Summary
nolyo is a hosted storage service for AI agents. We hold the minimum needed to run your account: an email, a hashed password, your collections and documents, billing records if you upgrade, and short-lived operational logs. We do not sell your data, we do not run analytics or advertising trackers, and we do not read your documents.
Who we are
This service is operated by Abdulbaki Zırıh, acting as an individual data controller for the purposes of the GDPR and equivalent laws. You can reach the operator at legal@nolyo.net for any privacy question, including the rights described below.
What we collect
Account data
- Email address — to identify your account, sign you in, send transactional email, and contact you about the service.
- Password — stored only as a bcrypt hash. We never see or store the cleartext.
- Email verification status — a timestamp marking when you confirmed your email.
Your content
Anything you store through the web UI or the MCP API: collections, documents (arbitrary JSON), JSON schemas, and the names and descriptions you give them. We treat this content as confidential. It is yours; you can read it, export it, and delete it at any time.
API keys and OAuth
When you create an API key, we store a SHA-256 hash of it plus a short,
non-secret prefix (e.g. nly_a1b2c3d4) so you can recognise
the key in the UI. The raw key is shown to you once at creation and
never stored. OAuth access tokens issued to client apps are hashed the
same way.
Subscription and billing
If you upgrade to a paid plan, payment is processed by Lemon Squeezy, who acts as the merchant of record. Lemon Squeezy collects the payment information directly — we never see your full card number. We store the subscription identifier, plan name, status, and renewal/expiry dates returned by Lemon Squeezy so we can bill you correctly and unlock paid features. See Lemon Squeezy's privacy policy.
Email delivery
Transactional email (verification, password reset, billing receipts) is sent through Twilio SendGrid. They process the recipient address and message content on our behalf as a data processor.
Operational data
- Audit log — every state-changing action you take through the UI or MCP is logged (actor, action, target, timestamp). Used for your own activity view and for abuse investigations.
- Session cookie — a single signed cookie named
nolyo_sessionkeeps you logged in. See the Cookie Policy for details. - Server access logs — short-lived records of request method, path, response status, and (when present) IP address, kept for operational debugging and to detect abuse.
Why we use it (lawful basis)
- Performance of a contract — running your account, storing your content, billing you for the plan you chose. (GDPR Art. 6(1)(b))
- Legitimate interest — keeping audit and access logs to detect abuse and protect the service. (Art. 6(1)(f))
- Legal obligation — keeping minimum billing records as required by tax and accounting rules. (Art. 6(1)(c))
- Consent — for anything beyond the above. We do not currently rely on consent for any processing; if that changes we will ask first.
Who we share it with
The third parties below act as data processors. They only receive what they need to do their job and may not use your data for their own purposes.
- Hetzner Online GmbH (Germany) — hosts the servers and the database. Your content lives on Hetzner infrastructure in the EU.
- Lemon Squeezy (United States) — payment processing and subscription management.
- Twilio SendGrid (United States) — transactional email delivery.
Transfers to the United States rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses, as applicable. We do not sell, rent, or trade personal data with anyone.
How long we keep it
- Account data — as long as your account exists, plus a short wind-down period (up to 30 days) so you can recover an accidentally-cancelled account.
- Your documents — kept indefinitely on paid plans. On the free plan, documents older than 30 days are auto-deleted (this is part of the plan, not a privacy decision).
- Audit log — up to 12 months, then summarised or removed.
- Server access logs — up to 30 days.
- Billing records — kept for the period required by tax law (typically up to 10 years), even after account deletion.
Your rights
Under GDPR and equivalent laws you can, free of charge:
- Access the personal data we hold about you.
- Correct data that is wrong (email, password — directly in the UI).
- Delete your account, which cascades to your collections and documents. Email legal@nolyo.net until self-serve deletion lands in the UI.
- Export a copy of your content. Paid plans include CSV/JSON export; on the free plan you can pull everything via the MCP API.
- Object to processing based on legitimate interest, or restrict processing while a dispute is open.
- Lodge a complaint with your local data-protection authority if you think we have mishandled your data.
We respond to rights requests within 30 days. You can use any working email address to identify yourself; we may ask one follow-up question to confirm you are the account holder.
Security
Traffic to nolyo is served over HTTPS. Passwords are hashed with bcrypt; API keys and OAuth tokens are stored as SHA-256 hashes only. The database is bound to the loopback interface in production and not exposed to the public internet. Backups are encrypted at rest. Despite these controls, no system is perfect — if you believe you have found a security issue, please email legal@nolyo.net before disclosing publicly.
Children
nolyo is not intended for use by children under 16. We do not knowingly collect data from anyone under that age; if you believe a child has signed up, contact us and we will remove the account.
International users
nolyo can be used from anywhere. Your content is stored on servers in the European Union (Germany). If you are outside the EU, you acknowledge that your data will be transferred to and processed in the EU under EU data-protection law.
Changes to this policy
We will update this page when our practices change and bump the "Last updated" date at the top. Material changes will be announced by email at least 14 days in advance so you have time to react.
Contact
Questions, complaints, or rights requests: legal@nolyo.net.