GDPR Compliance
Last updated: December 22, 2024
1. Introduction
This page provides information about how Nomely.ai (operated by Montane LLC) complies with the General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA), United Kingdom, and Switzerland.
The GDPR gives you specific rights regarding your personal data. We are committed to ensuring these rights are respected and that your data is processed lawfully, fairly, and transparently.
2. Data Controller
Montane LLC is the data controller responsible for your personal data. For questions about data protection, contact us at:
- Contact Form: nomely.ai/contact
3. Legal Bases for Processing
We process your personal data based on the following legal grounds under Article 6 of the GDPR:
3.1 Contract Performance (Article 6(1)(b))
Processing necessary to provide our services to you:
- Account creation and management
- AI name generation and domain checking
- Processing subscription payments
- Providing customer support
3.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, balanced against your rights:
- Improving and optimizing our Service
- Analyzing usage patterns to develop new features
- Preventing fraud and ensuring security
- Enforcing our Terms of Service
3.3 Consent (Article 6(1)(a))
Processing based on your explicit consent:
- Marketing communications (you can withdraw consent at any time)
- Optional cookies for analytics
3.4 Legal Obligation (Article 6(1)(c))
Processing required to comply with legal requirements:
- Tax and accounting records
- Responding to lawful requests from authorities
4. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
4.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with information about how it is processed.
4.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
4.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required by law
4.4 Right to Restriction of Processing (Article 18)
You have the right to restrict processing of your personal data in certain circumstances, such as when you contest data accuracy or object to processing.
4.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
4.6 Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests, including profiling. You also have the absolute right to object to direct marketing at any time.
4.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI scoring is informational only and does not constitute automated decision-making with legal or similarly significant effects.
5. How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us at:
- Contact Form: nomely.ai/contact
- Subject line: "GDPR Request - [Your Right]"
We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, but we will inform you of any extension within the initial 30-day period.
To verify your identity, we may ask you to provide information that matches our records or confirm your request from your registered email address.
6. Data Transfers Outside the EEA
Your personal data may be transferred to and processed in countries outside the EEA, including the United States, where our service providers are located. We ensure adequate protection for such transfers through:
- Standard Contractual Clauses (SCCs): We use EU-approved contractual clauses with our service providers.
- Data Protection Addendums: Agreements with providers that include GDPR-compliant data protection terms.
- Adequacy Decisions: Where applicable, transfers to countries with EU adequacy decisions.
6.1 Sub-processors
Our main sub-processors processing EEA personal data include:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | USA (AWS) |
| OpenAI | AI Name Generation | USA |
| Stripe | Payment Processing | USA/EU |
| Resend | Email Service | USA |
| Upstash | Redis Caching | EU Available |
| Namecheap | Domain Verification | USA |
| Apify | Social Media Checks | EU |
7. Data Retention
We retain personal data only as long as necessary for the purposes described in our Privacy Policy. Specific retention periods:
- Account Data: Until account deletion request
- Search History: 12 months, then anonymized
- Payment Records: 7 years (legal requirement)
- Log Files: 90 days
- Marketing Consent Records: 3 years after last interaction
8. Data Protection Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Employee training on data protection
- Incident response procedures
- Regular backups with encryption
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial actions taken
10. Cookies and Tracking
We use essential cookies for the Service to function. For non-essential cookies (analytics, marketing), we obtain your consent before placing them. You can manage your cookie preferences through your browser settings.
Essential cookies we use:
- Session cookies: To maintain your login state
- Security cookies: For CSRF protection
- Preference cookies: To remember your settings
11. Right to Lodge a Complaint
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. You may contact:
- The supervisory authority in your EU member state of residence
- The supervisory authority where you work
- The supervisory authority where the alleged infringement occurred
We encourage you to contact us first through our contact form so we can address your concerns directly.
12. Updates to This Policy
We may update this GDPR compliance information from time to time. Material changes will be communicated through our Service or by email. The "Last updated" date at the top indicates when this page was last revised.
13. Contact Information
For GDPR-related inquiries:
- Contact Form: nomely.ai/contact
Montane LLC
United States