Privacy Policy
Last updated: July 9, 2026
This Privacy Policy explains how Nombrio (operated by sydacos GmbH, a German limited liability company) collects, uses, and protects your personal data when you use our brand name validation service. It satisfies the disclosure requirements of Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Data controller
The data controller within the meaning of Art. 4(7) GDPR is:
sydacos GmbHHasenböge 17
21514 Klein Pampau
Germany
Email: contact@nombrio.com
Full provider information is available in our Imprint.
2. Data Protection Officer
sydacos GmbH is not required to appoint a Data Protection Officer. We do not meet the thresholds of §38(1) BDSG (number of employees regularly processing personal data), we do not process special categories of personal data within the meaning of Art. 9 GDPR as part of our core business, and we do not engage in large-scale systematic monitoring. For privacy-related questions, please contact contact@nombrio.com.
3. General principles of data processing
We process personal data only when this is necessary to provide a functional service. Each processing operation has an explicit legal basis under Art. 6 GDPR: consent (Art. 6(1)(a)), performance of a contract (Art. 6(1)(b)), compliance with a legal obligation (Art. 6(1)(c)), or legitimate interests (Art. 6(1)(f)). Each section below names the legal basis it relies on.
4. Server logs (website hosting)
When you visit our website, technical data is processed by our hosting provider (Vercel — see §10): IP address, date and time, requested resource, HTTP status code, transferred data volume, referrer URL, and user agent.
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: providing, securing, and stabilizing the website.
Retention: 30 days in server logs, then automatically deleted or anonymized.
5. Account and authentication (Clerk)
When you create a Nombrio account, we process the following data via our authentication provider Clerk Inc.: email address, hashed password, optional name and avatar, session tokens, IP address at sign-in, last login timestamp.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — authentication is required to use the service).
Retention: for as long as your account exists, plus 30 days after a deletion request to allow for any tax-law or fraud-prevention retention obligations.
Third country: Clerk processes data primarily in the United States. Transfers occur on the basis of the EU Standard Contractual Clauses (SCCs, Module 2 controller → processor) per Implementing Decision (EU) 2021/914.
6. Payments (Stripe)
Payments are processed exclusively through Stripe Payments Europe Ltd. We do not collect or store full payment details ourselves — credit card information, SEPA mandates, etc. are captured directly by Stripe. Stripe returns to us a Stripe customer ID, payment status, paid amount, and the last 4 digits of the card for display in your account.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (statutory retention obligations under §147 of the German Fiscal Code (AO) and §257 of the German Commercial Code (HGB)).
Retention: 10 years for accounting-relevant data per §147 AO. Stripe stores its own data per its own privacy policy.
Third country: Stripe is established in Ireland (EEA). Individual processing steps may occur at Stripe locations in the United States. Transfers are based on the EU Standard Contractual Clauses.
6a. Guest purchase — account provisioning
You can buy a Clearance Report without creating an account first. In that case, Stripe collects your email address during checkout and, after payment, we create a Nombrio account for that email address so we can deliver the purchased report to you. You sign in to it with a one-time email code — no password is set. We also store a short claim record (your email address, the checked name, and the checkout session reference) that links your payment to the provisioned account, so we can help you reach your report if anything goes wrong.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — the account is required to deliver the digital content you purchased).
Retention: the claim record is deleted automatically after 180 days. The account itself is retained like any other account (see §5) — you can delete it at any time under “Settings” or by contacting contact@nombrio.com.
7. AI-powered name generation (Anthropic Claude)
When you use our generation feature, we transmit your business description (e.g. “A mobile app for beginner yoga”) to Anthropic, PBC to produce brand name suggestions. The transmission contains no direct personal data, but free text input may implicitly contain personal data.
Information per Art. 22 GDPR: The generated name suggestions are produced by an AI language model. This is a form of automated processing. The suggestions are recommendations that you independently review and choose from — there is no automated decision in the sense of Art. 22(1) GDPR because the final choice of a name is always made by you. We nevertheless transparently disclose the AI involvement (transparency obligation under the EU AI Act).
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention: Anthropic states that API inputs are not used for training by default and are deleted after 30 days (as of April 2026). For details see the Anthropic Privacy Policy.
Third country: Anthropic is established in the United States. Transfers based on the EU Standard Contractual Clauses.
7a. Personalized name suggestions (profiling)
If you leave personalization enabled, we build a small taste profile from the names you like and dislike (your thumbs-up/down and saves) and use it to gently bias future name suggestions toward the styles you prefer — their distinctiveness, boldness, and creative direction. This qualifies as profiling within the meaning of Art. 4(4) GDPR.
No automated decision: the profile only weights which ideas we surface. It is a soft nudge, never a hard filter, and produces recommendations you freely review and choose from — so there is no automated decision with legal or similarly significant effect under Art. 22(1) GDPR.
What data is used: only the feedback signals you generate within Nombrio (liked/disliked/saved names from your recent searches). No separate data is collected for this purpose; the profile is derived on demand from information you already see in your account and is bounded to your most recent searches.
Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in improving the relevance of the service). You can object at any time.
Your control (Art. 21 GDPR): personalization is optional. Turn it off anytime under Settings → Personalization, where you can also see exactly what the profile has learned. When switched off, we stop profiling you immediately and future suggestions are no longer tailored.
8. Trademark searches (USPTO, EUIPO, UK IPO)
When you check a generated name, we transmit the name (no personal data) to the official trademark offices USPTO (United States), EUIPO (European Union) and UK IPO (United Kingdom). These queries are technically necessary to identify trademark conflicts.
Legal basis: Art. 6(1)(b) GDPR.
8a. Free name watch (email notifications)
On our free checker you can ask us to “watch” a name for 30 days. If you do, we process your email address, the watched name, a hashed IP address (abuse prevention), and a record of your consent (timestamp and consent-text version). We use a double opt-in: nothing is sent to your address beyond a single confirmation email until you click the confirmation link. That confirmation email also contains the free-check result you asked us to send you, and we store that result summary alongside your consent record. During the 30-day watch we email you only about that name's status (domain or US trademark changes, one availability reminder, and one end-of-watch notice). Every email contains a one-click unsubscribe link.
Retention: unconfirmed requests are deleted automatically after 48 hours; watch records are deleted no later than ~30 days after the watch ends or you unsubscribe.
Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time via the unsubscribe link in any watch email or by contacting us.
9. Analytics (Vercel Analytics) — consent-based only
We use Vercel Analytics to collect aggregated, privacy-friendly usage statistics (page views, anonymized geo data, device type, funnel events). Vercel Analytics sets a short-lived, hashed visitor identifier that rotates daily; it does not set personally identifiable tracking cookies or cross-site trackers.
Vercel Analytics is loaded only if you have explicitly granted consent via the cookie banner. Without consent, the script does not run. We additionally honor your browser's “Do Not Track” (DNT) header: if DNT is active we do not load Vercel Analytics, even if you have granted consent.
Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via the “Cookie Settings” link in the footer.
10. Hosting and processors
We use the following processors. We have a Data Processing Agreement (DPA) under Art. 28 GDPR in place with each.
| Provider | Purpose | Location | Privacy |
|---|---|---|---|
| Vercel Inc. | Website hosting (region: Frankfurt, fra1) | USA | vercel.com/legal/privacy-policy |
| Amazon Web Services EMEA SARL | Backend hosting (region: Frankfurt, eu-central-1) — database, Lambda, S3, SQS, EventBridge | Luxembourg / EU | aws.amazon.com/privacy |
| Clerk Inc. | Authentication, session management | USA | clerk.com/legal/privacy |
| Stripe Payments Europe Ltd. | Payment processing, invoicing | Ireland / EU | stripe.com/privacy |
| Anthropic, PBC | AI generation of brand names (Claude API) | USA | anthropic.com/legal/privacy |
11. Third-country transfers
Where personal data is transferred to recipients outside the EU/EEA (in particular the USA for Vercel, Clerk, and Anthropic), the transfer takes place on the basis of the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914), unless the relevant provider is already covered by an adequacy decision (e.g., the EU-US Data Privacy Framework). We apply additional technical and organizational measures with each provider to ensure an appropriate level of protection.
12. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (“right to be forgotten”, Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR) — including our personalized name suggestions, which you can switch off anytime under Settings → Personalization
- Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
For access, rectification, and erasure requests, please contact contact@nombrio.com. We respond to requests within the statutory one-month deadline (Art. 12(3) GDPR). Within the application, you can also export your data or delete your account at any time under “Settings”.
13. Competent supervisory authority
The supervisory authority responsible for sydacos GmbH (registered in Schleswig-Holstein, Germany) is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)Holstenstraße 98
24103 Kiel
Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Web: datenschutzzentrum.de
You also have the right to lodge a complaint with the supervisory authority of your habitual residence or place of work.
14. Cookies
For details on every cookie we set (necessary and analytics), see our Cookie Policy.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements or in our service. The current version always applies on your next visit. For material changes, we will notify signed-in users by email in advance.