Nistoo

Privacy Policy

Last updated: May 4, 2025

Nistoo ("we", "us", or "our") operates nistoo.com and the Nistoo compliance platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

Information you provide directly

  • Account registration data (name, email address, password)
  • Organization details (company name, industry, size)
  • Compliance data, evidence files, and documents you upload
  • Payment information (processed by Stripe — we do not store card data)
  • Communications with our support team

Information collected automatically

  • Usage data (pages visited, features used, time spent)
  • Device and browser information (IP address, browser type, OS)
  • Cookies and similar tracking technologies
  • Log data (access times, error reports)

Information from third parties

  • OAuth login data from Google or GitHub (name, email, profile picture)
  • Integration data from services you connect (AWS, GitHub, Azure AD)

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Nistoo platform
  • Process transactions and send related information
  • Generate AI-powered compliance analysis and reports
  • Send administrative information, updates, and security alerts
  • Respond to comments and questions and provide customer support
  • Monitor and analyze usage trends to improve our service
  • Detect, prevent, and address technical issues and fraud
  • Comply with legal obligations

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract performance: processing necessary to provide the services you have subscribed to
  • Legitimate interests: improving our platform, ensuring security, and preventing fraud
  • Legal obligation: complying with applicable laws and regulations
  • Consent: where you have given explicit consent (e.g., marketing communications)

4. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with:

  • Service providers: Neon (database), Upstash (Redis), Vercel (hosting), Resend (email), Stripe (payments), OpenAI (AI features), AWS (storage)
  • Legal requirements: when required by law, court order, or government authority
  • Business transfers: in connection with a merger, acquisition, or sale of assets
  • With your consent: for any other purpose with your explicit consent

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. You may request deletion of your account and associated data at any time by contacting us at privacy@nistoo.com. We may retain certain information as required by law or for legitimate business purposes.

6. Data Security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. International Data Transfers

Your data may be transferred to and processed in countries outside your own, including the United States. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your personal data
  • Object to or restrict processing of your data
  • Data portability (receive your data in a structured format)
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@nistoo.com.

9. Cookies

We use cookies and similar technologies for:

  • Essential cookies: authentication sessions and security
  • Analytics cookies: understanding how users interact with our platform (PostHog)
  • Preference cookies: remembering your settings and language preference

You can control cookies through your browser settings. Disabling essential cookies will affect platform functionality.

10. Children's Privacy

Nistoo is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal data, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a prominent notice on our platform. Your continued use of Nistoo after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: