Privacy Policy

Last updated: 2026-04-23

1. Who we are

Nessy operates meetnessy.com and is the controller of personal information collected through this site. Contact us at privacy@meetnessy.com with any privacy questions.

2. What we collect

When you join the waitlist, we collect:

• Email address — so we can verify it's yours and contact you about Nessy.
• Username — so we can identify you on the waitlist and, later, on the platform.
• Referral code (optional) — if you signed up through someone else's link, we record who referred you.
• Email verification codes — stored as a bcrypt hash (never in plaintext) and expired 15 minutes after we send them.
• IP address — used transiently to prevent abuse (rate limiting). We do not build profiles from it.
• Standard server logs — request metadata retained by our hosting provider.

We do not use tracking cookies, analytics pixels, or advertising tags at waitlist stage. The only cookies we set are strictly necessary for the site to function.

3. Why we process it (legal basis under GDPR)

• Consent — for sending you updates about Nessy's launch. You can withdraw consent at any time.
• Legitimate interest — preventing abuse, fraud, and duplicate signups (rate limiting, verification).
• Contractual necessity — operating the waitlist you signed up for.

4. Who we share it with

We use a small number of trusted service providers to operate Nessy. Each processes data only on our instructions:

• Supabase — database hosting. Data may be processed in the US and/or EU.
• Postmark — transactional email delivery (US).
• Vercel — application hosting (US).
• Upstash — Redis-backed rate limiting that stores request identifiers and IPs transiently (US).

We do not sell or "share" personal information as those terms are defined under the CCPA/CPRA. We have no advertising partners.

5. International transfers

When personal data is transferred outside the European Economic Area or the UK, we rely on Standard Contractual Clauses (SCCs) with our processors to ensure adequate protection.

6. How long we keep it

Waitlist data is retained until Nessy launches (at which point it's used to create your account, if you choose) or until you request deletion — whichever comes first. Verification codes expire automatically and are invalidated once used. Rate-limit records are kept only as long as needed to prevent abuse.

7. Your rights

If you're in the EEA or UK (GDPR): you can request access, rectification, erasure, restriction, portability, or object to processing. You can withdraw consent at any time without affecting prior processing. You have the right to lodge a complaint with your local data-protection supervisory authority.

If you're a California resident (CCPA/CPRA): you have the right to know what we've collected, to delete it, to correct it, and to opt out of sale or sharing. We do not sell or share personal information. You won't be discriminated against for exercising these rights.

To exercise any right, email privacy@meetnessy.com. We'll verify your identity using the email address on file and respond within the timeframes required by applicable law.

8. Children

Nessy is not intended for anyone under 18, and we do not knowingly collect personal information from minors. If you believe a minor has signed up, email privacy@meetnessy.com and we'll remove the record.

9. Security

Verification codes are bcrypt-hashed before they're stored — the plaintext code exists only for the minutes it takes to deliver and verify. All traffic to the site uses TLS. Database access is restricted to service credentials, and rate limiting protects against brute-force and abuse.

10. Changes to this policy

We may update this policy. For material changes, we'll email verified waitlist members. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

Privacy questions or requests: privacy@meetnessy.com.