nastalgic

Nastalgic Privacy Policy

Effective Date: April 16, 2026 Last Updated: April 16, 2026

This Privacy Policy explains how Nastalgic LLC, an Illinois limited liability company (“Nastalgic,” “we,” “us,” or “our”), collects, uses, shares, and protects personal information in connection with our memory and knowledge API and related services (the “Service”). This Privacy Policy is incorporated into, and should be read together with, our Terms of Service.

If you are an Authorized User on a Team Plan (see Section 4.2 of the Terms of Service), your employer or the organization that contracts with us is the “Customer Organization” and controls the Customer Data you submit. This Privacy Policy describes our practices; the Customer Organization’s own privacy notice governs the relationship between you and them.

1. Scope

This Privacy Policy applies to:

  • Our web properties (including nastalgic.com and any subdomains);
  • Our memory and knowledge API and developer tools;
  • The public_web demo/administration interface; and
  • Email, support, and sales interactions we have with you.

This Privacy Policy does not apply to third-party LLM providers (OpenAI, Anthropic, Google, self-hosted models, and similar) that you connect through our Bring-Your-Own-Key (“BYOK”) features. Those providers handle data under their own terms and privacy notices. See Section 9.

2. Summary (Plain-English)

If you just want the short version:

  • You own your data. Messages, documents, extracted facts, and knowledge-graph entries you store in a vault (“Customer Data”) belong to you.
  • We don’t train AI on your data — ever. Not our models, not a third party’s models, not foundation models.
  • We look at aggregate operational metrics (latency, request counts, error rates) to keep the Service running. These don’t contain Customer Data.
  • Routine staff access to your Customer Data is off by default. We don’t read the inside of your vaults as a matter of course. There’s a separate, explicit opt-in program (see Section 6) if you want us to look at your data to help debug or verify quality.
  • We use third-party services like our cloud hosts, payment processor, and email provider. We list them in Section 10.
  • You have rights to access, correct, delete, and export your data (Section 13).
  • You must be 18+ to use the Service.

The rest of this document is the full legal version.

3. Information We Collect

3.1 Information You Provide

  • Account information: name, email address, password (stored hashed), organization name, billing address, and similar details when you create or manage an account.
  • Payment information: handled by our payment processor (see Section 10); we receive only tokenized references and basic transaction metadata.
  • BYOK credentials: API keys or endpoints for third-party LLM providers you choose to connect. These are encrypted at rest and used only to make calls on your behalf.
  • Communications: content of emails or support messages you send us.
  • Customer Data: the messages, documents, conversation trees, extracted facts, knowledge-graph entries, personas, evidence records, and vault contents you or your Authorized Users submit through the Service.

3.2 Information Collected Automatically

  • Usage and telemetry: API request counts, endpoint paths, HTTP status codes, latency, user-agent and SDK version, error traces, extraction job durations, quota consumption, and similar operational metrics.
  • Device and log data: IP address, approximate geolocation derived from IP, browser type, operating system, timestamps, and referring URLs when you use our website or web app.
  • Cookies and similar technologies: see Section 7.

3.3 Information from Third Parties

  • Identity providers and OAuth: if you sign in with a third-party identity provider, we receive the profile fields you authorize (typically name, email, and a stable user ID).
  • Payment processor: receipt of payment, last four digits of payment method, and fraud signals.
  • Analytics and error monitoring: see Section 10.

4. How We Use Information

We use the information above to:

  1. Provide the Service — host, operate, secure, maintain, and support the Service; run background extraction jobs (resolver, facts, inference, graph, evidence); authenticate requests; enforce quotas.
  2. Bill and account — process payments, calculate metered usage, issue receipts, and manage renewals.
  3. Communicate with you — answer support tickets, send account and security notices, send transactional email, and (if you opt in) send product updates.
  4. Keep the Service safe — detect and investigate fraud, abuse, violations of our Acceptable Use Policy, and security incidents.
  5. Improve the Service through aggregate metrics — understand how the Service performs in the aggregate so we can fix bugs, tune performance, and prioritize features. We use aggregated, anonymized telemetry for this, not Customer Data.
  6. Comply with legal obligations — respond to lawful requests, enforce our Terms, and exercise our legal rights.

5. No Training on Customer Data

We do not use Customer Data to train, fine-tune, reinforce, or otherwise improve any machine-learning or generative AI model — whether our own, a vendor’s, or a foundation model — under any circumstances.

This commitment covers messages, uploaded documents, extracted facts, inferences, entity resolutions, knowledge-graph nodes and edges, personas, evidence records, embeddings derived from Customer Data, and any derivative of the foregoing.

We may use aggregated, anonymized operational metrics (for example, distributions of request latency, counts of extraction-job completions, error-rate trends) that do not identify any customer or individual and do not contain Customer Data.

6. QA Access Program (Opt-In)

Separately from training, we offer an opt-in program that lets you grant Nastalgic permission to look at your Customer Data for testing and quality-assurance purposes only. The program exists because it’s sometimes the fastest way to verify that extraction, retrieval, or graph-construction features are working correctly on real-world data.

6.1 Opt-In Is Required

The QA Access Program is off by default. We will not access the interior of your vaults for QA purposes unless you explicitly opt in through your account settings (or, for a Team Plan, unless your Customer Organization’s admin opts the organization in).

6.2 Scope of Access

If you opt in, authorized Nastalgic personnel and automated QA tooling may:

  • Read messages, documents, extracted facts, knowledge-graph entries, and other Customer Data in your vaults;
  • Replay your requests against staging or test environments to reproduce issues;
  • Compare production output against expected results; and
  • Produce internal QA reports describing observed behavior.

6.3 Permitted Uses

QA access is used only to:

  • Verify that the Service is functioning correctly;
  • Diagnose bugs, regressions, or quality issues;
  • Validate extraction, retrieval, inference, and graph-construction accuracy;
  • Measure the Service against internal quality benchmarks.

6.4 Prohibited Uses

QA access is never used to:

  • Train, fine-tune, reinforce, or evaluate any machine-learning model (this remains prohibited under Section 5);
  • Profile or target you for marketing;
  • Build customer-specific features outside of your account;
  • Share your Customer Data with any third party other than the limited service providers listed in Section 10 who process it under confidentiality obligations.

6.5 Controls, Logging, and Confidentiality

  • Access is limited to named Nastalgic personnel with a QA role; access is logged and auditable.
  • All personnel with QA access are bound by written confidentiality obligations.
  • QA outputs (reports, bug reproductions, regression fixtures) retain any Customer Data they contain for only as long as needed for the QA purpose, and no longer than 180 days, after which they are deleted or de-identified.
  • We will not publicly disclose your Customer Data or use it as a case study without your separate written permission.

You may revoke QA Access Program consent at any time in your account settings or by emailing rob@nastalgic.com. Revocation is prospective — it stops future QA access but does not retroactively unwind prior QA outputs that have already been produced (those will age out under Section 6.5).

6.7 Team Plans

For a Team Plan, only the Customer Organization’s admin can opt the organization in or out. Authorized Users should consult their organization’s policies.

7. Cookies and Similar Technologies

Our website and web app use cookies, local storage, and similar technologies for:

  • Strictly necessary purposes (authentication, session management, load balancing, CSRF protection). These cannot be turned off.
  • Preferences (remembering your UI choices).
  • Analytics (see Section 10) — only if you consent where consent is required by law.

You can control cookies through your browser settings. Blocking strictly necessary cookies may break the Service.

8. How We Share Information

We share personal information only as follows:

  • With service providers listed in Section 10, who process it on our behalf under contract.
  • With third-party providers you choose — when you use BYOK features, we transmit the relevant request data to the provider you specified. See Section 9.
  • With your Customer Organization — if you are an Authorized User on a Team Plan, the organization controls and can access your Customer Data and account metadata.
  • For legal reasons — to comply with a subpoena, court order, or other lawful request; to enforce our Terms; or to protect the rights, property, or safety of Nastalgic, our users, or others. Where we are legally permitted, we will notify you first.
  • In a business transaction — if Nastalgic is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will require the recipient to honor this Privacy Policy or provide notice and choice.
  • With your consent — for any other purpose you expressly authorize.

We do not sell your personal information. We do not “share” your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).

9. Bring-Your-Own-Key (BYOK) and Third-Party Providers

When you connect a third-party LLM provider (such as OpenAI, Anthropic, Google, or a self-hosted model) to your account and invoke a BYOK-backed feature:

  • We transmit the relevant prompts, embeddings, or extracted content to that provider on your behalf using the credentials you supplied.
  • The third-party provider handles that data under its own terms and privacy notice.
  • Nastalgic is not responsible for the third-party provider’s data-handling practices, retention policies, training practices, or security. Review their terms before connecting.

We encrypt stored BYOK credentials at rest and transmit them only to the provider you identified.

10. Service Providers We Use

We rely on a limited set of vendors to operate the Service. These include categories such as:

  • Cloud hosting and infrastructure (containers, databases, object storage, queues);
  • Vector storage (Qdrant);
  • Email delivery (transactional and account notifications);
  • Payment processing (credit card authorization, subscription management);
  • Error monitoring and analytics (application observability);
  • Customer support tooling;
  • Third-party LLM providers when used server-side for background extraction (only the minimum data needed for the job).

We enter into data-processing agreements with these vendors that restrict their use of personal information to providing services to us and require appropriate security measures.

A current list of subprocessors is available on request at rob@nastalgic.com and, when we have one, will be published at nastalgic.com/subprocessors.

11. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS);
  • Encryption at rest for stored secrets and BYOK credentials;
  • Role-based access control and least-privilege administration;
  • Separation of management, vault, vector, and queue data stores;
  • Vault-level tenant isolation (separate vault databases and Qdrant collections);
  • Audit logging for sensitive operations;
  • Regular patching and dependency updates.

No service is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you without undue delay as required by applicable law.

12. Data Retention

We retain personal information for as long as needed for the purposes described in this Privacy Policy, subject to these specific retention rules:

  • Customer Data (vault contents): retained for the life of your account.
  • Deleted accounts: we retain Customer Data for a 30-day grace period after termination to allow export or reactivation, after which we delete it from production systems. Backups age out under our normal backup schedule. See Section 14.4 of the Terms of Service.
  • Billing records: retained as long as required by tax and accounting law (typically 7 years in the United States).
  • Security and abuse logs: retained up to 24 months.
  • QA outputs (if you opted in): up to 180 days, then deleted or de-identified (Section 6.5).
  • Aggregated, anonymized metrics: may be retained indefinitely because they no longer identify you.

13. Your Privacy Rights

Depending on where you live, you may have the following rights with respect to your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct information that is inaccurate.
  • Deletion — ask us to delete your personal information, subject to exceptions (for example, records we must keep for legal or billing reasons).
  • Portability — receive your Customer Data in a portable, machine-readable format.
  • Restriction and objection — ask us to restrict or object to certain processing.
  • Withdraw consent — where processing is based on consent (including the QA Access Program), you may withdraw at any time. Withdrawal does not affect prior processing.
  • No discrimination — we will not retaliate against you for exercising any of these rights.

To exercise a right, email rob@nastalgic.com from the address associated with your account. We will respond within the time frame required by applicable law (typically 30 to 45 days). We may need to verify your identity before acting on a request.

13.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the rights above, and in addition you have the right to know the categories of personal information we collect, the sources, the purposes, and the categories of recipients. We do not sell or share (as those terms are defined under the CPRA) your personal information. You may designate an authorized agent to act on your behalf.

Categories of personal information we have collected in the past 12 months: identifiers; commercial information (transactions); internet and network activity information; geolocation data (approximate, from IP); professional or employment-related information (if provided); inferences drawn from the above (for product analytics only). Sensitive personal information: account login credentials.

13.2 EU / EEA / UK / Swiss Residents (GDPR / UK GDPR)

If you are in the EU, EEA, UK, or Switzerland:

  • Legal bases: we process personal information on the bases of (a) contract (to provide the Service), (b) legitimate interests (to secure, maintain, and improve the Service — balanced against your rights), (c) consent (for marketing, QA Access Program opt-in, and non-essential cookies), and (d) legal obligation (for tax, accounting, and lawful requests).
  • International transfers: we may transfer your personal information to the United States, where our infrastructure is hosted. For transfers out of the EU/EEA/UK/Switzerland, we rely on Standard Contractual Clauses or another lawful transfer mechanism.
  • Supervisory authority: you have the right to lodge a complaint with your local data-protection supervisory authority.

13.3 Other U.S. State Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, and others as enacted) have rights similar to those above. Exercise them by contacting us as described in Section 13.

14. Children

The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child under 18 has provided us with personal information, contact rob@nastalgic.com and we will delete it.

15. Do Not Track

Our Service does not respond to Do Not Track (DNT) browser signals, because there is no common industry standard for how to interpret them. We honor Global Privacy Control (GPC) signals where required by applicable law.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice in the Service at least 30 days before the changes take effect, except where a shorter period is required by law. The “Last Updated” date at the top of this document reflects the most recent revision.

17. Contact Us

Questions about this Privacy Policy or your personal information?

Nastalgic LLC Email: rob@nastalgic.com Subject line for privacy requests: “Privacy Request”

By using the Service, you acknowledge that you have read and understood this Privacy Policy.