Privacy Policy
How nomosly collects, uses, retains, and protects data when you use our visual intelligence API and console.
Introduction
nomosly ("we", "our", "us") operates the nomosly visual intelligence platform (the "Service"). This Privacy Policy describes what personal data we collect, why we collect it, how we use it, and the choices you have. By using the Service you agree to the practices described here.
Data we collect
Account data
When you sign up, our identity provider (Auth0) collects your email, name (if you provide one), and authentication credentials. We receive your email and authenticated user identifier from Auth0 to provision your workspace.
API key metadata
For each API key you create we store: a hashed secret, the scopes you assigned, creation/expiry timestamps, last-used timestamp, and a daily request counter for rate limiting. The plaintext secret is shown to you once at creation and never stored.
Usage records
For every API call we record: the user and key that made the call, the operation (face compare, face detect, label detect, text detect), units consumed, and timestamp. These are used for billing and for the usage views in your console.
Image payloads
Images you submit to the Vision API are forwarded to our processing backend for the duration of the request and discarded as soon as we return a response. We do not persist image bytes in our databases. Image content is not written to application logs.
Billing data
Payment information is handled by our payment processor, Polar. We receive a customer identifier, subscription identifier, and invoice metadata via signed webhooks. We do not see or store full card numbers.
Server logs
Our infrastructure records request metadata including timestamp, source IP, HTTP method, path, and response status. Request and response bodies are explicitly excluded from logs.
How we use data
- Operate, maintain, and improve the Service
- Authenticate users and authorize API requests
- Calculate usage and generate invoices
- Send transactional email (account events, billing receipts)
- Investigate abuse, fraud, and security incidents
- Comply with legal obligations
We do not use your data for advertising, do not sell it to third parties, and do not share it for any purpose other than the ones above.
Biometric data
The face comparison and face detection endpoints process biometric identifiers (facial geometry). Because images are not retained after processing, we do not maintain a biometric database, do not enroll users into a recognition gallery, and cannot identify individuals from past requests.
You are responsible for collecting any consent required by law (BIPA, GDPR Article 9, CCPA, and equivalents) from the individuals whose images you submit. See our Acceptable Use Policy for details.
Retention
| Data | Retention |
|---|---|
| Image payloads | Not retained. Discarded after the response is returned |
| Account data (email, name) | For the lifetime of your account |
| API key metadata (hashed) | For the lifetime of your account, or until you revoke the key |
| Usage records (per-call events) | Retained for billing reconciliation; available in the console |
| Server logs | 30 days, then automatically deleted |
| Invoices | 7 years (tax / accounting compliance) |
You may request deletion of your account and associated data at any time by emailing support@nomosly.com. We will retain the minimum data required to comply with legal and accounting obligations (mainly invoices) and delete the rest.
Subprocessors
We rely on the following third parties to operate the Service:
| Provider | Purpose | Data processed |
|---|---|---|
| Amazon Web Services (US, US-East-1) | Cloud infrastructure: compute, storage, and managed services | All operational data; image payloads while a request is in flight |
| Auth0 (Okta) | Authentication and identity management | Email, name, authentication tokens |
| Polar | Payment processing, invoicing, merchant of record | Email, name, billing address, payment method, invoice history |
Each subprocessor handles your data under their own data processing terms. Materially new subprocessors will be announced before they begin processing your data.
International transfers
Our infrastructure runs in the United States (AWS US-East-1). If you are located outside the US, your data is transferred to and processed in the US. Where required, transfers are covered by the standard contractual clauses adopted by the European Commission and equivalent mechanisms with our subprocessors.
Security
All traffic to the API and console is encrypted with HTTPS/TLS. Data at rest in our databases is encrypted using AWS-managed keys. API key secrets are stored as SHA-256 hashes and never returned in plaintext after the moment of creation. See our Security page for the technical details of our practices.
Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict the processing of your personal data. To exercise any of these rights, email support@nomosly.com from the address associated with your account. We will respond within 30 days.
Children
The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy as the Service evolves. Material changes will be announced by email to active customers and posted to this page with an updated effective date. Your continued use of the Service after the effective date constitutes acceptance.
Contact
For privacy questions, data requests, or to report a concern, contact support@nomosly.com.