This Privacy Policy describes how Nuboc Inc. ("Nuboc", "we", "us", or "our") collects, uses, and shares information in connection with your use of our products and services, including Nuboc ERP and Retail Radar (collectively, the "Services"). It also explains your rights regarding that information.
References to "you" apply to customers, merchants, end users, and visitors unless otherwise noted.
Section 1: Information We Collect
Account Information
When you create a Nuboc account we collect:
- Email address, hashed password, and organization name
- Billing address and payment method (processed by Stripe; we do not store card numbers)
- IP address, browser user agent, and sign-in timestamps
Data You Provide Through Our Services
Depending on which Services you use, we may process:
- Business and financial records entered into Nuboc ERP
- Support ticket content, customer communications, and attachments submitted through Retail Radar
- Shopify store data synced through the Retail Radar Shopify app, including orders, products, customers, and fulfillment records
- Internal notes, workflow configurations, and user-generated content
Usage and Technical Data
We automatically collect certain technical data when you use the Services:
- Log data — pages visited, actions taken, timestamps, referring URL
- Device information — browser type, operating system, screen resolution
- Session cookies required for authentication and analytics cookies to understand feature usage. You can disable analytics cookies in your account settings.
Section 2: Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process personal data under the following lawful bases under GDPR Article 6:
- Contract performance — processing necessary to provide the Services you have subscribed to
- Legitimate interests — fraud detection, security monitoring, and product improvement analytics, where these interests are not overridden by your rights
- Legal obligation — retaining transaction records as required by applicable law
- Consent — sending optional marketing communications and using non-essential analytics cookies. You may withdraw consent at any time.
Section 3: How We Use Your Information
We use collected information to:
- Provide, operate, and improve our Services
- Process and manage business data entered into Nuboc ERP
- Power AI-assisted features including ticket summarization, draft reply generation, and categorization (see Section 4)
- Send transactional communications — ticket acknowledgements, billing notifications, and system alerts
- Detect and prevent spam, abuse, and unauthorized access
- Comply with legal obligations and enforce our Terms of Service
- Contact you about material changes to the Services or this policy
Section 4: AI Processing
Certain Nuboc services use Anthropic's Claude API to power AI-assisted features. When these features are activated:
- Relevant data is transmitted to Anthropic's API for processing
- Anthropic does not use this data to train AI models under our current Data Processing Agreement
- AI-generated content is always presented to a human before it is sent or acted upon; no fully automated actions are taken without review
- You may disable AI features from your account settings; no data will be sent to Anthropic while AI features are disabled
Section 5: How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
Service Providers
We engage the following sub-processors to operate the Services. Each is bound by data processing agreements:
- Postmark (ActiveCampaign) — transactional email delivery (United States)
- Anthropic — AI processing when AI features are enabled (United States)
- Stripe — payment processing and billing (United States)
- Cloudflare — CDN, DNS, and object storage (United States)
- Hetzner Online GmbH — server hosting (Germany, EU)
Legal Requirements
We may disclose information if required by law, regulation, court order, or valid legal process. Where permitted, we will notify you before disclosure.
Business Transfers
In connection with a merger, acquisition, or sale of substantially all assets, personal data may be transferred as part of that transaction. We will notify affected users via email and this policy at least 30 days before any such transfer.
Section 6: International Data Transfers
Our primary infrastructure runs on Hetzner servers in Germany (EU). Some sub-processors, including Anthropic and Postmark, process data in the United States. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to protect your data.
Section 7: Data Retention and Deletion
We retain your data for as long as your account is active or as needed to provide the Services. When you delete your organization:
- A full data export is generated and sent to the organization owner's email address within 24 hours of deletion confirmation
- Data is retained for 7 days after deletion confirmation to allow download of the export
- After 7 days, all organization data is permanently and irreversibly purged from our systems and backups
- Billing records and transaction logs may be retained for up to 7 years as required by applicable tax law
Section 8: Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption at rest for all sensitive fields including API keys, access tokens, and customer PII
- TLS 1.2+ for all data in transit
- Multi-tenant data isolation — tenant-level security ensures organizations cannot access each other's data
- Role-based access controls with audit logging
- Automated dependency updates and security patching
- VPN-gated server access with hardware security key (FIDO2) enforcement for infrastructure
No transmission over the internet or method of electronic storage is 100% secure. We will notify you of any breach affecting your data as required by applicable law.
Section 9: Your Rights
All Users
You have the right to:
- Access the data we hold about you or your organization via the platform admin or by emailing legal@nuboc.com
- Export your data at any time from your account settings
- Correct inaccurate data
- Request deletion of your account and all associated data
- Opt out of AI processing by disabling AI features in your account settings
- Opt out of non-essential analytics cookies in your account settings
EEA and UK Residents (GDPR/UK GDPR)
In addition to the above, you have the right to:
- Restriction of processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Lodge a complaint with your local data protection authority
California Residents (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect, use, and disclose (we do not sell personal information)
- Delete personal information we have collected, subject to certain exceptions
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioral advertising
- Non-discrimination for exercising any of these rights
To exercise your California rights, email legal@nuboc.com with the subject line "CCPA Request." We will respond within 45 days.
Section 10: Children's Privacy
The Services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at legal@nuboc.com and we will delete it promptly.
Section 11: Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will:
- Email the organization owner at least 30 days before the change takes effect
- Display an in-app notice until you acknowledge the updated policy
- Update the "Last updated" date at the top of this document
Continued use of the Services after the effective date constitutes acceptance of the updated policy.
Section 12: Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or want to report a data concern:
Website: nuboc.com
Mailing address: 1309 Coffeen Avenue, STE 1200, Sheridan, WY 82801
For EEA/UK data protection inquiries, you may also contact us at the same address. We aim to respond to all privacy requests within 30 days.