FuseBase Privacy Policy

Thank you for visiting thefusebase.com, Nimbusweb.me and/or nimbusweb.co (collectively, the “Websites”) and/or one of our interconnected products, such as a FuseBase, Nimbus Note, Nimbus Clipper (kiokdhlcmjagacmcgoikapbjmmhfchbi), FuseBase Pro (fddbloohgcjopkmnjdeodjcfbgiimpcn), FuseBase Assistant (haafigbapbpbpnmgcknnmilaaaimggpk) and others (collectively, the “Products”), whether you access them online or by downloading the Product to your computer and/or mobile device.

This Privacy Policy describes how Nimbus Web Inc. d/b/a FuseBase (“FuseBase,” “Nimbus Web,” “we,” “us,” or “our”) collects, uses, discloses, stores, and otherwise processes Personal Data in connection with thefusebase.com, our applications, APIs, browser extensions, customer workspaces, AI-enabled features, and related products and services (collectively, the “Services”).

1. Scope and Roles

This Privacy Policy applies to Personal Data processed through the Services and our website, including when you create an account, use a workspace, use AI-enabled features, contact support, request a demo, subscribe to communications, attend an event, integrate third-party services, or otherwise interact with us.

Depending on the context, FuseBase may act as a controller (or business) for Personal Data we collect for our own purposes, such as account administration, website analytics, billing, marketing communications you choose to receive, product improvement, security, and support; and as a processor (or service provider) when we process customer content, workspace data, or end-user data on behalf of a business customer under the applicable customer agreement and, where applicable, our Data Processing Addendum.

If you use the Services through an organization, that organization may control your use of the Services and may control certain processing of your Personal Data within the workspace.

2. Categories of Personal Data We Collect

We may collect the following categories of Personal Data, depending on how you interact with the Services:

• Account and profile information, such as name, email address, password or authentication credentials, profile photo, job title, company name, team role, workspace identifiers, and contact preferences.
• Contact, communications, and support information, such as phone number, mailing address, calendar and meeting details you provide, support tickets, survey responses, webinar registrations, demo requests, messages, attachments, and communications with us.
• Billing and transaction information, such as billing contact details, subscription information, order details, invoices, payment status, and limited payment-related metadata. Payment card data is typically processed by our payment service providers rather than stored by FuseBase.
• Device, network, and usage information, such as IP address, approximate location derived from IP, device and browser details, operating system, app version, timestamps, referral URLs, crash data, audit logs, authentication events, session data, feature usage, clicks, and performance telemetry.
• Workspace and content data, such as documents, files, notes, portal content, knowledge base entries, messages, comments, forms, workflow inputs, app configuration data, permissions settings, and other content uploaded to or created in the Services.
• AI-related content and metadata, such as prompts, instructions, code, files, attachments, generated outputs, summaries, automations, workflow artifacts, and application or portal configurations when you use AI-enabled features.
• Integration and connected-service data from systems you link to the Services, including Google Workspace, CRM systems, file storage, email systems, and similar integrations.
• Marketing and cookie-related data, such as cookie identifiers, analytics identifiers, page views, conversion data, campaign source data, and preferences collected through cookies and similar technologies, subject to your choices where required by law.
• Information from third parties, such as lead enrichment data, account invitation data, fraud-prevention signals, and information we receive from your employer or workspace administrator.

3. Sources of Personal Data

We collect Personal Data directly from you; automatically when you use the Services or visit our website; from your organization, workspace administrator, or account owner; from integrated third-party services and authentication providers; from our vendors, analytics providers, security providers, and payment providers; and from publicly available or lawfully obtained third-party sources used for business contact data, fraud prevention, or account support.

4. How We Use Personal Data

We use Personal Data to provide, operate, host, secure, and maintain the Services; create and administer accounts, organizations, workspaces, permissions, and billing; provide collaboration, portal, workflow, automation, API, and AI-enabled functionality; authenticate users, prevent fraud, detect abuse, investigate incidents, and enforce our terms and policies; provide customer support and troubleshoot issues; process purchases, subscriptions, renewals, invoices, and related commercial transactions; improve performance, reliability, usability, accessibility, and functionality of the Services; develop, evaluate, and improve product features, subject to our contractual commitments and applicable law; send service-related notices, account communications, legal notices, and administrative messages; send marketing communications where permitted by law or with your consent; comply with legal obligations, resolve disputes, exercise legal rights, and protect users, FuseBase, and others; perform analytics, reporting, forecasting, and business operations; and support mergers, acquisitions, financings, or other corporate transactions, subject to appropriate safeguards.

Where required under applicable law, we rely on one or more legal bases, including performance of a contract, compliance with legal obligations, legitimate interests, and consent.

5. De-identified and Aggregated Information

We may de-identify, aggregate, anonymize where appropriate, or otherwise process Personal Data so that it no longer reasonably identifies, relates to, describes, or can be linked to an identified or identifiable individual (“De-identified Information”). Subject to applicable law, De-identified Information is not treated as Personal Data under this Privacy Policy to the extent it cannot reasonably be used to identify you. We may use De-identified Information to operate, administer, analyze, secure, improve, and develop the Website, Services, and related features; for reporting, benchmarking, product analytics, research, and service improvement; and for other lawful business purposes. We may also disclose De-identified Information to service providers and other third parties for these purposes, provided that the information does not reasonably identify you or any specific individual.

6. AI-Enabled Features and Third-Party AI Providers

FuseBase offers AI-enabled features within the Services. Those features may rely on third-party AI and infrastructure providers, and customers may also be permitted to connect or use customer-selected AI providers, models, APIs, customer-provided API keys, or external AI applications and workflows.

When you use AI-enabled features, we may process AI-related content and metadata to provide the requested functionality, secure and maintain the Services, monitor abuse, troubleshoot issues, support users, perform analytics, and improve the Services, as described in the applicable agreement, this Privacy Policy, any DPA, and related documentation.

For FuseBase’s standard provider arrangements, FuseBase seeks to use commercial provider offerings that do not permit general-model training on customer AI content by default unless the customer expressly chooses to share data for that purpose. At the same time, ‘not used for training’ does not necessarily mean that data is never retained, logged, or otherwise processed for service delivery, security, support, abuse prevention, troubleshooting, analytics, or similar operational purposes.

Different providers and configurations may have different terms, retention settings, technical limitations, and compliance scope. For example, if you use customer-provided API keys, customer-managed model accounts, third-party AI providers, or external AI integrations, you are responsible for reviewing whether those providers and configurations are appropriate for your intended use case, risk tolerance, and regulatory requirements. Additional information about relevant providers may be listed in our provider, subprocessor, or third-party services materials.

7. Customer-Built Apps, Portals, Workflows, and Integrations

FuseBase may allow customers to build, configure, publish, host, deploy, or connect applications, portals, workflows, agents, automations, forms, websites, or other implementations using the Services, including with the assistance of AI-enabled features.

This Privacy Policy describes how FuseBase processes Personal Data for its own Services. It does not replace any privacy notices or disclosures that a customer may need to provide for a customer-built implementation. If you build or deploy an implementation that collects or processes Personal Data from end users, visitors, customers, patients, applicants, or other third parties, you are responsible for determining what additional privacy notices, consents, cookies disclosures, rights workflows, or compliance controls are required for that implementation.

For example, if you use FuseBase to build a portal, app, or workflow that is hosted in your environment, connected to your own AI provider, or integrated with another third-party service, the third-party providers involved in that setup may have their own privacy, security, retention, and compliance posture that you should evaluate.

8. Disclosure of Personal Data

We may disclose Personal Data to our affiliates and corporate group members; to hosting, infrastructure, security, analytics, support, communications, AI, payment, and other service providers and subprocessors acting on our behalf; to integration partners or providers where required to support a feature you request or enable; to your organization, workspace administrator, or account owner where your use of the Services is managed by that organization; in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction; to comply with law, legal process, lawful requests, court orders, or government requests; to protect the rights, safety, property, or security of FuseBase, our users, or others; and with your direction or consent.

We do not sell Personal Data for money. Depending on how you interact with our website and cookie settings, some analytics or advertising-related disclosures may be treated as ‘sale,’ ‘sharing,’ or targeted advertising under certain U.S. privacy laws. Where required, we provide notice and applicable opt-out rights.

FuseBase does not sell Personal Data and does not disclose Personal Data to third parties for their own direct marketing or advertising purposes.

9. International Data Transfers

FuseBase may process Personal Data in the United States and in other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

Where required, we take steps intended to provide an appropriate level of protection for transferred Personal Data, such as contractual safeguards, vendor due diligence, and security measures appropriate to the nature of the data and processing. If you would like additional information about available transfer safeguards, you may contact us using the details below.

10. LEGAL BASES FOR PROCESSING (EEA, UK, AND SIMILAR JURISDICTIONS)

Where required by applicable law, we process Personal Data on one or more of the following legal bases:

• to perform a contract with you or take steps at your request before entering into a contract;
• to comply with legal obligations;
• with your consent;
• to protect your vital interests or those of another person; and
• for our legitimate interests, such as operating, securing, maintaining, improving, supporting, and developing the Website and Services, preventing fraud and abuse, enforcing our agreements, conducting analytics, communicating with customers and prospective customers, and protecting our business, users, and infrastructure, where those interests are not overridden by your rights and freedoms.

If you have questions about the legal bases we rely on for a particular processing activity, you may contact us using the contact information provided in this Privacy Policy.

11. Your Data Protection and Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your Personal Data. These may include the right to request access to the Personal Data we hold about you; request correction of inaccurate or incomplete Personal Data; request deletion of Personal Data; object to or request restriction of certain processing; withdraw consent where processing is based on consent; receive a portable copy of certain Personal Data in a structured, commonly used, and machine-readable format; opt out of certain marketing communications; appeal certain privacy-rights decisions where applicable; and lodge a complaint with a supervisory authority, regulator, or other competent data protection authority.

You may exercise applicable rights by contacting us using the contact information provided in this Privacy Policy. We may need to verify your identity before fulfilling certain requests, and we may limit or decline requests where permitted by applicable law.

11.1.1. to access the Personal Data which means you may obtain a confirmation if we process your Personal Data, and / or to access your Personal Data and the information, how we use your Personal Data;

11.1.2. to rectify inaccurate Personal Data which means you may request that we correct any incomplete or inaccurate Personal Data about you;

11.1.3. to object to processing which means that you may object to processing your Personal Data if we process them based on the legitimate interests (please, see the examples of our legitimate interests in clause 3.2), use them for statistical purposes;

11.1.4. to make us your Personal Data portable which means that you may request that in certain circumstances we provide you with a copy of your Personal Data in structured, commonly used and machine-readable format. If you wish to have a copy of your Personal Data, we will aim to provide you with them within 14 days;

11.1.5. to have your Personal Data erased which means that you may request that we delete your Personal Data in some circumstances: for example, we no longer need them, or you withdraw your consent which was the basis for processing;

11.1.6. to withdraw consent to processing your Personal Data which means that you may withdraw your consent for processing your Personal Data. Such withdrawal will only affect processing of your Personal Data after it is given;

11.1.7. to restrict the processing which means that you may ask us to restrict or stop collection, use, processing and/or disclosure of your Personal Data;

11.1.8. to withdraw consent to electronic marketing which means that you may opt out receiving our marketing emails (if any);

11.1.9. to be informed about the safeguards which we arrange to transfer your Personal Data transfer to a third country or an international organization which means that you may ask us about these safeguards;

11.1.10. to file complaints which means that you may complain to a data protection authority about our collection and use of your Personal Data.

11.2. If you wish to exercise any of the rights specified in clauses 11.1.1-11.1.9, or have any questions concerning the Policy and / or your Personal Data, please, contact us at legal@thefusebase.com. We will review your request and offer a resolution or help to begin a dialogue to find a way out.

11.3. If you wish to opt out receiving our marketing emails (clause 11.1.8), please, contact us at legal@thefusebase.com or click the unsubscribe link in any our marketing email

11.4. If you believe our processing of your personal information violates applicable law and would like to file a complaint to a data protection authority (clause 11.1.10), please, contact your local data protection authority. Anyway, we will always aim to help you if you wish to exercise your rights, so, we would appreciate you contact us first.

11.5. Please, note that we may ask you to verify your identity before we respond to the request and, in certain circumstances, charge a fee to cover our costs. Our time limit to respond is one month after we receive the request. If it takes longer to process your request we will notify you. In any case, we cannot extend the response timeframe for more than two months after the first month for response passes. This clause 11.5 is not applied to your requests, which are specified in clauses 11.1.8 and 11.1.10.

11.6. If you opt out of our marketing emails (clause 11.1.8) we may still need to send you emails in relation to the Website and Services; for instance, to inform you of the changes made to this Policy (section 14).

11.7. Please keep in mind that there may be exceptions to these rights under the EU data protection law, with which we must comply, or under the legislation, with which a data processor we engage must comply. Thus, we may reject the request about execution of your rights where permitted or required by these laws.

11.8. If we reject your request, we will describe the grounds for it in our response. In any case, you may file a complaint for our refusal to the supervisory authority.

12. Data Retention

We retain Personal Data for as long as necessary to provide the Website and Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, protect against fraud and abuse, and support legitimate business and operational needs. The specific retention period depends on the type of data, the context in which it was collected, the nature of the applicable relationship, and our legal or operational requirements.

For example:

• Account and profile data may be retained for the duration of your account and for a reasonable period thereafter for recordkeeping, account reactivation, dispute resolution, enforcement, and legal compliance.
• Customer workspace content, submissions, files, prompts, outputs, and related materials may be retained in accordance with the applicable subscription, account settings, deletion requests, backup cycles, support requirements, and legal obligations.
• Support, communications, and inquiry data may be retained as needed to respond to requests, improve support operations, maintain records, and protect the Website and Services.
• Billing, transaction, and tax-related data may be retained as required for accounting, financial reporting, tax, audit, and legal compliance purposes.
• Security, audit, and system logs may be retained for security, fraud prevention, troubleshooting, compliance, service integrity, and incident-response purposes.
•  Marketing and lead information may be retained until you opt out, withdraw consent where applicable, or until the information is no longer needed for the relevant business purpose.
• De-identified and aggregated information may be retained for analytics, research, security, benchmarking, and service improvement to the extent permitted by applicable law.

When we no longer need Personal Data for the purposes described in this Privacy Policy, we will delete, de-identify, aggregate, or otherwise dispose of it in accordance with applicable law and our retention practices, subject to backup, archival, legal, or technical limitations.

13. Cookies and Similar Technologies

We and our service providers may use cookies, pixels, SDKs, local storage, and similar technologies (collectively, “Cookies”) to operate, secure, maintain, measure, and improve the Website and Services.

These technologies may include:

•  Strictly Necessary Cookies, which are required for core functionality such as authentication, security, fraud prevention, session management, and network management.
•  Functional or Preference Cookies, which help remember settings and preferences such as language, interface choices, and user configuration.
• Analytics or Performance Cookies, which help us understand how users interact with the Website and Services, measure traffic and usage patterns, diagnose technical issues, and improve performance and functionality.
•  Advertising or Targeting Cookies, if used, which help support, measure, or optimize marketing and advertising activities.

Depending on your location and applicable law, we may request your consent before using non-essential Cookies. You can also manage cookie preferences through your browser settings, device settings, or cookie consent tools made available on the Website, where applicable.
Please note that disabling certain Cookies may affect the availability or functionality of some Website or Service features.

Types of Cookies we Use

FuseBase does not currently use Personal Data collected through Cookies to allow third parties to advertise their products or services to you based on your use of the Website or Services.

14. Security

We use administrative, technical, and organizational safeguards designed to protect Personal Data appropriate to the nature of the data and the Services. These measures may include access controls, encryption in transit, logging, monitoring, vendor management, security testing, incident response processes, and role-based access restrictions.

No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for using appropriate safeguards for your own environment, credentials, connected providers, and deployed implementations, including where you use external integrations, customer-provided API keys, or customer-selected AI providers.

15. U.S. State Privacy Disclosures

Residents of certain U.S. states may have additional privacy rights, including rights to know, access, delete, correct, appeal, and opt out of certain profiling, targeted advertising, sale, or sharing practices as defined under applicable state law.

The Personal Data we collect is only accessible by a limited number of employees. Any of them have special access rights to the systems where we store the Personal Data. They are all bound by obligations of confidentiality.

FuseBase does not knowingly sell Personal Data for monetary consideration. Where state law requires us to treat certain analytics, advertising, or similar disclosures as ‘sale,’ ‘sharing,’ or targeted advertising, we will provide any required notice and opt-out mechanisms.

Authorized agents may submit requests where permitted by law. We will not discriminate against you for exercising applicable privacy rights.

By accepting the Policy and providing us with your Personal Data you agree to such transfers pursuant to the consent for processing of the Personal Data you grant. If you don’t agree to such transfers you will no longer be able to use the Website. If you are a resident in the EEA we may transfer your data outside the EEA to fulfill our contract with you (to provide you with information you request), as we provide an international service. When we make such transfers we: (1) comply with our legal and regulatory obligations; (2) estimate if the country to which we intend to transfer the Personal Data provides for sufficient level of data protection; and (3) implement the appropriate safeguards such as executing standard data protection contractual clauses. We will take all the steps to ensure that your data are treated securely and in accordance with the Policy.

16. Children

The Services are not directed to children, and we do not knowingly collect Personal Data directly from children under the age required by applicable law without appropriate authorization. If you believe a child has provided Personal Data to us inappropriately, please contact us and we will take reasonable steps to investigate and, where appropriate, delete the information.

If you are 14-17 years old and nonetheless request for the Services yourself we may require you to provide us with the documents confirming your emancipation or your parents’ or legal guardian’s permission to access and use the Website and / or the Services.

If you provide us with the Personal Data of other data subjects than yourself, you shall ensure that such Personal Data do not contain information of individuals under 14 years old.

17. Third-Party Links and Services

The Services may contain links to third-party websites, applications, marketplaces, or services that are not controlled by FuseBase. This Privacy Policy does not apply to those third-party services. Please review their privacy notices and terms before using them or submitting Personal Data to them.

18. Google Workspace and Similar APIs

If you connect Google Workspace or similar APIs, we process the data made available through those integrations to provide the integration feature you request, such as automation, syncing, invitation flows, productivity features, or workflow execution. We do not use Google Workspace API data to develop, improve, or train generalized AI or machine learning models, except as may be expressly permitted by the applicable Google terms and your settings or instructions.

Other connected APIs and integrations may have their own contractual and privacy requirements, and your use of those integrations may also be governed by the applicable third-party provider terms.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the Services, on our website, by email, or by other appropriate means, as required by law. The ‘Version date’ at the top of this Privacy Policy indicates when it was last updated.

20. CALIFORNIA AND OTHER U.S. STATE PRIVACY RIGHTS

If you are a resident of California or another U.S. state with an applicable privacy law, you may have certain rights regarding your Personal Data, subject to applicable exceptions and limitations. Depending on your state of residence and the nature of our processing, these rights may include the right to request access to, correction of, or deletion of your Personal Data; to request information about the categories of Personal Data we collect, use, disclose, or otherwise process; to opt out of certain types of processing, such as the sale or sharing of Personal Data where applicable; and to be free from unlawful discrimination for exercising your privacy rights.

FuseBase does not sell Personal Data and does not disclose Personal Data to third parties for their own direct marketing or advertising purposes. If you believe you are entitled to exercise any privacy rights under applicable U.S. state law, you may contact us using the contact information provided in this Privacy Policy. We will review and respond to your request in accordance with applicable law and may take steps to verify your identity before fulfilling certain requests.

If applicable law requires that we offer additional rights or disclosures to residents of a particular U.S. state, we will provide those rights and disclosures as required.

21. THIRD PARTY LINKS

We may post links to our partners’ websites and applications from time to time, and other websites and applications may link to the Website or the Services. These third-party services are not controlled by us.

Please note that we are not liable for data protection at such websites; please refer to privacy policies of these websites to understand how the Personal Data are processed there. Visiting these other websites or applications is at your own risk.

22. Contact Us

If you have questions, requests, or complaints regarding this Privacy Policy or our privacy practices, you may contact us at:

FuseBase / Nimbus Web Inc.
Email: legal@thefusebase.com