Privacy Policy

Last updated: June 2, 2026

Harmonik Studio d.o.o. ("we", "us") is the data controller for the personal data processed through Naumu. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Information We Collect

We collect the following categories of data:

  • Account data: Name, email address, and profile picture (provided via Google OAuth)
  • Content data: Graph structures, nodes, edges, chat messages, notes, and other content you create
  • Usage data: Feature interactions, page views, and performance metrics (only with your analytics consent)
  • Technical data: Browser type, device information, and IP address (for security and abuse prevention)
  • Billing data: If you upgrade to a paid plan, the identifiers required to operate the subscription (Stripe customer and subscription IDs, billing email, country, VAT details where required, last four digits and brand of your payment card for display purposes, and invoice history). We do not store full payment card numbers — these are handled directly by Stripe.
  • Connected-app data: If you connect a third-party application (such as an AI client) to your Naumu account, we store the identity of the connected application, the date you authorized it, and the access tokens needed to operate the connection. You can view and revoke connected applications at any time in Settings > Connected Apps.

2. How We Use Your Data

  • To provide, maintain, and improve the Service (legal basis: contract performance)
  • To process your content through AI models for graph and chat features (legal basis: contract performance)
  • To send service-related communications such as security alerts (legal basis: legitimate interest)
  • To send product updates and tips, if you opted in (legal basis: consent)
  • To analyze usage patterns and improve the product (legal basis: consent, via analytics cookies)
  • To process payments, manage subscriptions, issue invoices, and meet tax and accounting obligations (legal basis: contract performance and legal obligation)

3. Sub-processors & Data Sharing

We do not sell your personal data. We share data with the following service providers who assist in operating the Service:

  • Google Cloud (Vertex AI) (US) — OAuth authentication and our primary AI provider: it processes your content for graph and chat inference, generates the embeddings that power search, and transcribes audio you record. Per Google Cloud's terms, your data is not used to train Google's models.
  • Anthropic (US) — additional AI model provider for graph and chat features. Your content is sent for processing and is not used for model training.
  • PostHog (EU, Frankfurt) — feature flags and product analytics. Analytics capture runs only with your consent (see our Cookie Policy); feature flags are functional and always on.
  • Dokploy (EU) — Infrastructure hosting provider.
  • Stripe Payments Europe, Ltd. (Ireland, with infrastructure in the US) — payment processing, subscription billing, invoicing, and customer portal. Card data is collected and processed directly by Stripe; we never see or store full card numbers.

Third-party applications you connect

Naumu lets you connect third-party applications — for example AI clients such as Claude (Anthropic) or ChatGPT (OpenAI) — to your account using OAuth. When you authorize such an application, it can read and act on the content in your spaces on your behalf, including your graphs, nodes, threads, notes, and canvases, using your own access and permissions. To provide this functionality, the content you or the connected application access is transmitted to that application's provider, where it is handled under that provider's own privacy policy and terms, which we do not control. We share data with these applications only on your instruction, and only for as long as the connection remains authorized. You can revoke a connected application's access at any time from Settings > Connected Apps; revocation takes effect immediately.

4. International Data Transfers

Some of our sub-processors (Anthropic, Google, and Stripe) operate infrastructure in the United States. Transfers to these processors are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or by adequacy decisions where applicable.

5. Data Retention

  • Account data: Retained while your account is active and deleted within 30 days of account deletion
  • Content data: Retained while your account is active; deleted when you delete content or your account
  • Usage/analytics data: Retained for up to 12 months, then anonymized or deleted
  • Session data: Expires after 365 days of inactivity
  • Connected-app data: Retained while the connection is authorized; deleted immediately when you revoke the app (Settings > Connected Apps) or delete your account
  • Billing records (invoices, transactions, tax data): Retained for 11 years to comply with Croatian tax and accounting law (General Tax Act and Accounting Act), even after account deletion. Personal data within these records is retained only to the extent legally required.

6. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate data (you can edit your name and avatar in Settings)
  • Erasure — Delete your account and data (available in Settings > Delete account)
  • Data portability — Export your spaces (available via the export feature in-app)
  • Withdraw consent — Revoke marketing consent at any time via Settings
  • Object — Object to processing based on legitimate interest
  • Lodge a complaint — File a complaint with your local data protection authority
  • Manage connected apps — View and revoke any third-party applications you have connected to your account (available in Settings > Connected Apps). Revoking an application immediately ends its access to your spaces.

To exercise rights not available through the app, contact [email protected]. We will respond within 30 days. Note that erasure cannot remove billing records we are legally required to retain; those are kept for the statutory period and then deleted.

7. Data Security

We implement industry-standard security measures including encrypted connections (TLS), secure session management, and access controls. While no system is perfectly secure, we take reasonable measures to protect your data.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notice. The "Last updated" date at the top reflects the latest revision.

9. Contact

For privacy-related questions or to exercise your rights, contact us at [email protected].