Privacy Policy

This Privacy Policy describes how MonetizeDesign LLC (“we,” “us,” or “our”) — operator of NabuKit and controlled by Wynter Jones — collects, uses, discloses, and protects information about you when you use the NabuKit website, application, APIs, and downloadable artifacts (collectively, the “Service”).

1. What we collect

We collect the following categories of information:

• Account data. Email address, password hash (we never store your plaintext password), display name, role (founder / engineer / researcher / designer / other), and an optional one-line goal you supply during onboarding.
• Customer content. The text, markdown, mockups, sketches, and other inputs you submit to the Service, plus the artifacts and bundles NabuKit produces for your account.
• Usage telemetry. Per-account counters for monthly input and output tokens consumed by AI generation, plus per-action timestamps used for product analytics (project created, artifact generated, bundle downloaded). We do not run third-party advertising trackers.
• Billing data. Subscription status, plan, trial end, period boundaries, and Stripe customer / subscription IDs. We do not store full payment-card numbers; Stripe processes those directly.
• Avatar uploads. If you choose to set an avatar, the image is uploaded via Filestack and the resulting URL is stored on your user record.
• Operational logs. Request method, path, response code, IP address, and user agent for the past 30 days, used for debugging and abuse prevention.
• Cookies. A single session cookie for authentication and a CSRF token. No third-party advertising cookies.

2. How we use information

We use the information above to:

• Operate, maintain, and improve the Service.
• Authenticate you, send transactional email, and provide support.
• Process payments and enforce subscription / quota state.
• Generate the artifacts you ask for via third-party AI providers.
• Detect abuse, fraud, and security threats.
• Comply with legal obligations.

We do not sell your personal information. We do not use your Customer Content to train any model owned by MonetizeDesign LLC. Whether third-party providers train on Customer Content is governed by those providers’ contracts and policies; see §4.

3. Legal bases (EU/UK)

If you are in the EU, EEA, or UK, the legal bases on which we rely are: (a) performance of a contract with you, to provide the Service you signed up for; (b) legitimate interests, to keep the Service safe, prevent fraud, and improve product quality; (c) consent, where required (e.g., optional features that share data with vendors beyond the operational minimum); and (d) legal obligation, where we must retain or disclose information by law.

4. Third parties we share with

We share the minimum information needed with the following processors:

• Anthropic — receives the prompts and content you submit for generation, plus minimal metadata to invoke the Claude Messages API. Anthropic’s commercial terms and privacy policy apply to their handling of that data. Their default commercial offering does not train on customer inputs.
• OpenRouter (optional, when running the generate-images script) — receives prompts you author for image generation.
• Stripe — receives the data necessary to manage your subscription, including email, customer ID, plan, and payment events. Stripe stores payment cards.
• Filestack — receives any image you upload for your avatar.
• Railway — hosts our application servers and Postgres database. Customer Content lives in our Railway-hosted Postgres instance.
• Google Fonts — serves the typefaces used on our marketing site.

We may also disclose information to comply with a valid legal process or to protect the rights, safety, and property of MonetizeDesign LLC, our customers, or the public.

5. Retention

We retain your account data and Customer Content for as long as your account is active and for a reasonable period thereafter so that you can reactivate without losing your bundles. After 12 months of inactivity, or upon your written request, we delete account data and Customer Content from our active systems within 30 days; encrypted backups age out within 90 days. Stripe and other processors retain billing records as legally required.

6. Security

We use TLS in transit, encrypted backups at rest, hashed passwords (bcrypt), per-user session tokens that can be rotated remotely, signed Stripe webhook payloads, and content-security policies on rendered pages. No system is perfectly secure; please report suspected vulnerabilities to security@nabukit.com.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict our processing of your personal information, and to object to certain processing. You may exercise these rights by emailing hello@nabukit.com. We will respond within the timeframes required by applicable law (typically 30 days). California residents may make a “do not sell or share” request; we do not sell or share personal information for cross-context behavioral advertising.

8. Children

The Service is not directed to children under 13 (16 in the EU/EEA/UK) and we do not knowingly collect personal information from them. If we learn we have collected personal information from a child under those ages, we will delete it.

9. International transfers

MonetizeDesign LLC is based in the United States and our processors may transfer data to, from, or store it in, jurisdictions including the United States, Canada, the European Union, and the United Kingdom. We rely on standard contractual clauses and equivalent safeguards where required by law.

10. Changes

We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect.

11. Contact

MonetizeDesign LLC
Attn: NabuKit Privacy
hello@nabukit.com