Plain language summary: We collect your account information, file metadata, and basic technical data to run the service. We do not sell your data, we do not use third-party analytics trackers, and we do not read your file contents. Your files are encrypted before they reach persistent storage and are never accessible to Nomia employees in plaintext.
Overview
This Privacy Policy describes how Nomia Storage, Inc. ("Nomia Storage," "we," "us," or "our") collects, uses, and protects information about you when you use our cloud file storage service, website, API, and desktop clients (collectively, the "Service").
By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
Nomia Storage, Inc. is the data controller for personal information collected through the Service. Our registered address is 340 Pine Street, Suite 800, San Francisco, CA 94104, United States.
Information we collect
Account and billing information
When you register, we collect your name, work email address, and a password (stored as a salted hash; we never store your password in plaintext). If you subscribe to a paid plan, your payment method details are handled exclusively by our payment processor, Stripe, Inc. Nomia Storage receives only a payment confirmation token and the last four digits of your card for display purposes.
File metadata
We collect the name, size, type, and modification timestamps of files you upload, as well as the folder hierarchy you create. This metadata is necessary to display your file browser, enforce storage quotas, and maintain version history. We do not index or analyze the contents of your files for any purpose.
Usage and technical data
To operate, secure, and troubleshoot the Service, we collect:
- IP addresses and approximate geolocation (country level) at the time of login and file access events
- Browser type and version, operating system, and referrer URL for web sessions
- API request logs, including timestamps, endpoints accessed, and HTTP response codes
- Storage quota utilization and bandwidth consumed per billing period
We do not use third-party analytics services. We do not deploy advertising pixels, tracking scripts, or session-recording tools on any page or in any client application.
Communications
If you contact us for support or send us feedback, we retain the content of that communication along with your email address and the timestamps of the exchange.
How we use your information
We use the information described above for the following purposes, all of which are necessary to deliver the Service or comply with legal obligations:
- Operating the Service - authenticating your identity, displaying your files, processing uploads and downloads, and enforcing plan limits
- Billing - calculating storage and seat usage, generating invoices, and coordinating payment with Stripe
- Security and fraud prevention - detecting unauthorized access attempts, investigating anomalous activity patterns, and enforcing our Terms of Service
- Technical troubleshooting - diagnosing errors, identifying performance degradation, and resolving support requests
- Service communications - sending you transactional messages about your account (invoices, password resets, storage warnings). We do not send marketing email unless you have separately opted in
- Service improvement - analyzing aggregated and anonymized usage statistics to understand which features are most used and where reliability gaps exist. Individual file contents or filenames are never included in this analysis
Storage and security
Security is built into the storage layer, not layered on top of it afterward. Here is what happens to your data technically:
Encryption at rest
Every file is encrypted using AES-256 before being written to persistent storage. Encryption is applied at ingest on our application servers, so file data reaches the storage layer already encrypted. Encryption keys are scoped per workspace and rotated on a rolling schedule. Nomia Storage employees cannot access your file contents in plaintext.
Encryption in transit
All connections to the Nomia Storage web application, API, and desktop clients use TLS 1.3. Connections that attempt to negotiate older protocol versions are refused. We enforce strict transport security (HSTS) with a minimum one-year policy duration.
Redundancy
Every file is written simultaneously to three independent availability zones within the United States. If one zone becomes unavailable, your files remain fully accessible from the remaining zones without any action required on your part and without data loss.
Access controls
Nomia Storage employee access to production systems is restricted by role and requires multi-factor authentication. All access events are logged and reviewed. No employee has a standing mechanism to view the decrypted contents of customer files. Access logs are retained for 24 months.
Independent audits
We engage an independent security firm to audit our infrastructure and application controls each calendar year. The current audit summary report is available to customers on request from your account settings page.
Data retention
We retain your information only as long as necessary for the purposes described in this policy or as required by law.
- Active account data - retained for the lifetime of your account. You can export your data at any time from account settings.
- Deleted files - files you delete are moved to a recovery queue for 30 days, after which they are permanently purged from all three availability zones. During the 30-day window you can restore any deleted file. After purge, recovery is not possible.
- Version history - prior versions of files are retained according to your plan (30 days on Personal, 90 days on Professional). Expired versions are purged automatically.
- Billing records - invoices and payment records are retained for seven years to satisfy tax and accounting obligations.
- Support communications - support tickets and associated email threads are retained for three years.
- Technical logs - server and API logs are retained for 90 days, then automatically deleted. Access audit logs are retained for 24 months.
- After account closure - when you close your account, file data is purged within 30 days and core account data (name, email, usage history) within 60 days. Billing records are retained for the seven-year period noted above.
Your privacy rights
Depending on your location, you may have the following rights with respect to your personal information. You can exercise most of these directly from account settings. For requests that require our involvement, email us at privacy@nomiastorage.com and we will respond within 30 calendar days (GDPR requests) or 45 calendar days (CCPA requests).
GDPR rights (EU, EEA, and UK residents)
- Request a copy of the personal information we hold about you, including account data, usage logs, and billing history.
- Correct inaccurate personal information. Most account details (name, email) can be updated directly in settings.
- Request deletion of your personal data. Closing your account triggers automatic deletion per our retention schedule above.
- Export your files and account metadata in standard formats (ZIP for files, JSON for account data) from account settings at any time.
- Request that we limit how we process your data while a dispute or complaint is being resolved.
- Object to processing of your data for purposes other than operating the Service. We do not process data for direct marketing without your consent.
You also have the right to lodge a complaint with your local data protection supervisory authority. In the EU, the relevant authority is the data protection authority in your country of residence.
CCPA rights (California residents)
- Right to know - request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the categories of sources, our business purpose for collecting it, and any categories of third parties with whom we share it.
- Right to delete - request deletion of personal information we have collected from you, subject to certain exceptions (such as information we are required to retain for tax compliance).
- Right to opt out of sale - we do not sell personal information as defined by the CCPA. You do not need to take any action to opt out.
- Right to non-discrimination - we will not treat you differently, or reduce the quality of service we provide to you, because you exercised any of the above rights.
To submit a request under GDPR or CCPA, email privacy@nomiastorage.com from the email address associated with your account. We may request verification of your identity before processing the request.
International data transfers
Nomia Storage is headquartered in the United States and our storage infrastructure operates across three availability zones, all located within the United States. If you access the Service from outside the United States, your data is transferred to and stored in the US.
For customers in the European Union, the European Economic Area, or the United Kingdom, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) of the GDPR as the legal mechanism for transferring personal data to the United States. A copy of the applicable SCCs is available on request at privacy@nomiastorage.com.
Our subprocessors (Stripe and Postmark) operate under their own binding data transfer mechanisms. We ensure through our data processing agreements that each subprocessor maintains transfer mechanisms that are adequate under applicable data protection law.
We maintain a current list of subprocessors and their processing locations. To request an up-to-date copy, contact privacy@nomiastorage.com.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page always reflects the date of the most recent revision.
For changes that are material to your rights or our data handling practices, we will notify you by email to the address associated with your account at least 30 days before the new policy takes effect. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the revised terms.
If we make changes that require fresh consent under applicable law (for example, a new processing purpose), we will seek that consent separately before the change takes effect.
Contact
If you have questions about this policy, want to exercise your privacy rights, or want to report a concern, please reach out:
- Email: privacy@nomiastorage.com
- Post: Nomia Storage, Inc., Attn: Privacy, 340 Pine Street, Suite 800, San Francisco, CA 94104, United States
We aim to respond to all privacy inquiries within 10 business days and to complete verified data subject requests within 30 calendar days (GDPR) or 45 calendar days (CCPA).
If you are located in the EU or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. The UK Information Commissioner's Office can be reached at ico.org.uk. EEA residents should contact the supervisory authority in their country of residence.