Privacy Policy

Nuvrail, Inc.

Effective date: May 1, 2026 · Last updated: 2026-05-28

1. Who We Are

Nuvrail, Inc. (“Nuvrail,” “we,” “us,” or “our”) operates the Nuvrail approval gateway — a proxy layer between AI agents and email servers that stages every AI-proposed email action for human review before execution.

Contact: hello@nuvrail.com


2. What This Policy Covers

This policy describes how we collect, use, store, and share personal information when you use:

  • The Nuvrail web application (app.nuvrail.com or test.nuvrail.com)
  • The nuvrail.com marketing website
  • The Nuvrail proxy service (IMAP/SMTP gateway)

3. Information We Collect

3.1 Information You Provide

  • Account information: email address, name, company name (at signup)
  • Email credentials: IMAP/SMTP server address, port, username, and password or OAuth2 token. These credentials are stored encrypted at rest using AES-256-GCM. A single master key, stored outside the database, is used to encrypt all credentials. We use them solely to operate the proxy on your behalf.
  • Configuration: rules, approval settings, and preferences you set in the application.

3.2 Information Generated by the Service

  • Pending operations: when an AI agent proposes an email action through the proxy, we record the proposed operation (e.g., “send email to X with subject Y”) along with its status (pending, approved, rejected).
  • Audit log: every operation that passes through the proxy is written to an immutable append-only log. This includes the timestamp, the action type, the proposing agent identifier, the approval decision, and the approving human’s identifier. Audit log entries are not deleted — this is a core feature of the service.
  • Email metadata: subject lines, sender and recipient addresses, and timestamps of emails touched by the proxy. We do not store full email body content except as required to stage an operation for human review, and only for the duration of the review window (default: 24 hours after approval, configurable).

3.3 Technical Information

  • Server logs: IP address, browser type, referring URL, pages visited, timestamps. Retained for up to 90 days for security and debugging purposes.
  • Authentication tokens: the web application stores your session token in browser localStorage (not a browser cookie). No analytics cookies are used; we use Plausible Analytics (no cookies) — see Section 9.

4. How We Use Your Information

We use the information we collect to:

  • Operate the Nuvrail proxy and web application
  • Stage AI-proposed email operations for your review
  • Maintain the audit log (integrity is a core service property; audit log entries are cryptographically hash-chained — each row's SHA-256 hash covers all its fields plus the previous row's hash, making any tampering detectable)
  • Authenticate you and keep your account secure
  • Send transactional emails (account confirmations, alerts for pending operations)
  • Respond to support requests
  • Improve the service (aggregate analytics only — we do not use your email content for training AI models)
  • Comply with legal obligations

We do not:

  • Sell your personal information or email credentials to third parties
  • Use your email content to train AI models (ours or anyone else’s)
  • Share your credentials with the AI agents that connect through the proxy (agents see only the proxy interface, not your underlying credentials)

5. How We Store and Protect Your Information

  • Email credentials are encrypted at rest using AES-256-GCM. A single master key — stored outside the database in an environment variable or a protected key file — is used to encrypt all credentials. The master key is never stored in the database.
  • Audit log entries are append-only — the application never issues DELETE or UPDATE against the audit log table. Once an event is written it stays in the record. Each entry is cryptographically chained to the previous one (SHA-256 hash linkage), making any retrospective modification detectable.
  • Data is stored on fly.io infrastructure in the United States: regions iad (Northern Virginia) and ord (Chicago, Illinois).
  • We use TLS for all data in transit.
  • For SMTP send operations, the full message body is stored in the staged operation record (required for delivery on approval). A background process scrubs both the full body and the short preview 7 days after a terminal decision. Only the envelope metadata (subject, sender, recipient) is retained thereafter.

6. Data Retention

Data Type: Retention Period

  • Account information: Until you delete your account. Self-serve deletion is available in Settings → Account. On deletion: credentials scrubbed, agents revoked, pending operations cancelled. The audit log is retained.
  • Email credentials: Until you disconnect the agent or delete your account
  • Pending operations (pre-approval): 48 hours after creation if not approved — the operation is marked ‘expired’ and its optimistic local state is reverted. The operation record is retained in the database as part of the audit trail.
  • Audit log entries: Indefinite — by design. The audit log is append-only and is the core integrity guarantee of the service. If you need to close your account, we can provide an export; we will retain the log for compliance purposes.
  • Server logs: 90 days
  • Analytics data: Aggregate, anonymised page-view data via Plausible Analytics. No personal data. Retained indefinitely by Plausible.

7. Sharing Your Information

We do not sell your information. We share it only in these circumstances:

  • Service providers: hosting providers, database operators, and other infrastructure vendors who process data on our behalf under confidentiality obligations.
  • Legal requirements: when required by law, court order, or governmental authority.
  • Business transfers: if Nuvrail is acquired or merges with another company, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • With your explicit consent: for any other purpose.

8. Your Rights

Depending on where you are located, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your account — available in Settings → Account. Credentials scrubbed, agents revoked immediately. The audit log is retained per Section 6.
  • Export your data in a machine-readable format — available in Settings → Account → Download My Data.
  • Object to certain processing activities
  • Withdraw consent for optional processing (e.g., analytics cookies)

For EU/EEA residents (GDPR): Our lawful basis for processing your personal data is primarily the performance of a contract (operating the service you signed up for). For analytics, we rely on your consent. You have the right to lodge a complaint with your national data protection authority.

For California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it (subject to the audit log retention noted above), and the right to opt out of any sale of personal information (we do not sell personal information).

To exercise your rights, use our data subject request form or email hello@nuvrail.com with subject “Privacy Request”. We will respond within 30 days.


9. Cookies

We use:

  • Authentication tokens: the web application stores your session token in browser localStorage (not a browser cookie). This is required to stay logged in and cannot be disabled without breaking the service.
  • Analytics (optional, consent-gated): we use Plausible Analytics on nuvrail.com and app.nuvrail.com. Plausible collects no personal data, sets no cookies, and is hosted in the EU. Analytics activate only after you click “Accept all” in the cookie banner.

You can update your cookie preferences at any time by clicking “Cookie preferences” in the footer.


10. Children

The Nuvrail service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us their information, contact us at hello@nuvrail.com.


11. Changes to This Policy

We will post changes to this policy on this page and update the “Last updated” date. For material changes, we will notify you by email or by a prominent notice in the application before the change takes effect.


12. Contact

Nuvrail, Inc.

hello@nuvrail.com

For data protection inquiries (including GDPR requests):
hello@nuvrail.com — subject line: “Privacy Request”

© 2026 Nuvrail, Inc.