Privacy Policy
Effective date: April 26, 2026
nohow.ai ("we", "our", "us") respects your privacy. This policy explains what data we collect, how we use it, and your rights.
1. What We Collect
When you contact us or purchase a license, we may collect:
- Name and email address
- Company name
- Payment information (processed by our payment provider — we do not store card details)
When you visit nohow.ai, we may collect anonymized analytics data (page views, referrer, country) using privacy-friendly analytics.
2. Your Documents & Data
We never see, access, or store your documents. nohow.ai deploys entirely within your own AWS account. All documents, conversations, and configuration data remain in your infrastructure under your control. We have zero access to your AWS resources.
Data controller / processor. Because the deployed software runs in your AWS account on your infrastructure, you are the sole controller and processor of any personal data your bot processes (visitor questions, lead-capture form submissions, uploaded documents). nohow.ai is the licensor of the software only; we are not a data processor with respect to your end-users' data and do not require a Data Processing Agreement (DPA) to be signed with us for that data. If your customers' end-users have GDPR or equivalent data-rights requests, those are directed to you.
2a. License-validation telemetry from your deployed stack
While we have no access to your customer data, the deployed software does communicate with our central license API for two narrow purposes:
- License validation — every ~12 hours, your stack sends your license key to license.nohow.ai to fetch a refreshed feature token. We log: license key, source IP, timestamp, the resulting feature set, and the refresh outcome (success/failure). This is the bare minimum needed to enforce tier feature gates and detect unauthorized license sharing.
- Aggregate telemetry — periodic counters of chat volume per tier (no prompts, no replies, no user identifiers). Used to detect license abuse (e.g., a Lite-tier customer hitting Max-tier traffic patterns). Can be disabled on request for enterprise tiers; contact us if this is a concern.
What we explicitly do not receive: the contents of any chat message, document, lead-capture form, knowledge base file, or admin configuration. The validation and telemetry payloads carry no end-user data.
3. How We Use Your Data
- To process your license purchase and provide support
- To send essential product updates (you can opt out anytime)
- To improve our website and product based on anonymized usage patterns
4. Data Sharing
We do not sell, rent, or share your personal data with third parties. We may share data with:
- Payment processors (to complete transactions)
- Email service providers (to send transactional emails)
5. Cookies
Our website uses only essential cookies required for basic functionality. We do not use tracking cookies or third-party advertising cookies.
6. Your Rights
You have the right to access, correct, or delete your personal data at any time. Contact us at [email protected] to exercise these rights.
Right to erasure (GDPR Article 17). When you request deletion, we run a single internal command (/api/admin/forget) that wipes, in one transaction:
- Your license row in our central license database (ai-license-keys on AWS DynamoDB)
- Every aggregate-telemetry event tied to your license key (nohow-telemetry-events)
- All Cloudflare KV records for your purchase (license issuance, deploy callback, session lookups)
The CloudFormation stack and any data inside it remain in your AWS account — we have no way to reach into your AWS to delete those. You delete them by deleting the stack from CloudFormation. We process erasure requests within 7 business days from the email at checkout, after a brief identity check.
7. Data Retention
We retain your contact information for as long as your license is active, plus 12 months. You can request deletion at any time. Telemetry events are auto-expired by DynamoDB TTL after 90 days regardless of any erasure request.
8. Security
We use HTTPS encryption for all communications. Payment data is handled by PCI-compliant processors. We never store sensitive credentials.
9. Changes
We may update this policy from time to time. Material changes will be communicated via email.
10. Contact
For privacy-related inquiries, contact us at [email protected].