Privacy Policy

Nandella ("we", "us", "our") is a personal identity hub service that lets individuals store, manage and share their professional identity. We are committed to protecting your personal data in full accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable data protection laws worldwide.

Data controller: Nandella Inc. · Contact: privacy@nandella.io

We only collect data you explicitly provide. We never sell it, never use it for advertising, and never share it without your consent. The categories of data we collect are:

• Identity data — name, preferred name, date of birth, nationality
• Contact data — email address, phone number, postal address, website
• Professional data — career history, education, skills, certifications, references
• Social data — links to third-party social profiles you voluntarily add
• Technical data — IP address (session only), browser type, access timestamps
• Usage data — share link access counts (no viewer PII stored)

We do not collect health data, financial data, criminal records, or any special category data under GDPR Article 9 unless you voluntarily add it to a module designed for that purpose and give explicit consent.

We use your data exclusively to provide the Nandella service:

• Storing and displaying your identity hub data to you
• Generating documents (resumes, business cards, portfolios) on your request
• Serving your public profile pages to viewers — only when you explicitly toggle a feature public
• Sending transactional emails (registration confirmation, password reset, share-access alerts)
• Fraud prevention and security monitoring

We do not use your data to train AI models. AI features use your data as input for a single API call and the data is not retained by the AI provider beyond that call.

By default, all your data is private. No data is publicly accessible without your explicit action.

When you toggle a feature public (e.g. "Business card", "Portfolio"), you give explicit consent for that specific data subset to be viewable by anyone with the public URL. You can revoke this consent at any time by toggling the feature off — the public URL will immediately return a blank page and the data will no longer be served.

Toggling a feature off is equivalent to withdrawing consent under GDPR Article 7(3). Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

• Location: All data is stored in the European Union (Supabase Frankfurt, eu-central-1). We do not transfer personal data outside the EEA without adequate safeguards.
• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Access control: Row-level security policies ensure users can only access their own data. Database credentials are never exposed to client-side code.
• Audit logging: All significant data operations are logged in our append-only audit log for GDPR compliance and security review.

We retain your data for as long as you maintain an active account. You may request deletion at any time. Upon deletion:

• All personal data is marked for erasure immediately
• A 30-day grace period applies, after which all data is permanently deleted from our database and backups
• Anonymised aggregate statistics (e.g. total share link views with no PII) may be retained for service analytics

You have the following rights, exercisable at any time by contacting privacy@nandella.io:

• Right of access (Article 15) — request a copy of all data we hold about you
• Right to rectification (Article 16) — correct inaccurate data at any time via the dashboard
• Right to erasure (Article 17) — request permanent deletion of all your data
• Right to portability (Article 20) — export all your data in JSON format from Settings
• Right to restrict processing (Article 18) — request that we limit how we use your data
• Right to object (Article 21) — object to processing based on legitimate interests
• Right to withdraw consent — withdraw any consent at any time (toggle features off)

We will respond to all rights requests within 30 days. You also have the right to lodge a complaint with your national data protection authority.

We use only strictly necessary cookies required for authentication. We do not use tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is required because we do not place any non-essential cookies.

We share data with the following sub-processors, each bound by GDPR-compliant data processing agreements:

• Supabase Inc. — database, authentication, and file storage (EU region)
• Anthropic PBC — AI text generation for resume bullets, bios, cover letters (data used per-call only, not retained for training)
• Vercel Inc. — application hosting and edge delivery
• QR Server — QR code image generation (receives URLs only, no personal data)

Nandella is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at privacy@nandella.io and we will delete it.

We may update this policy from time to time. We will notify you by email and display a notice in the dashboard at least 14 days before any material changes take effect. Continued use of Nandella after the effective date constitutes acceptance of the updated policy.

For any privacy-related questions, data requests, or complaints:

• Email: privacy@nandella.io
• Response time: within 5 business days for general enquiries, 30 days for formal rights requests

If you are unsatisfied with our response, you have the right to complain to the supervisory authority in your country of residence. In the EU, you can find your national authority at edpb.europa.eu.