Privacy Policy

Last updated: March 24, 2026

This Privacy Policy describes how personal information is collected, used, and shared when you use the Nopi website at nopi.me (the "Site"), the Nopi Chrome extension (the "Extension"), the Nopi web dashboard at app.nopi.me (the "Dashboard"), and the review portal (collectively, the "Service").

1. Information We Collect

Account information

When you register for an account we collect your email address and password. If you subscribe to a paid plan we also collect billing information through our payment processor, Stripe. We do not store your credit card details directly.

Extension data

The Nopi Chrome extension collects the following data when you create a feedback pin:

  • Page URL — the URL of the page where the pin is placed.
  • Screenshot — a screenshot of the visible browser tab, captured at the moment you create a pin.
  • Pin position and DOM selector — coordinates and an element reference so the pin can be displayed in the correct location.
  • Viewport metadata — browser name, viewport width and height, device pixel ratio, and user agent string, so your team can reproduce the issue in the same environment.
  • Description — the text you write to describe the issue.

The Extension stores your authentication session locally via chrome.storage.local so you stay signed in across browser restarts. It also stores your analytics consent preference and a "show/hide pins" toggle. If you consent to analytics, the extension records a single install event labeled as source: store. No data is collected when you are simply browsing — data is only captured when you actively create a pin.

Review portal (guest) data

Guests who receive a review link can leave feedback without creating an account. They may optionally provide a display name and email address. The same pin data listed above (URL, screenshot, position, viewport metadata, description) is collected when a guest creates a pin.

Device and usage information

When you visit the Site, we automatically collect standard device information such as your browser type, IP address, and time zone. We use this for security (rate limiting) and to improve the Service.

2. How We Use Your Information

  • Provide, operate, and maintain the Service, including displaying pins, screenshots, and task details to your team.
  • Process subscriptions and billing through Stripe.
  • Communicate with you about your account, support requests, and product updates.
  • Enforce usage limits and prevent abuse (rate limiting by IP address).
  • Improve the Service based on aggregated, anonymised usage patterns (only with your analytics consent).

3. Legal Bases for Processing

Where required by applicable law, we process personal data under one or more of the following legal bases:

  • Performance of a contract — to provide the Service you request (for example, account access, task and feedback workflows, and billing operations).
  • Legitimate interests — to secure, maintain, and improve the Service (for example, abuse prevention, reliability monitoring, and product improvements).
  • Consent — for optional analytics and marketing cookies/technologies that are not strictly necessary.
  • Legal obligations — where we must retain or disclose data to comply with applicable law, lawful requests, or enforcement obligations.

4. Data Sharing

We do not sell or rent your personal data. We share data only with the following categories of service providers, solely to operate the Service:

  • Supabase — database hosting and authentication.
  • Stripe — payment processing.
  • Vercel — hosting for the Site and Dashboard.
  • PostHog — product analytics (only when you have consented to analytics; see below).
  • Google Analytics — marketing site analytics (only when you have consented; see below).

5. Cookies and Analytics

We use cookies and similar technologies only where we have your consent or where strictly necessary for the Service to function.

Tools we use:

  • Google Tag Manager and Google Analytics — to measure how visitors use our marketing site (e.g. which pages and links are used). We use Google's Consent Mode so that analytics and advertising cookies are only set if you accept optional cookies.
  • PostHog — to understand how you use our product (e.g. Dashboard and Extension usage) when you have accepted analytics.

You can accept or reject optional cookies (analytics and marketing) when you first visit, or at any time via the Cookie preferences link in the footer or in the Extension/Dashboard settings. Withdrawal of consent will stop future optional tracking; existing browser cookies/storage may persist until deleted through your browser settings.

We do not use analytics or marketing tools to track you without your consent.

6. International Data Transfers

Our service providers may process data in countries other than your own. Where required, we apply appropriate safeguards for cross-border transfers, such as contractual protections (including standard contractual clauses where applicable), and we assess transfer risks on a service-by-service basis.

7. Data Retention

We retain personal data only for as long as needed for the purposes described in this policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

  • Account profile and workspace data — retained while your account is active.
  • Task and feedback content (including screenshots, pins, comments, and metadata) — retained until deleted by your workspace or account deletion is processed.
  • Review access cookies/tokens — password-based review access tokens expire after up to 7 days unless revoked earlier.
  • Consent preferences — retained in local/browser storage until changed or cleared by you.
  • Billing and transaction records — retained as needed for accounting, tax, and legal compliance.

If you delete your account, we will delete or de-identify your personal data within 30 days, except where retention is required by law or for legitimate security/compliance purposes.

8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Object to or restrict certain processing.
  • Export your data in a portable format.

To exercise any of these rights, contact us at hello@nopi.me and include the request type, account email, and relevant scope details (workspace/project/time range where possible). We may request information needed to verify your identity and authority before fulfilling a request. We respond within the timelines required by applicable law, and where an extension is permitted we will notify you accordingly.

Where permitted by law, authorized agents may submit requests on your behalf, subject to proof of authorization and identity verification requirements.

Where local law provides additional rights (for example, specific rights for California residents or other regional laws), we will honor those rights as required.

9. Regional Rights Addendum

EEA/UK: You may have rights including access, correction, erasure, portability, restriction, objection, and complaint to your local supervisory authority.

US state privacy laws: Depending on your state, you may have rights to know, access, delete, correct, opt out of certain processing, and appeal refusal decisions. Where required, we provide non-discriminatory treatment for exercising privacy rights.

Other jurisdictions: We will apply rights and disclosure obligations required by applicable local law based on your residency and context of processing.

10. Children and Minors

The Service is intended for business and professional use and is not directed to children. We do not knowingly collect personal data from children where prohibited by law. If you believe a child has provided personal data to us, contact us and we will investigate and take appropriate action.

11. Security

We implement industry-standard security measures including encrypted connections (HTTPS), hashed and salted passwords, HMAC-signed session tokens, and scoped API access. While no method of transmission over the internet is 100% secure, we take reasonable steps to protect your data.

12. Incident and Breach Communications

If we confirm a personal-data incident affecting customer data, we will provide notifications without undue delay as required by applicable law and contractual obligations. Notifications will include, to the extent known at the time, incident scope, likely impact, mitigation actions taken, and recommended next steps where relevant.

13. Changes

We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will notify registered users of material changes by email or via the Dashboard.

14. Contact Us

For questions about this Privacy Policy, or to exercise your data rights, please contact us at hello@nopi.me.

Related legal documents: Terms of Service, Data Processing Addendum, Subprocessors, Cookie Notice, and Legal Center.