Privacy Policy
Last updated: November 3, 2025
Effective Date: November 3, 2025 | Version 1.0
1. Introduction
Nelieo ("Nelieo," "we," "us," or "our") is committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal data. This Privacy Policy explains our practices regarding data collection and processing when you use our AI-native operating system and related services (collectively, the "Services").
This policy applies to all users of our website, waitlist, and Services. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Key Principles:
- Transparency: We clearly communicate what data we collect and why
- Minimal Collection: We only collect data necessary for our Services
- User Control: You have full control over your data
- Security First: We employ industry-leading security measures
- Compliance: We comply with GDPR, CCPA, and other privacy regulations
2. Data Controller
The controller within the meaning of data protection laws, in particular the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), is:
Nelieo
Country: United States
Email: triunex.shorya@gmail.com
Data Protection Officer: triunex.work@gmail.com
Website: https://nelieo.com
For any questions regarding this Privacy Policy or our data processing practices, please contact our Data Protection Officer using the contact details above.
3. Data We Collect
We collect several types of information from and about users of our Services:
3.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, company name | Account creation, authentication, communication |
| Waitlist Data | Email, name, company, use case | Early access management, product development |
| Profile Information | Job title, industry, preferences | Service personalization, feature development |
| Communication Data | Support messages, feedback, survey responses | Customer support, service improvement |
| Payment Information | Billing address, payment method (via Stripe) | Transaction processing, billing |
3.2 Automatically Collected Information
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, interaction patterns, session duration
- Location Data: General location based on IP address (country/region level)
- Cookies & Tracking: See Section 9 for detailed information
- Log Data: Server logs, error reports, performance metrics
3.3 Information from Third Parties
We may receive information about you from third-party services you choose to connect with our Services, such as OAuth providers (Google, Microsoft), analytics providers, and business intelligence tools.
4. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Consent (Art. 6(1)(a) GDPR) | Marketing communications, newsletter subscriptions, optional cookies |
| Contract Performance (Art. 6(1)(b) GDPR) | Account creation, service delivery, payment processing |
| Legal Obligation (Art. 6(1)(c) GDPR) | Tax compliance, record keeping, law enforcement requests |
| Legitimate Interests (Art. 6(1)(f) GDPR) | Security, fraud prevention, analytics, service improvement |
5. How We Use Your Data
We use the collected information for the following purposes:
Service Delivery
- Provide and maintain our Services
- Process transactions and payments
- Authenticate users and prevent fraud
- Provide customer support
Communication
- Send service updates and notifications
- Respond to inquiries and requests
- Send marketing communications (with consent)
- Conduct surveys and research
Improvement & Analytics
- Analyze usage patterns and trends
- Develop new features and services
- Optimize user experience
- Conduct A/B testing and research
Legal & Security
- Comply with legal obligations
- Protect against security threats
- Enforce our terms of service
- Protect rights and property
6. Data Sharing & Processors
We do not sell your personal data. We may share your information with the following categories of recipients:
6.1 Service Providers (Processors)
| Provider | Service | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Google Cloud Platform | Cloud hosting, infrastructure | All service data | USA, EU | DPA, SCCs, Privacy Shield successor |
| Stripe | Payment processing | Payment information, email | USA | PCI-DSS certified, DPA |
| Google Analytics | Web analytics | Usage data, IP (anonymized) | USA | IP anonymization, DPA |
| SendGrid/Mailgun | Email delivery | Email address, name, email content | USA | DPA, encryption in transit |
| Sentry | Error monitoring | Error logs, device info | USA | DPA, data filtering |
6.2 Other Disclosures
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with mergers, acquisitions, or asset sales
- Protection: To protect our rights, privacy, safety, or property
- With Consent: When you explicitly authorize disclosure
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data (active users) | Duration of account + 30 days | Service provision, account recovery |
| Waitlist data | Until launch + 12 months | Early access management, communication |
| Transaction records | 7 years | Legal requirement, tax compliance |
| Marketing consent records | 3 years after last interaction | Compliance demonstration |
| Server logs | 14 days (IP anonymized after 24h) | Security, performance monitoring |
| Analytics data | 14 months (Google Analytics) | Service improvement, trend analysis |
| Support communications | 3 years | Quality assurance, legal protection |
Upon deletion, data is removed from active systems within 30 days and from backups within 90 days.
8. Your Rights as a Data Subject
Depending on your location, you have the following rights regarding your personal data:
Right to Access (Art. 15 GDPR)
Request a copy of your personal data we hold and information about how we process it.
Right to Rectification (Art. 16 GDPR)
Correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure (Art. 17 GDPR)
Request deletion of your personal data under certain circumstances ("right to be forgotten").
Right to Restriction (Art. 18 GDPR)
Limit how we use your data if you contest its accuracy or object to processing.
Right to Data Portability (Art. 20 GDPR)
Receive your data in a structured, commonly used format and transmit it to another controller.
Right to Object (Art. 21 GDPR)
Object to processing based on legitimate interests, including profiling and direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent (does not affect lawfulness of prior processing).
Right to Lodge a Complaint
File a complaint with your local data protection authority if you believe we've violated your rights.
8.1 How to Exercise Your Rights
To exercise any of these rights, please contact us at triunex.shorya@gmail.com with:
- Your full name and email address associated with your account
- Clear description of the right you wish to exercise
- Any supporting information to verify your identity
Response Time: We will respond to your request within 30 days (GDPR) or 45 days (CCPA) of verification.
8.2 Supervisory Authorities
You have the right to lodge a complaint with your local supervisory authority:
EU/EEA: Find your Data Protection Authority
UK: Information Commissioner's Office (ICO)
California: California Attorney General
10. International Data Transfers
As a global service, we may transfer your personal data to countries outside your jurisdiction, including to the United States where our primary servers are located.
10.1 Transfer Mechanisms
For transfers from the EU/EEA to third countries, we implement appropriate safeguards:
| Recipient Country | Safeguard Mechanism | Description |
|---|---|---|
| United States | Standard Contractual Clauses (SCCs) | EU Commission-approved model clauses for data transfers |
| United Kingdom | Adequacy Decision | EU Commission has recognized UK's adequate protection level |
| Switzerland | Adequacy Decision | Recognized as providing adequate data protection |
10.2 Additional Safeguards
- Encryption: All data transfers are encrypted using TLS 1.3
- Data Processing Agreements: Binding contracts with all processors
- Security Measures: Technical and organizational measures meeting EU standards
- Regular Audits: Compliance assessments of transfer mechanisms
You can request copies of the safeguards we have in place by contacting triunex.shorya@gmail.com.
9. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, analyze usage, and deliver personalized content.
9.1 Types of Cookies We Use
9.2 Third-Party Cookies
We work with third-party services that may set their own cookies:
- Google Analytics: Website analytics and user behavior tracking
- YouTube: Video embedding and playback
- Stripe: Payment processing and fraud detection
9.3 Managing Cookie Preferences
You can control cookies through:
- Cookie Consent Banner: Adjust preferences through our cookie consent tool
- Browser Settings: Configure your browser to reject or delete cookies
- Opt-Out Tools: Use industry opt-out mechanisms like DAA Opt-Out or Your Online Choices
Browser-Specific Instructions:
Note: Disabling certain cookies may limit functionality and prevent you from using some features of our Services.
11. Security Measures
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration.
11.1 Technical Safeguards
Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
- End-to-end encryption for sensitive operations
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Principle of least privilege
Monitoring
- 24/7 security monitoring
- Intrusion detection systems
- Regular vulnerability scanning
Backup & Recovery
- Regular automated backups
- Disaster recovery procedures
- Business continuity planning
11.2 Organizational Measures
- Employee Training: Regular privacy and security training for all staff
- Data Minimization: Collect only necessary data
- Access Logging: Audit trails for all data access
- Vendor Management: Due diligence on all third-party processors
- Incident Response: Documented breach notification procedures
11.3 Certifications & Compliance
Data Breach Notification: In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33.
12. Third-Party Services
Our Services integrate with various third-party platforms. When you use these integrations, additional privacy policies may apply.
12.1 Analytics & Performance
Google Analytics
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: Website analytics, user behavior analysis, performance optimization
Data Collected: IP address (anonymized), device info, pages visited, session duration
Retention: 14 months (automatically deleted)
Opt-Out: Google Analytics Opt-out Browser Add-on
Privacy Policy: Google Privacy Policy
12.2 Payment Processing
Stripe
Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
Purpose: Payment processing, subscription management, fraud prevention
Data Collected: Payment information, billing address, transaction history
Security: PCI-DSS Level 1 certified
Note: We do not store complete payment card details on our servers
Privacy Policy: Stripe Privacy Policy
12.3 Communication & Email
Email Service Providers
Providers: SendGrid/Mailgun
Purpose: Transactional emails, newsletters, notifications
Data Shared: Email address, name, email content
Double Opt-In: We use verified opt-in for marketing communications
12.4 Embedded Content
YouTube
Provider: Google LLC / YouTube, LLC
Purpose: Video embedding and playback
Privacy Mode: We use YouTube's privacy-enhanced mode (youtube-nocookie.com)
Control: Videos only load when you click play
Privacy Policy: YouTube Privacy Policy
Google Fonts
Purpose: Display web fonts for consistent typography
Data Shared: IP address, browser information
Alternative: Fonts may be cached locally in future updates
12.5 Social Media
We use a 2-click solution for social media plugins to protect your privacy:
- Plugins are initially inactive
- No data is transmitted until you manually activate them
- Activation enables direct connection to the social network
- If you're logged into the social network, your visit may be tracked
13. Children's Privacy
Our Services are not intended for individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.
13.1 Age Verification
- We require users to confirm they meet the minimum age requirement
- Account creation is restricted to individuals 16 years or older
- We implement age-appropriate design measures
13.2 Parental Rights
If you believe we have inadvertently collected data from a child:
- Contact us immediately at triunex.shorya@gmail.com
- We will delete the data within 48 hours of verification
- Parents can request access to their child's data
COPPA Compliance (US): We comply with the Children's Online Privacy Protection Act and do not collect data from children under 13.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
14.1 California Consumer Rights
- Right to Know: Request disclosure of categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of your personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt-out of the "sale" or "sharing" of personal information
- Right to Limit: Limit use of sensitive personal information
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
14.2 Categories of Personal Information
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, IP address)
- Commercial information (transaction history)
- Internet activity (browsing behavior, interactions)
- Geolocation data (general location)
- Inferences (preferences, characteristics)
14.3 Sale of Personal Information
We do not sell your personal information. We do not and will not sell your personal data to third parties for monetary or other valuable consideration.
14.4 Exercising California Rights
To submit a request, contact us at:
- Email: triunex.shorya@gmail.com
- Subject Line: "California Privacy Rights Request"
- Include: Your name, email, and specific right you wish to exercise
Verification: We will verify your identity before processing requests. Response within 45 days.
14.5 Authorized Agent
You may designate an authorized agent to make a request on your behalf. The agent must provide proof of authorization.
14.6 "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about disclosures to third parties for direct marketing. We do not share personal information with third parties for their direct marketing purposes.
15. GDPR Compliance (EU/EEA/UK)
For individuals in the European Union, European Economic Area, and United Kingdom, we comply fully with the General Data Protection Regulation (GDPR).
15.1 Lawful Basis Summary
| Processing Activity | Legal Basis | Your Options |
|---|---|---|
| Service delivery | Contract performance (Art. 6(1)(b)) | Required for service use |
| Marketing emails | Consent (Art. 6(1)(a)) | Opt-out anytime via unsubscribe |
| Analytics | Legitimate interest (Art. 6(1)(f)) | Object or adjust cookie settings |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Required by law |
15.2 Data Protection Officer
You can contact our Data Protection Officer at: triunex.work@gmail.com
15.3 Representative in the EU
If required under GDPR Article 27, we will appoint an EU representative and provide contact details here.
15.4 Cross-Border Transfers
We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EU/EEA. See Section 10 for details.
15.5 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority in your EU member state:
- Find your authority: EDPB Member List
- UK: Information Commissioner's Office
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
16.1 Notification of Changes
- Material Changes: We will notify you via email and/or prominent notice on our website at least 30 days before changes take effect
- Minor Changes: Updated "Last Updated" date at the top of this policy
- Version History: Available upon request
16.2 Your Continued Use
Your continued use of our Services after the effective date of changes constitutes acceptance of the updated policy. If you do not agree to changes, please discontinue use and contact us to delete your account.
16.3 Archived Versions
Previous versions of this Privacy Policy are archived and available upon request at triunex.shorya@gmail.com.
17. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
17.1 Request Response Time
- GDPR (EU/UK): Within 30 days (may extend to 60 days for complex requests)
- CCPA (California): Within 45 days (may extend to 90 days)
- General Inquiries: Within 3 business days
Commitment to Privacy
At Nelieo, we believe privacy is a fundamental right. We are committed to protecting your personal data, providing transparency in our practices, and giving you control over your information. We continuously review and improve our privacy practices to ensure they meet the highest standards.
This Privacy Policy was last reviewed and updated on November 3, 2025. We conduct regular privacy impact assessments and maintain detailed records of processing activities as required by GDPR Article 30.