Privacy Policy

Last updated: January 2025

Nido is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR). This policy explains what data we collect, why we collect it, how long we keep it, and what rights you have.

1. Who We Are

Data controller: Nido (nido.app)

Contact: hello@nido.app

We are not required to appoint a Data Protection Officer (DPO) as we are not a public authority and do not carry out large-scale systematic monitoring or processing of special category data.

2. What Data We Collect

  • Email address — collected when you sign in or subscribe to Nido.
  • Listing content — title, description, amenities, location, and price entered by you when submitting a listing for analysis.
  • Usage data — pages visited and features used, collected via PostHog analytics. This is only collected with your explicit consent.
  • Payment data — handled entirely by Stripe. We never see or store your card details.
  • IP address — processed by Supabase for security purposes (fraud prevention and abuse detection).

3. Why We Collect It (Legal Basis)

  • Email / authentication: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide you with access to the service.
  • Listing data: Contract performance (Art. 6(1)(b)) — necessary to generate your listing analysis.
  • Analytics: Consent (Art. 6(1)(a)) — only collected if you explicitly accept analytics cookies.
  • Payment records: Contract performance (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)).

4. How Long We Keep It

  • Account data: Until you delete your account.
  • Listing analyses: Until you delete them or your account.
  • Payment records: 7 years — required by Polish accounting law (legal obligation).

5. Who We Share It With

We use the following sub-processors to operate Nido. Each has signed appropriate data processing agreements (DPAs) and, where applicable, EU Standard Contractual Clauses (SCCs) for transfers outside the EEA.

Processor | Purpose | Location | Privacy Policy
--------- | ------- | -------- | --------------
Supabase Inc. | Database & authentication | USA (EU SCCs) | supabase.com/privacy
Anthropic PBC | AI analysis | USA (EU SCCs) | anthropic.com/privacy
Stripe Inc. | Payment processing | USA (EU SCCs) | stripe.com/privacy
PostHog Inc. | Analytics (consent only) | EU (Frankfurt) | posthog.com/privacy
Resend Inc. | Transactional email | USA (EU SCCs) | resend.com/privacy

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of the data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate data.
  • Right to erasure / "right to be forgotten" (Art. 17) — you can delete your account and all associated data directly in your account Settings.
  • Right to restriction of processing (Art. 18) — ask us to limit how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent — you can withdraw consent for analytics cookies at any time by changing your cookie preferences on our Cookie Policy page.

To exercise any of the above rights, email us at hello@nido.app. We will respond within 30 days.

7. Cookies

For full details on the cookies we use, please see our Cookie Policy.

8. Data Security

We take the security of your data seriously. All data is encrypted in transit using TLS (HTTPS) and stored encrypted at rest within Supabase. Access to personal data is limited to authorised personnel only, on a need-to-know basis.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes that affect your rights, we will notify you by email before the changes take effect.

10. Complaints

You have the right to lodge a complaint with the Polish supervisory authority:

UODO (Urząd Ochrony Danych Osobowych)
uodo.gov.pl
ul. Stawki 2, 00-193 Warsaw, Poland