Privacy Policy

This Privacy Policy explains how Nernayam ("we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Nernayam desktop application and related cloud services (collectively, "the Service").

Nernayam is a local-first note-taking and AI copilot application. This means your notes, canvas data, and knowledge graph are stored on your device by default. Cloud features are entirely optional and require your explicit consent to activate.

This policy applies to all users of Nernayam worldwide, including users in the European Economic Area (EEA), United Kingdom, United States (including California), India, and all other jurisdictions. We have designed this policy to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), India's Digital Personal Data Protection Act 2023 (DPDP Act), and other applicable data protection laws.

Data Controller:

Nernayam is operated by pgsvarma (sole proprietor). For purposes of GDPR, pgsvarma is the data controller. For purposes of the DPDP Act, pgsvarma is the data fiduciary.

Contact:

Email: pgsvarma@gmail.com

We collect different categories of data depending on how you use the Service. Below is an itemized description of each category, how we collect it, and what it is used for.

2.1 Data collected when you use Nernayam offline (no account):

We collect no data whatsoever. All data stays on your device. We have no servers involved, no analytics, no telemetry, and no tracking scripts.

2.2 Data collected when you create an account:

2.3 Data collected when you enable Cloud Sync:

2.4 Data collected when you use the AI Copilot (cloud mode):

2.5 Data collected when you link Telegram:

2.6 Data collected automatically (cloud users only):

2.7 Data we do NOT collect:

We do not collect location data, device identifiers, advertising IDs, browsing history, contacts, biometric data, or data from children. We do not use cookies, tracking pixels, analytics services, or any form of behavioral tracking.

Under the GDPR, we process your personal data only when we have a valid legal basis. Here are the legal bases we rely on for each processing activity:

Contractual necessity (Article 6(1)(b)):

Processing your account data, cloud sync data, and subscription data is necessary to perform the contract between you and us (providing the Nernayam service you signed up for).

Legitimate interest (Article 6(1)(f)):

Processing IP addresses (hashed) and user agents for security and abuse prevention. Our legitimate interest is protecting the Service and all users from fraud, unauthorized access, and attacks. We have balanced this against your privacy rights by hashing IP addresses and automatically scrubbing session data after 30 days.

Consent (Article 6(1)(a)):

When you choose to use the AI Copilot in cloud mode, you are explicitly consenting to have your messages processed by a third-party AI provider. When you link Telegram, you are consenting to message processing through the Telegram Bot API. You may withdraw consent at any time by disabling these features.

We do not process data based on legitimate interest for direct marketing, profiling, or automated decision-making.

We use your data for the following specific purposes and no others:

Service delivery:

To authenticate your identity, maintain your session, synchronize your notes across devices, store your file attachments, and process your subscription.

AI processing:

To transmit your messages to the AI provider you selected and return the generated response to you. We act as a pass-through; we do not analyze, profile, or train models on your messages.

Security and abuse prevention:

To detect and prevent unauthorized access, fraud, and abuse of the Service. IP addresses are HMAC-hashed before storage so that we can identify suspicious patterns without retaining your actual IP address.

Service communications:

To send you essential transactional emails (account verification, password reset, billing receipts). We do not send marketing emails.

Compliance:

To comply with legal obligations, respond to lawful requests from authorities, and enforce our Terms of Service.

What we do NOT do with your data:

We do not sell, rent, or trade your personal information. We do not use your data for advertising or profiling. We do not use your notes, messages, or any User Content to train AI models. We do not share your data with data brokers. We do not engage in automated decision-making that produces legal or similarly significant effects on you.

When you use cloud features, your data is processed by the following third-party services. Each acts as a data processor on our behalf (or, for AI providers, as an independent controller for the messages you send).

AI Providers (only when you use the AI Copilot in cloud mode):

Your messages are sent to the provider you select. We support:

- Google Gemini (Google LLC) -- Privacy: https://policies.google.com/privacy

- Anthropic Claude (Anthropic PBC) -- Privacy: https://www.anthropic.com/privacy

- OpenAI (OpenAI LLC) -- Privacy: https://openai.com/policies/row-privacy-policy/

- xAI Grok (xAI Corp) -- Privacy: https://x.ai/legal/privacy-policy

- Groq (Groq Inc) -- Privacy: https://groq.com/privacy-policy/

- Sarvam AI (Sarvam AI Pvt Ltd) -- Privacy: https://www.sarvam.ai/privacy-policy

These providers process your messages to generate AI responses. They may retain your data according to their own policies. We do not control their data handling practices once your message is transmitted.

Embeddings (cloud mode only):

- Cloudflare Workers AI -- generates text embeddings for semantic search

Infrastructure:

- Cloudflare Workers (Cloudflare Inc) -- hosts our API backend

- Turso / LibSQL (Turso Inc) -- stores user accounts, notes, and metadata in SQLite databases

- Cloudflare R2 (Cloudflare Inc) -- stores file attachments in isolated per-user paths

Authentication:

- Google OAuth (Google LLC) -- if you sign in with Google

- GitHub OAuth (GitHub / Microsoft) -- if you sign in with GitHub

Billing:

- Polar.sh (Polar Software Inc) -- processes subscription payments

- Dodo Payments (Dodo Payments) -- alternative payment processor for Indian users

Messaging:

- Telegram Bot API (Telegram FZ-LLC) -- if you link your Telegram account

We do NOT share data with:

Data brokers, advertising networks, analytics companies, social media platforms, or any party not listed above.

Your data may be transferred to and processed in countries outside your jurisdiction, including the United States (where Cloudflare and AI providers operate).

For EEA/UK users:

Transfers to countries outside the EEA/UK are protected by:

- Standard Contractual Clauses (SCCs) where applicable

- Cloudflare's GDPR-compliant Data Processing Addendum

- The EU-US Data Privacy Framework (for certified US companies)

For Indian users:

Cross-border transfers are conducted in accordance with the DPDP Act and any rules issued by the Central Government regarding permissible jurisdictions.

For all users:

You may avoid international data transfers entirely by using Nernayam in offline mode with local AI models (Ollama). In that configuration, no data leaves your device.

We retain your data only for as long as necessary to fulfill the purposes described in this policy. Here are our specific retention periods:

After account deletion:

When you delete your account, all associated data is permanently removed from our servers within 24 hours. This includes notes, files, memories, conversation history, and all metadata. Billing records may be retained longer as required by law.

Backup retention:

Encrypted database backups may contain your data for up to 7 days after deletion before being rotated out.

Depending on your jurisdiction, you have the following rights regarding your personal data. We honor these rights for all users regardless of location.

8.1 Rights available to all users:

Right to access -- You can export all your data at any time from Settings > Cloud > Export Data. The export includes notes, files, memories, conversation history, and account metadata in standard JSON format.

Right to deletion -- You can permanently delete your account and all associated data from Settings > Cloud > Delete Account. You can also contact us at pgsvarma@gmail.com.

Right to portability -- Your data export is in standard, machine-readable JSON format.

Right to withdraw consent -- You can disable cloud sync, AI cloud processing, or Telegram integration at any time. You can switch to BYOK (Bring Your Own Key) mode to route AI requests directly from your device.

Right to rectification -- You can update your name and email from your account settings.

8.2 Additional rights for EEA/UK residents (GDPR):

Right to restriction -- You can request that we restrict processing of your data while we address a dispute or verify accuracy (Article 18).

Right to object -- You can object to processing based on legitimate interests (Article 21). We will stop processing unless we demonstrate compelling legitimate grounds.

Right to lodge a complaint -- You have the right to file a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France, BfDI in Germany).

8.3 Additional rights for California residents (CCPA/CPRA):

Right to know -- You can request the categories and specific pieces of personal information we have collected about you in the past 12 months.

Right to delete -- You can request deletion of your personal information, subject to certain legal exceptions.

Right to opt-out of sale/sharing -- We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.

Right to non-discrimination -- We will not deny you service, charge different prices, or provide a different level of service because you exercise your privacy rights.

Categories of personal information collected (past 12 months):

- Identifiers (name, email, OAuth ID)

- Internet activity (hashed IP, user agent -- retained 30 days)

- Content you create (notes, files, messages -- when cloud sync is enabled)

Categories sold or shared: None. We do not sell or share personal information.

8.4 Additional rights for Indian residents (DPDP Act):

Right to access information -- You may request a summary of your personal data and the processing activities performed on it.

Right to correction and erasure -- You may request correction of inaccurate data or erasure of data no longer necessary for the stated purpose.

Right to grievance redressal -- You may contact us with any complaint at pgsvarma@gmail.com. If unsatisfied, you may file a complaint with the Data Protection Board of India.

Right to nominate -- You have the right to nominate another person to exercise your rights in the event of your death or incapacity.

How to exercise your rights:

Email pgsvarma@gmail.com with your request. We will verify your identity and respond within 30 days (or sooner as required by applicable law).

Nernayam includes an AI Copilot feature. We are committed to transparency about how it works.

What the AI Copilot does:

The AI Copilot is a conversational assistant integrated into Nernayam. When you send a message, it is processed by the AI provider you selected (Google Gemini, Anthropic Claude, OpenAI, xAI Grok, Groq, or Sarvam AI) to generate a response.

How your data flows:

1. You type a message in the AI Copilot panel

2. Your message (and relevant context you have opted into, such as the current note) is sent to our API server via encrypted HTTPS

3. Our server forwards your message to the selected AI provider's API

4. The AI provider generates a response and returns it to our server

5. Our server relays the response to your application

What the AI providers receive:

Your message text, conversation history for the active session, and any note content you explicitly include as context. They do not receive your email, name, IP address, or any other account information.

AI model training:

We do not use your data to train any AI models. The third-party AI providers' own policies govern whether they use API data for training; most providers (Anthropic, OpenAI, Google) do not train on API data by default.

Local AI alternative:

You can use the AI Copilot with local models via Ollama or in BYOK mode. In these configurations, your messages never leave your device (Ollama) or go directly from your device to the AI provider without passing through our servers (BYOK).

Automated decision-making:

The AI Copilot does not make any automated decisions that have legal or similarly significant effects on you. It generates text responses for your consideration; all decisions remain with you.

EU AI Act transparency:

Nernayam's AI Copilot interacts with you as a conversational AI system. In compliance with Article 50 of the EU AI Act, we inform you that when you use the AI Copilot, you are interacting with an AI system, not a human.

We implement the following technical and organizational measures to protect your data:

Encryption:

- All data in transit is encrypted via TLS 1.2+ (HTTPS)

- API keys stored on your device are encrypted using AES-256-GCM via the operating system's secure storage (Tauri safeStorage backed by OS keyring -- Windows DPAPI, macOS Keychain, Linux Secret Service)

- Passwords are hashed with bcrypt before storage

Access controls:

- Cloud files are stored in isolated per-user paths on Cloudflare R2

- Database access is restricted to authenticated API requests

- Authentication uses Bearer tokens with automatic expiration

Privacy by design:

- IP addresses are HMAC-hashed before storage (we cannot reverse them to plain IP addresses)

- User agent strings are automatically scrubbed after 30 days

- No tracking scripts, analytics, cookies, or telemetry anywhere in the application

- The core application works entirely offline without any network communication

Breach notification:

In the event of a data breach that affects your personal data, we will:

- Notify affected users within 72 hours (as required by GDPR Article 33)

- Notify the relevant data protection authority as required by applicable law

- Report to the Data Protection Board of India without delay (as required by DPDP Act)

- Provide details about the nature of the breach, data affected, and remediation steps

Nernayam is not directed at children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at pgsvarma@gmail.com and we will promptly delete it.

We do not track users across third-party websites or services, so we do not respond to Do Not Track (DNT) signals because there is no tracking to disable.

We honor Global Privacy Control (GPC) signals. However, since we do not sell or share personal information for behavioral advertising, GPC signals do not change how we handle your data -- we already do not engage in the practices GPC is designed to prevent.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

How we notify you:

- We will update the "Last updated" date at the top of this page

- For material changes (new data collection, new third-party processors, changes to your rights), we will provide notice through the Nernayam application and/or by email

- We will provide at least 30 days' notice before material changes take effect

Your options:

If you disagree with a material change, you may delete your account before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Previous versions:

We maintain an archive of previous versions of this policy. You may request any prior version by emailing pgsvarma@gmail.com.

For any privacy-related questions, data access requests, complaints, or concerns:

Email: pgsvarma@gmail.com

Operator: pgsvarma

For GDPR inquiries: As a small business, we are not required to appoint a Data Protection Officer. All privacy inquiries are handled directly by the data controller (pgsvarma) at the email above.

For DPDP Act inquiries: The data fiduciary may be reached at pgsvarma@gmail.com. If you are unsatisfied with our response, you may lodge a complaint with the Data Protection Board of India.

For CCPA/CPRA inquiries: California residents may exercise their rights by emailing pgsvarma@gmail.com. We will verify your identity and respond within 45 days.

Response time: We aim to respond to all privacy requests within 15 business days, and no later than 30 days (or the shorter period required by applicable law).