Privacy Policy
Draft — pending review by a qualified lawyer. This text is not final and is not legal advice.
1. Who we are
The data controller is Namup, LLC, a Delaware company, whose address is 131 Continental Dr, Suite 305, Newark, DE 19713, United States. EU Representative (GDPR Art. 27): being appointed — until then, write to us directly and we answer every request. Contact: privacy@namup.net.
2. Data we collect
The minimum necessary: email, your sign-in method (Google, or email and password with email confirmation), subscription details (via Stripe), region/language preference, and technical metadata (IP at login, app version). Your financial declarations are processed locally on your device — we never read them. We do not collect your bank credentials, use no advertising trackers, and never sell your data.
3. How we use data
To provide the service, process subscriptions, secure accounts, detect your region for pricing, answer support, and — if you enable it — generate AI insights. No use for advertising or resale.
4. Where data is stored
Local by default: your financial data stays on your device, and we never read it. Cloud backup (opt-in): end-to-end encrypted — the key never leaves your device, so it's unreadable to us — hosted in the EU. Account data (email, subscription): servers hosted in the EU/EEA (Supabase).
5. Sub-processors
We share data only with: Stripe (payments and VAT, EU/US under Standard Contractual Clauses), Anthropic (AI, if you enable it: a derived context; or, if you enable reading your text, the sentence you type with your contact details stripped on-device — never used to train the AI, short anti-abuse retention only —, US under Standard Contractual Clauses), Supabase (account and encrypted backup, EU), and — when enabled — PostHog (anonymous usage statistics: screen events with no identifier, never your financial data, EU hosting) — each under a data-processing agreement. No other sharing without your consent, except where required by law.
6. Your rights (GDPR)
Access, rectification, erasure, portability, restriction, objection, withdrawal of consent. Exercise them in-app (data export, account deletion, privacy settings) or by email. Response within 30 days. Account deletion purges the device, erases the cloud backup, and sends a confirmation.
7. Retention
Local financial data: until you delete it. Email/account: account lifetime + legal minimum (10 years, fiscal obligations). Support: 3 years. Login metadata: 12 months.
8. Cookies & trackers
The app uses on-device storage solely for your data — functional storage, not tracking. No advertising cookies or third-party tracking scripts in the app.
9. Children
The service is not directed at anyone under 16, and we do not knowingly collect their data. Contact us for prompt deletion.
10. Authorities & law
We disclose data to authorities only when required by law (court order, regulatory demand), and we notify you where legally permitted.
11. International transfers
Primary processing is in the EU/EEA. Any transfer to the United States (e.g. Anthropic) occurs under Standard Contractual Clauses (GDPR Art. 46) or the EU-US Data Privacy Framework.
12. Changes
We notify you by email at least 30 days before any material change. Continued use after the effective date constitutes acceptance.
13. Contact & supervisory authority
Privacy: privacy@namup.net (Namup, LLC — 131 Continental Dr, Suite 305, Newark, DE 19713, United States). EU Representative (GDPR Art. 27): being appointed; until then, that same email handles every request. You may lodge a complaint with your country's supervisory authority (in France: the CNIL).