SystemIntelligenceSecurityPricing

Privacy Policy

Effective Date: April 18, 2025

1. Introduction

NOT A STUDIO LLC ("we", "us", or "our") is committed to protecting the privacy and security of your business and personal data. This Privacy Policy explains how we collect, use, and safeguard information when you use the NaS_OS platform (the "Service").

This Policy is designed to comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.

Data Controller contact details:

Where we process personal data contained in documents uploaded by our clients (e.g., deal documents, financial data), we act as a data processor on behalf of our clients, who are the data controllers. In those cases, our Data Processing Agreement (DPA) governs the processing.

2. What Data We Collect

2.1 Account and Registration Data

  • Full name and professional title
  • Business email address
  • Company name and type (e.g., M&A advisory firm, financial boutique)
  • Password (stored in hashed form — we never store plain-text passwords)
  • Billing contact information

2.2 Payment Data

Payment transactions are processed by third-party payment providers (e.g., Stripe). We do not store credit card numbers or full payment credentials. We retain only transaction identifiers, amounts, and dates for accounting purposes.

2.3 Client Content — Deal Documents and Financial Data

This is the most sensitive category of data we process. When you use the Service, you upload documents that may contain:

  • Confidential business information, financial statements, and M&A deal materials
  • Personal data of third parties (e.g., names of company officers, directors, shareholders, advisors, or counterparties referenced in deal documents)
  • Commercially sensitive data including revenues, valuations, cap tables, and financial projections

We process this Client Content exclusively to provide the Service as described in our Terms of Service. We do not use Client Content for any other purpose, including AI model training, without your explicit written consent.

2.4 AI Processing Data

NaS_OS uses artificial intelligence systems to analyze, extract, and structure data from uploaded documents. This AI processing involves:

  • Automated reading and parsing of document content
  • Extraction of structured data fields (financial metrics, entities, dates, terms)
  • Cross-document comparison and discrepancy detection
  • Generation of Information Memorandums and structured summaries

AI-generated outputs are stored in our systems associated with your account. These outputs are subject to the same confidentiality and retention policies as Client Content.

2.5 Usage and Technical Data

  • Pages and features accessed, session duration, and interaction logs
  • IP address, browser type, device type, and operating system
  • Server logs and error reports
  • Cookies and similar technologies (see Section 8 and our Cookie Policy)

2.6 Communications Data

Any messages, support requests, or feedback you send us, including email correspondence.

3. Legal Basis for Processing (GDPR)

  • Contract performance (Article 6(1)(b)): processing necessary to provide the Service you have subscribed to, including processing Client Content to generate AI outputs.
  • Legitimate interests (Article 6(1)(f)): service improvement, security monitoring, fraud prevention, and business analytics — where our interests do not override your rights.
  • Legal obligation (Article 6(1)(c)): compliance with applicable laws, including financial record-keeping requirements.
  • Consent (Article 6(1)(a)): for marketing communications and any optional processing where we request your consent.

4. How We Use Your Data

  • Providing, operating, and maintaining the Service and AI features
  • Processing and analyzing uploaded deal documents to generate outputs
  • Managing your account, subscription, and billing
  • Sending service communications (account notices, security alerts, product updates)
  • Responding to support requests and inquiries
  • Detecting and preventing security threats and abuse
  • Complying with legal obligations

We do not sell your personal data. We do not use Client Content to train AI models without explicit written consent.

5. Data Sharing and Disclosure

5.1 Service Providers (Sub-processors)

We share data with third-party providers who help us operate the Service. All sub-processors are bound by data processing agreements. Current sub-processors include:

  • Supabase Inc. — database and file storage infrastructure (EU Frankfurt region)
  • AI infrastructure providers — for document processing and generation features
  • Stripe Inc. — payment processing

5.2 Legal Disclosure

We may disclose data if required by law, court order, or to protect our legal rights.

5.3 Business Transfers

In a merger, acquisition, or sale of assets, data may be transferred subject to confidentiality obligations.

We never share Client Content with third parties for their own commercial purposes.

6. International Data Transfers

Our primary infrastructure is located in Frankfurt, Germany (EU Central), specifically to support GDPR compliance for our European clients.

NOT A STUDIO LLC is registered in the United States (Wyoming). Where data is transferred outside the European Economic Area, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

  • Account and registration data: retained for the duration of your subscription plus 30 days after termination.
  • Client Content and AI-generated outputs: retained for the duration of your subscription plus 30 days post-termination, then permanently deleted.
  • Usage and technical logs: up to 12 months for security and performance purposes.
  • Financial and billing records: as required by applicable law (typically 7 years).
  • Support communications: up to 3 years.

You may request deletion of your data at any time by contacting legal@nas-os.io.

8. Cookies

We use cookies and similar technologies on our website and platform. For full details, see our Cookie Policy at https://nas-os.io/legal/cookies.

9. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights:

  • Right of access: obtain a copy of personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your data where legally permitted.
  • Right to restriction: request that we limit how we process your data.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests.

To exercise any of these rights, contact us at legal@nas-os.io. We will respond within 30 days. You also have the right to lodge a complaint with your national Data Protection Authority.

10. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and authentication requirements
  • Infrastructure hosted in EU data centers with physical security controls
  • Regular security monitoring and vulnerability assessments

In the event of a personal data breach affecting your rights, we will notify you and relevant authorities as required by law within 72 hours.

11. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or website notice at least 14 days before they take effect.

13. Contact

NOT A STUDIO LLC
30 N Gould St, STE R, Sheridan, WY 82801, USA
Email: legal@nas-os.io
Website: https://nas-os.io

© 2026 NOT A STUDIO LLC. All rights reserved.