Privacy Policy

Last updated: March 31, 2026

1. Introduction

This Privacy Policy explains how GuusLab, trading as Nemi ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our file sharing platform at nemilab.com (the "Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection legislation. We process your personal data lawfully, fairly, and transparently.

2. Data Controller

The data controller responsible for your personal data is:

GuusLab (trading as Nemi)
Emmaweg 46, 3603 AM Maarssen, Utrecht, The Netherlands
KVK: 95954600
BTW: NL005184094B33
Email: privacy@nemilab.com

If you have questions about data processing or wish to exercise your rights, please contact us using the details above.

3. What Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

Name and email address (provided via Google OAuth).
Profile picture (from your Google account).
Account creation date and authentication tokens.

3.2 Billing Data

Subscription status and plan type.
Payment information is processed directly by Stripe and is never stored on our servers. We only store your Stripe customer ID and subscription ID.

3.3 Usage Data

Files you upload (stored in encrypted form).
File metadata: name, size, type, upload date, expiry date.
Download analytics: number of downloads, download timestamps.
Workspace information.

3.4 Technical Data

IP address (for security and abuse prevention).
Browser type and version.
Device information.
Cookies and similar technologies (see Section 8).

3.5 Communication Data

Email address for transactional and marketing emails.
Email interaction data (opens, clicks) for improving our communications.
Your email preferences and unsubscribe choices.

4. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

Purpose	Legal Basis
Providing the Service	Performance of contract (Art. 6(1)(b) GDPR)
Processing payments	Performance of contract (Art. 6(1)(b) GDPR)
Sending transactional emails	Performance of contract (Art. 6(1)(b) GDPR)
Sending marketing emails	Legitimate interest (Art. 6(1)(f) GDPR)
Security & abuse prevention	Legitimate interest (Art. 6(1)(f) GDPR)
Analytics & service improvement	Legitimate interest (Art. 6(1)(f) GDPR)
Legal obligations	Legal obligation (Art. 6(1)(c) GDPR)

Where we rely on legitimate interest, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You can request details of these assessments by contacting us.

5. How We Use Your Data

We use your personal data to:

Provide, maintain, and improve the Service.
Process your file uploads, conversions, and compressions.
Manage your account and subscriptions.
Process payments through Stripe.
Send transactional emails (account confirmations, download notifications, billing receipts).
Send marketing communications about new features and offers (with easy opt-out).
Monitor for abuse, fraud, and security threats.
Enforce our Terms of Service.
Comply with legal obligations.

6. Data Sharing & Third Parties

We share your personal data only with the following categories of third parties, and only to the extent necessary:

6.1 Service Providers (Data Processors)

Provider	Purpose	Data Location
Google (OAuth)	Authentication	EU/US (Standard Contractual Clauses)
Stripe	Payment processing	EU/US (Standard Contractual Clauses)
Wasabi	Encrypted file storage	EU (Amsterdam)
AWS SES	Email delivery	EU (Standard Contractual Clauses)

6.2 International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision.

6.3 Legal Disclosure

We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Nemi, our users, or the public.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account data: Retained for the duration of your account. Deleted within 30 days after account deletion.
Files (free plan): Automatically deleted 30 days after upload.
Files (paid plans): Retained while your subscription is active. Deleted within 30 days after subscription cancellation and plan downgrade.
Billing data: Retained for as long as required by tax and accounting regulations (typically 7 years).
Server logs: Retained for up to 90 days for security and debugging purposes.

8. Cookies & Similar Technologies

We use the following cookies and similar technologies:

Cookie	Type	Purpose
Session cookie	Strictly necessary	Authentication and session management
CSRF token	Strictly necessary	Security — prevents cross-site request forgery
Referral cookie	Functional	Tracks referral codes for our referral program

We do not use third-party tracking cookies or advertising cookies. Our cookies are limited to those strictly necessary for the functioning of the Service and functional cookies that improve your experience.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15): You can request a copy of all personal data we hold about you.
Right to rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten").
Right to restrict processing (Art. 18): You can request that we limit how we process your data.
Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): You can object to processing based on legitimate interest, including marketing.
Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at privacy@nemilab.com. We will respond within 30 days as required by law. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

10. Email Communications

We send the following types of emails:

Transactional emails: Account confirmations, download notifications, billing receipts, and security alerts. These are necessary for the Service and cannot be opted out of.
Marketing emails: Product updates, new features, and promotional offers. You can unsubscribe at any time using the link in every email or through your email preferences.

All marketing emails comply with GDPR requirements and include a clear unsubscribe mechanism. We honor all unsubscribe requests promptly.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Client-side encryption of uploaded files before they leave your device.
Encrypted data transmission using TLS/HTTPS.
Secure storage infrastructure with access controls.
Regular security reviews and updates.
Limited employee access to personal data on a need-to-know basis.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Articles 33 and 34.

12. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will notify you by email or by posting a prominent notice on the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

GuusLab (trading as Nemi)
Emmaweg 46, 3603 AM Maarssen, Utrecht, The Netherlands
KVK: 95954600
BTW: NL005184094B33
Email: privacy@nemilab.com

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.