Privacy policy

Last updated: May 2026

This Privacy Policy describes how Naykora collects, uses, shares, and protects your personal data when you use naykora.ai and the Naykora service. We are committed to respecting your privacy and complying with the European General Data Protection Regulation (GDPR - EU 2016/679).

1. Data controller

Naykora, a European company, is the data controller within the meaning of the GDPR.

Dedicated contact for data protection matters: contact@naykora.ai

Naykora is not currently required to appoint a Data Protection Officer (DPO) given the current scale of processing, but reassesses this obligation at each growth milestone.

Note: Naykora is a monitoring and alerting service supplemental to your security protections (antivirus, firewall, backups). Naykora is not an antivirus and does not act as active protection. This policy describes the technical data collected for monitoring and alerting purposes.

2. Data collected and legal bases

We collect the following categories of data:

• Account data (first name, last name, email, date of birth, language) - Legal basis: contract performance (art. 6.1.b GDPR).
• Authentication data: one-time codes sent by email, magic links, session tokens, and identifiers linked to the third-party provider when you sign in with Google (OAuth). If you enable two-factor authentication (TOTP), an encrypted secret is stored on our servers. Two-factor authentication is mandatory for administrators - Legal basis: contract performance and legal security obligation (art. 6.1.b and 6.1.c GDPR).
• Payment data (Stripe customer token, billing history, subscription status) - Legal basis: contract performance and applicable accounting obligation.
• Referral data (unique code, referrer/referral relationships, IBAN/BIC for payouts, earnings history) - Legal basis: contract performance and AML obligations.
• Technical monitoring data (collected by the Naykora Dragon Shield application): hostname, operating system, version, model, manufacturer, serial number, patch status, system health alerts, antivirus status, available updates, and installed software inventory. The installed software list is hidden by default in your dashboard; you choose when to reveal it. We DO NOT ACCESS files, emails, documents, photos, browsing history, or personal content - Legal basis: contract performance.
• Communication data (messages exchanged via the built-in messaging, notifications) - Legal basis: contract performance.
• Connection and usage data (IP address, user-agent, pages visited, dashboard actions, currency preference) - Legal basis: legitimate interest (security, fraud prevention, Service improvement).
• Essential cookies (session, preferences) - Legal basis: strictly necessary for operation.

3. Processing purposes

Your data is used to:

1. Provide the Service: monitor device health, generate alerts, manage your subscription.
2. Manage billing: automatic charges, invoice issuance, recovery.
3. Operate the referral program: track referrals, monthly earnings calculation, commission payouts, fraud prevention.
4. Communicate with you: security alerts, transactional emails, support replies, product notifications.
5. Ensure security: intrusion attempt detection, brute-force prevention, access auditing.
6. Comply with legal obligations: accounting retention, anti-fraud, response to judicial requests.
7. Improve the Service: aggregated and anonymized analytics to understand usage and identify improvements.

4. Subprocessors and recipients

To provide the Service, Naykora relies on the following subprocessors. Each has signed a Data Processing Agreement (DPA) or equivalent contractual commitment:

• Supabase (USA with EU instances): database, authentication, storage. Data: account, referral, monitoring, communications. Transfer governed by EU Standard Contractual Clauses (SCCs).
• Stripe (Ireland / USA): payment processing, billing, and automatic VAT calculation. Data: name, email, customer ID, transactions, IBAN where applicable, country of residence. Transfer governed by SCCs.
• SuperOps (USA): underlying RMM (Remote Monitoring and Management) infrastructure powering the Naykora Dragon Shield application, white-label. Data: device technical metrics, alerts, software inventory. Transfer governed by SCCs.
• Resend (USA): transactional email delivery (confirmation, alerts, invoices). Data: email, transactional content.
• Vercel (USA): website and API hosting, plus anonymous audience measurement and technical page performance (Vercel Analytics and Speed Insights). Data: server logs, technical IP addresses, anonymized page identifiers, load metrics. No third-party cookie is placed. Transfer governed by SCCs.
• Sentry (USA): technical error monitoring on the server and browser side, used exclusively for quality and security. Data: technical error trace, request context (URL, device type), user identifier when relevant. Filters discard errors coming from third-party browser extensions. Transfer governed by SCCs.
• Upstash (Ireland / USA): rate-limiting for security. Anonymized technical data.
• ipapi.co and frankfurter.dev: IP geolocation and exchange rates for price display. No personal data stored.

We never sell your data to third parties for advertising or commercial purposes. No marketing access is granted to our subprocessors. The up-to-date list of our subprocessors can be requested at any time at contact@naykora.ai.

5. International data transfers

Some subprocessors are located outside the European Economic Area, mainly in the United States. These transfers are governed by:

• EU Standard Contractual Clauses (SCCs), 2021 version.
• EU-US Data Privacy Framework (DPF) for certified subprocessors (Stripe, Vercel are eligible).
• Additional technical measures: end-to-end encryption, access controls, administrative access logging.

The up-to-date list of our subprocessors and their location can be requested at any time at contact@naykora.ai.

6. Data security

Naykora implements technical and organizational measures appropriate to the risk, in line with industry standards and GDPR obligations. To preserve the effectiveness of these measures, we do not publicly disclose the exact configurations, versions, or specific products used internally.

Our general commitments:

• Encryption of data in transit and at rest.
• Strong authentication with strict session management.
• Data isolation: each user can only access their own information, including at the database level.
• Protection against brute-force attacks and automated abuse on sensitive routes.
• Integrity verification on communications with our providers (payment, authentication, monitoring).
• Strict browser-side security headers to limit attack vectors (clickjacking, injection, etc.).
• Administrative access limited to a small circle, audited and logged.
• Continuous monitoring of dependencies and rapid application of security patches.
• Mandatory code reviews and regular security testing before each deployment.

Are you an auditor, a security professional, or a customer wishing a more detailed technical write-up? Contact us at contact@naykora.ai and we will provide a technical document under a confidentiality agreement.

7. Data retention

We retain your data only as long as necessary for the purposes for which it is collected:

• Account data: for the duration of the subscription and 30 days after account deletion.
• Accounting and tax data (invoices, Stripe history): according to applicable legal obligations (typically 10 years in most EU countries).
• Monitoring data (devices, alerts): 90 days after the event, then automatically purged.
• Messaging data: retained for the duration of the subscription, user-side archive available once a conversation is resolved, admin deletion on request.
• Referral data (earnings, IBAN, payouts): applicable statutory duration (accounting and AML obligations, typically 10 years).
• Connection logs: 12 months for security purposes, anonymized beyond.

After these periods, data is irreversibly deleted or anonymized.

8. Your rights

You have the following rights under the GDPR:

• Right of access: obtain a copy of your data.
• Right to rectification: correct inaccurate or incomplete data.
• Right to erasure (right to be forgotten): request deletion of your data, subject to legal retention obligations.
• Right to portability: receive your data in a structured, machine-readable format (JSON), or transfer it to another provider.
• Right to object: object to processing based on legitimate interest.
• Right to restriction: freeze processing while a dispute is being verified.
• Right to withdraw consent: withdraw a specific consent at any time, without retroactive effect.
• Right to define post-mortem directives on the fate of your data.
• Right not to be subject to an automated decision: Naykora does not perform profiling with significant legal effects.

To exercise these rights, write to contact@naykora.ai. We respond within one month (extendable to three months for complex requests, with prior notice).

You also have the right to lodge a complaint with the supervisory authority in your EU country of residence:

• France: CNIL - cnil.fr
• Portugal: CNPD - cnpd.pt
• Belgium: APD - autoriteprotectiondonnees.be
• Other EU countries: national data protection authority.

9. Cookies and local storage

Naykora uses a minimal number of cookies, all strictly necessary:

• Authentication cookie: maintains the logged-in session. Duration: based on Supabase Auth rules, typically 7 days with automatic refresh.
• Currency preference cookie (CHF/EUR): remembers user choice. Duration: 1 year.
• Locale cookie (FR/EN/PT): remembers language. Duration: 1 year.

No advertising tracking cookie, third-party analytics, or social network cookie is used. We do not have a cookie consent banner because no non-essential cookies are placed.

Some preferences are also stored in browser localStorage (theme, UI state). This data is not transmitted to our servers.

10. Minors

Naykora is a family-oriented service. Only adults (18+) may create an account. Monitoring may cover devices used by minors within the household, under the responsibility of the parents or legal guardians who hold the account. We do not collect any personal data directly from children. If you believe a minor has transmitted data to us without parental consent, write to contact@naykora.ai for immediate deletion.

11. Data breach notification

In case of a personal data breach likely to result in a high risk to your rights and freedoms, we commit to:

• Notify the competent supervisory authority within 72 hours of becoming aware.
• Inform you as soon as possible by email with a clear description of the nature of the breach, the data concerned, the likely consequences, and the measures taken or recommended.

An internal incident registry is maintained and regularly audited.

12. Automated decisions and profiling

Naykora does not make fully automated decisions producing legal or significant effects on you. Monitoring alerts are generated by deterministic technical rules (e.g., critical security patches pending) and do not constitute profiling within the meaning of Article 22 of the GDPR. Referral fraud prevention relies on automatic detection rules. However, any account suspension is subject to a prior human review, and you have a right of appeal at any time.

13. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or new subprocessor changes. Any substantial modification will be notified to you by email at least 30 days before its entry into force. The last update date is indicated at the top of this page. The previous version may be obtained on request.

14. Contact

For any question, request to exercise rights, or report:

Dedicated email: contact@naykora.ai
Recommended subject: "Personal data - your request"
Postal address: available on request to contact@naykora.ai.

We acknowledge any request within 7 days and respond on the substance within one month.