
Nebul Services Privacy Policy

Version 1.0 — March 2026

This Services Privacy Policy is incorporated into the Agreement (as defined in the Master Agreement) between Nebul and Customer and the employees of the Customer.

1. Context and Scope

This Services Privacy Policy outlines the privacy principles applicable when using Nebul's services. The following sections will provide an overview of the contract structure, including supporting frameworks, terms, and agreements such as the Service Specific Terms, Service Level Agreement and Customer Data Incident Response Process.

1.1 Contract Structure

The agreements and contracts outlined in this dossier (collectively this "Agreement") operate within a specific hierarchy to ensure clarity and consistency in our services and obligations. In the event of any inconsistency or contradiction between these documents, the order of precedence is as follows:

  1. Service Contract: This is the primary agreement tailored to each specific Service provided. It contains the details of the Services and their pricing as well as Customer-specific terms where applicable.
  2. Nebul Acceptable Usage Policy: A set of rules applied by Nebul to guide the proper use of the Nebul cloud, enforce information security measures and prevent misuse or harm to others.
  3. Service Specific Terms: These terms outline each Service's specific terms, conditions and guidelines. They provide the foundational rules governing the use of the Service.
  4. SLA (Service Level Agreement): This agreement defines the expected level of service performance, including uptime and support metrics, for specific services.
  5. Customer Data Incident Response Process: This document describes the procedure concerning Customer Data security incidents.
  6. Master Agreement: This agreement governs the overall relationship between Nebul and the Customer, providing the broad terms and conditions applicable to all Services.

In case of any conflicts between these documents, the terms of the document higher in the order will prevail.

2. Introduction

This Privacy Policy applies to the personal data that Nebul ("Nebul," "we," "us," or "our") processes as a controller in connection with the provided services ("Services"). This Privacy Policy does not apply to:

  • Job applicants: a separate policy is available here: Job application privacy statement — Nebul.
  • www.nebul.com: a separate policy is available here: Privacy Statement — Nebul.
  • Third-party offerings: any products, services, or content provided by third parties.

3. Terms and Definitions

This Privacy Policy uses the key terms as defined by the EU General Data Protection Regulation (GDPR). Unless we explicitly state otherwise, these terms carry the same meanings and must be interpreted in accordance with the GDPR.

4. Personal Data We Collect

4.1 Registration

When you register to use our Services, you provide us with the following data:

  • Full name
  • Contact information, such as email address and phone number
  • Job title
  • Company name
  • Company size
  • Industry
  • Any other information you supply in the registration form

4.2 Third-Party Authentication Services

If you choose to sign up using a supported third-party account such as your Google, Microsoft, Apple or GitHub account, you authorize us to receive, store, and use any information that you have permitted the third party to share via its API. This may include, for example, your name, email address, profile picture, and any other data you have agreed to share.

4.3 Service Usage

When you interact with our Services through the Nebul AI Factory interface, the Nebul NeoCloud and other Nebul services, you submit your inputs via the interface. The categories of processed personal data include:

  • The initiation, stopping, scaling and other mutations of services by a user.

4.4 Service Payments

When you pay for our Services, we collect and process:

  • Payment details
  • Billing address (street, city, postal code, country)
  • Tax/VAT identification, if required for invoicing
  • Transaction records (dates, amounts, invoice/order numbers, payment status)
  • Invoice email address
  • Additional payment-related details you provide

4.5 Support Communications

We collect any information you provide when you communicate with us by email, live chat, support tickets, or other means, including the content of your messages and any associated details.

4.6 Know Your Customer (KYC)

We may ask you to provide information to verify your identity as part of our KYC procedures. This helps us comply with legal and regulatory requirements. You might be asked to submit a partially obscured copy of your government-issued ID, showing only:

  • Your photograph
  • Your full name and surname
  • Your nationality
  • The place and type of document
  • The first four digits of the document number
  • Any other information necessary to complete our KYC checks

4.7 Personal Sensitive Data

We do not intentionally collect sensitive personal data (e.g., information revealing race, ethnicity, political opinions, religion, or similar) and ask that data subjects refrain from submitting such information.

4.8 Providing Personal Data

Some personal data has an anonymized alternative that can sometimes be used — for example, a general email address instead of a personal email address, and a general phone number instead of a direct phone number. Not providing personal data can result in not being able to use (the full extent of) the Services.

5. Personal Data We Collect Automatically

5.1 Service Use

When you use our Services, we automatically collect and generate metadata needed to provide, administer, and improve those services. This may include:

  • User identifiers and authentication credentials
  • Resource identifiers and related attributes
  • IP addresses
  • Operational status, software errors, and crash reports
  • Quality and performance metrics (e.g., latency, throughput, uptime)
  • Other technical details essential for the operation, maintenance, and troubleshooting of our Services
  • Zero data retention status

5.2 Automated Decision-Making

Nebul does not carry out any automated decision-making in relation to personal data.

6. Submissions on Behalf of Others

When you provide information on behalf of another person or entity — whether during registration or through any other interaction — you confirm that you are authorized to:

  • Supply and process the submitted details for that person or entity;
  • Grant us the right to collect, use, and retain their information in accordance with this Privacy Policy.

By submitting third-party information, you represent and warrant that you have obtained all necessary consents and permissions from the data subject or entity to permit us to handle their data as described herein.

7. Why We Process Your Personal Data

We collect and use personal data only for purposes that are necessary to:

  • Process your requests and queries
  • Verify your identity if you contact us
  • Enhance the performance and content of our Services
  • Tailor our Services to your preferences
  • Analyze trends
  • Comply with applicable laws
  • Protect us and our users/customers from fraud or other illegal activities
  • Provide timely feedback to your questions and requests and/or take the necessary steps to conclude an agreement with you
  • Deliver our Services, including creating, updating, and personalizing your account; enabling accessibility features; processing payments; performing all operations required to provide and maintain the Services; handling support requests and other inquiries; sending notifications about Service changes; and supplying information relevant to your use of the Services
  • Develop, improve, and secure our Services
  • Evaluate the effectiveness of our promotional campaigns so we can better tailor them to your interests
  • Conduct analytics, statistics, development, and research, including sharing aggregated statistical data with our business partners and affiliates

Additionally, we may process your personal data to:

  • Comply with legal obligations, judicial enforcement, and administrative orders under applicable law
  • Protect and enforce our rights, privacy, security, safety, systems, and property as well as those of other persons we are responsible for, and to resolve disputes
  • Verify your identity during onboarding as part of our KYC (Know-Your-Customer) checks, authenticate you as an authorized user of the Services, and detect or prevent possible fraud
  • Perform audits and internal checks to ensure our processes comply with legal, contractual, and regulatory requirements

All of the above is based on our legitimate interest in providing you with the agreed services.

8. Disclosure of Your Personal Data & Data Retention

8.1 Service Providers

We engage third-party providers to help deliver our Services — such as for maintenance, auditing, payment processing, customer support, marketing, and development. These providers may access the personal data they need solely to perform their tasks on our behalf, and they are contractually prohibited from using or disclosing it for any other purpose. If you purchase Nebul services, we may also use a payment provider who may independently collect additional information about you (for example, for fraud prevention or compliance with legal requirements).

For a list of subprocessors see our Data Processing Addendum.

8.2 Data Retention

We retain your personal data only for as long as it is necessary to fulfil the scopes described in this Privacy Policy. The exact length of time may vary depending on the type of data, the scope of processing, the category of users involved and — most importantly — whether we are compelled to retain certain personal data due to, for example, tax requirements or other legal obligations under applicable law, fraud-prevention or safety considerations. Non-personal data may be retained and used by Nebul without limitation, in particular for archiving purposes, public-interest, statistical, historical or scientific research purposes.

8.3 No Selling of Information

Nebul does not sell your personal information to third parties.

8.4 Transfer of Data

We store your personal data in our data centres in the European Union. However, as a European organization, we may also process and transfer your personal data to other group companies or to third parties around the world for the purposes set out in this Privacy Policy — specifically, to fulfil our agreements with you, to respond to your requests, or, where applicable, based on your consent.

Whenever we transfer your personal data outside the EU and EEA, we ensure its protection by implementing appropriate safeguards such as:

  • Encrypting personal data in transit;
  • Maintaining internal policies to restrict access and promote awareness.

9. Your Rights & Contact

9.1 Your Rights

Based upon GDPR, you have certain rights as a data subject, including the right to access, right to data portability, right to rectification, right to withdraw consent, right to object, right to erasure, right to restriction of processing, right to lodge a complaint, and right to contact a Data Protection Authority (DPA). Please be aware that there may be limitations or exceptions to these rights, depending on the specific circumstances and legal requirements. If anything is unclear, please don't hesitate to contact us and ask any questions. Below, you can find more information about these rights and how you can exercise them.

  • Right of Access. You may request access to the personal data we hold about you. We will provide details about how and why we process your data, the categories of data involved, any recipients, and other relevant information.
  • Right to Data Portability. You may receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and you can request that we transmit it directly to another controller where technically feasible.
  • Right to Rectification. If you believe your personal data is inaccurate or incomplete, you may request that we correct or update it.
  • Right to Withdraw Consent. If our processing relies on your consent, you can withdraw it at any time. Withdrawal will not affect the lawfulness of any processing carried out before you withdrew consent.
  • Right to Object. You can object to our processing based on legitimate interests or for direct marketing. We will stop processing unless we have compelling legitimate grounds or a legal requirement to continue. Objections to direct marketing are always honored.
  • Right to Erasure ("Right to Be Forgotten"). You may request deletion of your personal data unless processing is necessary for freedom of expression and information, compliance with a legal obligation, public-interest tasks, or the establishment, exercise, or defence of legal claims.
  • Right to Lodge a Complaint. You may lodge a complaint with the supervisory authority in your country of residence, or with our lead supervisory authority — the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) — if you believe we have infringed your rights.
  • Right to Restrict Processing. You may request that we suspend processing of your personal data if:
    • You contest its accuracy;
    • The processing is unlawful, and you oppose erasure;
    • We no longer need it, but you require it to establish, exercise, or defend legal claims;
    • You have objected to processing pending verification of our legitimate grounds.

9.2 Contact Details

In case you would like to contact the Nebul Data Protection Officer (DPO), or if you have any general questions, please send an email to:

Please make sure to include a description of the question or request in the email. Once you submit a request, we will review and respond within 1 month. In certain cases, we may need additional time to investigate and fulfil your request. Once completed, we will confirm via the email address you provided.

This Privacy Policy is applicable to Nebul B.V. and its affiliates.

Nebul B.V., Sylviusweg 74, 2333 BE Leiden, The Netherlands

By submitting a request, you confirm that you are the individual to whom the data relates and that you have the legal capacity and authority to act on your own behalf. We may verify your identity using the information you supply if there is any doubt. Additionally, where required by law, we may need to share your request and our response with third parties, including regulatory authorities.

10. Security

Nebul maintains a dedicated security and privacy team and employs a combination of technical, administrative and physical controls to safeguard the personal data we process. We continually update and rigorously test these measures to ensure they remain state-of-the-art. For a detailed description of the implemented technical measures please see the Data Processing Addendum.


Version Table

Version | Date | Status | Information
1.0 | March 2026 | Published | Initial version