Privacy Policy
Last updated: June 17, 2026
Nomee ("Nomee," "we," "us," or "our") operates the Nomee web application and related services (the "Service") for users worldwide. We are operated from Malaysia, but the Service is available to anyone, anywhere.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have — regardless of where you live. By using the Service, you agree to the practices described here. Where local law gives you additional rights (for example, in Malaysia, the European Economic Area, or the United Kingdom), those rights apply in addition to what is stated below.
Users in Malaysia may also read our Bahasa Malaysia summary at Notis Privasi. This policy is not legal advice; consult a qualified attorney in your jurisdiction if needed.
1. Information We Collect
Account information
When you create an account or sign in, we may collect:
- Name and email address
- Password (stored in hashed form if you use email/password sign-in)
- Profile photo URL (for example, from Google Sign-In)
- Optional phone number and short bio
- Referral information if you joined through an invite or registration link
Profile and link information
When you build your digital profile, we collect the content you choose to add, which may include:
- Display name, tags, description, and optional employer/organization text
- Profile and cover images you upload
- Social and contact links (LinkedIn, WhatsApp, email, website, and other platforms you add)
- Phone numbers and messaging preferences (including WhatsApp intro settings)
- Visual styling preferences for your profile name
Company accounts (B2B)
If your organization uses Nomee's company features, company administrators may create employee accounts and manage branding. We store company name, logo, platform restrictions, and membership roles (admin or member). Company admins can view member names, email addresses, and usage summaries.
Visitor and interaction data
- Public profile views: When someone visits your public profile or link page, we do not currently operate a dedicated analytics dashboard for profile owners, but standard server and hosting logs may record technical data (IP address, browser type, timestamps).
- AI chat: If AI chat is enabled on a profile, visitors' messages and conversation history are sent to our AI provider to generate replies. We do not store chat transcripts in our application database; history exists only for the duration of the visitor's session in their browser.
- WhatsApp intro flow: If a profile owner enables WhatsApp with an intro gate, visitors may submit optional intro text and/or a photo before opening WhatsApp. Intro text is used to pre-fill a WhatsApp message and is not stored in our database. Photos uploaded for this flow are stored on our file hosting provider and referenced in the message link.
- Waitlist: If you join a waitlist, we collect your email and optionally your name and phone number.
Automatically collected information
- Session tokens and authentication cookies (see Section 6)
- Cached account and profile data in your browser's local storage for performance
- Device and browser information through our hosting infrastructure and third-party services
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account and authenticate you
- Build, display, and share your digital profile and links
- Enable NFC tag writing, QR codes, and link sharing features you initiate
- Operate company/team administration features for business customers
- Process invite and registration links and attribute referrals
- Provide AI-assisted chat on profiles where that feature is enabled
- Facilitate WhatsApp deep links and optional visitor intro flows
- Maintain security, prevent abuse, and troubleshoot the Service
- Comply with legal obligations
We do not sell your personal information. We do not use third-party advertising or behavioral analytics trackers in the application.
3. Public Profiles and What Others Can See
Nomee is designed to help you share a professional presence. When your profile is active, information you add to it may be publicly accessible to anyone with your profile URL (/user/… or /link/…), including:
- Your display name, photo, tags, description, and social/contact links you choose to publish
- Any phone number or email you add as a contact method on your profile
- AI chat, if enabled on your profile
Your account email address is used for authentication and is not displayed on your public profile by default, but will be reachable if you add it as a contact link. You control what you publish. Deactivating a profile or your account limits public visibility as described in Section 8.
4. How We Share Information
We share information only in these circumstances:
Service providers
We use trusted third parties to operate the Service, including:
- Google — Sign in with Google (OAuth); profile photo and basic account info
- Hosting and database providers — Application hosting and PostgreSQL database storage
- Vercel Blob Storage — Profile images, company logos, and visitor-uploaded photos (stored at publicly accessible URLs)
- DeepSeek — AI chat responses when that feature is enabled on a profile
- Google Fonts — Typography delivery (your browser may send standard request data to Google)
Other users and visitors
Information on your public profile is visible to visitors. If you use invite links, people you invite may see limited information about the referral relationship. Company administrators can see member account details for accounts in their organization.
Third-party platforms you link to
When you or a visitor clicks a social link (WhatsApp, LinkedIn, email, etc.), you leave Nomee and interact with that third party under their own privacy policies.
Legal and safety
We may disclose information if required by law, court order, or governmental request, or when we believe disclosure is necessary to protect rights, safety, or the integrity of the Service.
5. Image and File Uploads
Images you upload (profile photos, company logos, WhatsApp intro photos) are stored on cloud file storage and assigned a public URL. Anyone with that URL may be able to access the image. Do not upload sensitive, confidential, or illegal content. We do not currently automatically delete uploaded files from storage when you remove them from your profile; file lifecycle management may be updated in future versions.
6. Cookies and Local Storage
Cookies we set
- auth_token — Keeps you signed in to your Nomee account (HTTP-only, up to 30 days)
- next-auth.session-token — Used during Google Sign-In (cleared on logout)
- admin_session — Internal administration access only
Browser storage
We use local storage and session storage to:
- Cache your user and profile data for faster loading (typically 5–10 minutes)
- Preserve invite/registration codes during the sign-up flow
- Support session recovery in certain browsers (e.g. Safari)
You can clear cookies and site data through your browser settings. Doing so will sign you out and clear cached data.
7. NFC, QR Codes, and Sharing
If you use NFC writing or QR code features, you are encoding a URL to your public profile or link. NFC operations occur on your device through your browser; we do not receive or store NFC chip data. QR codes are generated in your browser and contain the same public URLs you choose to share.
8. Data Retention and Deletion
- Sessions expire after 30 days of inactivity or when you log out
- Profiles and links remain until you delete them or delete your account
- Company data may be deactivated (soft-deleted) while preserving member records
- OAuth tokens are retained while your account exists and removed when the account is deleted
You can delete individual profiles from within the app (subject to having at least one profile). Company administrators can deactivate member accounts or remove members from a company. Account deletion requests can be submitted to us at the contact address below. When an account is deleted, associated database records are removed in accordance with our data model; copies in backups or logs may persist for a limited period.
9. Security
We use industry-standard measures including password hashing (bcrypt), HTTP-only session cookies, and access controls on authenticated routes. No method of transmission or storage is 100% secure. You are responsible for keeping your password confidential and for the content you choose to make public on your profile.
10. Your Rights and Choices
Depending on where you live, you may have rights to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information (most fields are editable in your profile)
- Request deletion of your account and associated data
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Request data portability (where applicable under your local law)
- Lodge a complaint with your local data protection authority
To exercise these rights, contact us at info@nomee.my. We will respond within a reasonable timeframe as required by applicable law.
11. Additional Information for Users in Malaysia (PDPA)
If you are located in Malaysia, or if Malaysian law applies to our processing of your personal data, the following additional information applies under the Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024 ("PDPA"). Users outside Malaysia can skip this section; your rights are covered in Section 10 and Section 13.
Legal basis and consent
In Malaysia, Nomee acts as a data controller. We process your personal data based on your consent (for example, when you register, accept these policies, or voluntarily add information to your profile) and where necessary to perform our contract with you. You may withdraw consent at any time by contacting us, subject to legal or contractual restrictions.
Purposes of processing
We collect and use personal data only for purposes that are lawful and directly related to the Service, including:
- Creating and managing your account
- Displaying and sharing your digital profile at your direction
- Operating company/team features for business customers
- Providing optional AI chat and WhatsApp intro features
- Security, fraud prevention, and service improvement
- Complying with legal obligations
We will not use your personal data for purposes other than those stated here without your consent, except as permitted by the PDPA.
Sensitive personal data
Under the PDPA (as amended), certain categories such as biometric data are treated as sensitive personal data. If you upload profile images or other content that could constitute sensitive personal data, you consent to our processing of that data solely to provide the features you enable (for example, displaying your profile photo or visitor photos in the WhatsApp intro flow).
Your rights under the PDPA
Subject to the PDPA, you have the right to:
- Access — request information about personal data we hold about you and how we process it
- Correction — request correction of inaccurate, incomplete, misleading, or outdated personal data
- Withdraw consent — withdraw consent to processing that is based on consent
- Prevent processing — request that we cease processing your personal data if you believe it is being misused or is likely to cause damage or distress
- Data portability — where technically feasible, request transmission of your personal data to another service provider (as provided under the PDPA Amendment Act 2024)
Submit requests to info@nomee.my. We may need to verify your identity before fulfilling a request. We aim to respond within 21 days where the PDPA requires a timely response.
Direct marketing
We do not sell your personal data. We may send you service-related communications (for example, account or security notices). If we ever send promotional marketing, you will be able to opt out at any time. Under the PDPA, you may at any time request that we cease processing your personal data for direct marketing purposes.
Cross-border transfers (Malaysia)
Under the PDPA, transfer of personal data outside Malaysia requires your consent or another lawful basis. By registering and using the Service, Malaysian users consent to transfers to our service providers in other countries, as described in Section 4 and Section 13.
Data breach notification
In line with the PDPA Amendment Act 2024, if a personal data breach occurs that is likely to cause significant harm, we will notify the Personal Data Protection Commissioner and affected individuals as required by law.
Data Protection Officer
You may contact our Data Protection Officer regarding PDPA matters at info@nomee.my.
Complaints to the regulator
If you believe we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with the Personal Data Protection Department (JPDP): https://www.pdp.gov.my.
12. Children's Privacy
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take steps to delete it.
13. International Users and Cross-Border Processing
Nomee is a global service. No matter where you are, your information may be transferred to and processed in countries other than your own — including where our cloud hosting, database, file storage, and AI providers operate (such as the United States, European Union, or Southeast Asia). Those countries may have different data protection laws than yours.
By using the Service, you acknowledge that your data may be processed internationally for the purposes described in this policy. We take reasonable steps to ensure our service providers protect your information appropriately.
Regional rights: Depending on your location, you may have additional rights under local law — for example, the PDPA if you are in Malaysia (see Section 11), the GDPR if you are in the European Economic Area, or the UK GDPR if you are in the United Kingdom. Contact us at info@nomee.my to exercise rights that apply to you.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes may also be communicated through the Service or by email where appropriate. Continued use after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Nomee (operated from Malaysia)
Email: info@nomee.my
Data Protection Officer: info@nomee.my
See also our Terms of Service and Cookie Policy.