Privacy Policy

1. Introduction

Nummo, Inc. (“Nummo,” “we,” “us,” or “our”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-native spreadsheet platform, website, and related services (collectively, the “Service”).

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Service.

This Privacy Policy applies to the Nummo desktop application, our website at nummo.xyz, and all related services we provide. For enterprise customers with separate written agreements, those agreements govern the processing of data under those arrangements.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when you:

• Account Information: When you create an account, we collect your name, email address, and password. If you sign up through a third-party service (such as Google), we receive your name and email from that service.
• Payment Information: When you subscribe to paid features, we collect payment details through our payment processor, Stripe. We do not store complete credit card numbers on our servers.
• Communications: When you contact us for support or feedback, we collect your name, email address, and the contents of your communications.
• Feedback: Any suggestions, ideas, or feedback you submit about our Service.

2.2 Information Collected Through the Service

Local-First Architecture: Nummo is designed as a local-first application. Your spreadsheets, financial models, and working files are stored locally on your device by default. We do not have access to the contents of your local files unless you explicitly choose to use features that require data transmission.

When you use AI-powered features, specific queries and relevant context may be transmitted to our AI service providers to generate responses. These transmissions are necessary to provide AI functionality.

When you use third-party data integrations, your queries are transmitted directly to those services. The data flows between you and the third-party provider; we facilitate the connection but do not store or process the resulting data.

2.3 Information Collected Automatically

When you use our Service, we may automatically collect:

• Device Information: Device type, operating system, unique device identifiers, and browser information.
• Log Information: IP address, access times, pages viewed, error logs, and other diagnostic data.
• Usage Data: Information about how you interact with our Service, including features used, actions taken, and performance metrics.
• Cookies and Similar Technologies: We use cookies and similar tracking technologies on our website to maintain your session, remember your preferences, and analyze usage patterns.

2.4 Information We Do Not Collect

We do not knowingly collect sensitive personal information such as genetic data, biometric data, health information, or religious beliefs. Our Service is not designed to handle protected health information (PHI) under HIPAA or other similarly regulated data categories.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Provision: To provide, operate, maintain, and improve our Service, including AI-powered features.
• Account Management: To create and manage your account, process payments, and provide customer support.
• Communications: To send you transactional emails, product updates, security alerts, and (with your consent) marketing communications.
• Analytics and Improvement: To analyze usage patterns, diagnose technical issues, and improve our Service.
• Security: To detect, prevent, and address fraud, abuse, security incidents, and violations of our terms.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

4. AI Services and Model Training

No Model Training: We do not use your inputs, queries, spreadsheet data, or any content you create to train artificial intelligence or machine learning models. Your data remains your own.

Third-Party AI Providers: When you use AI features, your queries are processed by our AI service providers (Anthropic and OpenAI). These providers have their own privacy policies governing their handling of data. We recommend reviewing their policies for complete information about their data practices.

AI Output Disclaimer: AI-generated content may contain errors or inaccuracies. You are responsible for reviewing and validating any AI outputs before relying on them for financial decisions or other purposes.

5. How We Share Your Information

We may share your information in the following circumstances:

• Service Providers: We share information with third-party vendors who perform services on our behalf, including hosting (DigitalOcean), payment processing (Stripe), AI services (Anthropic, OpenAI), and data integrations. These providers are contractually obligated to protect your information.
• Legal Requirements: We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity.
• With Your Consent: We may share information with your explicit consent or at your direction.

No Sale of Personal Information: We do not sell, rent, or share your personal information with third parties for their direct marketing purposes.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Account information is retained for the duration of your account and for a reasonable period thereafter for legal compliance. Usage data and logs are typically retained for up to 90 days for operational purposes.

When personal information is no longer needed, we will delete, anonymize, or aggregate it in accordance with applicable laws.

7. Data Security

We implement commercially reasonable technical and organizational measures designed to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit and at rest, access controls, secure development practices, and regular security assessments.

We are committed to pursuing SOC 2 Type II and ISO 27001 certifications to demonstrate our commitment to security best practices.

However, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

• Access: Request access to the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to certain exceptions.
• Portability: Request a copy of your personal information in a portable format.
• Restriction: Request restriction of processing of your personal information in certain circumstances.
• Objection: Object to processing of your personal information for certain purposes.
• Withdrawal of Consent: Withdraw consent where processing is based on consent.

To exercise these rights, please contact us at [email protected]. We will respond to verified requests within the timeframe required by applicable law. We will not discriminate against you for exercising your privacy rights.

9. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete your information, the right to opt-out of sales (though we do not sell personal information), and the right to non-discrimination.

California residents may designate an authorized agent to make requests on their behalf. We do not sell or share personal information for cross-context behavioral advertising as defined under California law.

10. International Data Transfers

We are based in the United States, and your information may be processed in the United States or other countries where our service providers operate. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we will ensure that any transfer of your personal information is conducted in compliance with applicable data protection laws, including through the use of Standard Contractual Clauses or other legally recognized transfer mechanisms.

For users in the EEA, UK, or Switzerland, our legal bases for processing include contract performance, legitimate interests, legal compliance, and consent where applicable.

11. Children's Privacy

Our Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information. If you believe we may have collected information from a child under 13, please contact us at [email protected].

12. Cookies and Tracking Technologies

Our website uses cookies and similar technologies for the following purposes:

• Essential Cookies: Required for the website to function properly, including authentication and security.
• Analytics Cookies: Help us understand how visitors interact with our website to improve our service.
• Preference Cookies: Remember your settings and preferences.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our website.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on our website and updating the “Last Updated” date. We may also notify you by email for significant changes. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

If you are located in the EEA and have concerns about our data practices that we have not satisfactorily addressed, you have the right to lodge a complaint with your local data protection authority.