Privacy Policy
Last updated: April 17, 2025
1. Data Controller
The data controller for your personal data is Nomos (trade name, company being incorporated), registered address: 28903 Getafe, Madrid, Spain.
Contact: nomos.servicedesk@gmail.com
Note: Full legal identification details will be updated once the company is formally incorporated. If you need formal identification at any time, please write to the email address above.
2. Data We Collect
- Account data: email address, username, password (encrypted by Firebase Auth).
- User-uploaded content: text, instructions, and documents provided for document generation.
- Images: image files uploaded for analysis and inclusion in documents.
- Audio: voice recordings for transcription. Audio files are not stored permanently; they are processed in memory and deleted after transcription.
- Generated documents: the text and information produced by the system from user instructions.
- Knowledge base: reference instructions and data that users configure per organization to guide document generation.
- Payment data: handled entirely by Stripe. Nomos does not store card details.
- Technical usage data: activity logs, session identifiers, operation metadata.
3. Purposes and Legal Basis
Service provision
We process your data to provide Nomos features: document generation, image analysis, audio transcription, and translation. Legal basis: Art. 6(1)(b) GDPR (contract performance).
AI processing
Content you provide may be sent to AI providers (OpenAI, Anthropic) for processing. Legal basis: Art. 6(1)(b) GDPR (contract performance) and, where applicable, Art. 6(1)(a) (consent given when accepting these terms).
Payment and credit management
We process billing data to manage credit purchases. Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR (legal billing obligation).
Security and fraud prevention
We process activity logs to detect misuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
4. Third-Party Service Providers
Nomos uses the following external services acting as data processors or recipients:
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase / GCP | Data storage, authentication, backend logic | European Union (eur3 / europe-west1) |
| OpenAI, LLC | Text generation, image analysis, audio transcription, embeddings | United States |
| Anthropic PBC | Text generation (alternative model) | United States |
| Stripe, Inc. | Credit payment processing | United States (PCI-DSS Level 1) |
| Vercel, Inc. | Frontend hosting | Global CDN |
5. International Data Transfers
AI providers (OpenAI and Anthropic) and Stripe are headquartered in the United States. Data transfers to these providers are made under the Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914), ensuring an equivalent level of protection to that required in the EU.
Content you enter on the platform (text, images, audio) may be processed on servers located in the United States when using document generation, image analysis, or audio transcription features. By accepting these terms, you expressly consent to such international transfer for the provision of the service.
User data at rest (account, stored documents, settings) is kept in European Google Cloud data centers (region eur3 / europe-west1).
6. Data Retention
Your data will be retained while your account is active or as needed to provide the service. After account cancellation, data will be deleted or anonymized within a reasonable timeframe, unless there is a legal obligation to retain it longer (e.g., billing data for the period required by applicable tax law).
Audio files uploaded for transcription are processed and deleted immediately after the operation; only a partial transcription summary (maximum 1,000 characters) is retained for audit purposes.
7. Your Rights
Under the GDPR, you have the right to:
- Access: request confirmation and a copy of the data we process about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data when it is no longer necessary or you withdraw consent.
- Restriction of processing: request that we suspend processing under certain circumstances.
- Data portability: receive your data in a structured, commonly used format.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: at any time, without affecting the lawfulness of prior processing.
You can exercise your rights by writing to nomos.servicedesk@gmail.com stating the right you wish to exercise and attaching a copy of your identity document. We will respond within one month, extendable by two months in complex cases.
8. Complaint to a Supervisory Authority
If you believe that the processing of your data violates data protection law, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority at edpb.europa.eu. In Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD): www.aepd.es
10. Special Categories of Data
Nomos is not designed or enabled to process special categories of data under Art. 9 GDPR (health data, ideology, religion, racial origin, sexual orientation, trade union membership, genetic or biometric data, criminal convictions). Users agree not to upload this type of data to the platform.
11. Changes to This Policy
Nomos may update this Privacy Policy at any time. Substantial changes will be communicated via a platform notice or email at least 15 days in advance. Continued use of the service after changes take effect constitutes acceptance.
© 2026 Nomos. All rights reserved.