Privacy Policy

Effective Date: 2026-04-13  |  Last Updated: 2026-04-29

Entity: Nobsy, LLC, a California Limited Liability Company (“Nobsy,” “we,” “us,” or “our”).

This Privacy Policy governs the data collection, processing, and protection practices for the Nobsy PDF Retrieval-Augmented Generation (RAG) application, accessible at nobsy.ai, and associated services (the “Service”). This document describes our data flows, your rights under applicable legal frameworks—including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the General Data Protection Regulation (GDPR/UK GDPR)—and the allocation of responsibility regarding uploaded content.

1. Controller vs. Processor & Data Categories

To provide a secure and functional RAG pipeline while complying with applicable privacy frameworks, we separate the data we process into two operational categories:

Category A: Account & Billing Data (Nobsy as Data Controller). Information required to maintain your account, provide support, and process payments. This includes your name, email address, IP address, corporate affiliation, job title, and payment history.

1.1 Legal Bases for Category A Processing (GDPR/UK GDPR)

We process Category A data on the following legal bases, mapped by purpose:

Processing Purpose

Legal Basis

GDPR Article

Account provisioning & service delivery

Performance of a Contract

Art. 6(1)(b)

Billing & payment processing

Performance of a Contract

Art. 6(1)(b)

Fraud prevention & platform security

Legitimate Interest

Art. 6(1)(f)

Security logging & abuse prevention

Legitimate Interest

Art. 6(1)(f)

Essential service communications

Performance of a Contract

Art. 6(1)(b)

Optional marketing communications

Consent

Art. 6(1)(a)

Legal & regulatory compliance

Legal Obligation

Art. 6(1)(c)

Category B: AI Pipeline Data. The content you upload to our platform, including unstructured text extracted from PDF documents, your chat queries, and the resulting session histories generated by the AI interface.

1.2 Role Allocation for Category B Data

For AI Pipeline Data processed solely to provide document retrieval, embedding generation, query handling, and response generation on behalf of an enterprise customer operating under an executed Data Processing Agreement (DPA) or Master Service Agreement (MSA), Nobsy acts as a processor/service provider and the customer acts as the controller/business.

For self-service individual accounts, and for processing necessary to secure, maintain, troubleshoot, prevent abuse of, and administer the Service, Nobsy acts as an independent controller with respect to such processing.

2. User-Provided Content & Shared Responsibility

2.1 General Acknowledgment

By utilizing Nobsy PDF, you acknowledge that our system ingests unstructured text from PDFs for the sole purpose of enabling chat-to-document interactions.

2.2 Prohibited Content Categories

You are prohibited from uploading categories of regulated data as described in Section 4.1 of our Terms of Service, including but not limited to:

2.3 Responsibility for Enterprise Accounts

For enterprise and organizational accounts governed by a separately executed DPA or MSA, the allocation of data minimization, redaction, and compliance obligations shall be as set forth in that executed agreement. In the absence of such an agreement, the terms of this Section 2 apply.

2.4 Responsibility for Individual Accounts

For individual (non-enterprise) users, Nobsy implements the following safeguards:

Upload-Time Acknowledgment. By uploading a document, you represent and warrant that the content complies with our Acceptable Use Policy (Section 4.1 of our Terms of Service) and does not contain categories of data prohibited thereunder.

Content Responsibility. You are solely responsible for ensuring that content you upload complies with our Acceptable Use Policy. We do not guarantee detection of regulated or sensitive data within uploaded content.

2.5 Indemnification & Liability

Liability allocation and indemnification obligations arising from user-uploaded content are governed exclusively by the applicable Terms of Service agreement, not this Privacy Policy.

3. AI Sub-Processor Data Flow

When you upload a document to Nobsy PDF, the data follows this path:

Extraction & Embedding. Document text is extracted and converted into mathematical representations (embeddings) via embedding models.

Vector Storage. Embeddings are stored in a PostgreSQL database with pgvector extension, hosted on Amazon Web Services (AWS) infrastructure within the United States.

Inference Processing. When you query a document, relevant text chunks and your prompt are transmitted to OpenAI’s enterprise API endpoints for inference processing.

Our core application infrastructure is hosted on Amazon Web Services (AWS) in the US-West-1 (N. California) region, with availability zone redundancy where supported by the deployment configuration. A complete list of infrastructure providers, their data processing locations, and applicable DPAs is maintained in our Sub-Processor Registry (Section 6).

4. No Model Training Commitment

Nobsy does not use customer Account Data or AI Pipeline Data—including uploaded PDFs, embeddings, and chat session histories—to train, fine-tune, or improve any general-purpose AI models.

Where we use third-party LLM or embedding providers, we obtain data processing agreements that include commitments against using customer content for provider model training, and we configure such services to minimize retention and to restrict use of customer content to the requested inference or embedding functionality. Current provider-specific data handling configurations, including applicable retention policies, are described in our Sub-Processor Registry (Section 6). Third-party providers are independently responsible for compliance with their own data processing commitments.

Because third-party provider terms and technical controls may evolve, current provider-specific details—including applicable data retention configurations and contractual terms—are described in our Sub-Processor Registry (Section 6). Nobsy periodically reviews sub-processor compliance with these contractual terms.

5. Cookies and Similar Technologies

Nobsy uses the following categories of cookies and similar tracking technologies on nobsy.ai and within the Service:

Essential Cookies. Required for core Service functionality, authentication, and security. These cannot be disabled.

Analytics Cookies. We use Google Analytics (GA4) and Microsoft Clarity to understand usage patterns and improve the Service. Google Analytics collects interaction data including page views, session duration, and device information. Microsoft Clarity collects heatmap and session recording data to analyze user experience. These may be disabled via your cookie preferences.

Advertising/Tracking Cookies. Our Google Analytics implementation is linked to Google Ads for cross-context behavioral advertising, including audience building and remarketing. Identifiers and internet activity information may be shared with Google for these purposes. You may opt out of this sharing as described in Section 10.2.

You can manage cookie preferences through the cookie banner displayed on nobsy.ai or through your browser settings. We do not respond to legacy “Do Not Track” browser signals. However, we recognize and honor Global Privacy Control (GPC) signals as described in Section 10.2.

6. Third-Party Sub-Processors & Data Sharing

We do not sell your personal data. We share data solely with infrastructure providers required to operate the Service.

Our current authorized sub-processors are:

Sub-Processor

Role

Data Location

Data Categories

Amazon Web Services (AWS)

Cloud hosting, compute, database (RDS PostgreSQL with pgvector)

United States (us-west-1)

Category A & B

OpenAI

LLM inference processing (enterprise API endpoints)

United States

Category B

Stripe

Payment processing

United States

Category A (billing)

Google (GA4 / Google Ads)

Analytics & advertising

United States

Category A (identifiers, network activity)

Microsoft (Clarity)

Analytics (heatmaps, session recordings)

United States

Category A (network activity)

Cohere

Search result reranking (inference processing)

United States

Category B

Amazon SES

Transactional email delivery

United States

Category A (email address)

Cloudflare (Turnstile)

Bot detection and abuse prevention

Global (Cloudflare edge network)

Category A (IP address, browser metadata)

A maintained version of this registry with links to each sub-processor’s Data Processing Agreement (DPA) is available at: https://pdf.nobsy.ai/sub-processors.html.

We will provide reasonable advance notice before authorizing a new sub-processor that will process Category B data. Customers may object on reasonable data protection grounds within a reasonable period following notification. If we cannot reasonably accommodate the objection, the customer may terminate the affected Service, without penalty, on written notice before the new sub-processor begins processing the relevant data.

7. Retention Timelines & Data Deletion

7.1 Retention by Data Category

We retain personal data only as long as necessary for the purposes described in this Policy or as required by applicable law:

Data Category

Retention Period

Basis

Account identifiers & profile

Until account deletion; residual copies in encrypted backups up to 90 days

Service delivery

Billing & transaction records

Until account deletion; residual copies in encrypted backups up to 90 days

Payment compliance

Support communications

Until account deletion; residual copies in encrypted backups up to 90 days

Service improvement / disputes

Analytics data (GA4, Clarity)

Per provider defaults (GA4: 14 months; Clarity: 13 months)

Analytics / product improvement

Uploaded documents & embeddings

Until user-initiated deletion or account termination

Service delivery

Chat session histories

Until user-initiated deletion or account termination

Service delivery

Encrypted backup residue

Overwritten per backup rotation (max 90 days)

Disaster recovery

7.2 Category B Data Deletion Protocol

When you initiate the deletion of a document or terminate your account, Nobsy will promptly delete or render inaccessible the relevant data from production systems, and in any event within ten (10) business days:

Source File Deletion. The original PDF is deleted from our cloud storage.

Embedding Deletion. All associated mathematical embeddings are deleted from the PostgreSQL vector database.

Context and Session Clearing. All temporary context windows and associated chat logs tied to that document are cleared from our active databases.

Limited residual copies may remain temporarily in encrypted backups, logs, or disaster-recovery systems and will be deleted or overwritten in the ordinary course pursuant to our backup retention schedule (maximum 90 days). Additionally, our AI inference sub-processor (OpenAI) may retain API inputs for up to 30 days solely for abuse and safety monitoring, in accordance with their enterprise data processing terms. Upon request, we will confirm via email that deletion from production systems has been initiated.

8. Cross-Border Data Transfers

Nobsy’s core infrastructure is hosted in the United States on Amazon Web Services (AWS). Your Account Data and AI Pipeline Data will be transferred to, processed, and stored on servers located in the United States.

For users accessing the Service from Canada, the transfer of personal information to the United States is necessary to perform the Service under our agreement with you and is conducted in accordance with PIPEDA. By using the Service, you consent to this transfer.

For users accessing the Service from the European Economic Area (EEA), the United Kingdom, or Switzerland, we ensure adequate protection for cross-border data transfers through the Standard Contractual Clauses (SCCs) incorporated into our subprocessors’ data processing agreements.

Where required, we also assess the legal and practical risks of relevant transfers and implement supplementary contractual, technical, and organizational safeguards appropriate to the nature of the transferred data, including encryption in transit and at rest, access controls, and data minimization. Further details may be provided in applicable customer agreements.

9. Security Measures

We implement commercially reasonable, industry-standard technical and organizational measures to protect your data, including:

No internet-based service can guarantee absolute security. We do not warrant the absolute security of any information transmitted to or stored by the Service.

In the event of a security incident affecting personal data, Nobsy will notify affected users and applicable regulatory authorities in accordance with the timelines required by applicable law. For enterprise customers, incident notification timelines, content, and cooperation obligations may be specified in the applicable customer agreement or data processing addendum. Where no such agreement applies, we will provide notice without undue delay after confirming a security incident affecting personal data.

10. CCPA/CPRA Disclosures (California Residents)

Nobsy provides CCPA/CPRA-compliant rights to all California residents, including requests for access, deletion, and correction of personal information.

10.1 Categories of Personal Information Collected

In the preceding twelve (12) months, we may have collected the following categories of personal information as defined by Cal. Civ. Code §1798.140(v), depending on how you use the Service:

10.2 “Sale” and “Sharing” of Personal Information

We do not sell your personal data for monetary consideration as defined by CCPA §1798.140(ad).

We “share” (as defined by CPRA §1798.140(ah)) identifiers and internet activity information with Google through the linkage of Google Analytics (GA4) and Google Ads for cross-context behavioral advertising, including audience building and remarketing. California residents may opt out of this sharing by:

10.3 Sensitive Personal Information

We do not request or intentionally seek to collect sensitive personal information for purposes of inferring characteristics about consumers. However, because users may upload unstructured documents, uploaded content may contain sensitive personal information. Where such information is included in customer-provided content, we process it solely to provide the requested Service, to maintain security, and as otherwise permitted by applicable law, and not for profiling or cross-context behavioral advertising.

10.4 Your Rights Under CCPA/CPRA

We will not discriminate against you for exercising any of these rights. We verify consumer requests by matching the request to the email address associated with your account and requesting confirmation from that email. Authorized agents may submit requests on your behalf with verifiable written authorization. We will respond to verifiable consumer requests within forty-five (45) days, with the option to extend by an additional forty-five (45) days if reasonably necessary.

10.5 California “Shine the Light” Disclosure

California residents may request information regarding whether we have disclosed certain personal information to third parties for their direct marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for their own direct marketing purposes.

11. Rights for Individuals in the EEA, UK, and Switzerland

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you may have the following rights under applicable data protection law:

To exercise any of these rights, contact our Privacy Officer using the details in Section 15. We will respond to data subject access requests within one (1) month, extendable by up to two (2) additional months where necessary due to complexity or volume. Data portability requests will be provided in a structured, commonly used, machine-readable format (e.g., JSON or CSV).

You also have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members\_en.

11.1 Automated Decision-Making

We do not engage in solely automated decision-making that produces legal effects or similarly significant effects on individuals within the meaning of GDPR Article 22. Our AI features assist users in retrieving and interacting with their own uploaded content and do not make autonomous decisions about individuals.

12. International User Rights & PIPEDA Compliance

12.1 Global Data Rights

Regardless of your jurisdiction, you maintain the right to access, correct, or delete your personal data, and to withdraw consent for marketing communications. To exercise these rights, contact our Privacy Officer using the details in Section 15.

12.2 PIPEDA Accountability (Canadian Users)

In accordance with Canada’s PIPEDA and the Fair Information Principles, Nobsy designates the Privacy Officer identified in Section 15 as the individual accountable for our compliance.

Consent. By creating an account and using the Service, you provide meaningful consent to the collection, use, and disclosure of personal information reasonably necessary to provide the Service. We will seek additional consent where required for non-essential processing that is not reasonably necessary to provide the Service. You may withdraw consent for non-essential processing at any time by contacting our Privacy Officer or by using the account management tools within the Service.

Breach Notification. In the event of a breach of security safeguards involving personal information under our control that poses a real risk of significant harm, we will provide any required notifications to affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible after we determine that the breach has occurred, as required by PIPEDA §10.1.

13. Children’s Privacy

The Service is not directed to children, and we do not knowingly collect personal information from children under the age of 13 (or such higher age as may be defined by applicable local law). We also require all users to be at least 18 years old under our Terms of Service. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete such information promptly.

14. Policy Updates

We reserve the right to update this Privacy Policy to reflect changes in applicable regulatory frameworks, AI-specific legislation, or our system architecture. We will provide notice of material changes via email to the address associated with your account at least fourteen (14) days prior to the changes taking effect.

Where required by applicable law, we will obtain your consent to material changes before they take effect. Otherwise, your continued use of the Service after the effective date of the revised Privacy Policy will be subject to the updated terms.

15. Contact Information & Privacy Officer

If you have questions regarding this Privacy Policy, wish to exercise your data rights, or need to contact our designated Privacy Officer regarding accountability and compliance, please contact:

Nobsy Privacy Officer

Email: privacy@nobsy.ai

Telephone: (650) 661-4298

Address: 2108 N ST STE N, Sacramento, CA 95816

Document version: 5.4 | Last revised: April 29, 2026