NIMAI Labs — Privacy Policy

Last updated: March 10, 2026


1. Introduction

This Privacy Policy explains how NIMAI Labs ("NIMAI", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the NIMAI Labs platform ("Platform"), including the website at nimailabs.com and the NIMAI Labs mobile application.

NIMAI Labs is the data controller for your personal data. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and the Dutch Implementation Act (Uitvoeringswet AVG).

This Privacy Policy is drafted in English, which is the legally binding version.


2. Data Controller

  • Business name: NIMAI Labs
  • Legal form: Sole proprietorship (eenmanszaak), Netherlands
  • Address: [TO BE FILLED IN WITH ADDRESS SERVICE]
  • KvK: [PENDING]
  • Contact: contact@nimailabs.com

3. What Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Name — Your display name or artist name
  • Email address — For account access, notifications, and communication
  • Profile photo — If you choose to upload one
  • Country/location — If you choose to provide it
  • Authentication data — Managed by our authentication provider (Clerk), including login method and session tokens

3.2 Profile and Preference Data

As you use the Platform, you may provide:

  • Artist name, bio, genres, artistic level, and main goals
  • Social media links (Spotify, Instagram, TikTok, etc.)
  • Language preference and theme preference
  • Notification preferences (email, push)

3.3 Content Data

Content you create or upload on the Platform:

  • Music projects (names, descriptions, settings)
  • Audio files (tracks, memos, beat uploads)
  • Video files (Discovery submissions)
  • Images (cover art, portfolio items, profile photos)
  • Text (lyrics, notes, ideas, decisions, annotations)
  • Split sheet data (collaborator names, roles, ownership percentages)
  • Marketing content (smart links, EPK data)

3.4 Usage Data

We automatically collect:

  • Pages and features you access on the Platform
  • Interactions with the AI assistant (messages sent and context provided)
  • Project activity (track phase changes, check-ins, actions completed)
  • Discovery engagement (clips viewed, fires given)
  • Device type and browser information (via Vercel Analytics — no personal identifiers)
  • Approximate location (country-level, derived from IP address for analytics only)

3.5 Payment Data

When you subscribe or make purchases:

  • Payment processing is handled entirely by Stripe
  • We do NOT store your credit card numbers, bank account details, or full payment card information
  • We receive from Stripe: transaction IDs, payment status, subscription status, and billing country
  • Stripe's handling of your payment data is governed by Stripe's Privacy Policy

3.6 Communication Data

  • Messages sent to other users through the Platform's messaging system
  • Emails sent to you by the Platform (notifications, digests, marketing)
  • Feedback and support requests submitted through the Platform

4. Why We Process Your Data (Legal Bases)

Under the GDPR, we process your data based on the following legal bases:

| Data | Purpose | Legal Basis |
|------|---------|-------------|
| Account data | Provide and maintain your account | Contract performance (Art. 6(1)(b)) |
| Content data | Store and display your projects and files | Contract performance (Art. 6(1)(b)) |
| Payment data | Process subscriptions and marketplace transactions | Contract performance (Art. 6(1)(b)) |
| AI interaction data | Provide AI assistant responses | Contract performance (Art. 6(1)(b)) |
| Usage analytics | Improve the Platform and fix issues | Legitimate interest (Art. 6(1)(f)) |
| Email notifications | Send transactional emails (password reset, feedback received) | Contract performance (Art. 6(1)(b)) |
| Marketing emails | Send product updates, tips, and promotions | Consent (Art. 6(1)(a)) |
| Discovery clips | Display and promote in Discovery feed | Consent (Art. 6(1)(a)) — given at submission |
| Push notifications | Send real-time alerts to your device | Consent (Art. 6(1)(a)) — given via device permission |
| Cookie data | Essential platform functionality | Legitimate interest (Art. 6(1)(f)) |


5. Data Processors (Third-Party Services)

We share your data with the following third-party services ("data processors") that help us operate the Platform. Each processor only accesses the data necessary for their specific function.

| Service | Purpose | Data Shared | Location |
|---------|---------|-------------|----------|
| Clerk | Authentication and user management | Name, email, profile photo, session data | USA (EU-US Data Privacy Framework) |
| Stripe | Payment processing | Email, payment details, billing country | USA (EU-US Data Privacy Framework) |
| OpenAI | AI assistant responses | Project context sent in messages (track names, notes, phases) | USA (EU-US Data Privacy Framework) |
| Google AI (Gemini) | AI assistant responses and daily digests | Project context, user locale | USA (EU-US Data Privacy Framework) |
| Resend | Transactional and notification emails | Email address, notification content | USA |
| Cloudflare (R2) | File storage (audio, video, images) | Uploaded files | EU (Amsterdam region configurable) |
| Vercel | Website hosting, serverless functions, analytics | Access logs, anonymized analytics | Global CDN, EU processing |
| Upstash | Rate limiting (Redis) | Anonymized request metadata | EU |

We have Data Processing Agreements (DPAs) or equivalent contractual safeguards with each processor.

For transfers to the United States, our processors participate in the EU-US Data Privacy Framework or we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

5.1 AI Data Processing — Special Notice

When you use AI-powered features (project assistant, copywriter, daily digest), a summary of your project context is sent to OpenAI or Google AI to generate a response. This context may include:

  • Your artist name and project names
  • Track names and their current phases
  • Recent notes, ideas, and feedback summaries
  • Your artistic tone and language preference

We do not send your actual audio files, video files, or full lyrics to AI providers. AI providers process this data under their data processing agreements and do not use it to train their models.


6. Data Retention

| Data Type | Retention Period |
|-----------|-----------------|
| Account data | Until you delete your account |
| Content (projects, tracks, files) | Until you delete the content or your account |
| Discovery submissions | Until expired by the daily lottery system or cancelled by you; video files are deleted from storage upon expiration |
| Messages | Until you delete your account |
| Payment records | 7 years (Dutch tax law — Algemene wet inzake rijksbelastingen) |
| Usage analytics | 26 months (anonymized) |
| AI conversation history | Not persisted — each session is independent |
| Push notification tokens | Until you unsubscribe or the token expires |
| Deleted account data | Purged within 30 days of account deletion, except data required by law |


7. Your Rights Under the GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15) — Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16) — Correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing (Art. 18) — Limit how we process your data
  • Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7) — Withdraw consent at any time for processing based on consent

How to Exercise Your Rights

Contact us at contact@nimailabs.com with your request. We will respond within 30 days as required by the GDPR.

For account-level actions, you can:

  • Export your data — Contact us to request a data export
  • Delete your account — Available in your account Settings
  • Manage notifications — Toggle email and push notifications in Settings
  • Withdraw Discovery consent — Cancel your Discovery submission at any time

Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Dutch Data Protection Authority:

  • Autoriteit Persoonsgegevens
  • Website: https://autoriteitpersoonsgegevens.nl
  • Phone: +31 (0)70 888 8500

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • All data transmitted between your device and our servers is encrypted using TLS/HTTPS
  • Authentication is managed by Clerk with industry-standard security practices
  • Payment processing is handled by Stripe (PCI DSS Level 1 compliant)
  • File storage uses Cloudflare R2 with access-controlled URLs
  • Database access is restricted, and the database is encrypted at rest
  • Rate limiting protects against abuse and unauthorized access
  • We regularly review and update our security practices

Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately at contact@nimailabs.com.


9. International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA), particularly the United States (via Clerk, Stripe, OpenAI, Google AI, Resend).

For these transfers, we ensure adequate protection through:

  • The EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all processors

10. Children's Privacy

The Platform is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16.

If we discover that we have inadvertently collected data from a user under 16, we will:

  • Terminate the account
  • Delete all associated personal data
  • Notify the user (or their parent/guardian if identifiable) of the deletion

If you believe a child under 16 has created an account, please contact us at contact@nimailabs.com.


11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or the Platform's features.

When we make material changes:

  • We will notify you via email or in-platform notification
  • The updated policy will be posted with a new "Last updated" date
  • We will provide at least 30 days' notice for material changes

12. Contact

For any privacy-related questions or requests:

  • Email: contact@nimailabs.com
  • Address: [TO BE FILLED IN WITH ADDRESS SERVICE]