Nimbalyst Privacy Policy
Effective Date: July 6, 2026
At Nimbalyst, we take your privacy seriously. This Privacy Policy explains how Nimbalyst, Inc. (“Nimbalyst,” “we,” “us,” or “our”) collects, uses, and shares information when you use the Nimbalyst desktop application (the “App”) and our marketing website at nimbalyst.com (the “Website”). By downloading, installing, or using the App, and/or by visiting our Website, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and disclose your information as described in this Privacy Policy.
The App employs a local-first data architecture. Your session data, workspace settings, and project files are stored locally on your device using and your local file system. Core App data is not transmitted to or stored on Nimbalyst servers unless you opt into Nimbalyst Share, Mobile App Sync, Nimbalyst Teams, or other specific features as described below.
Quick Summary
| What We Do | Details |
|---|---|
| Your documents stay local | Your files and workspace data are stored on your device, not our servers |
| We collect anonymous analytics | Usage patterns and performance data to improve the App |
| You can opt out | Disable analytics anytime in App settings |
| Optional email/account | Only if you choose to provide it |
| No advertising | We do not sell your data or use it for advertising |
| AI providers are your choice | You configure which AI services to use; your relationship is directly with them |
| Sharing, sync, and teams are opt-in | Nimbalyst Share, Mobile App Sync, and Nimbalyst Teams use Cloudflare when you choose to share, sync, or collaborate |
| California rights | California residents can review our California Privacy Notice |
| EU/EEA, UK, and Swiss users | DataRep is our appointed data protection representative; see EEA, UK, and Swiss Privacy Rights below |
Part A: Desktop Application
This section applies to your use of the Nimbalyst desktop application.
Information We Collect (App)
Information Stored Locally
The following information is stored in Nimbalyst only on your device and is not transmitted to Nimbalyst:
- Your Documents and Files - All content you create, edit, or store in the App
- Workspace Configuration - Your preferences, settings, and workspace organization
- Local Nimbalyst Data - Cached data, undo history, and other App state
- Your Sessions - your prompts and the AI’s response
You are solely responsible for backing up this locally stored data.
Analytics Data (Collected Automatically)
When analytics are enabled (the default), we automatically collect:
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Features used, actions taken, session duration | Understand how people use the App |
| Performance Data | Load times, memory usage, errors | Identify and fix performance issues |
| Device Data | Operating system, App version, screen resolution | Ensure compatibility and prioritize platform support |
| Crash Reports | Error logs, stack traces | Fix bugs and improve stability |
What we do NOT collect through analytics:
- Content of your documents
- File names or paths
- Personal identifiers (unless you opt in)
Information You Provide Voluntarily
If you choose to provide additional information, we may collect:
| Type | When Collected | Purpose |
|---|---|---|
| Email Address | When you sign up for updates or create an account | Communicate with you, link to analytics for better insights |
| Role/Job Title | During optional onboarding | Understand our user base and tailor the product |
| Survey Responses | When you respond to in-app surveys | Gather feedback to improve the App |
| Support Requests | When you contact support | Respond to your inquiries |
AI Features and Third-Party AI Providers
The App includes AI-powered features that connect to third-party AI providers. You configure which AI providers to use through the App settings by providing your own API keys or credentials.
What is sent to AI providers:
When you use AI features, the App transmits the following to your chosen AI provider:
- Your prompts and questions
- Content from files or documents you are viewing or have selected as context
- Relevant workspace context needed to fulfill your request
Important: Nimbalyst acts as a local conduit to transmit your data to the AI provider you have selected and the AI’s response back.. Your relationship with the AI provider is directly between you and that provider. Nimbalyst does not control how AI providers process, store, or use your data.
Your responsibilities:
- Review and accept the terms and privacy policies of any AI provider you choose to use
- Ensure you have the right to share any content you send to AI providers
- Understand that AI providers may retain and process your data according to their own policies
What Nimbalyst does NOT do:
- We do not send your prompts or AI conversations to our servers
- We do not store your prompts or AI conversations on our servers
- We do not have access to your AI provider API keys after you enter them (they are stored locally)
- We do not receive or retain responses from AI providers on our servers
Nimbalyst Share (Link Sharing)
Nimbalyst Share is an optional, free feature that lets you generate a shareable link to a markdown document or session. When you use Nimbalyst Share:
- How it works: Your content is encrypted in transit and uploaded to Cloudflare, where it is also encrypted at rest. A unique link is generated that you can share with anyone.
- Nimbalyst cannot see your content. Shared content is encrypted and stored on Cloudflare infrastructure. Nimbalyst does not have access to the content of what you share.
- Expiration: Shared links expire after a limited number of days, after which the content is automatically deleted from Cloudflare.
- Your choice: This feature is entirely opt-in. No content is shared unless you explicitly choose to generate a link.
Mobile App Session Sharing
You can optionally configure Nimbalyst to sync sessions to the Nimbalyst mobile app. When you enable Mobile App Session Sharing:
- How it works: Session data is transmitted through Cloudflare and stored there for a limited number of days so your mobile app can retrieve it.
- Encryption: Sessions are encrypted in transit and encrypted at rest on Cloudflare.
- Nimbalyst cannot see your content. Session content is encrypted and stored on Cloudflare infrastructure. Nimbalyst does not have access to the content of your sessions.
- Expiration: Session data is automatically deleted from Cloudflare after a limited number of days.
- Your choice: This feature is entirely opt-in. No session data is transmitted unless you configure mobile app sharing.
Nimbalyst Teams
Nimbalyst Teams is an optional collaboration feature. When you create or join a team workspace and choose to share documents, trackers, or related team content:
- How it works: Shared team content is transmitted through Cloudflare and hosted there so authorized team members can collaborate.
- Encryption: Team content is encrypted in transit and encrypted at rest on Cloudflare.
- Access: Team content is available to authorized team members according to the team’s access settings.
- Retention: Team content remains available while the team workspace or shared content remains active, unless deleted according to the applicable product controls and retention practices.
- Your choice: This feature is entirely opt-in. Local-only work is not sent to Nimbalyst Teams unless you choose to use team collaboration.
Browser Extension (Web Clipper)
The Nimbalyst Web Clipper is an optional Chrome browser extension that clips web pages to your Nimbalyst workspace as markdown files.
- How it works: When you click “Clip Page” or use the right-click context menu, the extension reads the current page’s HTML, converts it to markdown, and sends it to the Nimbalyst desktop app running on your machine via
http://127.0.0.1. - All communication is local. Clipped content is sent only to your locally running Nimbalyst app. No page content, URLs, or browsing data is transmitted to Nimbalyst servers or any third party.
- No browsing data is collected. The extension does not track your browsing history, collect cookies, or monitor page visits. It only reads page content when you explicitly initiate a clip.
- No analytics or tracking. The extension contains no analytics, telemetry, or tracking code.
Part B: Marketing Website
This section applies to your use of nimbalyst.com (the “Website”).
Information We Collect (Website)
Information Collected Automatically
When you visit our Website, we automatically collect:
| Category | Examples | Purpose |
|---|---|---|
| Device Data | IP address, browser type, operating system | Ensure compatibility and security |
| Web Analytics | Pages visited, time on site, referring URL | Understand how visitors use the Website |
| Geolocation Data | Country/region based on IP address | Analyze geographic reach |
Cookies and Tracking Technologies
The Website uses cookies and similar technologies to:
- Essential Cookies - Enable core Website functionality (e.g., staying logged in)
- Functional Cookies - Remember your preferences
- Analytics Cookies - Understand how visitors use the Website
You can control cookies through your browser settings. Disabling cookies may affect Website functionality.
Information You Provide
If you interact with the Website, we may collect:
| Type | When Collected | Purpose |
|---|---|---|
| Email Address | When you sign up for newsletters or download the App | Send updates and communications |
| Contact Information | When you submit a contact form | Respond to your inquiry |
| Payment Information | When you purchase a subscription | Process your payment (via Stripe) |
Part C: General Provisions
The following sections apply to both the App and the Website.
How We Use Your Information
We use the information we collect for the following purposes:
Providing and Improving Our Products
- Operating and maintaining the App and Website
- Fixing bugs and improving performance
- Developing new features based on usage patterns
- Ensuring security and preventing abuse
Communications (If You Opt In)
- Sending product updates and release notes
- Responding to support requests
- Sharing tips and best practices
Analytics and Research
- Understanding how users interact with the App and Website
- Identifying popular features and pain points
- Making data-driven product decisions
- Creating aggregated, anonymized reports
Legal and Safety
- Complying with legal obligations
- Protecting our rights and property
- Ensuring the security of the App, Website, and our users
How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
Service Providers
We work with third-party service providers who assist us in operating the App and Website:
| Provider Type | Purpose | Data Shared |
|---|---|---|
| Analytics (PostHog) | App usage analytics | Anonymous usage data |
| Analytics (Google Analytics) | Website analytics | Anonymous usage data, IP address |
| Authentication (Stytch) | Account login for cloud sync | Email, authentication tokens |
| Payment Processing (Stripe) | Processing paid features | Payment information (we don’t store full card numbers) |
| Cloud Infrastructure (Cloudflare) | Hosting shared links, mobile app session sync, and Nimbalyst Teams collaboration | Shared, synced, or team collaboration content when you opt in |
Our service providers are contractually obligated to protect your information and use it only for the purposes we specify.
International Transfers and Data Privacy Framework
Nimbalyst is based in the United States. If we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss adaptations to the Standard Contractual Clauses, as applicable.
Nimbalyst is preparing to self-certify under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Where applicable after certification is finalized, we may rely on the applicable Data Privacy Framework for covered transfers.
Legal Requirements
We may disclose information if required to do so by law or in response to valid legal requests (e.g., subpoena, court order) and enforcing legal terms including: fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities; protecting the rights, property or safety of you, Nimbalyst or another party; enforcing any agreements with you; responding to claims that any posting or other content violates third-party rights; and resolving disputes.
Business Transfers
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part).
Data That Is Not Personal Information
We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and disclose it with third parties for our lawful business purposes, including to analyze, build and improve the Website or Services and promote our business, provided that we will not disclose such data in a manner that could identify you.
With Your Consent
We may share information with third parties when you explicitly consent to such sharing.
Your Choices and Rights
Opt Out of Analytics (App)
You can disable analytics collection at any time:
- Open the App
- Go to Settings > Privacy
- Toggle off Send anonymous usage data
When you opt out:
- We stop collecting new analytics data from your device
- Previously collected data is retained in aggregate form
- Core App functionality is not affected
Manage Cookies (Website)
You can control cookies through your browser settings. Most browsers allow you to:
- View what cookies are stored
- Delete individual or all cookies
- Block cookies from specific or all sites
Delete Your Account
If you have created an account:
- Contact us at support@nimbalyst.com
- Request deletion of your account and associated data
- We will process your request within 30 days
Access and Portability
You can request a copy of any personal data we have about you by contacting support@nimbalyst.com
Correction
If any information we have about you is incorrect, please contact us to have it corrected.
Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption in Transit - All data transmitted to our servers uses TLS encryption
- Encryption at Rest - Cloud-synced data is encrypted at rest
- Access Controls - Limited employee access to user data
- Security Audits - Regular security assessments
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | While your account is active, and for up to 7 years after it closes where needed for tax and accounting and to establish or defend legal claims. Authentication credentials are deleted when the account closes. You can request deletion at any time, and we delete data we are not required to keep. |
| Billing and payment records | 7 years, to meet tax and accounting requirements. |
| Analytics and usage data | Up to 7 years, then deleted or anonymized. |
| Support communications | Up to 7 years after the matter is resolved. |
| Marketing data | Until you unsubscribe or withdraw consent. |
| User content | While your account is active, or until you delete it. |
| Shared Links (Nimbalyst Share) | Automatically deleted after the expiration period. |
| Mobile App Session Data | Automatically deleted after the expiration period. |
| Aggregated / anonymized data | May be retained indefinitely, as it no longer identifies you. |
Children’s Privacy
The App and Website are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@nimbalyst.com, and we will delete such information.
California Privacy Rights
California residents can review our California Privacy Notice for CCPA-aligned California privacy disclosures. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined by the CCPA.
When your browser sends a Global Privacy Control signal on nimbalyst.com, we treat it as a request not to load non-essential analytics scripts for that browser session.
Under California Civil Code Sections 1798.83-1798.84, California residents may contact us to prevent disclosure of personal information to third parties for such third parties’ direct marketing purposes. To submit a privacy request, please contact us at privacy@nimbalyst.com.
Other State Privacy Rights
Residents of other states with comprehensive privacy laws may have similar rights to access, delete, correct, or receive a copy of personal information, or to opt out of certain processing. To exercise a privacy right, please contact us at privacy@nimbalyst.com.
EEA, UK, and Swiss Privacy Rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, applicable data protection law (including the EU GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection) may give you additional rights, including the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. To exercise these rights, contact us at privacy@nimbalyst.com. You also have the right to lodge a complaint with your local data protection supervisory authority.
Data Protection Representative (EU/EEA, UK, and Switzerland)
Nimbalyst, Inc. is based in the United States. We have appointed DataRep as our Data Protection Representative in the European Union / European Economic Area for the purposes of Article 27 of the EU GDPR, in the United Kingdom for the purposes of Article 27 of the UK GDPR, and in Switzerland for the purposes of Article 14 of the Swiss Federal Act on Data Protection.
If you are in the EU/EEA, the UK, or Switzerland and want to raise a question about, or exercise a right in respect of, our processing of your personal data, you can contact DataRep in any of the following ways:
- Webform: www.datarep.com/data-request
- Email: datarequest@datarep.com (please quote “Nimbalyst, Inc.” in the subject line)
- Post: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Ireland
DataRep also maintains contact locations across EU/EEA member states, the United Kingdom, and Switzerland. When contacting DataRep by post at any location, please address your correspondence to “DataRep” so that it reaches our representative. “DataRep” means Data Protection Representative Limited (trading as DataRep), an Irish company with registration number 616588.
Please contact DataRep only for data protection matters. For general questions about Nimbalyst products, services, or your account, please contact support@nimbalyst.com.
EU Digital Services Act Legal Representative
We have appointed DataRep as our legal representative in the European Union for the purposes of Article 13 of the EU Digital Services Act (Regulation (EU) 2022/2065). Authorities and users in the EU can contact our DSA legal representative at digitalrequest@datarep.com or by post at DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Ireland.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App, Website, or by other means before the changes take effect.
The “Effective Date” at the top of this policy indicates when it was last revised.
Contact Information:
- Email: support@nimbalyst.com
- Website: https://nimbalyst.com
- EU/EEA, UK, and Switzerland data protection representative: DataRep (see EEA, UK, and Swiss Privacy Rights above)