Privacy Policy
This Privacy Policy explains how Nyami (“Nyami,” “we,” “us,” or “our”) collects, uses, and safeguards personal information when you visit nyami.app, join our waitlist, or interact with our communications (collectively, the “Services”). It also sets out your privacy rights under the EU General Data Protection Regulation (GDPR).
1. Who we are & how to reach us
Nyami is a mindful eating companion under development. We act as the data controller for the personal information processed through the Services.
- Controller: Nyami (a pre-incorporation project operated by the founding team; we will update this Policy once the legal entity is registered).
 - Registered/principal office: Budapest, Hungary. Please contact us for our full postal address if you wish to write to us.
 - Email for privacy enquiries: [email protected]
 
We have not appointed a data protection officer. If we do so in the future, we will update this Policy with their contact details.
2. The information we collect
- Identification and contact data: Email address and any optional information you submit when joining the waitlist or contacting us.
 - Communications data: Messages you send us and our responses, including metadata (dates, times).
 - Usage data: Device information (browser type, operating system, screen resolution), IP address, pages viewed, referring URLs, interactions with page elements, session duration, performance metrics, and other analytics data collected via consent-based cookies.
 - Consent records: Timestamped records of your cookie and marketing preferences, stored locally (e.g., the `nyami-cookie-consent` cookie) and within our internal logs.
 - Aggregated and anonymised data: High-level statistics that no longer identify you, which we use to understand patterns and improve the Services.
 
3. Why we use your data & our lawful bases
We only process personal data when we have a legal basis under the GDPR. The table below summarises our main processing activities.
| Purpose | Data categories | Legal basis | Retention | 
|---|---|---|---|
| Manage the waitlist and respond to enquiries | Identification and contact data; communications data | Consent (Article 6(1)(a)) when you opt in to the waitlist; legitimate interests (Article 6(1)(f)) to respond to ad-hoc enquiries | 12 months after last interaction, unless you request earlier deletion | 
| Send product updates and mindful content | Identification and contact data | Consent (Article 6(1)(a)); you can withdraw at any time via the unsubscribe link | Until you withdraw consent or we discontinue the mailing programme | 
| Provide secure, reliable access to the site | Usage data, consent records | Legitimate interests (Article 6(1)(f)) to operate, secure, and troubleshoot the Services | Rolling 12 months for server/event logs (confirm actual log retention period) | 
| Run product analytics and improve the experience | Usage data (once cookie consent is provided) | Consent (Article 6(1)(a)) via our cookie banner | PostHog retains event data for up to 12 months in the EU region | 
| Meet legal obligations and enforce our Terms | Any relevant data category | Legal obligations (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) | As long as required under applicable law (e.g., limitation periods) | 
If we rely on legitimate interests, we balance those interests against your rights by limiting the data we collect, using aggregated insights wherever possible, and offering opt-outs when appropriate.
4. Cookies & similar technologies
We use strictly necessary cookies to remember your preferences, and analytics cookies (set only after you consent) to understand how visitors engage with our pages. You can manage your choices through the banner or your browser settings.
| Cookie | Provider | Purpose | Expiry | Type | 
|---|---|---|---|---|
| `nyami-cookie-consent` | Nyami (first-party) | Stores your cookie consent choice so the banner does not reappear unnecessarily | 12 months | Strictly necessary | 
| `ph_{project-key}_posthog` and related PostHog cookies | PostHog (EU region) | Records session information and feature usage to help us improve Nyami (set only after you click “Accept the crumbs”) | Up to 12 months per PostHog’s retention defaults | Analytics (requires consent) | 
Please let us know if additional cookies or third-party scripts are introduced so this section remains accurate.
5. Sharing your data
We do not sell personal information. We share data only with service providers that help us operate the Services, subject to written contracts and appropriate safeguards.
- Sevalla (Hungary/EU): Provides hosting and infrastructure for the landing page and waitlist submission API. Data processed: all categories stored on the site. Safeguards: EU GDPR-compliant hosting.
 - Namecheap (United States): Manages our domain name and DNS. Data processed: DNS metadata and minimal contact details. Safeguards: Standard Contractual Clauses (SCCs) and security reviews.
 - PostHog (EU cloud region): Delivers product analytics and cookie consent logs. Data processed: usage data and consented event metadata. Safeguards: EU data residency, SCCs where applicable.
 
We may also disclose data if required by law, to protect our rights or the rights of others, or in connection with a business transaction (such as a merger or acquisition).
6. Data retention
We keep personal information only as long as needed for the purposes described above or as required by law. Current retention guidelines are:
- Waitlist and marketing emails: Removed 12 months after your last interaction or sooner if you unsubscribe.
 - Support and enquiry records: Retained for up to 12 months after closure to help us follow up and improve the Services.
 - Cookie consent logs: Stored for 12 months to demonstrate compliance, then refreshed.
 - Aggregated analytics: Retained indefinitely in non-identifiable form.
 
We delete or anonymise data once the retention period expires or when you exercise your right to erasure, unless we must keep it for legal reasons.
7. How we protect information
We use administrative, technical, and physical safeguards to protect personal data, including HTTPS encryption, access controls, audit logging, and regular monitoring of our hosting environment. We restrict access to personal information to team members who need it to perform their duties.
8. International data transfers
Our primary operations are in Hungary. When we transfer personal data outside the European Economic Area (for example, to Namecheap in the United States), we rely on lawful transfer tools such as Standard Contractual Clauses and ensure that recipients provide adequate protections.
9. Your rights
Under the GDPR you have the right to request access to your data, correction, deletion, restriction, portability, and to object to certain processing. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
You can exercise your rights by emailing [email protected]. We may ask for additional information to verify your identity before we action your request.
You also have the right to lodge a complaint with your local data protection authority or with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), H-1055 Budapest, Falk Miksa utca 9-11, Hungary (naih.hu, [email protected]).
10. Children
The Services are not directed to anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us so we can delete it.
11. Updates to this Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the “Effective” date above and, where required, provide additional notice (for example, via email or on-site banner). Your continued use of the Services after changes become effective means you accept the revised Policy.
12. Contact us
If you have questions or concerns about this Privacy Policy or our data practices, email us at [email protected].