Noma

Privacy Policy

Last updated: April 13, 2026

This Privacy Policy describes how the business operating the "Noma" website and hosted platform (the "Company", we, us, or our; for our current legal name and registered address, contact [email protected]) collects, uses, discloses, and protects personal information in connection with:

  • The public website at https://nomacms.com (the Site);
  • The hosted platform, APIs, and related services at https://app.nomacms.com (the Platform); and
  • Communications with us (for example, support or sales inquiries).

If you do not agree with this policy, please do not use the Site or Platform. Our Terms of Service govern use of the Services.

1. Data controller and contact

We are established in Türkiye. Under Turkish Law No. 6698 on the Protection of Personal Data (KVKK), we act as the data controller when we determine the purposes and means of processing personal data in connection with the Site and Platform, except where we process personal data only on your instructions as a processor (for example, certain Customer Content you control).

For the purposes of the EU/UK General Data Protection Regulation (GDPR), we are typically the controller of personal data described in this policy when we decide why and how that data is processed in connection with the Site and Platform.

Legal entity and registered address: Contact [email protected] for the legal name and postal address of the controller where required for your request.

Legal and privacy (including data rights requests): [email protected]
Product and account support: [email protected]

2. Personal information we collect

The categories below depend on how you interact with us. Your rights under KVKK, GDPR, and other applicable laws are described in Section 9. The next sentence is included for residents of U.S. states with comprehensive privacy laws (for example, California): we do not sell your personal information, and we do not share it for cross-context behavioral advertising, in each case as those terms are defined in the California Consumer Privacy Act (CPRA), as amended. We do not sell personal information to data brokers. If you are not located in the United States, this U.S. disclosure is provided for transparency and does not replace KVKK, GDPR, or other rules that apply to you.

2.1 Information you provide

  • Account and profile: name, email address, password (stored using one-way hashing where applicable), organization name, and similar identifiers you provide when registering on the Platform.
  • Billing: when you subscribe, our payment partner (for example, Lemon Squeezy) collects payment details and billing address. We receive limited transaction metadata (such as subscription status and customer identifiers) needed to provide access.
  • Communications: content of emails, support tickets, or forms you send us, including optional phone numbers or other details you choose to include.
  • Newsletter or marketing preferences: email address and any preferences you submit through the Site.

2.2 Information collected automatically

  • Usage and device data: IP address, approximate location derived from IP, browser type, device identifiers, pages viewed, referring URLs, timestamps, and similar diagnostics when you use the Site or Platform.
  • API and product telemetry: request metadata, error logs, and security signals needed to operate, secure, and improve the Platform.
  • Cookies and similar technologies: see Section 5.

2.3 Customer Content and end-user data

When you use the Platform, you may upload or configure Customer Content (structured content, assets, webhooks, authentication settings, etc.). Customer Content may include personal information about your end users or employees. In those cases, you are typically the controller of that personal information and we process it as a processor or service provider on your instructions, as described in our agreement with you (our Terms of Service and any order or checkout terms) and any data processing addendum we provide when required.

2.4 Information from third parties

If you sign in with a third-party identity provider (for example, Google or GitHub), we receive basic profile information according to your privacy settings with that provider.

3. How we use personal information

We use personal information to:

  • Provide, maintain, secure, and improve the Site and Platform;
  • Create and manage accounts, authenticate users, and process subscriptions;
  • Provide customer support and respond to inquiries;
  • Send service-related notices, security alerts, and administrative messages;
  • Send marketing communications where permitted (you can opt out using the unsubscribe link or by contacting us);
  • Detect, investigate, and prevent fraud, abuse, and security incidents;
  • Comply with legal obligations and enforce our terms;
  • Develop and improve products, including measuring engagement (see analytics in Section 5);
  • Operate AI-assisted features, including generating logs needed for safety, debugging, and quality (as described in product documentation and your plan terms).

3.1 Legal bases (EEA, UK, and Switzerland)

Where GDPR or similar laws apply, we rely on:

  • Contract — processing necessary to provide the Services you request;
  • Legitimate interests — for example, securing the Services, improving reliability, and understanding aggregate usage, balanced against your rights;
  • Consent — where required for certain cookies, marketing, or optional features;
  • Legal obligation — where we must comply with law or respond to lawful requests.

4. How we share personal information

We may share personal information with:

  • Service providers and subprocessors who assist us with hosting, infrastructure, logging, monitoring, email delivery, customer support tooling, security, analytics (Google Analytics when enabled), payment processing (Lemon Squeezy), fraud prevention, and AI inference providers that power product features.
  • Professional advisors (lawyers, accountants) under confidentiality obligations.
  • Authorities when required by law, legal process, or to protect rights, safety, and security.
  • Corporate transactions — in connection with a merger, financing, or sale of assets, subject to appropriate safeguards.

We require subprocessors to protect personal information appropriately and to use it only for the purposes we authorize.

5. Cookies and analytics

We and our partners may use cookies, local storage, and similar technologies to operate the Site (for example, session and security cookies) and to understand how visitors use the Site.

When NEXT_PUBLIC_GA_TRACKING_ID is configured, this Site may use Google Analytics to collect usage statistics. Google's privacy information is available at policies.google.com/privacy. You can control cookies through your browser settings.

6. International transfers

We may process and store information in the United States and other countries where we or our providers operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards such as the EU Standard Contractual Clauses or equivalent mechanisms, unless another valid transfer tool applies.

7. Retention

We retain personal information for as long as necessary to provide the Services, comply with law, resolve disputes, and enforce agreements. Retention periods vary: for example, account data is kept while your account is active and for a reasonable period afterward; security logs may be kept for a shorter or longer period depending on operational needs. Customer Content retention is governed by your use of the Platform (for example, when you delete projects or request deletion).

8. Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, or alteration. No method of transmission over the Internet is completely secure; we cannot guarantee absolute security.

9. Your privacy rights

9.1 Türkiye (KVKK)

If you are in Türkiye or your personal data is processed under Turkish law, you have rights under KVKK (including Article 11), which may include the right to learn whether your personal data is processed, request information, learn the purpose of processing and whether it is used for that purpose, know third parties to whom data is transferred in Türkiye or abroad, request correction of incomplete or inaccurate data, request deletion or destruction of data in certain cases, object to outcomes against you that arise solely from automated processing, request compensation for unlawful processing, and lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu). To exercise these rights, contact [email protected]. We may need to verify your request.

9.2 EEA, UK, and Switzerland

Depending on your location, you may have the right to access, rectify, erase, restrict, or object to certain processing, and to data portability. You may withdraw consent where processing is consent-based. You may lodge a complaint with a supervisory authority. To exercise rights, contact [email protected]. We may need to verify your request.

9.3 United States — state privacy laws

Residents of certain U.S. states may have rights to access, delete, or correct personal information, and to opt out of certain processing (such as "sale" or "sharing" as defined under laws such as the California CPRA). Because we do not sell personal information or share it for cross-context behavioral advertising as described in Section 2, many opt-out rights may not apply to our current practices. To submit a request, email [email protected]. We will not discriminate against you for exercising privacy rights where prohibited by law.

9.4 Authorized agents

Where applicable law allows, you may designate an authorized agent to make a request on your behalf. We may require proof of authorization and verify your identity directly.

10. Children

The Services are not directed to children under 13 (or the age required by local law), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to delete it.

11. AI processing

When you use AI features, we and our AI vendors may process prompts, context, and outputs to provide the feature, maintain safety, troubleshoot, and improve quality. Do not submit sensitive categories of data (for example, health information or government identifiers) unless you have a lawful basis and our product is appropriate for that use. AI providers may process data according to their policies as subprocessors.

12. Automated decision-making

We do not use personal information to make solely automated decisions that produce legal or similarly significant effects about you in the sense of GDPR Article 22. Product automation (for example, rate limits or abuse detection) may affect access to the Services but is not intended to replace human judgment for significant individual decisions.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on the Site and update the "Last updated" date. For material changes, we will provide additional notice as appropriate.

14. Contact

Questions about this Privacy Policy or exercising your privacy rights: [email protected]. For billing, access, or technical help with the Platform, contact [email protected].