Privacy Policy
We respect your data. This page explains what we collect, why, and your rights regarding it. Plain English first; legal precision second.
The short version
If you only read one paragraph: we collect the minimum data needed to operate the platform, we don't sell your raw personal information, we use industry-standard security practices, and you can email hello@nimbox.app at any time to access, correct, or delete your data.
1. What we collect
Three categories of data:
- Account data — email address, optional name, login method (Google/Apple/email). Voluntary; you provide it when signing up.
- Usage data — pages visited, destinations viewed, position calculator inputs, share actions. Collected automatically via privacy-first analytics (Plausible).
- Trip data — destinations you track, trip dates, weather risk preferences. You provide this when using the trip-planning features.
We do not collect: government-issued IDs, social security numbers, exact location coordinates, financial account numbers (handled by Stripe), or biometric data.
2. Why we collect it
Your data powers four uses:
- Operating the platform — authenticating accounts, displaying personalized forecasts, processing subscription payments via Stripe.
- Improving the product — anonymized aggregate analytics on which features are used, where users get stuck, what destinations get the most attention.
- Communicating with you — confirmation emails, feature announcements (with opt-in), Trip Risk Report newsletter (only if you subscribe), founder updates for registered users.
- Aggregated audience products — fully anonymized cohort data may be used in aggregate audience products sold to advertisers and licensees. Raw personal information is never sold. See section 4 below.
3. Who we share data with
We use third-party service providers to operate the platform. Each is bound by data processing agreements:
- Stripe — payment processing for subscriptions
- Cloudflare — DNS, email forwarding, security
- Netlify — site hosting and content delivery
- Plausible Analytics — privacy-first usage analytics (no cookies, no cross-site tracking)
- Resend / Beehiiv — transactional and newsletter email
- Kalshi — when you choose to fund a trading account, you create a separate account directly with Kalshi governed by their privacy policy
We do not share data with social-network advertising platforms (Meta, TikTok, etc.) without your explicit consent.
4. Aggregated audience products
NimboX may license aggregated, anonymized audience cohorts to advertisers (described in our For Marketers offering). When we do this:
- Personal identifiers are hashed using one-way cryptographic hashing per CCPA / GDPR best practice
- Minimum cohort sizes ensure no individual is identifiable
- You can opt out at any time by emailing hello@nimbox.app with subject "Audience opt-out"
5. Your rights
Under CCPA, GDPR, and other applicable privacy laws, you have the right to:
- Access your personal data — what we hold, how it's used
- Correct inaccurate data
- Delete your data (subject to legal retention requirements)
- Port your data in a machine-readable format
- Object to specific processing activities
- Opt out of any audience syndication or marketing communications
Email hello@nimbox.app with the subject line of the right you want to exercise. We respond within 30 days.
6. Data retention
- Account data: retained while your account is active, plus 90 days after closure.
- Usage analytics: aggregated and retained indefinitely; individual session data retained 90 days.
- Trip data: retained while account is active.
- Email logs: retained 12 months.
- Backups: rotated within 30 days.
7. Security
We use TLS encryption for all data in transit, encrypted storage at rest via our infrastructure providers, multi-factor authentication on all internal systems, and limit data access to authorized personnel on a need-to-know basis. No system is 100% secure. If we discover a breach, we will notify affected users within 72 hours of discovery.
8. Children
NimboX is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under 13, contact hello@nimbox.app immediately.
9. International data transfers
NimboX Labs is headquartered in Delaware, USA. Our service providers operate globally. By using the platform, you consent to data transfer to and processing in the United States and other jurisdictions where our service providers operate.
10. Changes to this policy
We may update this policy. Material changes will be announced on this page with a revised effective date. For material changes affecting registered users, we will email a notice. Continued use of the platform after a change constitutes acceptance.
11. Contact
Privacy questions: hello@nimbox.app
Data subject requests: hello@nimbox.app with the relevant subject line
Mailing address: provided upon request.