Privacy Policy
Last updated: 19 May 2026
nlit ("we", "us", "our") is a translation management platform. This Privacy Policy explains what personal data we collect when you use nlit, how we use it, and your rights over it.
1. What we collect
- Account data — Email address and a hashed password — those are the only two fields required to create an account. You can optionally add a first and last name from the setup-profile page; both default to empty if you skip them. We never store passwords in plain text.
- Workspace content — Projects, translation keys, translation values, modules, and any other content you create inside the platform.
- Usage data — Pages visited and features used, collected in aggregate to understand how the product is being used and to fix bugs. We do not build individual behavioural profiles.
- Payment data — Billing address and payment method are handled directly by Stripe. We store only a Stripe customer ID — we never see or store raw card numbers.
- Support communications — Any emails or messages you send us.
2. How we use your data
- To create and operate your account and provide the nlit service.
- To send transactional emails: sign-up confirmation, password reset, subscription receipts, and important service notices.
- To calculate billing, enforce plan limits, and process payments via Stripe.
- To improve the product through aggregated, anonymised usage analysis.
- To respond to support requests.
We do not use your content to train AI models and we do not use your data for advertising.
3. Third parties we share data with
We use a small set of trusted sub-processors to operate nlit. The headline categories are listed below; the full list (purpose, data shared, location, and transfer mechanism for each) is on our sub-processors page.
- AI translation — Anthropic (Claude API). Your source strings are sent for processing; Anthropic does not use API-submitted data to train their models. See anthropic.com/legal/privacy.
- Payments — Stripe. Stripe handles all card data under PCI DSS compliance — we never see or store card numbers. See stripe.com/privacy.
- Hosting & database — Fly.io (EU region) hosts our API; Neon (Frankfurt) hosts our PostgreSQL database; Cloudflare R2 stores context images.
- Operational tooling — Resend (email delivery), Vercel (frontend hosting), Sentry (error tracking), Axiom (server log aggregation).
- Identity providers — Google and Microsoft, only when you choose to sign in via OAuth — we receive your email, name, and provider account ID from them.
We do not sell your data to any third party, and we do not share it with anyone outside the list maintained on the sub-processors page. We commit to giving customers at least 30 days' notice before adding or replacing a sub-processor.
4. Data retention
Retention periods for workspace content depend on your plan:
| Plan | Translation history | Audit log |
|---|---|---|
| Free | Not visible | Not available |
| Starter | 90 days | 30 days |
| Pro | Unlimited | Unlimited |
| Team | Unlimited | Unlimited |
When you delete your account we delete your personal data within 30 days. Workspace content shared with other organisation members may be retained until the organisation is deleted or all members have left.
5. Your rights
If you are in the European Economic Area or the United Kingdom you have the following rights under GDPR / UK GDPR:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate data.
- Deletion — ask us to delete your personal data (“right to be forgotten”). You can also self-serve full account deletion from Settings; we will then purge your personal data within 30 days as set out in §4.
- Portability — receive your data in a machine-readable format.
- Objection — object to certain types of processing.
- Withdraw consent — where processing relies on your consent, withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint with your supervisory authority. In Sweden that is the Integritetsskyddsmyndigheten (IMY) — imy.se/en.
How to exercise these rights. Email support@nlit.app from the address on your account. For access and portability requests we will compile a copy of your personal data — profile, organisation memberships, audit-log entries you authored, the workspace content you own, and your billing history — and return it to you in a machine-readable format (JSON / CSV) within 30 days, free of charge for a first request in any 12-month period. Manifestly unfounded or repeated requests may incur a reasonable fee or be refused, as permitted by GDPR Art. 12(5).
6. Cookies
nlit uses only the cookies it needs to operate the service — an auth session cookie, an OAuth CSRF cookie, and Stripe's payment cookies when you make a purchase. We do not set advertising cookies, behavioural-tracking cookies, or third-party analytics cookies that profile you individually. Our aggregated, anonymised page-view metrics come from Vercel Analytics, which is cookie-less by default.
The full list — name, purpose, lifetime, attributes — lives on our dedicated cookies page.
7. Children
nlit is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. Note that our Terms of Service additionally require all users to be at least 18 (or the age of majority in your country, if higher) so they have legal capacity to enter into the contract — the 16-year threshold here reflects EU/UK data-protection rules rather than the right to use the service. If you believe we have inadvertently collected data from someone under 16, contact us and we will delete it promptly.
8. Changes to this policy
We will notify you by email or in-app notice before making material changes to this policy. The "last updated" date at the top of this page reflects the most recent revision.
9. Contact
Questions about this policy or a Data Processing Agreement (DPA) for your organisation: support@nlit.app.
Also see our Terms of Service.