nunn.ai

Nunn.ai Privacy Policy
Effective Date: April 20, 2025

1. INTRODUCTION

Welcome to Nunn.ai ("Service"), an AI-powered resource for evidence law provided by Nunn Ventures, LLC ("Nunn.ai," "we," "us," or "our"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our Service.

By accessing or using our Service, you signify your acceptance of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use the Service.

2. INFORMATION WE COLLECT

We collect information to provide and improve our Service. The types of information we collect depend on how you interact with us.

2.1. Information You Provide Directly

* **Account Information:** When you register or authenticate (e.g., via Auth0), we collect information associated with your account, which may include your name, email address, and profile picture URL provided by the authentication service.
* **User Queries:** We collect the questions and prompts you submit to the Service.
* **Uploaded Files:** If you upload documents (e.g., PDF, DOCX, TXT), we collect the files themselves and the text content extracted from them.
* **Communications:** If you contact us directly (e.g., via email), we may collect your name, email address, and the contents of your message.
* **Feedback:** We may collect feedback and suggestions you provide about the Service.

2.2. Information Collected Automatically

* **Interaction Data:** We collect information about your interactions with the Service, including:
* Questions asked and AI responses received.
* Conversation history (linked by a conversation ID).
* Flags indicating follow-up questions or use of specific features (e.g., "Pro Mode").
* Timestamps of interactions.
* Usage counts (e.g., number of questions asked, Pro search usage).
* **Technical Log Data:** We automatically log technical information about your device and connection when you access the Service. This includes:
* IP Address.
* Browser type and version.
* Operating system.
* Referring URLs.
* Date and time of access.
* User-Agent string.
* Request processing times (e.g., time to first response chunk).
* **Cookies and Session Data:** We use cookies and similar technologies for essential functions like maintaining your login session and tracking anonymous user feature usage (e.g., Pro search count for non-logged-in users within a session).
* **Essential Cookies:** Necessary for service operation (e.g., session management, security).
* **Session Storage:** We may use browser session storage for temporary information related to your current interaction.

2.3. Information from Third Parties

* **Authentication Providers (Auth0):** If you authenticate using Auth0, we receive profile information (name, email, profile picture URL) as configured in your Auth0 consent settings.
* **Payment Processors (Stripe, Buy Me a Coffee):** If you make a donation or subscribe to premium features, our payment processors handle your payment information directly. We may receive confirmation of payment and subscription status but do not directly store your full payment card details.

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

* **To Provide and Operate the Service:** Process your queries, generate AI responses, manage user accounts, handle file uploads, and facilitate conversation history.
* **To Improve the Service:**
* Analyze usage patterns to understand how the Service is used and identify areas for improvement.
* Use interaction data (questions, answers, context, relevance check results) for troubleshooting, debugging, and enhancing the accuracy and relevance of search results and AI responses.
* Potentially use anonymized and aggregated User Queries and Interaction Data to fine-tune the underlying AI models (both internal and those accessed via third-party APIs where permitted by their terms). We strive to remove personally identifiable information before using data for training purposes.
* **To Maintain Security and Performance:** Monitor for security threats, prevent fraud and abuse, analyze performance metrics, and ensure the stability of the Service.
* **To Communicate with You:** Respond to your inquiries, provide support, and send important notices about the Service or changes to our policies.
* **To Comply with Legal Obligations:** Meet legal requirements, enforce our Terms of Service, and protect the rights, property, or safety of Nunn.ai, our users, or others.

4. INFORMATION SHARING AND DISCLOSURE

We do not sell your personal information. We may share your information in the following circumstances:

* **Third-Party AI & Search Providers:**
* **AI Processing (OpenRouter - accessing models like Claude):** To generate AI responses and extract context from conversation history, we send your User Queries, relevant conversation history, and generated context (which may include extracted text from your uploaded files and web search results) to OpenRouter. Their use of this data is governed by their privacy policy ([openrouter.ai/privacy](https://openrouter.ai/privacy)). You should review their policy regarding data usage, retention, and potential use for model training.
* **Web Search Providers (You.com, OpenAI Search, Google Custom Search, OpenRouter for Perplexity):** To gather relevant information from the web, we may send your User Queries (or versions enhanced based on conversation history) to these providers. Their use of this data is governed by their respective privacy policies (see Section 10).
* **Service Providers:** We use third-party vendors for essential services:
* **Cloud Hosting & Storage (Google Cloud Platform - GCP):** Our application, database (Cloud SQL), uploaded files (Cloud Storage), and potentially log files (Cloud Storage) are hosted on GCP. Google's use of data is governed by their terms and privacy policies. We primarily use the `us-central1` region, but data residency may vary based on specific GCP services used.
* **Authentication (Auth0):** Handles user login and authentication.
* **Payment Processing (Stripe, Buy Me a Coffee):** Process payments and manage subscriptions/donations.
* These providers only have access to the information necessary to perform their functions and are obligated to protect your information.
* **Legal Requirements:** We may disclose your information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
* **Business Transfers:** In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal information.

5. DATA STORAGE AND RETENTION

* **Database (Cloud SQL):** User account information, question/answer history (for authenticated users, excluding full context), and Pro search usage data are stored in our PostgreSQL database hosted on Google Cloud SQL (primarily `us-central1`). This data is retained as long as your account is active or as needed to provide the Service, subject to your deletion rights.
* **Uploaded Files (Google Cloud Storage - GCS):** Files you upload are stored in a GCS bucket. Currently, **there is no automated retention policy**, and files are stored indefinitely unless manually deleted or you request deletion. The text extracted from these files may also be stored temporarily in server memory during processing and potentially persisted in detailed log files.
* **Detailed Log Files (GCS / Local Filesystem):** Comprehensive logs containing technical data (IP address, User-Agent, timings) and interaction data (questions, full context used, relevance checks, answers, errors) are generated for each interaction.
* In production environments (like Google Cloud Run), these logs are typically stored in the GCS bucket used for uploads under a `user_qa/` prefix.
* In local development environments, these logs are stored in the `User Q&A/` directory within the project structure.
* Currently, **there is no automated retention policy** for these log files in either GCS or the local filesystem; they are stored indefinitely unless manually deleted or you request deletion.
* **Anonymous Conversation History (Server Memory):** For non-logged-in users, a limited history (typically the last 10 turns) of the current conversation (questions, answers, flags) is stored in the application server's memory. This data is volatile and is lost when the server restarts or the session ends. However, the full interaction is still captured in the detailed log files mentioned above.
* **Session Data:** Session cookies and associated data typically expire after a set period (e.g., 30 days of inactivity) or when you log out or clear your browser data. Anonymous usage counts stored in the session reset daily or when the session expires.

We are working on implementing automated retention policies for uploaded files and log files. Until then, please be aware of the indefinite retention described above.

6. DATA SECURITY

We implement reasonable technical and organizational measures to protect your information from unauthorized access, use, disclosure, alteration, or destruction. These measures include:

* Using HTTPS (SSL/TLS) for data transmission.
* Leveraging the security features of our cloud providers (GCP, Auth0).
* Implementing security headers (e.g., Content Security Policy via Talisman).
* Using CSRF protection.
* Securely managing API keys and credentials.
* Limiting internal access to personal information on a need-to-know basis.

However, no internet transmission or electronic storage method is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

7. YOUR DATA RIGHTS AND CHOICES

Depending on your location, you may have certain rights regarding your personal information:

* **Access:** You can request access to the personal information we hold about you. Authenticated users can view their question/answer history through the Service interface.
* **Correction:** You can request correction of inaccurate personal information we hold about you (e.g., your account information).
* **Deletion:** You can request deletion of your personal information. This includes:
* Your user account and associated data in the database.
* Your uploaded files stored in GCS.
* Associated log files stored in GCS or locally (subject to feasibility of identification).
* Please note that deleting your data is permanent and irreversible. We may need to retain certain data for legal or legitimate business purposes (e.g., transaction records, security logs).
* **Data Portability:** You may have the right to receive your personal information in a structured, commonly used, and machine-readable format. Authenticated users can typically copy/paste their history from the interface. For bulk export, please contact us.
* **Opt-Out of Communications:** You can opt-out of non-essential email communications by following the unsubscribe instructions in those emails.

**Exercising Your Rights:** To exercise these rights, please contact us at the email address provided in Section 12. We may need to verify your identity before processing your request. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

**Cookies:** You can manage cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service.

8. CHILDREN'S PRIVACY

The Service is not intended for or directed at children under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

9. INTERNATIONAL DATA TRANSFERS

Our Service is operated primarily in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers and central database are located (primarily GCP `us-central1`). Data protection laws in the U.S. may differ from those in your country. By using the Service, you consent to the transfer of your information to the U.S.

10. THIRD-PARTY LINKS AND SERVICES

Our Service may contain links to third-party websites or services, and we utilize third-party APIs as described above. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies:

* Google Cloud Platform: [cloud.google.com/privacy](https://cloud.google.com/privacy)
* Auth0: [auth0.com/privacy](https://auth0.com/privacy)
* OpenRouter: [openrouter.ai/privacy](https://openrouter.ai/privacy)
* OpenAI: [openai.com/policies/privacy-policy](https://openai.com/policies/privacy-policy)
* You.com: [about.you.com/privacy/](https://about.you.com/privacy/)
* Google General Privacy Policy (for Custom Search): [policies.google.com/privacy](https://policies.google.com/privacy)
* Stripe: [stripe.com/privacy](https://stripe.com/privacy)
* Buy Me a Coffee: [buymeacoffee.com/privacy](https://www.buymeacoffee.com/privacy)

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on the Service and updating the "Effective Date" at the top. Your continued use of the Service after the Effective Date constitutes your acceptance of the amended Privacy Policy. We encourage you to review this Privacy Policy periodically.

12. CONTACT US

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact us at:

Nunn Ventures, LLC
Email: alex@nunn.ai
Address: 3617 Austin Ct., Flower Mound, TX 75028