Legal

Privacy Policy

Effective 2026-05-11 | Last updated 2026-05-14

01Introduction

Nexaworks LLC d/b/a Nira Labs (operating as Niralabs) runs the marketing website at niralabs.ai and the Customer Intelligence service at app.niralabs.ai. Niralabs helps small businesses monitor reviews across Google, Yelp, TripAdvisor and other public platforms, draft replies in their brand voice, and surface what customers want fixed.

This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our website, sign up for an account, or use the service. By using Niralabs you agree to the practices described here.

02Information we collect

Information you give us

When you create an account or use Niralabs, we collect the email address you sign up with, your business name, your business location and contact information, payment information (handled by Stripe so we never store card numbers), the business URLs and handles you connect (Google Maps, Yelp, TripAdvisor, and similar public profiles), content you upload such as brand guidelines and knowledge base files, and any email correspondence you send to us.

Information from public sources

To run the service, Niralabs collects reviews, ratings, reviewer names where publicly displayed, and business metadata from public review platforms including Google Maps, Yelp, TripAdvisor, and similar public sources. This collection happens while your subscription is active and is scoped to the business locations you connect.

Information collected automatically

When you visit the website or use the service, we automatically collect technical information such as IP address, browser type and version, device identifiers, pages visited, timestamps, and referrer URLs. This data is gathered through standard server logs and Google Analytics 4.

03How we use information

We use the information described above for the following purposes:

  • Provide and operate the service, including ingesting reviews, generating reply drafts, and rendering your dashboard.
  • Send transactional emails such as welcome and onboarding messages, weekly briefs, negative review alerts, win notifications, billing receipts, and password resets.
  • Respond to support requests, questions, and feedback you send us.
  • Improve product features, fix bugs, and understand how customers use the service.
  • Prevent fraud, abuse, and other harmful activity, including bot protection on public forms.
  • Comply with legal obligations and enforce our terms.

04How we share information

We do not sell or share personal information for cross-context behavioral advertising.

We rely on a small set of trusted sub-processors to run the service. Each operates under a written agreement that limits what they may do with the information we send them. The current sub-processor list:

Stripe
Payment processing for monthly subscriptions. Stripe handles card data directly so we never store card numbers.
Railway
Cloud hosting, PostgreSQL database, and Redis cache infrastructure for the application.
Anthropic
Claude AI inference for generating review responses and analyzing sentiment and themes.
Apify
Review scraping from public platforms such as Google Maps, Yelp, and TripAdvisor.
DataForSEO
Google Maps search engine results data for the Google Visibility rank tracker.
Mapbox
Static map images rendered on the Visibility dashboard.
Google Workspace
Gmail SMTP delivery for transactional and lifecycle email.
OpenStreetMap Foundation
Address geocoding via the Nominatim service.
Cloudflare
Turnstile bot protection on the public snapshot form.
Google Analytics 4
Aggregate analytics for the marketing website.
Google
OAuth for reading and posting replies on connected Google Business Profile accounts.

We may also share information when required by law, in response to valid legal process, to protect the rights, property, or safety of Niralabs, our customers, or others, or in connection with a merger, acquisition, financing, or sale of business assets. In any such transaction the receiving party will be required to honor the commitments in this policy.

05Google API Services User Data Policy

Niralabs' use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Google data we access

When you connect your Google Business Profile account to Niralabs, we request a single OAuth scope: https://www.googleapis.com/auth/business.manage. This is the Google scope that grants permission to post reply messages to reviews on your Google Business Profile listings on your behalf.

How we use it

We use the business.manage scope exclusively to (1) enumerate the Business Profile locations associated with your Google account during onboarding, so you can pick which locations Niralabs should manage, and (2) post reply messages to reviews that you have authorized Niralabs to respond to, either via auto-reply rules you configure or by explicit one-click approval in our dashboard. We do not access business insights, manage business hours or contact information, modify your profile, or perform any action other than posting review replies.

How we store it

When you complete the Google OAuth flow, Google returns a refresh token to Niralabs. We encrypt that refresh token at rest using authenticated symmetric encryption (Fernet, which is AES-128-CBC with HMAC-SHA256) before persisting it to our database. We never log or transmit the plaintext token. We do not share the token with any third party.

Limited Use commitments

Niralabs commits to the following with respect to information received from Google APIs:

  • We do not use Google user data for advertising, including retargeting, personalized advertising, or interest-based advertising.
  • We do not sell Google user data.
  • We do not transfer Google user data to third parties except as necessary to provide and improve the user-facing features of the service, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users.
  • We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes such as investigating abuse, to comply with applicable law, or for internal operations only where the data has been aggregated and anonymized.

How you can revoke

You can disconnect Niralabs from your Google account at any time from the Settings page in the Niralabs application. Disconnecting calls Google's token revocation endpoint to invalidate the refresh token at Google and immediately deletes our local encrypted copy. You can also revoke access directly at myaccount.google.com/permissions.

06Cookies and analytics

We use Google Analytics 4 to understand how visitors find and use the marketing site. GA4 sets cookies in your browser to measure aggregate usage. You can opt out of GA4 tracking by installing the official browser add-on from Google at tools.google.com/dlpage/gaoptout.

We do not currently use a cookie consent banner. We will introduce one before any expansion that requires it under applicable law.

We honor Global Privacy Control (GPC) signals where technically feasible. If your browser sends a GPC signal, we treat it as a request to opt out of any sale or sharing of personal information for cross-context behavioral advertising, which we do not do in the first place.

07Data retention

We keep personal information only as long as we need it to run the service or to meet legal obligations. The general retention windows:

Reviews collected while your subscription is active
Duration of subscription
Reviews after cancellation
90 days, then purged or anonymized
Account and user data after cancellation
90 days, then hard-deleted
Billing records held by Stripe and by us
7 years (US tax compliance)
Server logs and email delivery logs
12 months

We retain a small subset of records beyond the 90 day window where required for billing, tax, fraud prevention, or legal recordkeeping. Historical review data is kept while your subscription is active so trend reports and year over year comparisons remain accurate.

08Security

We use encryption in transit (TLS) for every connection between your browser, the service, and our sub-processors. Sensitive fields such as Google Business Profile OAuth refresh tokens are encrypted at rest using authenticated symmetric encryption with a key held only on the application server.

Access to production systems is restricted to authorized personnel. We monitor application activity for suspicious behavior, and we rotate credentials and review access on a regular basis.

No system can be guaranteed perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security.

09Your privacy rights

US state privacy rights

If you live in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, or another US state with a comprehensive privacy law, you may have the right to access the personal information we hold about you, correct inaccuracies, delete that information, receive a portable copy, limit how we use it, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.

California residents. Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, you have the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of sale (we do not sell), the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights.

EU and UK visitors

Niralabs is operated from the United States. If you are in the European Union, the European Economic Area, or the United Kingdom, you may have rights under the GDPR or UK GDPR, including access, correction, deletion, restriction of processing, portability, and objection. Where processing is based on consent, you have the right to withdraw consent at any time. We will respond to verified requests consistent with applicable law.

How to exercise your rights

Email us at privacy@niralabs.ai from the address on file with your account, or write to us at the postal address in Section 14. We may need to verify your identity before acting on a request.

10Children's privacy

The service is intended for businesses and is not directed at individuals under 18. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, please contact privacy@niralabs.ai and we will delete it.

11International data transfers

Personal information we collect is processed and stored in the United States. By using the service, you understand that your information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country. Where required, we rely on appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses, to protect your information consistent with applicable law.

12Security incident notification

In the event of a security incident affecting your personal information, we will notify you without undue delay and consistent with applicable law. Notification will describe what we know about the incident, the categories of information involved, the steps we are taking, and what you can do to protect yourself.

13Changes to this policy

We may update this policy from time to time. When we do, we will post the revised policy on this page and update the "Last updated" date above. Material changes will be communicated by email or by in-product notice where feasible.

14Contact us

For privacy questions or to exercise any of the rights described above:

Email
privacy@niralabs.ai