Privacy Policy
Last Updated: March 19, 2026
We believe privacy is a feature, not a compliance checkbox. This policy explains exactly what we collect, what we don’t collect, and how we use it.
At a Glance
- We collect: Anonymized usage analytics only (page views, feature usage, no PII)
- We do NOT collect: Screening queries, personal information, or browsing history
- No third-party tracking: No Google Analytics, Facebook Pixel, or external ad networks
- No data sharing: We don’t sell, rent, or trade your data
- Short retention: Analytics deleted after 12 months
1. What We Collect
1.1 Anonymized Usage Analytics
When you use Nobris products, we collect:
- Page views & feature usage: Which features you access (e.g., “Batch upload initiated,” “Export CSV downloaded”)
- Aggregate query counts: “X queries performed today” — NOT individual query details
- Session duration: How long you used the service
- Device type: Desktop, mobile, tablet (no device fingerprinting)
- Geographic region: Country/continent level only (from IP geolocation), not precise location
This data is anonymized and aggregated. We cannot and do not attempt to identify you from usage patterns.
1.2 Account Information
If you create an account to access paid features, batch uploads, scheduled reports, or export features, we collect your email address, account creation date, hashed password (hashing is one-way; we cannot read it), and optionally your name and organization.
We use this data only to manage your account, send transactional emails (job status, password resets), and optionally contact you about Nobris updates (you can opt out anytime).
2. What We Do NOT Collect
2.1 Screening Queries
We do not log, store, or process your screening queries server-side. Your queries are used in-memory to fetch results from our data index, never persisted to a database, never analyzed for user profiling, and never shared with third parties.
This means we genuinely cannot tell you what entities you’ve screened, even if subpoenaed. Your screenings are private.
2.2 Personal Information
Unless you voluntarily provide it during registration, we do not collect your full name, company name, phone number, physical address, or payment card details.
2.3 Location & Device Data
We do not collect precise GPS location, device identifiers (IMEI, UUID), or mobile advertising IDs. We infer approximate country/region from IP geolocation for analytics only.
3. Cookies & Local Storage
We use only strictly necessary cookies:
- Session cookie (HttpOnly, Secure): Maintains your login state. Deleted when you close your browser or log out.
- CSRF token: Prevents cross-site request forgery. Deleted at session end.
We do not use Google Analytics, Facebook Pixel, Mixpanel, retargeting cookies, or any third-party tracking service.
4. Data Retention
- Usage analytics: Retained for 12 months, then automatically deleted
- Account data: Retained as long as your account is active; deleted within 30 days of account deletion
- Session cookies: Deleted at session end
- Server logs: Kept for 7 days for security and debugging, then deleted
5. Government Data & Attribution
Nobris indexes publicly available U.S. government screening lists (OFAC, BIS, etc.). These are public records. When you run a screening:
- You are searching our local index of government data
- We do not log your queries to government agencies
- Government agencies do not receive notification of your queries
- Results are shown with source attribution (e.g., “OFAC SDN List”)
6. Third-Party Services
Nobris may use third-party services for email delivery (e.g., SendGrid), infrastructure/hosting (e.g., AWS, Vercel), and privacy-focused analytics (e.g., Plausible). All third-party services are bound by data processing agreements that prohibit them from using your data for their own purposes.
7. Your Rights
If you are located in a jurisdiction with privacy laws (GDPR, CCPA, etc.), you have the right to:
- Access: Request what data we hold about you
- Correction: Request corrections to inaccurate data
- Deletion: Request deletion of your data (“right to be forgotten”)
- Portability: Request your data in machine-readable format
- Opt-out: Opt out of non-essential data collection
To exercise these rights, contact privacy@nobris.dev with your email address and a description of your request. We will respond within 30 days.
8. Children’s Privacy
Nobris is not intended for users under 13. We do not knowingly collect personal data from children. If we learn that a child has provided personal data, we will delete it immediately.
9. International Data Transfers
If you are located outside the United States and provide personal data (e.g., via account registration), that data may be transferred to, stored in, and processed by us in the United States. By using Nobris, you consent to such transfers. We comply with all applicable cross-border data transfer regulations.
10. Changes to This Policy
We may update this policy at any time. We will notify you of material changes via email (if registered) and highlight them on our website. Continued use of Nobris after changes constitutes acceptance of the revised policy.
11. Contact Us
For privacy questions, data access requests, or concerns:
- Email: privacy@nobris.dev
- Response time: Within 30 days
Our Commitment
We designed Nobris with privacy-by-default. We collect only what we need to operate and improve our products. We’ve architected our systems to avoid storing sensitive data like screening queries. We don’t share your data with advertisers or data brokers, and we don’t use dark patterns or deceptive practices.
If we discover we’re collecting more data than necessary, we will reduce collection, not increase it. Your privacy is not for sale.