Nomi — Privacy Policy

Last updated: 14 May 2026 Effective date: 14 May 2026

Matias Fineschi - ABN 29 158 152 158 trading as Nomi Labs ("Nomi", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, hold, disclose and protect personal information when you use the Nomi service (the "Service"), which connects people for introductions over WhatsApp based on shared interests and goals.

This Policy is issued in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Spam Act 2003 (Cth). Where relevant, we also align our practices with the EU General Data Protection Regulation (GDPR) for users in the EEA.

1. Who this Policy applies to

This Policy applies to anyone who:

• creates a Nomi account or onboards via WhatsApp;
• is introduced to another Nomi user through the Service;
• visits our website, marketing pages, or contacts our support team.

You must be at least 18 years old to use the Service. We do not knowingly collect personal information from anyone under 18.

2. Personal information we collect

We collect only the personal information reasonably necessary to operate the Service.

2.1 Information you provide directly

• Account identifiers: your WhatsApp phone number (mobile number in E.164 format), display name and, where available, your WhatsApp profile photo.
• Matching information: your stated interests, goals, professional background, location (city-level), and any free-text bio you write to help us recommend introductions.
• Account and billing information: your email address (if provided), password hash (for non-WhatsApp logins), subscription tier, and payment metadata (we do not store full card numbers — see section 3).
• Support correspondence: records of any communication with our support team.

2.2 Information generated by your use of the Service

• Conversation content exchanged through Nomi-facilitated introductions: message text, timestamps, sender/recipient identifiers, and any media you send through the introduction flow. We collect this to facilitate the introduction, prevent abuse, and improve matching quality. See section 4 for how long we retain this.
• Match and interaction data: introductions you accept, decline, mute, or report; ratings and feedback; meeting outcomes if you choose to share them.
• Device and technical data: IP address, device type, operating system, browser type, app version, language, and crash diagnostics.
• Usage data: pages and screens you view, features you use, and time-stamped events.

2.3 Information from third parties

• WhatsApp / Meta Platforms: when you authenticate via the WhatsApp Business API, we receive your phone number, display name and profile photo (where permissioned).
• Payment processor (Stripe): subscription status, last 4 digits of your card, expiry date, billing country, and transaction outcomes.
• Identity & abuse-prevention providers: if we suspect fraud or platform abuse, we may verify limited details against reputable third-party providers.

2.4 Sensitive information

We do not request sensitive information (as defined under APP 3.3 — including health, racial or ethnic origin, sexual orientation, religious beliefs, or trade union membership). Please do not share sensitive information in your bio, goals, or conversations through Nomi. If you do, you consent to its collection and handling under this Policy.

3. How we use your personal information

We use your personal information to:

1. Operate the Service — create your account, deliver introductions, route messages through WhatsApp, and maintain your match history.
2. Match you with relevant people — analyse interests, goals and prior interaction signals to suggest introductions. This includes automated matching algorithms; you can request human review of any match decision that materially affects you.
3. Communicate with you — service-related notices via WhatsApp, email or in-app messages.
4. Process payments — manage subscriptions, billing, renewals, refunds and tax invoices.
5. Maintain trust and safety — detect spam, harassment, impersonation, fraud and breaches of our Terms; investigate reports; enforce community guidelines.
6. Improve the Service — analytics, A/B testing, product research, and aggregate reporting (using de-identified or aggregated data where practical).
7. Comply with legal obligations — respond to lawful requests, court orders, regulatory inquiries, and tax/records obligations.
8. Marketing and lifecycle messaging — only with your consent and always with a one-tap opt-out, consistent with the Spam Act 2003 (Cth).

We will not use your personal information for any other purpose unless permitted by law or with your express consent.

4. How long we retain your information

A summary is provided here; full detail is in our Data Retention Policy.

When the retention period ends, we either delete the information or irreversibly de-identify it.

5. How we share your information

We do not sell your personal information.

We share your personal information only as follows:

• Other Nomi users: when you accept an introduction, the other party sees your display name, profile photo, city, bio summary and any context you allowed Nomi to share to facilitate the connection. Once introduced, the conversation continues on WhatsApp; messages thereafter are governed by WhatsApp's own terms.
• Service providers (data processors): we use carefully selected vendors to host infrastructure, process payments, send transactional messaging, deliver email, and run analytics. Each is bound by written contract requiring confidentiality, security and use limited to providing services to Nomi. Key providers include: Stripe (payments), Vercel and AWS (hosting), Meta / WhatsApp (messaging delivery), Sentry (error monitoring), and PostHog (product analytics).
• Legal and safety disclosures: to comply with subpoenas, court orders, or other legal obligations; to enforce our Terms; or where we reasonably believe disclosure is necessary to prevent harm, fraud, or illegal activity.
• Business transfers: if Nomi is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred to the relevant party, subject to the same protections in this Policy.

6. Cross-border data transfers

Nomi is operated from Australia. Some of our service providers store or process data overseas, including in the United States and the European Union. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs, including by using providers with appropriate certifications (e.g. ISO 27001, SOC 2) and contractual safeguards (Standard Contractual Clauses where relevant). By using the Service you consent to your information being processed in those jurisdictions.

7. Security

We use industry-standard administrative, technical and physical safeguards to protect your information, including:

• TLS 1.2+ encryption for data in transit;
• Encryption at rest for production databases and backups;
• Role-based access controls and audited admin access;
• Vulnerability scanning, dependency monitoring and regular penetration testing;
• Production data segregation and least-privilege engineering practices.

No system is perfectly secure. If a notifiable data breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

8. Your rights and choices

Under the APPs you have the right to:

• Access the personal information we hold about you;
• Correct any information that is inaccurate, out of date, incomplete or misleading;
• Withdraw consent for marketing communications at any time;
• Delete your account (see section 9);
• Complain about how we have handled your information (see section 11).

EEA / UK residents additionally have the right to data portability, restriction of processing, and to object to certain processing under GDPR / UK GDPR.

To exercise any of these rights, email [email protected]. We will respond within 30 days. We may need to verify your identity before acting on a request.

9. Deleting your account

You can delete your account at any time from the in-app settings or by emailing [email protected]. Once you confirm deletion:

• your profile is hidden immediately;
• personal information is deleted or de-identified within 30 days, except where retention is required by law (e.g. tax records) or to defend legal claims;
• conversation content already delivered to other users via WhatsApp remains on their devices and on WhatsApp's infrastructure, which Nomi does not control.

10. Cookies and similar technologies

Our website uses essential cookies (for authentication and security) and, with your consent, analytics cookies. You can manage your preferences via the cookie banner or your browser settings. The Service itself (delivered through WhatsApp) does not use cookies.

11. Complaints

If you believe we have breached the APPs or this Policy, please email [email protected] with the details. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the OAIC:

• Website: oaic.gov.au
• Phone: 1300 363 992

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you via WhatsApp, email or in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision.

13. Contact us

Nomi Labs Attn: Privacy Officer [Registered office address] Email: [email protected] General support: [email protected]