DRAFT — Requires legal review before publication.

Privacy Policy

Last updated: April 2026

1. Who We Are

Nainty Pty Ltd (ABN pending), operating at nainty.com, provides an AI-powered business operating system for solopreneurs and consultants.

2. Data We Collect

2.1 Account Data

Name, email address, password (hashed with scrypt, never stored in plaintext), business name, industry, timezone, and currency preference.

2.2 Business Data (User-Generated)

Clients, invoices, proposals, contracts, projects, tasks, time entries, expenses, forms, form submissions, mileage entries, meeting notes, calendar events, and all other business records you create.

2.3 Financial Data

  • Bank connections: OAuth tokens encrypted with AES-256-GCM before storage. We never store your bank login credentials.
  • Payment cards: Handled entirely by Stripe. Card numbers never touch our servers.
  • Transaction data: Bank transactions imported via Plaid (US/EU/UK) or Basiq (AU/NZ) for reconciliation.

2.4 Communication Data

If you connect Gmail or Outlook: email metadata (sender, recipient, subject, date) and snippets are synced for client matching. Full email bodies are not stored. SMS/WhatsApp messages sent via the Service are logged.

2.5 Meeting Data

Scheduling bookings (guest name, email, timezone), and optionally audio recordings and AI-generated transcripts if you use the meeting recording feature.

2.6 Usage Data

Page views, feature usage patterns, and portal analytics. IP addresses are hashed (SHA-256, truncated) — we do not store raw IP addresses for analytics. Usage data is retained for 180 days.

2.7 AI Interaction Data

When you use AI features, your business context is processed through a PII redactor that strips personal identifiers before it is sent to our AI provider (Anthropic). AI prompts and responses are logged for quality monitoring and retained for 90 days.

3. How We Use Your Data

  • Service delivery: Processing your invoices, managing your clients, generating proposals, running automations.
  • AI features: Generating form fields, writing proposals, creating workflows, producing report commentary, suggesting actions.
  • Security: Fraud detection, rate limiting, audit logging.
  • Improvement: Aggregate, anonymised usage patterns to improve the Service (never individual data).
  • Communication: Transactional emails (invoice sent, meeting booked), product updates (with opt-out).

4. Data Sharing (Sub-Processors)

We share data with third-party services only as necessary to provide the Service. See our full Sub-Processor List. Key processors:

  • Anthropic: AI features — receives PII-redacted business context only.
  • Stripe: Payment processing — receives payment amounts and payer email.
  • Plaid/Basiq: Bank feeds — receives OAuth tokens (encrypted in transit and at rest).
  • Google/Microsoft: Calendar and email sync — receives OAuth tokens for connected accounts.

We do not sell your data. We do not share data for advertising purposes.

5. Data Storage and Security

  • Infrastructure: On-premises Kubernetes cluster in Australia.
  • Encryption at rest: Integration tokens encrypted with AES-256-GCM. Database credentials in HashiCorp Vault.
  • Encryption in transit: TLS 1.2/1.3 on all connections. HSTS enabled.
  • Access control: Row-Level Security (RLS) on all tables ensures tenant data isolation. Every database query is scoped to your organisation.
  • Authentication: Secure session cookies (HttpOnly, Secure, SameSite). Optional two-factor authentication.
  • Monitoring: 24/7 automated monitoring with 9 alert rules.

6. Data Retention

  • Active account: Data retained while your account is active.
  • Audit trails: 7 years (legal and compliance requirement).
  • Portal analytics: 180 days, then automatically purged.
  • AI interaction logs: 90 days.
  • After account deletion: All data deleted within 30 days. Backups purged within 90 days.

7. Your Rights

Under the Australian Privacy Act 1988 and, where applicable, the EU General Data Protection Regulation (GDPR), you have the right to:

  • Access: Request a copy of all data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your data (subject to legal retention requirements).
  • Portability: Export all your data in JSON or CSV format at any time.
  • Objection: Object to processing for specific purposes.
  • Restriction: Request restriction of processing.

To exercise any right, email privacy@nainty.com. We respond within 30 days.

8. Cookies

We use a single session cookie for authentication (HttpOnly, Secure, SameSite=lax, 24-hour expiry). We use a lightweight analytics beacon for portal page views (IP hashed, no personal identification). We do not use third-party tracking cookies, advertising cookies, or social media pixels. See our Cookie Policy for details.

9. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect data from children.

10. International Transfers

Some sub-processors are located outside Australia (primarily the United States). Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where required by GDPR.

11. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect. Minor clarifications may be made without notice.

12. Contact

Privacy inquiries: privacy@nainty.com

Data Protection Officer: dpo@nainty.com
