Privacy Policy

Effective date: May 2026 · Governed under Indian law (DPDP Act, 2023) and aligned with GDPR.

Plain-English summary

  • We never store the text or images you paste into Nyilo. They are processed and discarded.
  • No account, no login, no cookie tracking. We do not know who you are.
  • The only thing we temporarily hold is your IP address — for rate limiting only — and it expires automatically.

1. What we collect

IP address (rate limiting only)

Your IP is stored temporarily in our Redis database (Upstash) to enforce the free scan limit (1/day, 5/month). It is stored as a hashed key, not in any log or user record. The daily key expires after 24 hours; the monthly key after 30 days. We cannot link it to your identity.

Anonymous analytics

We use two analytics tools — both configured to collect no personally identifiable information and to set no tracking or advertising cookies:

  • Vercel Analytics — aggregate page views and visitor counts. Data is anonymised before we see it.
  • PostHog (EU-hosted, Frankfurt) — page views and page-leave events to understand how people navigate the site. Autocapture is disabled — PostHog never reads text from inputs. Anonymous users do not receive a profile. Data is stored exclusively on EU servers. You can opt out via PostHog's opt-out extension.

Email address (optional, waitlist only)

If you choose to enter your email for early access notifications, we store it solely to send that notification. We do not share it with third parties or use it for advertising. You can request deletion at any time.

2. What we do NOT collect or store

  • The text you paste into the scanner
  • Images or screenshots you upload
  • Your scan results or risk assessments
  • Your name, location, device fingerprint, or any identifier beyond IP for rate limiting
  • Cookies for tracking or advertising
  • Any persistent user profile

3. Third-party processors

Anthropic (Claude API)

Your submitted text or image is sent to Anthropic's Claude API to perform the scan analysis. Per Anthropic's API usage policy, API inputs are not used to train AI models. Anthropic may retain data for a short period for abuse detection per their own privacy policy.

https://www.anthropic.com/privacy

Upstash Redis

Stores hashed IP-based rate-limit counters only. No content, no identity data. Keys auto-expire.

https://upstash.com/trust/privacy.pdf

Vercel

Hosts the application and provides anonymised, aggregated analytics. Vercel may process server request logs (including IPs) for infrastructure security.

https://vercel.com/legal/privacy-policy

PostHog (EU)

EU-hosted product analytics (Frankfurt data centre). Tracks page views and page-leave events only. Autocapture is explicitly disabled — PostHog never reads your textarea content or scan results. Anonymous visitors receive no persistent profile. All data is stored and processed within the EU under GDPR. You can opt out at any time via the PostHog opt-out browser extension.

https://posthog.com/privacy

Resend (email, when active)

If you submit your email for the waitlist, it is sent via Resend for delivery. Your email is not shared beyond this purpose.

https://resend.com/legal/privacy-policy

4. Your rights

Whether you are in the EU (GDPR), India (DPDP Act 2023), California (CCPA), or elsewhere, you have the right to:

  • Know what data we hold about you (for most users: nothing beyond a transient rate-limit key tied to your IP)
  • Request deletion of any data we hold (email waitlist entries deleted on request; IP rate-limit keys expire automatically)
  • Object to or restrict processing
  • Data portability (not applicable for most users given we hold no personal data)

To exercise any right, email privacy@nyilo.org. We will respond within 30 days.

5. Data retention

  • IP rate-limit key (daily): 24 hours — auto-expires
  • IP rate-limit key (monthly): 30 days — auto-expires
  • Email (waitlist): Until you request deletion or unsubscribe
  • Scan content (text/image): Not retained — discarded after Claude responds
  • Vercel Analytics: Aggregated only, no personal data retained
  • PostHog analytics: EU servers; pageview events retained per PostHog's default policy (1 year). No personal data — anonymous events only.

6. Grievance officer (India — DPDP Act)

In compliance with the Information Technology Rules, 2021 and the Digital Personal Data Protection Act, 2023:

Entity: Yohaanei Labs

Location: Bengaluru, Karnataka, India

Grievance contact: privacy@nyilo.org

Response time: 30 days

7. Changes to this policy

We will update this page if our data practices change and note the new effective date at the top. Material changes will also be noted on the home page. Continued use after changes constitutes acceptance.