Legal
Privacy Policy
Nomenon, Inc. (“Nomenon,” “we,” “us”) builds sovereign identity infrastructure. This Policy explains what information we collect when you visit nomenon.io, contact us, apply to be a design partner, or schedule a call — and what rights you have over that information.
1. Who we are
Nomenon, Inc. is a Delaware corporation. For purposes of the EU and UK General Data Protection Regulation, Nomenon is the controller of personal information described in this Policy. Our contact details are at the end.
2. Scope
This Policy covers personal information we collect through nomenon.io and any subdomain that links to this Policy (the “Site”), and through related off-Site interactions such as emails you send us, calls you book with us, and applications you submit to be a design partner.
This Policy does not cover websites or services operated by other companies, even if we link to them. When you click through to a third-party site, that site’s privacy practices govern.
3. Information we collect
3.1 Information you give us directly
When you fill out our contact form, you typically provide your name, email address, organization (if any), and the contents of your message. The form data is delivered to us; if you elect to schedule a call, the relevant details are also forwarded to our scheduling provider, Calendly, to provision a meeting time. When you apply to be a design partner, you provide additional information you choose to share — for example, your role, your company, the problem you’re trying to solve, and any technical context.
If you email us, the contents of your email and any attachments become information we hold.
3.2 Information collected automatically
When you load the Site, our infrastructure provider (Cloudflare) and host (Hostinger) automatically receive standard request metadata, including your IP address, user-agent string, referrer, and request timestamps. This data is used for delivering the Site, defending against abuse, and diagnosing operational issues.
We do not run analytics or advertising trackers on the Site.
3.3 Information from third parties
If you book a call through Calendly, Calendly transmits booking details (the time you selected, the email address you provided, and any answers you gave to its intake questions) back to us. We may also receive information about you from public sources or from people who refer you to us, but only when relevant to a conversation you are having with us.
4. How we use it
We use the personal information described above to:
- respond to your inquiries and continue conversations you start with us;
- schedule, confirm, and conduct calls;
- evaluate design partner applications and follow up on them;
- operate, secure, and debug the Site and our email systems;
- keep records sufficient to establish that we received and acted on your request;
- comply with legal obligations and enforce our legal rights.
We do not use your personal information to train machine learning models. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not engage in profiling that produces legal or similarly significant effects.
5. Legal bases for processing (EEA/UK)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 GDPR:
- Consent — for any processing where you have given us consent (for example, completing a non-essential field on a form or receiving a non-transactional follow-up).
- Performance of a contract or pre-contractual measures — to evaluate your design partner application or to take steps you have asked us to take prior to entering an agreement.
- Legitimate interests — to operate and secure the Site, prevent fraud and abuse, and respond to communications you initiate. We have considered your rights and freedoms and concluded these uses are proportionate. You may object at any time (see Section 11).
- Legal obligation — to comply with law, valid legal process, or regulatory request.
6. How we share it
We share personal information only with parties who help us operate, and only as needed for that purpose:
- Calendly — our scheduling provider, when you book or are routed to book a call.
- Cloudflare — our network and security infrastructure provider, which sees request metadata for every request to the Site.
- Hostinger — our hosting provider, which serves Site content.
- Email providers — the email infrastructure that delivers your messages to us and ours to you.
- Professional advisors — lawyers, accountants, and similar advisors, where their advice requires it.
- Acquirers and successors — in the event of a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred. We will require recipients to honor this Policy or to give you notice and choices to the extent required by law.
- Law enforcement and others — when we have a good-faith belief that disclosure is required to comply with applicable law, valid legal process, or to protect our rights, our users, or the public.
We do not sell or share personal information for cross-context behavioral advertising.
7. Cookies and similar technologies
The Site uses only strictly necessary cookies and equivalent technologies needed to deliver the Site and protect against abuse (for example, those set by Cloudflare).
On pages that load Calendly’s scheduling widget, Calendly may set its own cookies. Those cookies are governed by Calendly’s privacy and cookie practices, which are available at calendly.com. If you do not wish those cookies to be set, do not load Calendly-enabled pages or do not interact with the embedded scheduler.
We do not use advertising cookies, cross-site tracking pixels, or analytics cookies.
8. Retention
We keep personal information for as long as we have a legitimate purpose for keeping it. In practice:
- Contact form and design partner submissions — for as long as the conversation is active and for a reasonable follow-up period after, typically up to twenty-four months from your last interaction with us, after which we delete or anonymize unless we have a continuing legal or contractual basis to retain.
- Email correspondence — for the duration of the relevant business relationship plus any period required for legal, accounting, or audit purposes.
- Server and security logs — for the rolling window maintained by our infrastructure providers (typically thirty days for Cloudflare edge logs).
You may request earlier deletion under Section 11. Some information may be retained beyond these periods where law requires or where it is necessary to establish, exercise, or defend legal claims.
9. Security
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including transport encryption (TLS), restricted access, and infrastructure providers with mature security practices. No system is perfectly secure; we cannot guarantee that personal information will never be accessed by an unauthorized party, but we will tell you if we are required to under applicable breach-notification law.
10. International transfers
Nomenon is based in the United States. Our service providers are located primarily in the United States and the European Union. If you are located outside the United States, your personal information will be transferred to and processed in countries whose data protection laws may differ from those of your home country.
For transfers of personal information from the EEA, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards including the Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable), or other lawful transfer mechanisms. You may request a copy of the relevant safeguards by contacting us at the address below.
11. Your rights
11.1 Rights available to everyone
You can email us at grc@nomenon.io at any time to ask what we hold about you, ask us to correct it, or ask us to delete it. We will respond within a reasonable time and at no charge except where the law allows us to charge or to refuse manifestly unfounded or excessive requests.
11.2 If you are in the EEA, the United Kingdom, or Switzerland
You have the rights granted by Articles 15–22 GDPR (and the equivalent UK and Swiss provisions): the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing based on legitimate interests, the right not to be subject to a decision based solely on automated processing (we do not engage in such decision-making), and the right to withdraw consent where processing is based on consent.
You also have the right to lodge a complaint with a supervisory authority — in particular, the supervisory authority of the EU Member State of your habitual residence, place of work, or alleged infringement, or the UK Information Commissioner’s Office (ico.org.uk), or the Swiss Federal Data Protection and Information Commissioner.
11.3 If you are a California resident
You have the rights granted by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), including the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising and we do not collect or use sensitive personal information for purposes that would trigger the right to limit. See Section 12 for the full California disclosures.
11.4 How to exercise your rights
Email grc@nomenon.io with the subject line “Privacy Request.” Tell us what you want us to do and provide enough information for us to verify that the request is yours. For California residents, an authorized agent may submit a request on your behalf with appropriate written authorization; we may still need to verify your identity directly. We will not discriminate against you for exercising any right.
12. California disclosures
This section provides additional disclosures required by the CCPA.
12.1 Categories of personal information collected, sources, purposes, and recipients
In the twelve months preceding the date above and on an ongoing basis, we have collected the following categories of personal information:
| Category (CCPA) | Examples | Source | Purpose | Disclosed to |
|---|---|---|---|---|
| Identifiers | Name, email address, IP address | You; your device | Communicate with you, schedule calls, secure the Site | Calendly, Cloudflare, Hostinger, email provider |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Name and contact details you submit | You | Communicate with you, evaluate design partner applications | Calendly, email provider |
| Internet or other electronic network activity | Server log data, request metadata | Your device | Operate and secure the Site | Cloudflare, Hostinger |
| Professional or employment-related information | Your role, your company (only if you tell us) | You | Evaluate design partner applications, contextualize calls | Email provider |
| Inferences | None drawn programmatically | — | — | — |
We do not collect personal information in the categories of biometric information, geolocation (beyond city-level inferred from IP), sensory data, sensitive personal information, or any other category not listed above.
12.2 Sale and sharing
We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the twelve months preceding the date above.
12.3 Sensitive personal information
We do not collect or process sensitive personal information for purposes that, under CCPA, would entitle you to limit its use.
12.4 Retention
See Section 8.
12.5 Shine the Light
California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for the third parties’ direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
13. Children
The Site is not directed to, and we do not knowingly collect personal information from, individuals under sixteen. If you believe a child has provided us personal information, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. The “Effective” date at the top reflects the version currently in force. Material changes will be reflected by an updated “Last updated” date and, where appropriate, by additional notice. Your continued use of the Site after changes take effect indicates acceptance of the updated Policy.
15. How to contact us
For questions about this Policy or to exercise your rights, email us. We treat grc@nomenon.io as the canonical privacy address. It reaches our governance, risk, and compliance function and is monitored by Nomenon personnel; it does not necessarily route to outside legal counsel.