Privacy Policy

Last updated: May 2026

What we collect

NomisFile is built for US business compliance teams. We collect the minimum data needed to operate the service and maintain your regulatory records:

  • Account information, such as business email address, display name, role, and organization membership.
  • Organization and entity records you enter, including legal-entity names, US state formation details, license records, regulator names, fiscal-year dates, and reminder preferences.
  • Compliance workflow records, including obligation status, due dates, filing history, notes, evidence metadata, and audit-trail events.
  • Documents and evidence files you upload or link, such as policies, examination materials, surety-bond documents, and generated audit-package materials.
  • Service logs and usage data, such as page requests, feature usage, error logs, and security events used to operate, secure, and improve NomisFile.

How we use your data

We use your data to operate NomisFile: generating compliance calendars, calculating deadline reminders, maintaining filing records, building audit-ready exports, providing support, securing the service, and improving product reliability. We do not sell or rent customer data, and we do not share it with third parties for their own marketing.

Subprocessors and sharing

NomisFile uses a small set of US-focused service providers to operate the product. The current subprocessor list is maintained on our security page and includes transactional email delivery, error reporting, edge networking, encrypted backup storage, and database hosting. We share only the data each provider needs to perform its service for NomisFile.

We may also disclose customer data if required by US law, to protect the service from abuse or security threats, or as part of a business transfer involving appropriate confidentiality protections.

Data storage and security

NomisFile stores application data in PostgreSQL with row-level security for tenant isolation. Sensitive fields and backups use encryption controls described on our security page. We keep security claims specific to controls we operate today.

Data retention

We retain customer data while your account is active. After cancellation or account closure, your access to the service ends and NomisFile provides a 30-day export window during which you can export your customer data. After that window, your data is deactivated and removed from active use in the product. We retain limited records only as required for legal, dispute-preservation, security-investigation, and backup-integrity purposes, and we periodically purge deactivated data on a scheduled basis. You may request export or deletion of your customer data at any time by emailing [email protected]. Encrypted backups age out on their normal backup-retention schedule.

US state privacy rights

NomisFile is a business-to-business service, but individuals in some US states may have privacy rights that apply to account-level personal information. California residents may request access to or deletion of personal information under the California Consumer Privacy Act (CCPA). Virginia and Colorado residents may have similar rights under applicable state privacy laws. To make a request, email [email protected]. We may need to verify your identity and organization relationship before acting on a request.

Children

NomisFile is for US business users and compliance teams. It is not directed to children, and we do not knowingly collect personal information from minors.

Changes to this policy

We may update this policy as the service, legal requirements, or subprocessors change. We will provide at least 30 days' notice by email before material changes take effect.

Contact

Questions about this policy or privacy requests should be sent to [email protected].