Privacy Policy

NestBrain is operated by Mike Gazzaruso (NextEpochs), Italy, the data controller for the purposes of GDPR. For any privacy-related request, write to privacy@nextepochs.com.

We collect only what is strictly necessary:

• Account data (when you sign in with Google): your Google ID, email address, full name, and profile picture URL. Provided by Google OAuth 2.0 at your explicit authorization.
• Session data: a randomly-generated session token stored in an HTTP-only cookie to keep you signed in for up to 30 days.
• Newsletter subscription (only if you subscribe): your email address and IP address (for rate limiting / anti-abuse).
• Purchase data (if you buy the Supporter License): processed directly by our payment provider Polar, who acts as Merchant of Record. We never see or store your card details. We only receive the order metadata (order ID, product, amount, email) via Polar's API to make your downloads available.

The NestBrain desktop app itself is fully local-first. All wiki content, settings, and workspace files live on your own machine. We do not collect any usage data, telemetry, crash reports, or analytics from the desktop app.

• Account & sessions — contractual necessity (Art. 6(1)(b) GDPR): we cannot provide the account feature without authenticating you.
• Newsletter — consent (Art. 6(1)(a) GDPR): you voluntarily enter your email. You can unsubscribe anytime with a single click in any email.
• Purchases — contractual necessity (Art. 6(1)(b) GDPR) and legal obligations regarding VAT / invoicing.
• Anti-abuse (IP logging on forms) — legitimate interest (Art. 6(1)(f) GDPR): preventing spam and automated abuse.

• Account data: until you delete your account or request deletion.
• Sessions: 30 days from creation, then automatically expired.
• Newsletter email: until you unsubscribe.
• Purchase data: as long as required by EU tax law (typically 10 years for invoices), kept by Polar as the Merchant of Record.

We share data with a small number of trusted processors:

• Google LLC — OAuth 2.0 sign-in. Governed by Google's privacy policy.
• Polar Software Inc. — payment processing, invoicing, VAT compliance (Merchant of Record). Governed by Polar's privacy policy.
• Our hosting provider — the website runs on a dedicated server located in the EU. Data is stored in a PostgreSQL database on the same server.

We do not sell or rent your personal data to anyone, ever.

Google (USA) and Polar (USA) are outside the European Economic Area. Transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.

You have the right to:

• Access — ask for a copy of the data we hold about you
• Rectification — correct inaccurate data
• Erasure ("right to be forgotten") — delete your account and all associated data
• Restriction — limit how we process your data
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Withdraw consent — at any time, without affecting the lawfulness of processing before the withdrawal

To exercise any of these rights, email privacy@nextepochs.com. We'll respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority (in Italy: the Garante per la Protezione dei Dati Personali).

Sessions are stored in HTTP-only cookies with the Secure and SameSite=Lax flags to prevent XSS and CSRF attacks. All traffic is served over HTTPS (TLS 1.3). Passwords are never stored because we don't use passwords — authentication is delegated to Google OAuth.

See our detailed Cookie Policy for the full list. Short version: we only use strictly necessary cookies for authentication and security. No tracking, no analytics, no marketing.

We may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be announced via the newsletter (if you're subscribed) and prominently on this page.