What we collect,
and what we do not.

Nomisma LLC (“Nomisma,” “we”) operates nomisma.ai. We use first-party analytics, we do not set tracking cookies, we do not ship third-party scripts, and we honor Do-Not-Track and Global Privacy Control. The only personal data we ever store is what you give us through the contact form — and our admin tooling for the small team that reads it.

From the contact form

• →Name, email address, organization (optional), and message content — only when you submit the form.
• →Submission metadata: IP address, browser user-agent string, and the referring URL (if any). Used to fight spam and to support the message if a follow-up is needed.

From first-party analytics

• →Pageview data: page path, referrer, UTM tags, time on page.
• →Coarse geo (country, region, city) derived from CloudFront request headers. We do not perform IP-to-location lookups.
• →Device class (desktop / tablet / mobile), operating system, and browser family, derived from the user-agent.
• →A pseudonymous, daily-rotating visitor identifier (server-computed SHA-256 hash of IP + user-agent + an internal secret, scoped to the current UTC day). It changes every 24 hours. It is not a persistent fingerprint.
• →Click events on elements we explicitly tag for tracking (e.g., “Apply to AI Startech,” “Request a briefing”). No keystrokes, no mouse trails, no session replay.

From admin sign-ins (Nomisma team only)

• →Email, Argon2id password hash, TOTP 2FA secret, last login timestamp + IP, append-only audit log of every action.

• →No tracking cookies. The analytics tracker stores a transient session ID in sessionStorage only, which clears when you close the tab.
• →No third-party scripts. No Google Analytics, Meta Pixel, advertising pixels, or fingerprinters.
• →No persistent cross-day identifier. The visitor hash rotates every UTC day.
• →No sale of data. Ever. Not to anyone.
• →We honor DNT and GPC. If your browser signals Do-Not-Track or Global Privacy Control, the analytics tracker disables itself.

• →Contact form data: to read your message and reply. To prevent abuse of the form.
• →Analytics:to understand which content is read, which CTAs are used, and where visitors come from — in aggregate.
• →Admin data: to authenticate the small Nomisma team and maintain an audit trail of who did what.

All application data is stored in AWS RDS PostgreSQL in the United States, encrypted at rest with AWS KMS and in transit with TLS. Email delivery uses AWS SES (US). The website itself is served by AWS Amplify behind CloudFront. AWS acts as our data processor and operates under their published security and compliance posture.

We do not store data outside the United States.

• →The Nomisma team. The studio is small — access is limited to operators with a legitimate need, behind 2FA.
• →AWS, as our infrastructure provider (the subprocessor operating our database, email, and hosting).
• →Nobody else. We do not transfer data to advertising networks, data brokers, or affiliate partners.

• →Contact messages: retained while the conversation is active, plus up to 24 months for follow-up, then archived or deleted.
• →Analytics pageviews: retained for up to 24 months in detail, then aggregated.
• →Admin audit log: append-only, retained indefinitely (compliance evidence).
• →Admin sessions: automatically expire after 8 hours.

If you submitted a message through the contact form, or if you believe we may hold information about you, you can ask us to:

• →Access the personal data we hold about you.
• →Correct anything inaccurate.
• →Delete it.
• →Export a copy in a portable format (CSV or JSON).
• →Opt out of analytics in your browser (DNT/GPC).

Email privacy@nomisma.ai and we will respond within 30 days.

We only set the cookies we absolutely need to operate the site — no advertising or analytics cookies.

• →nomisma_session— an httpOnly, Secure, SameSite=Lax cookie set only when an administrator signs into the admin app at /admin. Expires after 8 hours. Holds a random 256-bit token (the server stores only its SHA-256 hash).
• →sessionStorage (not a cookie)— the first-party analytics tracker stores a transient session ID in your browser’s sessionStorage, which clears automatically when the tab closes. It never leaves the site and is never read by third parties.

Under GDPR and ePrivacy these are considered strictly necessary and do not require a consent banner.

The website is not directed at children under 13 and we do not knowingly collect data about them. If you believe a child has submitted personal data through our site, please email privacy@nomisma.ai and we will delete it.

When this policy changes materially, we update the “Last updated” date at the top and, if appropriate, note the changes in a prior version archive. Current version: May 25, 2026.

Nomisma LLC
30 N Gould St, Sheridan, WY 82801
United States
privacy@nomisma.ai