Privacy Policy

Last Updated: November 8, 2025

This Privacy Policy explains how NYLE Technologies collects, uses, shares, and protects information when you use our platform.

Key points:

• We collect only what's needed to provide the service

• You own your data

• We protect your data with encryption

• We don't sell your information

For service terms, acceptable use rules, and pricing, see our Terms of Service.

1. Who We Are

NYLE Technologies is a U.S. company governed by the State of Maryland. We provide a cybersecurity self-assessment platform for FedRAMP compliance.

2. Information We Collect

Account Information:

• Name

• Email address

• Password 

• Company name

• Company size

• Title/Role

Project Data:

• System name

• Multiple-choice questionnaire responses

• Optional comments you add

• Optional URLs/links you provide

Community Thread Data:

• Posts and comments you publish

Usage and Technical Information:

• IP address

• Browser type

• Pages visited

• Time and date of access

Payment Information:

• Processed and stored by Stripe (PCI Level 1 compliant)

• We don't store complete credit card information

Miscellaneous:

• Voluntary user feedback

• User data shared via our contact form and support requests

3. How We Use Your Information

We use your information to:

• Provide the NYLE service and generate gap analysis reports

• Process payments

• Provide customer support

• Improve our platform

• Protect against unauthorized access and fraud

• Comply with legal obligations

• Enforce our Terms of Service

4. How We Share Your Information

We do not sell your personal information.

We share information only with:

Service Providers (Subprocessors)

Bubble.io - Application hosting

• Access: Customer data, account information, usage data, community thread posts

• Location: United States

• Security: SOC 2 Type II certified

• Bubble's subprocessors: https://bubble.io/subprocessors (includes AWS, Google Cloud, SendGrid, Stripe)

https://bubble.io/subprocessors 

Stripe - Payment processing

• Access: Payment and billing information

• Location: United States

• Security: PCI Level 1 compliant, SOC 2 Type II, ISO 27001

• Note: Stripe directly collects and stores payment card data

https://stripe.com/jp/legal/preview/service-providers 

Tally - Customer feedback and support request forms

• Access: Contact form submissions (name, email, feedback, support requests)

• Location: European Union

• Security: GDPR

https://tally.so/help/gdpr 

Google Workspace - Customer correspondence and support

• Access: Email communications, support correspondence

• Location: United States

• Security: SOC 2, SOC 3, ISO 27001

https://workspace.google.com/terms/subprocessors-20230316/ 

Third-Party Contractors - Service delivery as needed

• Access: Minimum data necessary for specific tasks only

• Requirements: All sign NDAs, least-privilege access, just-in-time provisioning, automatic access expiration

New Subprocessors:
We'll notify you via email, our website, or NYLE console as our list of subprocessors change.

Other Sharing

When Required by Law

We may disclose your information when necessary to comply with laws or regulations, respond to valid legal processes (like subpoenas or court orders), protect our rights or safety, or prevent fraud or security issues.

Acquisition

If NYLE is involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring company. We'll notify you before your information becomes subject to a different privacy policy.

Community Thread Visibility

Content you post in the community thread is visible to all other NYLE users. Don't post confidential or sensitive information in the community.

5. How We Protect Your Data

Encryption:

• Data in transit: TLS 1.2 (HTTPS)

• Data at rest: AES-256

Access Controls:

• Least-privilege access

• Role-based access controls

• Need-to-know basis

• Just-in-time access for contractors

• Automatic access expiration

Data Isolation:

• Your data is logically isolated from other customers

• Each project is segregated within your account

Security Incidents: If a security incident occurs, we'll notify you within 72 hours via email and provide details about the incident and our response.

6. Data Retention

While active: We keep your data to provide the service and comply with legal obligations

After account closure: You have 24 hours to download data, then we delete it per our retention schedule

Information spills: Contact us immediately for backend deletion and take the appropriate steps to delete the data from NYLE’s console.

7. Your Rights

You can:

• Access your data

• Download your data from the console

• Correct inaccurate information

• Delete your account and data

• Object to certain data processing

• Request data portability

To exercise these rights: Contact us or use console features.

8. Additional Details

Cookies: We use cookies to keep you logged in, remember preferences, and analyze platform usage. Control cookies through your browser settings.

International Transfers: NYLE operates in the United States. Your data is stored on cloud servers in the U.S. If you access NYLE from outside the U.S., your information will be transferred to and processed in the United States.

Changes: We may update this Privacy Policy and will notify you via email or console notice. Continued use means you accept changes.

9. Data Processing Addendum 

This section applies when you use NYLE to process personal data and need to comply with data protection regulations.

Our Roles

You (Data Controller): You determine what personal data is processed and why.
NYLE (Data Processor): We process data only as necessary to provide the service.

Our Commitments

We will:

• Process your data only to provide the NYLE service

• Not use your data for our own purposes or sell it

• Maintain the security measures described in Section 5

• Use only the subprocessors listed in Section 4

• Provide advanced notice before adding new subprocessors

• Assist you with data subject requests

• Notify you of security incidents 

• Delete or return your data upon request

• Provide information about our security practices upon request

Your Responsibilities

You're responsible for:

• Complying with applicable data protection laws as the Controller

• Responding to data subject requests (we provide the data, you handle the response)

• Determining whether to notify regulators or individuals about security incidents

• Ensuring you have legal basis to transfer data to us

Term and Termination

This policy remains in effect while we process your data. Upon termination, you have 24 hours to download your data, after which we delete it from active systems within 30 days.