1. Controller
The controller responsible for processing personal data within the meaning of Art. 4 (7) GDPR is Brandenburger Digital Systems UG (haftungsbeschränkt), Ströherstr. 20, 35683 Dillenburg, Germany, registered at the Local Court of Wetzlar under HRB 9602, represented by Managing Director Dennis Brandenburger.
Contact for privacy enquiries: info@brandenburger-digital-systems.com (subject line "Datenschutz" or "Privacy"). Full contact details are listed in the Imprint.
2. Data Protection Officer
We have not appointed a Data Protection Officer because the statutory thresholds of § 38 BDSG and Art. 37 GDPR are not met. For privacy enquiries please use the contact channel above.
3. Categories of personal data we process
- Account data: email address, display name, authentication identifiers (Google OAuth ID or magic-link token).
- Profile data: citizenship, tax-home country, preferred language, units, timezone, notification preferences.
- Travel data: trips, segments, visited countries, presence days, scenarios, wishlists.
- Document data: documents you upload to your vault (passport scans, visa letters, certificates) including metadata like expiry dates.
- Billing data (where applicable): Stripe customer ID, subscription status, invoices. Payment-card details are processed exclusively by Stripe; we never see them.
- Usage data: page views, feature usage, error events, performance metrics. Where this contains personal identifiers it is processed only for security and product-improvement purposes.
4. Purposes and legal basis
- Performance of contract (Art. 6 (1) (b) GDPR) — to operate the Service: account creation, compliance calculations, document storage, AI features you trigger, payments.
- Legitimate interest (Art. 6 (1) (f) GDPR) — security monitoring, fraud prevention, aggregated product analytics, communications about service changes.
- Consent (Art. 6 (1) (a) GDPR) — for non-essential cookies and any optional analytics or third-party embed categories you enable in our cookie banner. You can withdraw consent at any time without affecting the lawfulness of past processing.
- Legal obligation (Art. 6 (1) (c) GDPR) — to fulfil tax-record-keeping duties (§ 147 AO) for invoicing data.
5. Third-party processors and recipients
We use the following data processors. Each is bound by a Data Processing Agreement under Art. 28 GDPR. Where a processor is based outside the EU/EEA we rely on EU Standard Contractual Clauses and the EU–U.S. Data Privacy Framework.
- Supabase Inc. (USA, EU region) — hosting, Postgres database, authentication, storage. Customer data is stored in the EU region.
- Stripe Payments Europe Ltd. (Ireland) — subscription billing, payment processing, and EU VAT handling. Card numbers and other sensitive payment credentials are entered directly in Stripe's hosted Checkout and never reach our servers. Stripe acts as our processor (for customer-record management) and as an independent controller for the payment transaction itself. For transactions processed through Stripe Managed Payments, Stripe additionally acts as merchant of record — i.e. as the legal seller for tax and invoicing purposes — and is responsible for calculating, collecting, and remitting the applicable indirect taxes (VAT/GST/sales tax) as well as for issuing the corresponding tax invoices to the customer. (Stripe Privacy Policy: stripe.com/de/privacy).
- Google Ireland Ltd. (Ireland) / Google LLC (USA) — (a) Google Gemini API for AI features you actively trigger (Daily Briefing, Assistant, scenario planning, country chat, document scan). We send the minimum context required for the request. Google processes these inputs under the Gemini API terms and data-use policy applicable to the service tier we have configured. (b) Google OAuth for sign-in. The OAuth flow exchanges only your email address, your Google account ID, and (optionally) your display name and profile picture.
- Mapbox, Inc. (USA) — map rendering on the dashboard, country pages, trip details. The map only loads after you accept the Embeds & maps cookie category (see Cookie Policy); without consent we show a static placeholder. Loading the map transmits at least your IP address and viewport coordinates to Mapbox.
- Vercel Inc. (USA) / Vercel Germany GmbH — application hosting, edge delivery, and (after your explicit Analytics consent) cookieless web analytics and Speed Insights. Server logs can include IP-address information where technically necessary for security, delivery, and abuse-prevention purposes.
- Functional Software Inc. d/b/a Sentry / Sentry GmbH (Germany) — runtime error and performance monitoring. We send anonymised stack traces, the URL where the error occurred, browser/OS metadata, and a pseudonymous user ID so we can correlate the same user across sessions while debugging. Personal data carried in error payloads (e.g. Supabase JWTs, Stripe keys) is stripped client-side via a beforeSend filter before transmission. Data is hosted in Sentry's German region (Frankfurt) for GDPR data residency.
We do not pass personal data to advertising networks, do not run cross-site tracking pixels (Facebook Pixel, Google Ads, TikTok, etc.), and do not sell or rent personal data to anyone.
6. Retention periods
- Account, profile, and travel data: for the lifetime of your account. After account deletion, active records are deleted or anonymised without undue delay unless legal retention duties or unresolved abuse-prevention reasons require longer storage.
- Subscription cancellation does not delete your data. When you cancel a paid plan, all content you created — trips, presence days, vault documents, country profiles, packing lists, AI conversation history — remains stored under your account for the full account lifetime. The Free tier only changes how much new content you can add, never what is already there. If you re-subscribe, every paid feature lights up again immediately on the existing data set; no migration, re-upload, or recovery step is required. Account deletion (Settings → Delete account) is the only mechanism that erases stored content.
- Billing data: 10 years after the end of the calendar year of the invoice (§ 147 AO).
- Security, server, and error logs: only for as long as needed for security, stability, abuse prevention, and troubleshooting, then deleted, anonymised, or rolled off under the retention windows of the respective infrastructure provider.
- Cookie consent records: 12 months from the last consent event.
7. Your rights
You have the right to:
- Access the personal data we hold about you (Art. 15 GDPR).
- Have inaccurate data corrected (Art. 16 GDPR).
- Have your data deleted (Art. 17 GDPR).
- Restrict processing (Art. 18 GDPR).
- Receive your data in a portable, machine-readable format (Art. 20 GDPR).
- Object to processing based on legitimate interests (Art. 21 GDPR).
- Withdraw consent at any time (Art. 7 (3) GDPR).
- Lodge a complaint with a supervisory authority. The competent authority for our establishment is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Wiesbaden.
Certain rights can already be exercised directly in the Settings page, in particular data export and account deletion. For all other requests, contact us at the email address listed in the Imprint.
8. Security
We use HTTPS/TLS for data in transit. Data at rest is protected by the security controls of our infrastructure providers. Within the application, Row Level Security is enforced on relevant Supabase tables so that one user cannot read another user's account data through the API. Access to production tooling is limited to authorised access paths and provider-side permissions.
9. How we handle AI data
When you use AI features we send the minimum context needed (e.g. your tax-home, citizenship, the trip you are asking about) to Google Gemini. Prompts and model responses are processed by Google under the contractual and technical conditions of the Gemini API service tier configured for NomadOS. AI responses may be stored in your account so you can revisit them, and are deleted together with your account unless legal retention duties require otherwise.
10. Cookies and similar technologies
We use cookies and localStorage for authentication, session management, and (with your consent) analytics or third-party embeds. Details and controls are described in our Cookie Policy.
11. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe we have done so, please contact us so we can delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes are announced at least 30 days before they take effect. The date at the top reflects the latest version.