Privacy Policy
How we collect, use, share and protect personal data in Nodary, written to the GDPR in plain language.
1. Who is responsible
This policy explains how AnkleBreaker Consulting (SAS, RCS Versailles 912 705 860, 34 rue du Président Wilson, 78230 Le Pecq, France) processes personal data in connection with Nodary, in accordance with Regulation (EU) 2016/679 (“GDPR”) and the French Data Protection Act.
For your account and billing data, AnkleBreaker is the data controller. For the content you place inside a workspace (documents, diagrams, files, comments and the personal data they may contain), AnkleBreaker acts as a data processor on behalf of the workspace owner, who is the controller of that content. The processor relationship is governed by our Data Processing Addendum.
2. What data we process
We process the following categories of personal data:
- Account data: name, email, password hash, avatar, optional profile fields, two-factor settings, preferences.
- Workspace data: workspace and team membership, roles, invitations.
- Content: the documents, diagrams, files and comments you create or upload (processed on the controller’s behalf).
- Billing data: plan, seat count, subscription status, and payment metadata. Card details are handled directly by Stripe; we never store full card numbers.
- AI usage: the prompts you send to the assistant, minimal response metadata, and usage counters, retained for security, abuse-prevention, billing and workspace administration.
- Technical data: sign-in events, session and device information, IP address, and security logs.
3. Why we process it, and our legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service | Performance of a contract (6(1)(b)) |
| Authentication, security and abuse prevention | Legitimate interests (6(1)(f)) and legal obligation |
| Billing, taxes and accounting | Contract and legal obligation (6(1)(b), 6(1)(c)) |
| Service emails (verification, reset, notices) | Contract (6(1)(b)) |
| Improving and maintaining the Service | Legitimate interests (6(1)(f)) |
| Optional marketing emails, where offered | Consent (6(1)(a)), withdrawable at any time |
We do not sell personal data, and we do not use Your Content to train foundation models or for advertising.
4. AI features
When you use the AI assistant, the relevant prompt and context are sent to our model provider (Amazon Web Services, via Amazon Bedrock) to generate a response, and are processed under a data-processing agreement that prohibits using your data to train their models. We retain prompts and minimal metadata to operate, secure and bill the feature, and to let workspace owners administer AI usage within their team.
5. Who we share data with (sub-processors)
We share data only with vetted service providers acting on our instructions under a data-processing agreement:
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, database, file storage | EU / US |
| Amazon Bedrock (AWS) | AI model inference | US |
| Amazon SES (AWS) | Transactional email | EU |
| Stripe | Payments and subscription billing | EU / US |
We may also disclose data where required by law, to enforce our terms, or to protect the rights and safety of users; and, in the event of a merger or acquisition, to the successor entity under equivalent protections.
6. International transfers
Some providers process data outside the European Economic Area. Where they do, transfers are protected by appropriate safeguards under the GDPR, in particular the European Commission’s Standard Contractual Clauses and additional technical measures such as encryption in transit and at rest.
7. How long we keep data
- Account & content: for as long as your account is active. After deletion, we remove or anonymise it, subject to backup cycles (typically up to 30 days).
- Billing records: retained for the period required by French accounting and tax law (generally 10 years).
- Security & AI logs: retained for a limited period proportionate to security and abuse-prevention needs.
8. How we protect data
We apply technical and organisational measures including encryption in transit and at rest, hashed passwords, scoped access controls, session and token revocation, rate limiting, and audit logging. More detail is on our Security page. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you and the relevant authority of any breach as required by law.
9. Your rights
Subject to applicable law, you have the right to access, rectify, erase and port your personal data, to restrict or object to processing, and to withdraw consent at any time without affecting prior processing.
To exercise these rights, write to francois@anklebreaker-studio.com. If your data is held within a workspace you do not own, we will forward your request to the workspace owner (the controller). You also have the right to lodge a complaint with the French data protection authority, the CNIL.
11. Children
Nodary is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
12. Changes to this policy
We may update this policy as the Service evolves. Material changes will be notified by email or in-app, and the “last updated” date above will change. Continuing to use the Service after the effective date constitutes acceptance of the updated policy.