Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Nivo ("Company," "we," "us," or "our"), the operator of Nivo, an AI-powered code migration service accessible at https://nivo.run (the "Service"), collects, uses, discloses, and otherwise processes your personal information when you access or use the Service. Nivo is a company incorporated and operating in India.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Service immediately.

This Policy is designed to comply with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and other applicable data protection laws.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, name (optional), and authentication provider identifier. If you choose to authenticate via a third-party OAuth provider (e.g., GitHub, Google), we receive limited profile information as permitted by the provider and your authorization scope. Authentication is managed through Supabase Auth.

2.2 Payment Information

Payment processing is handled exclusively by Razorpay, a third-party payment processor regulated by the Reserve Bank of India. We do not collect, store, or have access to your credit card numbers, debit card numbers, bank account details, or other payment credentials. We retain only the transaction identifier, subscription plan type, billing status, and payment timestamp as necessary for maintaining your account and complying with financial record-keeping obligations.

2.3 Migration Metadata

We collect and store metadata associated with each migration you perform, including the migration type (e.g., "Next.js 14 to Next.js 15"), file count, timestamp of initiation and completion, processing status, and any error messages generated during the process. We do not store the content of your source code or the migrated output after processing is complete.

2.4 Source Code (Transient Processing)

When you initiate a migration, your source code is uploaded to the Service and processed in memory and/or temporary storage for the sole purpose of performing the requested code transformation. During processing, your source code is transmitted to Anthropic, our AI provider, via their API for AI-assisted transformation. Your source code is deleted from our systems upon completion of the migration or within twenty-four (24) hours of upload, whichever occurs sooner. We do not retain, archive, or create persistent copies of your source code or migrated output.

2.5 Usage Data

We collect information about how you interact with the Service, including pages visited, features used, and associated timestamps. This data is derived from server-side logs and is not collected through client-side tracking scripts or third-party analytics services.

2.6 Device and Connection Information

Our servers automatically record certain information transmitted by your browser or device, including your Internet Protocol (IP) address, browser type and version, operating system, referring URL, and the date and time of each request. This information is collected through standard server logs.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery and maintenance: To provide, operate, and maintain the core functionality of the Service, including user authentication, migration processing, and account management.
• Migration processing: To perform the code migrations you request, including transmitting source code to our AI provider for transformation.
• Payment and subscription management: To process payments, manage subscription plans, issue receipts, and maintain billing records.
• Communication: To send you transactional communications related to your account, including migration status notifications, payment confirmations, and security alerts.
• Service improvement: To analyse aggregated usage patterns and migration metadata to improve the performance, reliability, and feature set of the Service.
• Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Third-Party Service Providers

We engage the following third-party service providers to operate the Service. Each provider receives only the data necessary to perform its designated function:

5. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

Upon account deletion, we will erase or anonymise your personal data within thirty (30) days, except where retention is required by law or necessary for the establishment, exercise, or defence of legal claims.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption in transit: All data transmitted between your browser and the Service is encrypted using HTTPS (TLS 1.2 or higher).
• Database access controls: Supabase Row Level Security (RLS) policies enforce that authenticated users can access only their own data.
• Secrets management: API keys, database credentials, and other sensitive configuration values are stored as encrypted environment variables and are not committed to source control.
• Ephemeral code processing: Source code is not persistently stored. Processing occurs in transient memory and/or temporary storage that is purged upon completion.
• Authentication controls: Access to user data and Service functionality is restricted to properly authenticated users via Supabase Auth with secure session management.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may delete your account and all associated personal data through the Service settings, or by contacting us at the address below.
• Right to data portability: You may request an export of your personal data in a structured, commonly used, and machine-readable format.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint: You may lodge a complaint with the relevant supervisory authority in your jurisdiction.

7.1 For Users in India

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the right to access your personal data, correct inaccurate data, request erasure of your data, and nominate another individual to exercise your rights in the event of your death or incapacity. You also have the right to seek grievance redressal through the Grievance Officer designated in Section 13 of this Policy, and, if unsatisfied, to file a complaint with the Data Protection Board of India.

7.2 For Users in the EU/EEA

Under the General Data Protection Regulation (GDPR), you have additional rights including the right to restrict processing, the right to object to processing based on legitimate interests, and the right not to be subject to automated decision-making. The legal bases for our processing include performance of a contract (providing the Service), legitimate interests (improving the Service, fraud prevention), and compliance with legal obligations. You may exercise your rights by contacting us at the address provided in Section 12, or by lodging a complaint with your local data protection authority.

8. International Data Transfers

The Service is operated from India, but your personal information may be processed in multiple jurisdictions depending on the infrastructure of our third-party service providers, including India, the United States, and the European Union.

Vercel's global edge network may process server-side requests in the geographic region closest to you. Supabase and Anthropic process data in the United States. Razorpay processes payment data primarily within India.

Where personal data is transferred outside your country of residence, we ensure that appropriate safeguards are in place, including reliance on standard contractual clauses approved by the European Commission, adequacy decisions, or service provider compliance certifications (such as SOC 2 Type II), as applicable.

9. Children's Privacy

The Service is not directed at, and is not intended for use by, individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take reasonable steps to delete such data promptly. If you believe that a child has provided us with personal information, please contact us at the address provided in Section 12.

10. Cookies and Similar Technologies

The Service uses cookies solely for essential functionality:

• Authentication session cookies: Managed by Supabase Auth, these cookies maintain your authenticated session while using the Service. They are strictly necessary for the Service to function and cannot be disabled.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not engage in cross-site tracking or behavioural profiling. Should we introduce analytics or non-essential cookies in the future, we will update this Policy and implement appropriate consent mechanisms in accordance with applicable law.

11. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will notify you by email (to the address associated with your account) or by displaying a prominent notice within the Service prior to the change becoming effective.

The "Effective date" at the top of this Policy indicates the date of the most recent revision. Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the revised terms. If you do not agree with the revised Policy, you must discontinue use of the Service.

12. Contact Information

If you have questions, concerns, or requests relating to this Policy or our data practices, please contact us at:

We endeavour to respond to all legitimate requests within thirty (30) days. In certain circumstances, we may require additional time, in which case we will notify you of the extension and the reasons for the delay.

13. Grievance Officer

In accordance with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000, we have designated the following Grievance Officer to address any concerns or grievances regarding your personal data:

The Grievance Officer shall acknowledge receipt of your complaint within forty-eight (48) hours and shall resolve the grievance within one (1) month from the date of receipt. If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India established under the DPDP Act, or, for EU/EEA residents, to the competent supervisory authority.