Privacy Policy

This Privacy Policy explains how Nombrio (operated by sydacos GmbH, a German limited liability company) collects, uses, and protects your personal data when you use our brand name validation service. It satisfies the disclosure requirements of Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Data controller

The data controller within the meaning of Art. 4(7) GDPR is:

Full provider information is available in our Imprint.

2. Data Protection Officer

sydacos GmbH is not required to appoint a Data Protection Officer. We do not meet the thresholds of §38(1) BDSG (number of employees regularly processing personal data), we do not process special categories of personal data within the meaning of Art. 9 GDPR as part of our core business, and we do not engage in large-scale systematic monitoring. For privacy-related questions, please contact contact@nombrio.com.

3. General principles of data processing

We process personal data only when this is necessary to provide a functional service. Each processing operation has an explicit legal basis under Art. 6 GDPR: consent (Art. 6(1)(a)), performance of a contract (Art. 6(1)(b)), compliance with a legal obligation (Art. 6(1)(c)), or legitimate interests (Art. 6(1)(f)). Each section below names the legal basis it relies on.

4. Server logs (website hosting)

When you visit our website, technical data is processed by our hosting provider (Vercel — see §10): IP address, date and time, requested resource, HTTP status code, transferred data volume, referrer URL, and user agent.

Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: providing, securing, and stabilizing the website.

Retention: 30 days in server logs, then automatically deleted or anonymized.

5. Account and authentication (Clerk)

When you create a Nombrio account, we process the following data via our authentication provider Clerk Inc.: email address, hashed password, optional name and avatar, session tokens, IP address at sign-in, last login timestamp.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — authentication is required to use the service).

Retention: for as long as your account exists, plus 30 days after a deletion request to allow for any tax-law or fraud-prevention retention obligations.

Third country: Clerk processes data primarily in the United States. Transfers occur on the basis of the EU Standard Contractual Clauses (SCCs, Module 2 controller → processor) per Implementing Decision (EU) 2021/914.

6. Payments (Stripe)

Payments are processed exclusively through Stripe Payments Europe Ltd. We do not collect or store full payment details ourselves — credit card information, SEPA mandates, etc. are captured directly by Stripe. Stripe returns to us a Stripe customer ID, payment status, paid amount, and the last 4 digits of the card for display in your account.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (statutory retention obligations under §147 of the German Fiscal Code (AO) and §257 of the German Commercial Code (HGB)).

Retention: 10 years for accounting-relevant data per §147 AO. Stripe stores its own data per its own privacy policy.

Third country: Stripe is established in Ireland (EEA). Individual processing steps may occur at Stripe locations in the United States. Transfers are based on the EU Standard Contractual Clauses.

7. AI-powered name generation (Anthropic Claude)

When you use our generation feature, we transmit your business description (e.g. “A mobile app for beginner yoga”) to Anthropic, PBC to produce brand name suggestions. The transmission contains no direct personal data, but free text input may implicitly contain personal data.

Information per Art. 22 GDPR: The generated name suggestions are produced by an AI language model. This is a form of automated processing. The suggestions are recommendations that you independently review and choose from — there is no automated decision in the sense of Art. 22(1) GDPR because the final choice of a name is always made by you. We nevertheless transparently disclose the AI involvement (transparency obligation under the EU AI Act).

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention: Anthropic states that API inputs are not used for training by default and are deleted after 30 days (as of April 2026). For details see the Anthropic Privacy Policy.

Third country: Anthropic is established in the United States. Transfers based on the EU Standard Contractual Clauses.

8. Trademark searches (USPTO, EUIPO, UK IPO)

When you check a generated name, we transmit the name (no personal data) to the official trademark offices USPTO (United States), EUIPO (European Union) and UK IPO (United Kingdom). These queries are technically necessary to identify trademark conflicts.

Legal basis: Art. 6(1)(b) GDPR.

9. Analytics (Vercel Analytics) — consent-based only

We use Vercel Analytics to collect aggregated, privacy-friendly usage statistics (page views, anonymized geo data, device type, funnel events). Vercel Analytics sets a short-lived, hashed visitor identifier that rotates daily; it does not set personally identifiable tracking cookies or cross-site trackers.

Vercel Analytics is loaded only if you have explicitly granted consent via the cookie banner. Without consent, the script does not run. We additionally honor your browser's “Do Not Track” (DNT) header: if DNT is active we do not load Vercel Analytics, even if you have granted consent.

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via the “Cookie Settings” link in the footer.

10. Hosting and processors

We use the following processors. We have a Data Processing Agreement (DPA) under Art. 28 GDPR in place with each.

11. Third-country transfers

Where personal data is transferred to recipients outside the EU/EEA (in particular the USA for Vercel, Clerk, and Anthropic), the transfer takes place on the basis of the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914), unless the relevant provider is already covered by an adequacy decision (e.g., the EU-US Data Privacy Framework). We apply additional technical and organizational measures with each provider to ensure an appropriate level of protection.

12. Your rights

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (“right to be forgotten”, Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing based on legitimate interests (Art. 21 GDPR)
• Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

For access, rectification, and erasure requests, please contact contact@nombrio.com. We respond to requests within the statutory one-month deadline (Art. 12(3) GDPR). Within the application, you can also export your data or delete your account at any time under “Settings”.

13. Competent supervisory authority

The supervisory authority responsible for sydacos GmbH (registered in Schleswig-Holstein, Germany) is:

You also have the right to lodge a complaint with the supervisory authority of your habitual residence or place of work.

14. Cookies

For details on every cookie we set (necessary and analytics), see our Cookie Policy.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements or in our service. The current version always applies on your next visit. For material changes, we will notify signed-in users by email in advance.