Privacy Policy

Last updated: May 29, 2026

Nebula ("we", "our", or "us") operates the Nebula application and the website at getnebula.tech (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create a Nebula account, we collect your name, email address, and authentication credentials provided via third-party sign-in (such as Google OAuth).

1.2 Communication Metadata

When you connect your email or messaging accounts, Nebula accesses communication metadata to provide its core functionality. This includes:

Sender and recipient information (names, email addresses)
Subject lines and timestamps
Message read/unread status
Labels, folders, and thread identifiers
Engagement patterns (e.g., response frequency, typical response time)

1.3 Message Content

Nebula is an email client: providing the inbox UI requires storing your email messages on our servers. When you connect a mailbox, Nebula syncs your messages — subject, body (text and HTML), sender, recipients, labels, threading, and any attachments — into our database. We do this so we can display them in the app, let you search and triage them, and power the AI features that are part of Nebula's core functionality: priority classification, message and thread summarization, and draft suggestions. These features run automatically on messages arriving in your connected mailbox.

One AI feature is opt-in and off by default: the daily briefing email. You can enable it in Settings.

Message content remains stored until you delete the messages, disconnect your mailbox, or delete your Nebula account (see Section 5 and Section 8). Triage actions you take in Nebula — archive, delete-to-Trash, mark as read, reply — are mirrored back to your mailbox via the Gmail API or IMAP, so your mailbox provider stays the system of record.

Sub-processors that receive message content for AI features are listed at getnebula.tech/sub-processors, together with what data is shared, the provider's region, and any no-train commitments.

1.4 Usage Data

We collect information about how you interact with the Service, including feature usage, preferences, session duration, and error logs. This data is used to improve the Service and diagnose issues.

1.5 Device Information

We may collect device type, operating system, browser type, and IP address for security and analytics purposes.

2. Google API Services — Limited Use Disclosure

Nebula's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Nebula:

Only uses Google user data to provide and improve the core user-facing features described in this policy.
Does not transfer Google user data to third parties, except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger/acquisition with adequate data protection.
Does not use Google user data for serving advertisements or for any purpose unrelated to the Service's core functionality.
Does not allow humans to read Google user data unless: (a) we have the user's affirmative agreement, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.

3. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Service
Classify and prioritize your communications using AI
Generate draft responses and message summaries
Build and refine your sender engagement profiles
Protect against unauthorized access and abuse
Communicate with you about the Service (updates, security alerts)
Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

Sub-Processors: We may share data with trusted third-party providers who assist in operating the Service (cloud hosting, AI inference, push-notification delivery), subject to data-processing agreements. The current list of Sub-Processors that may receive your data — together with their purpose, location, and links to their terms — is published at getnebula.tech/sub-processors and updated when it changes.
Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred, subject to this Privacy Policy.
With Your Consent: We may share data for other purposes with your explicit consent.

5. Data Retention

We retain your account profile, email messages, and AI-derived data (summaries, classifications, draft suggestions) for as long as your account is active. Application logs and audit records are retained per our internal retention policy. You may export or request deletion of your data at any time (see Section 8).

When you request account deletion, your messages and other personal data are scheduled for permanent removal after a 30-day grace window, during which you can recover the account by contacting support. After the grace window closes, all personal data is removed except where retention is required by law (for example, security audit records may be retained for a defined period for compliance reasons).

6. Data Security

We implement industry-standard security measures to protect your information, including:

Encryption in transit using TLS 1.2 or 1.3 on every connection
Authenticated encryption (AES-128-CBC with HMAC-SHA256, via Fernet) at rest for sensitive credentials — OAuth refresh tokens, TOTP secrets, and any stored email passwords
Mobile clients store auth tokens in OS-managed secure storage (iOS Keychain, Android EncryptedSharedPreferences with AES-256-GCM)
Regular static (SAST) and dynamic (DAST) security scanning of the application against OWASP CWE families
OAuth 2.0 for connecting Google accounts — we never see your Google password
For users who connect non-Google mailboxes via IMAP, your IMAP password is encrypted at rest using the encryption described above. We use it only to connect to your mailbox on your behalf.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. International Data Transfers

Nebula is operated from Germany. If you access the Service from outside the European Economic Area (EEA), your data may be transferred to and processed in Germany. We ensure that any data transfers comply with applicable data protection laws, including the General Data Protection Regulation (GDPR).

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access & Portability — self-service: You can download a structured JSON copy of your account, messages, chat memberships, devices, and audit events at any time from Settings → Account → "Download my data". This satisfies both the right of access and the right to data portability.
Erasure — self-service: You can schedule your account for deletion at any time from Settings → Account → "Delete account…". A 30-day grace window applies, during which you can recover by contacting support@getnebula.tech. After the grace window closes, your messages and personal data are permanently removed.
Rectification: You can update your display name in Settings. To correct other data we hold about you, contact us at the address below.
Restriction, Objection, Withdraw Consent: These rights are handled manually today. Contact privacy@getnebula.tech with your request and we will action it within 30 days.

For any of the rights handled manually, or any question about the self-service flows above, write to privacy@getnebula.tech. We aim to respond within 30 days.

Google Account Permissions

You can revoke Nebula's access to your Google account at any time by visiting your Google Account permissions page.

9. Cookies and Tracking

We use essential cookies and similar technologies to maintain your session, authentication tokens, and preferences. These are required for the Service to function and cannot be disabled while you remain signed in.

We use Google Analytics 4 (GA4) to measure how Nebula is used — which pages are viewed, which buttons are clicked, which onboarding steps stall. GA4 receives page views, custom product events, and after you sign in, your Nebula user ID, so a session's events are linkable to your account for internal analysis. GA4 does not receive any email content, message bodies, subjects, sender information, or contact data. GA4 is listed on our sub-processors page together with how to opt out site-wide. We do not use any third-party advertising cookies.

10. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete that data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Nebula
Alexander Grosse
Berlin, Germany
Email: privacy@getnebula.tech