[ Legal ]
Privacy.
How Nona AI Tech, Inc. (“Nona AI”, “we”, “our”) collects, processes, and protects your information when you visit nonamedai.com, use our Nona AI Agent voice and chat experience, or enter a commercial engagement with us.
Summary.
Nona AI is a B2B AI automation provider. This site exists to explain what we do, capture interest from prospective customers, and let visitors try our chat and voice agent. We collect the minimum information needed to do those three things and nothing else.
We don't sell your information. We don't use the contact form, voice transcripts, or calculator inputs to train public models. We do use third-party services (OpenAI for the live AI agent, Resend for transactional email, Railway for hosting) to operate the site, and this policy tells you exactly what they receive.
What we collect.
- Contact form data. Your name, work email, company, and the message you send, plus any optional fields you fill in.
- Project calculator inputs. The configuration choices you make in the on-site project calculator (service type, volume, integrations). We store the resulting scope only if you submit it via the contact form.
- Nona AI Agent transcripts. When you open the on-site voice or chat agent we collect the audio you speak and the text you type, plus the agent's responses. These pass through OpenAI's Realtime API and are kept on our servers only for the duration of the session unless you explicitly opt in to leave a transcript with your contact info.
- Technical metadata. IP address, user agent, page path, and approximate region for the duration of your visit. Used for security, fraud prevention, and aggregated traffic reporting.
- Email newsletter. If you subscribe to our newsletter we store your email until you unsubscribe.
- LinkedIn integration data. If you sign in with LinkedIn or connect a LinkedIn page to Nona AI, we collect only the data fields covered by the OAuth scopes you explicitly approve — typically your LinkedIn profile (name, headline, profile picture, public profile URL), email address, and, where you grant the relevant permissions, organization-page content and analytics. Full breakdown in § LinkedIn integration.
We do not collect: your real-time location, your browsing history outside our site, biometric identifiers, financial account details, or any sensitive category of data under GDPR Article 9 / CCPA § 1798.140(ae).
How we use it.
Lawful basis (GDPR Art. 6). We rely on (a) your consent when you submit the contact form, subscribe to the newsletter, or start an agent conversation, and (b) our legitimate interest in running a secure, useful B2B website. Where we use legitimate interest we balance it against your fundamental rights and document the assessment internally.
We use your data only to:
- Reply to your inquiry and scope a proposal if you ask.
- Generate live responses through the Nona AI Agent and route follow-ups to a human if requested.
- Measure aggregated, non-personalized usage so we can improve the site (which pages get traffic, where the agent gets stuck).
- Comply with legal obligations and respond to lawful requests from authorities.
Voice & chat agent.
The site includes a Nona AI Agent powered by OpenAI's Realtime API (gpt-4o). When you open it:
- Your microphone access is opt-in. We never enable the microphone without an explicit click.
- Audio is streamed peer-to-peer to OpenAI via WebRTC using a short-lived ephemeral session token we mint server-side. The raw audio does not transit Nona AI servers.
- We log only session metadata (session ID, start/end time, total duration) and the agent's final summary. Full transcripts are kept for 30 days for quality review, then deleted.
- Sessions are capped at 5 minutes by default. After that the agent will offer to schedule a human conversation.
- You can request deletion of your transcript at any time at privacy@nonamedai.com.
OpenAI's data handling for Realtime API requests is governed by their API Data Usage Policies. OpenAI does not use API inputs or outputs to train their models.
LinkedIn integration.
Nona AI integrates with LinkedIn through LinkedIn's official APIs and OAuth 2.0 / OpenID Connect authorization flows. We comply with the LinkedIn API Terms of Use and the LinkedIn Platform restricted-use policies.
- Scopes we may request. We request only the OAuth scopes required to operate the feature you initiated — for example openid, profile, email for Sign In with LinkedIn, and, when you opt into publishing or analytics for a LinkedIn organization you manage, the narrowest applicable scopes (e.g. w_member_social, w_organization_social, r_organization_social). Each scope is shown to you on LinkedIn's consent screen before approval.
- How LinkedIn data is used. Solely to power the feature you authorized: authenticating you, publishing content you compose on your behalf, or surfacing analytics inside the Nona AI dashboard for the organization you administer. We do not enrich profiles, do not build shadow profiles, and do not combine LinkedIn data with third-party datasets for advertising or resale.
- Token storage and security. LinkedIn OAuth access and refresh tokens are stored encrypted at rest (AES-256) in a tenant-isolated secrets store, scoped to the authorizing account, transmitted only over TLS 1.3, and rotated according to LinkedIn's token lifetime policy. Tokens are never logged, never embedded in URLs, and never shared with third parties beyond the processors listed in § Third-party processors.
- No scraping, no unauthorized collection. We access LinkedIn exclusively through the official LinkedIn APIs and only within the scopes you grant. We do not scrape LinkedIn pages, do not harvest member or connection data outside the OAuth grant, do not bypass rate limits, and do not access information through any unofficial endpoints.
- Sharing LinkedIn data. LinkedIn-derived data stays within Nona AI's infrastructure and the sub-processors listed in § Third-party processors. We do not sell, license, or transfer LinkedIn data to data brokers, advertisers, or any third party outside that list.
- Marketing Developer Platform & Lead Gen Forms. When a Nona AI customer authorizes us to operate their LinkedIn Ads account through the Marketing Developer Platform, we access only campaign-management and reporting endpoints needed to perform the work — we do not download Matched Audiences or member-level audience lists. When that customer collects leads through LinkedIn Lead Generation Forms, the lead's contact information is retrieved through the Lead Sync endpoint, transferred directly into the customer's CRM of record, and retained inside Nona AI only as long as needed to complete the transfer (typically < 24 hours) before being purged from our systems. Conversion data from the LinkedIn Insight Tag is processed only in the customer's Ads Account; Nona AI does not retain raw conversion events.
- Revoking access. You can revoke Nona AI's access to your LinkedIn account at any time from your LinkedIn permitted-services settings, or by emailing privacy@nonamedai.com. On revocation we invalidate our copies of your tokens immediately and delete LinkedIn-derived data within 30 days.
- LinkedIn's own data handling. LinkedIn's collection, processing, and disclosure of your data are governed by the LinkedIn Privacy Policy. LinkedIn is an independent data controller for the data it holds about you on its platform.
- Compliance contact. For LinkedIn-API-specific compliance questions or to exercise any of the rights above as they relate to LinkedIn data, email privacy@nonamedai.com with the subject “LinkedIn data request”.
Third-party processors.
We use the following service providers (data processors under GDPR Art. 28). All are bound by data processing agreements.
| Service | Purpose | Data shared |
|---|---|---|
| OpenAI | Realtime voice and chat agent. | Audio stream, text messages, session metadata. |
| Resend | Transactional email for contact form submissions. | Name, email, company, message content. |
| Railway | Application hosting (Node.js runtime, SSR). | IP address, HTTP request logs. |
| LinkedIn | OAuth sign-in, content publishing, and organization analytics — only with the scopes you explicitly approve. | OAuth tokens, profile fields you authorize, content you publish or read, organization analytics for pages you administer. |
| GoDaddy | Domain registrar and DNS. | Domain-level DNS lookups only. |
Data retention.
- Contact form submissions: 24 months from the last interaction.
- Newsletter subscription: until you unsubscribe.
- Voice/chat agent transcripts: 30 days.
- LinkedIn OAuth tokens and LinkedIn-derived data: until you disconnect the integration or revoke access in LinkedIn settings, then deleted within 30 days.
- Server logs (IP, request path): 90 days.
- Commercial engagement records (proposals, invoices, SOWs): 7 years per applicable tax law.
International transfers.
Nona AI Tech, Inc. is incorporated in the United States. Our processors (OpenAI, Resend, Railway) primarily process data in the United States. If you are in the EU, UK, or another jurisdiction with cross-border restrictions, we rely on Standard Contractual Clauses (SCCs) under GDPR Art. 46 with each processor. You may request a copy of the SCC executed with a specific processor by emailing privacy@nonamedai.com.
Your rights.
Depending on your jurisdiction you may have the right to:
- Access — request a copy of the personal data we hold on you.
- Rectify — ask us to correct inaccurate or incomplete data.
- Erase — request deletion of your data (also known as the right to be forgotten).
- Restrict — limit how we process your data.
- Port — receive your data in a machine-readable format.
- Object — object to processing based on our legitimate interest.
- Withdraw consent — withdraw consent at any time for processing based on consent.
- Revoke LinkedIn access — disconnect Nona AI from your LinkedIn account at any time via LinkedIn's permitted-services settings. We delete LinkedIn-derived data within 30 days of revocation.
- Lodge a complaint — with your local supervisory authority. EU/UK residents may also contact their data protection authority.
To exercise any of these rights, email privacy@nonamedai.com. We respond within 30 days.
Security.
Data in transit is encrypted using TLS 1.3. Data at rest in our application database is encrypted using AES-256. Access to production systems is restricted to named engineers and rotated quarterly. We follow least-privilege principles and audit access logs monthly. We do not store payment information — invoicing runs through Stripe under their PCI DSS Level 1 certification.
Children.
The Nona AI site and product are not directed to children under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@nonamedai.com and we will delete it.
Changes.
When we make material changes to this policy we update the effective date at the top of this page and, where required, email the change to active commercial customers. Continued use of the site after a change indicates acceptance of the updated policy.
Contact.
For privacy questions, data requests, or any concern about how we handle your information:
For EU residents, we will appoint a representative under GDPR Art. 27 before launching paid services to EU customers. The appointment will be announced in this section.