Privacy Policy

Last updated: June 28, 2025

Nomly and its affiliates ("Nomly," "we," "us") are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and retain personal information when you visit our website (https://nomly.ai/) or use our services.

1. Who This Policy Applies To

This Privacy Policy applies to U.S.-based restaurant operators and their authorized users who use Nomly's platform. We do not serve consumers directly and do not knowingly collect data from individuals under the age of 18.

• If you are a restaurant operator, you are the controller of any personal data you upload to our platform (e.g., staff schedules, labor cost records). In these cases, Nomly acts as your processor.
• For data related to platform usage, analytics, and AI-generated outputs (e.g., summaries, insights), Nomly acts as a controller.

For privacy-related inquiries or to exercise your rights, contact us at privacy@nomly.ai.

2. What Information We Collect

A. Information You Provide

B. Information We Collect Automatically

We do not collect GPS or mobile telemetry.

C. AI Input and Output Data

We store AI-generated outputs linked to user accounts, such as:

• Summaries of parsed emails
• POS data insights
• Operational alerts

These are stored on a per-location basis for your ongoing use. Inputs/outputs sent to OpenAI (for RAG) and Mistral AI (for OCR) are logged but not used for external model training.

3. How We Use Your Information

We use your data to:

• Operate the Nomly platform and provide services
• Parse incoming emails for operational summaries
• Generate AI-powered insights from POS and labor data
• Track product usage and email engagement
• Comply with legal and security obligations

We do not sell or share your personal information in the legal sense (e.g., under CPRA).

4. Data Retention

• Active user data is retained indefinitely while your account is active.
• Deleted accounts are retained for 30 days, after which they are permanently deleted unless required by law.
• AI outputs and logs are retained for as long as needed to provide the services or as required for audit/compliance.

5. Data Hosting and Transfers

• All data is stored on Supabase (U.S. region) and served via Vercel.
• We do not transfer personal data outside of the U.S.
• We do not use any subprocessors located outside the United States.

6. Security

We implement reasonable technical and organizational measures, including encryption and MFA, to protect your data. No system is 100% secure; please contact us immediately at privacy@nomly.ai if you suspect unauthorized access.

7. Your Rights (U.S. Users Only)

As a California resident (CPRA), you have the right to:

• Request access to your personal data
• Correct inaccurate data
• Delete your data
• Opt out of marketing emails
• Request details about third-party disclosures
• Limit use of sensitive data (e.g., labor cost info)

To exercise your rights, email privacy@nomly.ai. We may need to verify your identity before fulfilling your request.

8. Third-Party Services

We use:

• Google Analytics for usage tracking
• Email providers to send and track engagement

We do not currently run behavioral advertising or use ad pixels.

Our site may include links to external websites. We are not responsible for the privacy practices of those third parties.

9. Children

Nomly is intended for business use only and is not directed at anyone under 18.

10. Updates to This Policy

We may revise this Privacy Policy from time to time. If we make material changes, we'll notify you via email or an in-app notice. The date at the top will always reflect the latest version.

For any privacy-related questions, please contact:

• Email: privacy@nomly.ai
• Website: https://nomly.ai