Privacy policy.
Last updated: 2026-05-26.
This Privacy Policy explains what personal information Naym (naym.app, "we", "us", or "our") collects, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to anyone who visits the site, creates an account, or makes a purchase. This Policy is written to satisfy, at minimum, the substantive disclosure expectations of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Turkish KVKK (Law No. 6698), and the California Consumer Privacy Act (CCPA/CPRA).
If anything in this Policy is unclear, email hey@naym.app.
1. The controller
The data controller for the personal information described here is the operator of NAYM.APP (FORTY4TURES LLC). For data-protection enquiries, contact hey@naym.app.
2. What we collect
2.1 Information you give us directly
- Account data: email address and a salted password hash (we never see your plaintext password).
- Profile data (optional, during onboarding): a display name, the names of one or two parents, names of any existing siblings, and your gender preference for suggested names. You decide what to share; you can edit or remove any of it later from your account dashboard.
- Search and unlock activity: the names you search, the names you unlock, the compatibility reports generated for you, and any names you mark as favorites.
- Support communications: if you email us, we keep that correspondence.
2.2 Information collected automatically
- Session data: a single first-party session cookie keeps you logged in (cookie name naym_sess, expires after 30 days of inactivity).
- Theme preference: stored in your browser's localStorage — never sent to us.
- Anti-abuse data: when an anonymous visitor triggers AI name generation, we store a SHA-256 hash of the IP address (not the raw IP) together with the slug requested. This lets us cap free generations per visitor per 24 hours to prevent automated abuse of the underlying AI tokens. Hashed IP records older than 24 hours can be safely pruned and are not used for any other purpose.
- Server logs: our hosting provider records standard web-server logs (IP address, user agent, timestamp, requested URL, response status) for short retention periods, used solely for security and reliability.
- Email-delivery log: for every transactional email we send (welcome, password reset, unlock receipt, etc.) we record the recipient, subject, type, and success/failure status. We use this to debug delivery and to rate-limit (so a single email address cannot be used to send unlimited password-reset emails).
2.3 Information collected by third parties on our behalf
- Payment data (Stripe): when you make a purchase, your card details are submitted directly to Stripe, Inc. Stripe is the controller of that information; we never see your full card number, CVC, or PIN. Stripe shares with us a transaction reference, the amount, the masked last-four digits, the brand of card, and — for anonymous (guest) checkouts — the email address you supplied at checkout so we can create your account.
- AI processing inputs (Anthropic): to generate a name analysis or a compatibility report we send the relevant inputs to Anthropic, PBC's Claude API. Those inputs include: the name you searched; for a compatibility report, your stored profile names (parents, siblings, gender preference). We do not send your email address, IP address, account ID, or any other personal identifier to Anthropic. Anthropic processes these requests under its own commercial terms and privacy policy, including its commitment not to train its models on API-submitted data by default.
- Optional analytics (admin-configurable): the site operator may, via the admin panel, paste a Google Analytics, Plausible, Meta Pixel, Hotjar, or similar tracking snippet that then runs on every page. If such a tracker is active, the third-party provider may set its own cookies and collect data subject to its own policy. Where a tracker is enabled it will be disclosed in the cookie banner / table at the foot of this Policy.
3. How and why we use your information (legal bases under GDPR/KVKK)
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and operate your account; let you sign in | Email, password hash, session cookie | Performance of a contract (GDPR Art. 6(1)(b)) |
| Process payments and prevent payment fraud | Stripe-collected payment data, transaction logs | Contract performance; legal obligation |
| Generate name analyses and compatibility reports | Searched name, profile names | Contract performance |
| Personalize results and remember unlocks across sessions | Profile, unlock history, favorites, balance | Contract performance |
| Send transactional emails (welcome, receipts, password reset, name share) | Email address, send log | Contract performance |
| Rate-limit abuse of free AI generations | SHA-256 hash of IP, slug requested | Legitimate interests (Art. 6(1)(f)) — protecting the service from automated abuse |
| Improve, debug, and secure the Service | Server logs, error logs, email-delivery log | Legitimate interests — keeping the service operational and secure |
| Comply with legal obligations | Whatever data is required by the applicable law | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal information. We do not share your personal information with advertisers or data brokers. We do not engage in cross-context behavioral advertising. We do not use your information to make decisions that produce legal or similarly significant effects about you (no automated decision-making in the GDPR Art. 22 sense).
4. Who we share information with
We share personal information only with the following categories of recipients, and only to the extent strictly necessary:
- Stripe, Inc. — payment processing.
- Anthropic, PBC — AI inference (name-only and profile-name inputs as described in §2.3).
- Our SMTP/email-delivery provider — to actually transmit transactional emails.
- Our hosting and infrastructure providers — to operate the database and serve the site.
- Professional advisers — lawyers, accountants, and auditors, where strictly necessary and under a duty of confidentiality.
- Law-enforcement or regulators — where we are legally compelled, or where we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect public safety.
- An acquirer or successor — if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred to the relevant party, subject to the protections described here.
5. International transfers
The third-party processors described above (notably Stripe and Anthropic) are based in the United States and may process your information there or in other countries. Where required, we rely on the European Commission's Standard Contractual Clauses (or equivalent transfer mechanisms under the UK GDPR / KVKK) to provide an adequate level of protection. You can request a copy of those clauses by emailing us.
6. Cookies and similar technologies
We use the following:
- Strictly necessary, first-party only: naym_sess — session cookie that keeps you logged in. Without it the site cannot work.
- Browser storage (not cookies): localStorage entry for your light/dark theme preference. Stored on your device, never transmitted to us.
- Optional analytics / tracking (off by default): if the site operator has enabled an analytics integration via the admin panel, it will appear here when active. As of the date at the top of this Policy: none enabled.
You can clear or block cookies in your browser settings. Blocking the session cookie will prevent you from signing in.
7. How long we keep your information
- Account data, profile, unlocks, balance transactions: kept for as long as your account exists, plus a short technical buffer after deletion to remove residual backups.
- Email-delivery log: kept indefinitely for deliverability debugging; you may request deletion of records relating to your address.
- Anonymous-generation rate-limit records (hashed IP + slug): functionally relevant only for 24 hours; older rows may be pruned at any time.
- Payment/transaction records: retained as long as legally required (typically 5–10 years for tax and accounting law).
- Server and security logs: short retention (typically days to weeks) at the hosting layer.
8. Security
We take reasonable and appropriate technical and organizational measures to protect personal information: TLS in transit, salted password hashing (bcrypt), parameterized database access to prevent injection, CSRF tokens on every state-changing form, secure session cookies (HttpOnly, SameSite=Lax), least-privilege database credentials, and Stripe-handled card storage so we never possess sensitive payment data. No system is perfectly secure, however; we cannot and do not guarantee absolute security.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and (where required) affected users without undue delay.
9. Your rights
Subject to the conditions and exceptions in the applicable law, you have the right to:
- Access the personal information we hold about you;
- Rectify inaccurate or incomplete information;
- Erase ("right to be forgotten") your information — most of this you can do yourself from the account dashboard (Delete account);
- Restrict or object to certain processing, particularly processing based on legitimate interests;
- Data portability — request a copy of the information you have provided to us in a structured, commonly used, machine-readable format;
- Withdraw consent, where processing is based on consent (this does not affect the lawfulness of processing carried out before withdrawal);
- Not be subject to solely automated decisions producing legal or similarly significant effects — we don't do that;
- Lodge a complaint with your local data-protection supervisory authority (in Türkiye: KVKK — Kişisel Verileri Koruma Kurumu; in the EU: your member-state DPA; in the UK: the ICO).
To exercise any of these rights, email hey@naym.app from the address associated with your account, or use the in-product controls in the account dashboard. We respond within 30 days. We may need to verify your identity before acting on a request.
California residents (CCPA/CPRA): the categories of personal information we collect, the purposes for which it is used, and the categories of third parties with whom we share it are listed in §2–§4 above. We do not sell or share personal information for cross-context behavioral advertising. You have the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising those rights.
10. Children
The Service is not directed to, and is not intended to be used by, children under 13 (or under 16 in jurisdictions where that is the digital-consent age). We do not knowingly collect personal information from such users. If you believe we have collected information from a child, contact us and we will delete it.
11. Changes
We may update this Policy from time to time. When we make material changes we will update the "Last updated" date and, where reasonable, surface a notice in the product. Your continued use of the Service after changes take effect constitutes your acknowledgement of the updated Policy.
12. Contact
Data-protection enquiries, requests, or complaints: hey@naym.app.