Privacy Policy

Naauai Inc. Last updated: May 2026


Our Commitment

Naauai is built for people who handle sensitive information professionally. We take the same standard of care with yours. This policy explains plainly what we collect, why we collect it, and the choices you have over it. We do not sell your data. We do not use your platform activity to train external AI models. We do not share your information with advertisers.

If something in this policy is unclear, contact us at privacy@naauai.com.


1. Who We Are

Naauai is operated by Naauai Inc., a company incorporated in the State of Delaware, United States ("Naauai", "we", "us", "our").

For users in the European Economic Area (EEA) or United Kingdom, Naauai Inc. acts as the data controller in respect of your personal data, and Section 11 of this policy describes the additional protections that apply to you.


2. What We Collect

2.1 Information you provide directly

  • Account information — your name, professional title, email address, and password when you register.
  • Profile information — organisation, industry, role, and areas of focus you provide to personalise your experience.
  • Payment information — billing name, address, and payment method details. Card numbers are processed by our payment provider (Stripe) and are not stored on our systems.
  • Content you create — notes, clippings, annotations, and collections you save in Notebooks.
  • Communications — messages you send to our support team, responses to surveys, and feedback you submit.

2.2 Information collected automatically

  • Usage data — pages and content viewed, features used, time spent, search queries within the platform, and navigation paths.
  • Device and technical data — IP address, browser type and version, operating system, device identifiers, and referring URLs.
  • Session data — login timestamps, session duration, and authentication events.
  • AI Advisor interaction logs — queries submitted to the AI Executive Advisor and responses generated, stored to support your session history and platform quality.

2.3 Information from third parties

  • Single Sign-On (SSO) providers — if your organisation uses SSO, we receive the profile attributes passed by your identity provider (typically name and email).
  • Payment processors — Stripe may share confirmation of successful transactions and billing status.
  • Analytics providers — aggregated, anonymised behaviour data from tools we use to understand platform performance.

3. How We Use Your Information

We use your information for the following purposes, each grounded in a lawful basis:

Purpose | Lawful Basis
Providing and maintaining your account and platform access | Contract performance
Personalising your learning paths, content recommendations, and AI Advisor responses | Contract performance / Legitimate interests
Processing payments and managing billing | Contract performance / Legal obligation
Sending service communications (account updates, security alerts, billing receipts) | Contract performance / Legal obligation
Sending editorial updates, new content alerts, and product news | Legitimate interests (with opt-out)
Improving platform features, content quality, and AI tool performance | Legitimate interests
Detecting and preventing fraud, abuse, and security incidents | Legitimate interests / Legal obligation
Complying with legal obligations and responding to lawful requests | Legal obligation
Conducting anonymised research and analysis to understand aggregate usage | Legitimate interests

We do not use your personal Notebook content, AI Advisor queries, or individual behavioural data to train AI models made available to other users or third parties.


4. The AI Executive Advisor

Your interactions with the AI Executive Advisor — including queries, conversation history, and any documents or context you share during a session — are:

  • Processed to generate your response in real time
  • Stored to support your session history and allow you to revisit past interactions
  • Used in aggregate, anonymised form to monitor and improve response quality
  • Never shared with other users
  • Never used to train externally accessible AI models

Sensitive information you choose to include in Advisor queries (for example, internal business details or financial figures) is held in accordance with our enterprise security standards and deleted in accordance with the retention schedule in Section 8.


5. Sharing Your Information

We do not sell your personal information. We share it only in the following circumstances:

Infrastructure and service providers — we engage third-party vendors who process data on our behalf under binding data processing agreements. Our primary infrastructure providers include:

  • Vercel — application hosting and edge delivery (United States)
  • Neon — database infrastructure (United States)
  • Cloudflare — CDN, DDoS protection, and network security (United States)
  • Stripe — payment processing
  • AI model provider — model inference for the Executive Advisor; inputs are processed under a zero data retention agreement and are not used to train base models

These providers may only use your data to provide their services to us and are contractually bound to maintain appropriate security standards.

Enterprise accounts — if your access is provided through an organisational licence, your account administrator may have visibility of your usage data and learning progress as configured under your organisation's agreement.

Legal requirements — we may disclose information when required by law, court order, or governmental authority, or where necessary to protect the rights, safety, or property of Naauai, our users, or the public.

Business transfers — in the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity. We will notify you before your data is subject to a materially different privacy policy.

With your consent — for any other purpose, with your explicit prior consent.


6. Cookies and Tracking

We use cookies and similar technologies to operate the platform, remember your preferences, and understand how the platform is used. See our Cookie Policy for details.


7. Your Privacy Rights

All users

Regardless of your location, you may:

  • Access your account information at any time via your account settings
  • Correct inaccurate information by updating your account profile
  • Delete your account and associated personal data by contacting privacy@naauai.com
  • Opt out of marketing communications via the unsubscribe link in any email or through account settings

California residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete — request deletion of your personal information, subject to certain exceptions.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — we do not sell personal information and do not share it for cross-context behavioral advertising. No action is required.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information beyond what is necessary to provide our services.
  • Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.

To submit a CCPA request, contact privacy@naauai.com. We will respond within 45 days. You may designate an authorized agent to make requests on your behalf.

Residents of other US states

Several states have enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA). Where these laws apply to your use of Naauai, you may have rights similar to those described above. Contact privacy@naauai.com to exercise any applicable state privacy rights.

EEA and UK users

See Section 11 for additional rights that apply under GDPR and UK GDPR.

We will respond to all rights requests within 45 days (30 days for EEA/UK requests). There is no charge for making a request.


8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. Specifically:

  • Account data — retained for the duration of your account and deleted within 90 days of account closure, unless we are required to retain it longer by law.
  • Notebook content — retained until deleted by you, or for 90 days following account closure.
  • AI Advisor interaction logs — retained for 12 months, then deleted or anonymised.
  • Billing records — retained for 7 years in accordance with financial record-keeping obligations.
  • Security and access logs — retained for 12 months.

You may request early deletion of your data at any time by contacting privacy@naauai.com.


9. Security

Naauai is SOC 2 compliant. We implement technical and organizational security measures appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls limiting internal access to personal data
  • Infrastructure running on Vercel (application layer), Neon (database), and Cloudflare (edge and security), all operating within United States data centers
  • Regular penetration testing and security audits
  • Incident response procedures with breach notification protocols consistent with applicable US state data breach notification laws

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@naauai.com.


10. Data Location

Naauai Inc. is headquartered in the United States. All platform data is stored and processed in the United States using the infrastructure described in Section 5. We do not routinely transfer personal data outside the United States.

If you access the platform from outside the United States, your data will be transferred to and processed in the United States. If you are located in the EEA or UK, see Section 11 for the legal mechanisms we rely on for that transfer.


11. Additional Protections for EEA and UK Users

If you are located in the European Economic Area or United Kingdom, the following additional provisions apply.

Legal bases for processing — we process personal data on the following legal bases under GDPR / UK GDPR:

  • Contractual necessity — processing required to provide the platform and fulfill your subscription
  • Legitimate interests — platform improvement, security, and service communications, balanced against your rights
  • Consent — marketing communications and non-essential cookies (withdrawable at any time)
  • Legal obligation — compliance with applicable law

International transfer mechanism — transfers of personal data from the EEA or UK to the United States are made pursuant to the EU–U.S. Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs) as approved by the European Commission. Copies of applicable transfer mechanisms are available on request at privacy@naauai.com.

Additional rights — in addition to the rights described in Section 7, EEA and UK users have the right to:

  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests
  • Data portability — receive your data in a structured, machine-readable format
  • Lodge a complaint with your local data protection supervisory authority (for EEA users, the relevant national authority; for UK users, the Information Commissioner's Office)

Naauai Inc. does not currently maintain a formal EU or UK establishment. For GDPR inquiries, contact privacy@naauai.com.


12. Children

Naauai is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us at privacy@naauai.com and we will delete it promptly.


13. Changes to This Policy

We may update this policy periodically. When we make material changes, we will notify you by email and by posting a prominent notice on the platform at least 14 days before the changes take effect. Your continued use of Naauai after that date constitutes acceptance of the revised policy.


14. Contact

Privacy inquiries and rights requests: privacy@naauai.com

Security concerns: security@naauai.com

Postal address: Naauai Inc. United States