1. Who we are
Nemu & Co. ("Nemu", "we", "our") is a software company incorporated in Zürich, Switzerland. We operate the Nemu platform — a freelance automation tool available at app.nemu.agency. This policy explains how we collect, use, and protect your personal data.
2. What data we collect
We collect the following categories of data:
- Account data — your name, email address, and password (hashed using bcrypt) when you register.
- Profile & workspace data — timezone, currency preference, hourly rate, business details, and workspace settings you provide.
- Client & project data — information you input about your clients, projects, tasks, meetings, bookings, time entries, invoices, and receipts.
- Billing data — subscription plan, payment status, and invoice history. Payment card details are processed by Stripe Payments Europe, Ltd. and never stored on Nemu servers.
- Communication data — emails we send you (transactional + optional marketing), and support messages you send us.
- Usage data — pages visited, feature usage, session timestamps, browser/device info, and approximate geolocation (country-level, via IP) used for currency detection.
- Calendar & email integration data (only if you connect a Google, Microsoft, or iCloud calendar) — OAuth refresh tokens, event metadata, and attendee info needed to display your schedule. We never read personal email content.
- Cookies & identifiers — session cookies for authentication and minimal analytics identifiers. See our Cookie Policy.
2a. Legal basis for processing (GDPR Art. 6)
- Contract — processing necessary to deliver Nemu's services you've subscribed to (Art. 6(1)(b)).
- Legal obligation — invoice retention, tax records, and anti-fraud monitoring (Art. 6(1)(c)).
- Legitimate interests — product analytics, security monitoring, and fraud prevention, balanced against your rights (Art. 6(1)(f)).
- Consent — optional marketing emails, non-essential analytics cookies. You can withdraw consent at any time (Art. 6(1)(a)).
3. How we use your data
- To provide and improve the Nemu platform.
- To generate time reports, invoices, and automation outputs on your behalf.
- To send transactional emails (invoice confirmations, reminders, weekly summaries).
- To respond to support requests.
- To detect abuse, fraud, and security incidents.
- To comply with legal obligations under Swiss and EU law.
We do not sell, rent, or share your data with third parties for advertising purposes.
4. Subprocessors & data transfers
We use the following carefully vetted providers to deliver the Service. Each has signed a Data Processing Agreement with us:
| Subprocessor | Purpose | Data region |
|---|
| Supabase Inc. | Database, auth, storage | Ireland (EU) |
| Stripe Payments Europe, Ltd. | Payment processing, VAT | Ireland (EU) + US (SCCs) |
| Resend Inc. | Transactional email | Ireland (EU) |
| Vercel Inc. | Hosting, edge CDN | Global edge + US (SCCs) |
| Google LLC / Microsoft Corp. | Calendar + email sync (only if you opt-in) | US (SCCs) |
When data is transferred outside the European Economic Area or Switzerland, we rely on EU Standard Contractual Clauses (SCCs) and Swiss-EU equivalency decisions to ensure an equivalent level of protection. A full up-to-date subprocessor list is available at privacy@nemu.agency on request.
5. How long we keep your data
We retain your account and billing data for as long as your account is active, plus a further 12 months after deletion for legal and audit purposes. Activity logs older than 24 months are automatically purged. You can request immediate deletion at any time.
6. Your rights (GDPR & Swiss nFADP)
Whether you are in the EU/EEA under the GDPR, in Switzerland under the revised Federal Act on Data Protection (nFADP), or in the UK under UK GDPR, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or outdated data.
- Erasure — request deletion of your account and associated data ("right to be forgotten").
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format (JSON).
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — revoke any consent you previously gave.
- Lodge a complaint — Swiss residents: FDPIC (Federal Data Protection and Information Commissioner, edoeb.admin.ch); EU residents: your national data protection authority.
- Not be subject to solely automated decisions with legal or similar effect.
You can exercise most rights directly from Settings → Privacy (export data, delete account). For anything else email us at privacy@nemu.agency. We will respond within 30 days.
6a. Children's privacy
Nemu is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, contact privacy@nemu.agency and we will promptly delete it.
6b. Security measures
We take security seriously. Measures include:
- All data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Passwords hashed with bcrypt — never stored in plaintext.
- Row Level Security (RLS) in our database so users can only access their own data.
- Rate limiting on authentication and sensitive API endpoints.
- Security headers including Content Security Policy, HSTS, and X-Frame-Options.
- Regular dependency scans and vulnerability monitoring.
- Responsible disclosure program — see our security page.
Despite our efforts, no system is 100% secure. If you suspect a breach, contact security@nemu.agency.
7. Cookies
We use strictly necessary cookies to operate the platform and optional analytics cookies to understand usage. See our Cookie Policy for details.
8. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect.