide the Services

  • Files may be sent to AI providers if you include them in conversations

For Shared Workspaces

  • Shared workspaces are publicly accessible via their unique link

  • Anyone with the link can view all content in that workspace

  • You are responsible for not sharing sensitive information in public workspaces
