Privacy Policy

1. Introduction

Nomacore is operated by Vimerk. This policy describes what data we process when you use the Nomacore API and what we do with it. We operate by data minimization: we keep what we need to bill and run the service, nothing more.

2. What we collect

2.1 Account information

When we issue you an API key we record an email address (which you gave us) and a SHA-256 hash of the key. The plaintext key is shown to you exactly once at issuance and is never stored on our side.

2.2 API usage

For each authenticated request we record:

• The key prefix that made the request (not the full key)
• A monthly counter of credits consumed against your quota
• The most recent timestamp the key was used

We do not store the names you submit for prediction. They are processed in memory and discarded when the response is returned. There is no name database, no log of submitted inputs, and no way for us to enumerate "who has predicted what."

2.3 Operational logs

Our server emits structured request logs to systemd-journald with HTTP status, latency, request bytes, and the requester's IP address (so we can diagnose outages and abuse). These logs rotate and are not exported to any external system.

3. How we use the data

• Authenticate API requests against issued keys
• Enforce monthly credit quotas
• Diagnose technical issues and detect abuse
• Comply with legal obligations

4. Data retention

Account information (email, key hash, monthly usage row) is retained while your key is active and for 12 months after revocation for audit purposes. Operational logs are retained for the configured journald rotation window (currently 30 days). You can request deletion of your account data at any time by contacting us.

5. Data security

• All traffic is served over HTTPS (TLS 1.2+).
• API keys are stored as SHA-256 hashes; the plaintext is never persisted.
• The application database is replicated continuously to encrypted off-site storage so an outage doesn't lose your account.
• The server runs under a strict systemd sandbox that limits filesystem and network access to what the service actually needs.

6. Third-party processors

Today we use a single third-party processor:

• Backblaze B2 — encrypted off-site backup of the application database (account email + key hashes + usage counters). Names submitted for prediction are not in this database.

If we add payment processing or transactional email in the future, we'll update this section before turning those features on.

7. Your rights

Depending on your location you may have the right to:

• Access the data we hold about you
• Request correction or deletion of that data
• Object to processing or request data portability

Email privacy@nomacore.com and we'll respond within 30 days.

8. Cookies

We don't use cookies. The Nomacore API is a stateless, key-authenticated HTTP service; there is no session or login.

9. Children

Our service is not intended for individuals under the age of 18. We do not knowingly accept account requests from children.

10. Changes

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions: privacy@nomacore.com
General contact: contact@nomacore.com