Privacy Policy

Effective Date: January 15, 2025

This Privacy Policy ("Policy") describes how Nowah Labs, Inc., a Delaware corporation ("Nowah," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use our website (nowah.xyz), mobile applications, and related services (collectively, the "Services"). This Policy is incorporated into and subject to our Terms of Service.

BY USING THE SERVICES, YOU CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED IN THIS POLICY. If you do not agree, please discontinue use of the Services immediately.

Data We Collect How We Use It Who We Share With International Transfers Data Retention Your Rights Children's Privacy Security

1. Information We Collect

We collect personal information through various means, including directly from you, automatically through your use of the Services, and from third parties. The categories of information we collect include:

Category	Examples	Source
Identity Data	Name, username, date of birth, government ID (for verification)	You provide directly
Contact Data	Email address, phone number, mailing address	You provide directly
Financial Data	Payment card details, billing address, transaction history	You provide / Payment processors
Travel Data	Passport info, frequent flyer numbers, travel preferences, booking history, itineraries	You provide / Travel Providers
Technical Data	IP address, device ID, browser type, OS, app version, crash logs	Collected automatically
Usage Data	Features used, search queries, clicks, session duration, navigation paths	Collected automatically
Location Data	GPS coordinates, city/region (derived from IP), airport proximity	Device sensors / IP geolocation
Communication Data	Chat messages with AI, support tickets, emails, feedback	You provide directly
Marketing Data	Preferences, opt-ins, campaign interactions, referral sources	You provide / Third parties

Sensitive Data: We do not intentionally collect sensitive personal information (racial/ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data) unless you voluntarily provide it (e.g., dietary restrictions for travel). We process such data only with your explicit consent.

2. How We Use Your Information

We process your personal information for the following purposes and legal bases:

Service Delivery (Contractual Necessity)

Create and manage your account
Process travel searches and bookings
Facilitate payments and refunds
Send booking confirmations, itineraries, and travel alerts
Provide customer support

Legitimate Interests

Improve and optimize the Services through analytics
Develop new features and products
Personalize your experience with AI-powered recommendations
Detect, prevent, and address fraud, abuse, and security issues
Enforce our Terms of Service
Conduct research and analysis

With Your Consent

Send marketing communications and promotional offers
Share data with advertising partners for targeted ads
Process sensitive personal information
Use precise location data

Legal Compliance

Comply with applicable laws and regulations
Respond to legal process and government requests
Protect our rights, property, and safety
Meet tax, accounting, and reporting obligations

AI Processing: Your conversations with Nowah's AI assistant are processed by third-party AI providers to generate responses. These conversations may be used to improve our AI systems. You can request deletion of your conversation history at any time.

3. Information Sharing & Disclosure

We do not sell your personal information. However, we may share your information with the following categories of recipients:

Travel Providers

Airlines, hotels, car rental companies, and other travel service providers to fulfill your bookings. These providers operate under their own privacy policies.

Service Providers

Third-party vendors who process data on our behalf:

Clerk — Authentication & identityProcessor

Stripe — Payment processingController

Duffel — Travel booking APIController

OpenAI — AI conversation processingProcessor

Google Analytics — Website analyticsController

Amplitude — Product analyticsProcessor

Mixpanel — User behavior analyticsProcessor

RevenueCat — Subscription managementProcessor

Sentry — Error monitoringProcessor

AWS — Cloud infrastructureProcessor

Resend — Transactional emailProcessor

Expo / Firebase — Push notificationsProcessor

Business Transfers

In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity.

Legal Requirements

When required by law, subpoena, court order, or government request; to protect our rights, property, or safety; or to investigate fraud or security issues.

With Your Consent

For any other purpose disclosed at the time of collection or with your explicit consent.

Third-Party Disclaimer: Nowah is not responsible for the privacy practices of Travel Providers or other third parties. Their collection and use of your information is governed by their own privacy policies, which we encourage you to review.

4. International Data Transfers

Nowah is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from your jurisdiction.

For EEA/UK Users: When we transfer personal data outside the European Economic Area or United Kingdom, we rely on:

Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules where applicable
Adequacy decisions (for transfers to countries deemed adequate)
Your explicit consent where other mechanisms are unavailable

By using the Services, you consent to the transfer of your information to the United States and other jurisdictions. Nowah does not guarantee that all third-party recipients maintain equivalent data protection standards.

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including:

Account Data: For the duration of your account, plus 3 years after deletion
Booking Records: 7 years (for legal and tax compliance)
Payment Records: 7 years (legal requirement)
Support Communications: 3 years after resolution
Analytics Data: 26 months (then aggregated/anonymized)
Marketing Data: Until you withdraw consent or unsubscribe

We may retain anonymized or aggregated data indefinitely for research, analytics, and business purposes. Upon account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law or for legitimate business purposes.

6. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

All Users

Access: Request a copy of your personal data
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data (subject to legal exceptions)
Opt-Out: Unsubscribe from marketing communications

EEA/UK Users (GDPR)

Portability: Receive your data in a structured, machine-readable format
Restriction: Request restriction of processing in certain circumstances
Objection: Object to processing based on legitimate interests
Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
Complaint: Lodge a complaint with your local supervisory authority

California Residents (CCPA/CPRA)

Right to Know: Request disclosure of data collected, sources, purposes, and third parties
Right to Delete: Request deletion of personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out: Opt out of "sale" or "sharing" of personal information
Right to Limit: Limit use of sensitive personal information
Non-Discrimination: Not be discriminated against for exercising rights

Notice of Financial Incentive: We may offer loyalty rewards, discounts, or other benefits in exchange for providing personal information. The value of these incentives is reasonably related to the value of your data to us, calculated based on expenses related to data collection and program administration.

To Exercise Your Rights:

Email: [email protected]
In-App: Settings → Privacy → Data Requests
Authorized Agent: Submit proof of authorization

We will verify your identity before processing requests. Response time: 30 days (extendable to 45 days for complex requests).

7. Children's Privacy

The Services are not intended for children under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

If we discover that we have collected personal information from a child under 18 without parental consent, we will delete that information promptly. We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws.

8. Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Secure authentication through Clerk with optional multi-factor authentication
Regular security assessments and penetration testing
Access controls limiting data access to authorized personnel
Employee security training and confidentiality agreements
Incident response procedures for data breaches

No Guarantee: Despite our efforts, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information. You transmit data at your own risk.

9. Communications

We may send you the following types of communications:

Transactional: Booking confirmations, itinerary updates, account notifications (cannot opt out)
Service: Product updates, feature announcements, policy changes (cannot opt out)
Marketing: Promotions, deals, newsletters (opt out via email link or Settings)
Push Notifications: Manage via device settings or in-app preferences

10. Third-Party Links & Services

The Services may contain links to third-party websites, apps, or services. We are not responsible for the privacy practices of these third parties. This Policy does not apply to information collected by third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.

11. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry consensus on how to respond to DNT signals. Nowah does not currently respond to DNT signals. For information on our tracking practices, see our Cookie Policy.

12. Changes to This Policy

We may update this Policy from time to time. Changes will be effective upon posting with an updated "Effective Date." We may notify you of material changes via email or in-app notification, but it is your responsibility to review this Policy periodically.

Your continued use of the Services after any modifications constitutes acceptance of the revised Policy.

13. Contact Us

For questions, concerns, or to exercise your privacy rights:

Privacy Team: [email protected]

Data Protection Officer: [email protected]

Mailing Address:

Nowah Labs, Inc.

Attn: Privacy Team

8 The Green, Suite R

Dover, DE 19901

United States

EEA Representative: For inquiries from the European Economic Area, contact our representative at [email protected]

BY USING THE NOWAH SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.