Privacy Policy
Last updated: May 1, 2026
This Privacy Policy describes how NebuSec (“we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you access or use our web application, related websites, and online services (collectively, the “Service”). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
If you do not agree with this Privacy Policy, please do not access or use the Service. Your use of the Service is also governed by our Terms of Service. We may update this Privacy Policy from time to time; the “Last updated” date above reflects the effective date of the current version. Material changes will be communicated as required by applicable law.
1. Scope and applicability
This Privacy Policy applies to personal information processed in connection with the Service. It applies whether you access the Service directly or through integrations, embeds, or connected third-party platforms. Certain features may be subject to supplemental notices or terms presented at the point of collection.
2. Information we collect
We may collect the following categories of information:
- Account and authentication information. If you sign in with Google or another identity provider, we may receive or associate your account with identifiers such as your name, email address, profile picture, and subject identifier issued by the provider. We process this information to authenticate you, maintain your session, and secure the Service.
- Information you provide. Content and metadata you submit through the Service (for example, forms, uploads, preferences, support requests, and communications).
- Usage and technical data. Information about how you interact with the Service, including IP address, device and browser type, operating system, referring URLs, pages viewed, timestamps, diagnostics, crash data, and approximate location derived from IP address.
- Cookies and similar technologies. We and our service providers may use cookies, local storage, pixels, and similar technologies for authentication, security, preferences, analytics, and performance measurement.
- Information from Google APIs and Google services. If you authorize the Service to access Google APIs or Google user data (including Google Workspace or consumer Google accounts), we collect and process only the data scopes you authorize and only as described in this Privacy Policy and any in-product disclosures. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. How we use information
We use collected information to:
- Provide, operate, maintain, and improve the Service;
- Authenticate users, prevent fraud, and protect security and integrity;
- Communicate with you regarding the Service, including technical notices, updates, and support responses;
- Analyze usage and performance to understand trends and improve reliability and user experience;
- Comply with legal obligations, enforce our terms, and exercise or defend legal claims; and
- Conduct internal business operations, including auditing, accounting, and corporate transactions consistent with applicable law.
We do not sell your personal information as “sell” is commonly defined under applicable U.S. state privacy laws. We do not use Google user data for serving ads unless separately disclosed and permitted under applicable agreements and policies.
4. Legal bases (where applicable)
Where the GDPR or similar laws apply, we process personal information where we have a lawful basis, including: performance of a contract; legitimate interests that are not overridden by your rights; consent where required; and compliance with legal obligations.
5. Disclosure of information
We may disclose information as follows:
- Service providers. Vendors that host infrastructure, provide analytics, deliver email, monitor security, or otherwise assist in operating the Service, subject to confidentiality and processing terms.
- Google and integrated platforms. When you connect Google accounts or use Google-hosted deployment models, information may be processed by Google pursuant to Google’s policies and your settings.
- Legal and safety. Regulators, courts, law enforcement, or other parties when required by law or when we reasonably believe disclosure is necessary to protect rights, safety, or security.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.
- With your direction or consent. Any other disclosure you authorize.
6. Data retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods vary based on the nature of the data, legal obligations, dispute resolution, and legitimate business needs.
7. Security
We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. No method of transmission over the Internet or electronic storage is completely secure; accordingly, we cannot guarantee absolute security.
8. International transfers
If you access the Service from outside the country where we operate, your information may be transferred to and processed in countries that may have different data protection laws. Where required, we implement appropriate safeguards such as standard contractual clauses or equivalent mechanisms.
9. Your rights and choices
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal information, and to data portability or withdrawal of consent where processing is consent-based. You may also have the right to lodge a complaint with a supervisory authority.
California residents may have additional rights under the California Consumer Privacy Act, as amended (“CCPA”), including rights to know, delete, and correct personal information, and to opt out of certain sharing practices where applicable. We do not discriminate for exercising privacy rights.
To exercise applicable rights, contact us using the information below. We may need to verify your identity before fulfilling certain requests.
10. Children’s privacy
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will take appropriate steps to delete such information.
11. Third-party links and services
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to review third-party privacy policies, including Google’s Privacy Policy available at https://policies.google.com/privacy.
12. Changes to this Privacy Policy
We may revise this Privacy Policy periodically. We will post the updated policy on this page and update the “Last updated” date. Where required, we will provide additional notice or obtain consent.
13. Contact us
If you have questions or requests regarding this Privacy Policy or our privacy practices, please contact NebuSec at root@nebusec.ai.