Privacy Policy
Effective 18 May 2026
Plain-English summary
- We collect what we need to run the product for you — nothing more.
- We never sell your data or your contacts' data.
- We never use your data to train models for other customers.
- You can export or delete your account at any time.
- Sub-processors are listed below and limited to operating the service.
1. Data we collect
Account data: name, email, profile photo (from Google sign-in), broker registration number (BRN) if you provide it, and authentication metadata.
Operational data: the contacts, listings, deals, viewings, messages, documents and activity you create or import into the platform.
Usage data: minimal anonymised analytics, error reports (Sentry) and access logs for security and uptime.
Payment data: handled by Stripe — we store only the customer ID and subscription status, never card numbers.
2. How we use it
- To provide and operate the service for you.
- To send WhatsApp / email on your behalf when you trigger a send.
- To generate AI suggestions (Atlas) using your own data, scoped to your account.
- To send you operational emails (billing, security alerts).
- To meet legal obligations.
We do not use your contact data for advertising and do not share it with third parties for their own purposes.
3. Sub-processors
We use the following sub-processors to operate the service:
- Vercel — application hosting
- Supabase — managed PostgreSQL database
- Stripe — subscription billing
- Anthropic — AI inference (Atlas) — your data is sent for inference only, never used for model training
- Meta (WhatsApp Business Cloud API) — message delivery, when configured
- Sentry — error reporting
- Upstash — rate-limit counters
4. Data residency and security
Data is stored in regions chosen for low latency to Dubai. We use TLS in transit, encryption at rest, scoped database access, role-based access control, and audit logging. Sensitive contact PII is hashed and blind-indexed where used for matching, so plain-text phone/email is not unnecessarily duplicated.
5. Retention
We retain your data for as long as your account is active. On deletion we remove personal data within 30 days, except where retention is required by law (e.g. financial records). Backups roll off according to our backup schedule.
6. Your rights
You can: export your data from Settings, request correction of inaccurate data, request deletion of your account, and object to processing where applicable law permits. Email privacy@nelkins.app — we respond within 30 days.
7. Children
The service is not intended for anyone under 18.
8. Changes
We will notify you of material changes to this policy by email or in-product at least 14 days before they take effect.