Privacy Policy

1. We respect your privacy

(a)   Nepo Labs respects your right to privacy and is committed to safeguarding the privacy of our users and website visitors. This policy sets out how we collect and treat your personal information.

(b)  We adhere to the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and, to the extent applicable, the EU General Data Protection Regulation (GDPR).

(c)   "Personal information" is information we hold which is identifiable as being about you. This includes information such as your name, email address, resume, professional background, or any other information that can reasonably identify you, either directly or indirectly.

(d)  You may contact us at any time via email at hello@nepolabs.com for further information about this Privacy Policy.

2. What personal information we collect

(a)   Nepo Labs will, from time to time, receive and store personal information you submit to our platform, provided to us directly or given to us in other forms.

(b)  You may provide basic information such as your name and email address to enable us to create your account and provide our services to you.

(c)   We may collect additional information at other times, including but not limited to, when you provide feedback, respond to surveys or promotions, update your preferences, or communicate with our support team.

2.1 Account and Profile Information

(a)   When you register and set up your Nepo account, we collect:

1. Your first and last name (and preferred name, if provided)
2. Your email address
3. Your resume (uploaded by you — we extract and store its text content)
4. Your LinkedIn profile URL (if provided)
5. Your current location
6. Your professional background or employment history (as provided during onboarding)
7. A profile photo (optional)

2.2 Job Search and Campaign Data

(a)   As you use the Nepo platform, we collect information related to your job search activity, including:

1. Target company, role, and location preferences you specify for each campaign
2. Your campaign history and settings
3. AI-generated outreach messages (LinkedIn DMs, cold emails, and follow-ups) created for your use
4. Outreach tracking data, including messages sent, replies received, and status updates you log

2.3 Third-Party Contact Information

(a)   A core feature of Nepo is surfacing relevant professional contacts ("insiders") at your target companies. To provide this, we collect and store information about those contacts, including:

1. Names, job titles, and employer information
2. LinkedIn profile URLs and publicly available professional background information

(b)   This information is sourced from publicly available professional networks and third-party data enrichment providers. It relates to professionals in their professional capacity and is used solely to help you identify relevant contacts for your job search.

2.4 Payment Information

(a)   If you subscribe to a paid plan, we collect billing-related information including your payment method details. All payment data is processed and stored by our third-party payment processor, Stripe. We do not store raw card numbers on our systems.

2.5 Device and Usage Data

(a)   When you visit our website or use our platform, we may automatically collect:

1. Your IP address and approximate location
2. Browser type, operating system, and device type
3. Pages visited and features used
4. Login times and session duration
5. Referral source (website visited immediately before coming to ours)
6. Cookie identifiers (see Section 15)

3. How we collect your personal information

(a)   Nepo Labs collects personal information in a variety of ways, including when you interact with us electronically, access our platform, or engage in business activities with us. We may also receive personal information from third parties, which we will protect in accordance with this Privacy Policy.

(b)  Direct input. We collect information that you provide directly during registration, onboarding, and your use of the platform — such as your name, email, resume, and job search preferences.

(c)   Google authentication. If you choose to sign in via Google, we may collect from Google the following data:

1. Your full name
2. Your Google account email address
3. Your Google account profile photo

(d)  Automatic collection. We automatically collect device and usage data when you access our platform, as described in Section 2.5.

(e)   Third-party enrichment. We use third-party data providers to source publicly available professional information about potential contacts to surface within your campaigns.

(f)  Payment processor. When you subscribe to a paid plan, Stripe collects and processes your payment information on our behalf.

(g)   By providing us with personal information, you consent to the supply of that information subject to the terms of this Privacy Policy.

4. How we use your personal information

(a)   Nepo Labs uses personal information collected from you to provide, operate, and improve our platform and services. We will use personal information only for the purposes that you consent to, or where we otherwise have a lawful basis to do so. This may include to:

1. create and manage your account;
2. provide the networking and outreach automation services described on our platform;
3. generate personalised, AI-drafted outreach messages (LinkedIn DMs, cold emails, follow-ups) based on your profile and target role;
4. surface relevant professional contacts at your target companies;
5. track and manage your outreach campaigns and conversations;
6. process your subscription payments;
7. send you service-related communications (e.g. account notifications, feature updates, usage alerts);
8. send you marketing communications where you have opted in (you may opt out at any time);
9. research, develop, and improve our products and services using anonymised or aggregated usage data;
10. investigate and respond to complaints or support requests;
11. comply with legal obligations; and
12. protect the security and integrity of the platform.

(b)  If you withhold your personal information, it may not be possible for us to provide you with our services or for you to fully access the platform.

(c)   We may disclose your personal information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, or in response to a law enforcement agency request.

(d)  If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer, to the extent permissible at law, our user databases, together with any personal information contained in those databases.

5. How we store your personal information

5.1 General data storage

1. We collect, store, and process your data on Supabase-hosted servers located in the United States (AWS us-east-1, Virginia). Please refer to Section 7 for information about international data transfers.
2. All data is encrypted at rest using industry-standard encryption algorithms (AES-256). "Encrypted at rest" means that all data written to disk — including databases, backups, logs, and file storage — is automatically transformed into ciphertext that cannot be read or modified without access to the corresponding decryption keys. Encryption keys are managed according to Supabase's standard key-management practices.
3. You can view Supabase's full Privacy Policy at: https://supabase.com/privacy.

5.2 Artificial Intelligence

We use Google Gemini, a large language model hosted by Google, to generate personalised outreach messages on your behalf. You acknowledge that Google's terms of service govern the use of this AI service. Google's API usage policies are available at https://ai.google.dev/gemini-api/terms. Your personal data is only provided to Google Gemini to the extent necessary to generate your requested outreach messages, and it is used solely for the purposes outlined in this Privacy Policy.

5.3 Payment data

All payment processing is handled by Stripe, Inc., a PCI-DSS compliant payment processor. We do not store raw card numbers or sensitive payment credentials on our systems. Stripe's privacy policy is available at https://stripe.com/privacy.

5.4 Data retention

1. We will retain your personal information for as long as your account is active or as necessary to provide you with our services.
2. If you delete your account or request deletion of your data, we will anonymise or delete your personal information within 90 days, except where we are required to retain it for legal or regulatory purposes.
3. Payment and transaction records may be retained for up to 7 years to comply with applicable financial and tax record-keeping obligations.
4. You may request deletion of your personal information at any time by contacting us at hello@nepolabs.com.

6. Disclosure of your personal information

1. Nepo Labs may disclose your personal information to our employees, officers, insurers, professional advisers, agents, suppliers, or subcontractors insofar as is reasonably necessary for the purposes set out in this Privacy Policy.
2. We may share your information with third-party service providers who assist us in operating our platform, including cloud infrastructure providers, AI service providers, payment processors, and analytics tools. These providers are only permitted to use your information to the extent necessary to perform their services for us.
3. If we do disclose your personal information to a third party, we will take reasonable steps to ensure it is protected in accordance with this Privacy Policy and applicable law.

7. International data transfers

1. Nepo Labs is an Australian business. However, our platform data is stored and processed on servers located in the United States (AWS Virginia) operated by Supabase. As such, your personal information is transferred outside of Australia when you use our services.
2. Under Australian Privacy Principle 8, before transferring personal information overseas, we must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information.
3. We use Supabase and other service providers who maintain data protection standards consistent with or equivalent to the Australian Privacy Principles. By using our services, you consent to your personal information being transferred to and processed in the United States and potentially other countries where our service providers operate.
4. If you are located in the European Union, please refer to Sections 8 and 9 for information about your additional rights under the GDPR.

8. General Data Protection Regulation (GDPR) for the European Union (EU)

1. Nepo Labs will comply with the principles of data protection set out in the GDPR for the purpose of fairness, transparency, and lawful data collection and use, to the extent that the GDPR applies to our activities.
2. We process your personal information as a Controller as defined in the GDPR.
3. We must establish a lawful basis for processing your personal information. The legal basis on which we collect and use your information depends on the type of data and the context in which we use it. We rely on the following lawful bases:
   • Contract performance — processing necessary to provide you with the services you have subscribed to;
   • Legitimate interests — processing necessary for our legitimate business interests (e.g. platform security, fraud prevention, service improvement), where those interests are not overridden by your rights;
   • Consent — where you have given us specific, informed consent (e.g. marketing communications); and
   • Legal obligation — where we are required to process your data to comply with a legal obligation.
4. We will only collect personal information that is necessary and not excessive for its purpose. We will keep your data safe and secure.
5. We do not collect or process any personal information considered "Special Category" data under the GDPR (such as data relating to health, race, religion, or sexual orientation) unless you have provided explicit consent or it is otherwise required by law.
6. You must not provide us with your personal information if you are under the age of 16 without the consent of a parent or guardian. See Section 16 for our full age requirements.

9. Your rights under the GDPR

1. If you are an individual residing in the EU, you have certain rights regarding how your personal information is obtained and used. Nepo Labs complies with your rights under the GDPR as to how your personal information is used and controlled.
2. Except as otherwise provided in the GDPR, you have the following rights:
   • to access your personal information (we will provide you with a copy free of charge);
   • to be informed how your personal information is being used;
   • to correct your personal information if it is inaccurate or incomplete;
   • to delete your personal information (also known as the "right to be forgotten");
   • to restrict the processing of your personal information;
   • to data portability — to receive your personal information in a structured, commonly used format;
   • to object to your personal information being processed; and
   • to object to automated decision-making and profiling.
3. Please contact us at any time to exercise your rights under the GDPR using the contact details in Section 17.
4. We may ask you to verify your identity before acting on any of your requests.

10. Hosting

(a)  Our platform data is hosted on Supabase infrastructure running on Amazon Web Services (AWS), specifically in the us-east-1 region (Virginia, United States). This means your personal data is stored and processed in the United States. Please refer to Section 7 for information about international data transfers and the safeguards we have in place.

11. Security of your personal information

1. Nepo Labs is committed to ensuring that the information you provide to us is secure. In order to prevent unauthorised access or disclosure, we have implemented suitable technical and organisational measures to safeguard your personal information against misuse, interference, loss, and unauthorised access, modification, or disclosure.
2. All data stored on our platform is encrypted at rest (AES-256) and in transit (TLS). Access to personal information is restricted to personnel and systems that require it to provide or improve the service.
3. Where we engage third-party data processors to process personal information on our behalf, we only do so on the basis that such processors maintain adequate technical and organisational measures to protect personal information.
4. The transmission and exchange of information is carried out at your own risk. Although we take significant measures to safeguard against unauthorised disclosures, we cannot guarantee the absolute security of any information transmitted to us over the internet.

12. Access to your personal information

(a)  You may request details of the personal information we hold about you in accordance with the provisions of the Privacy Act 1988 (Cth) and, to the extent applicable, the EU GDPR. If you would like a copy of the information we hold about you, or if you believe any information we hold is inaccurate, out of date, incomplete, irrelevant, or misleading, please email us at hello@nepolabs.com. We will respond to your request within a reasonable timeframe.

13. Complaints about privacy

(a)  If you have any complaints about our privacy practices, please send details of your complaint to hello@nepolabs.com. We take complaints seriously and will respond promptly after receiving written notice of your complaint.

(b)  If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, or, if you are located in the EU, to your relevant national data protection authority.

14. Changes to Privacy Policy

(a)  We may change this Privacy Policy from time to time. We may modify this Policy at any time at our sole discretion and all modifications will be effective immediately upon posting on our website. We will update the "last updated" date at the top of this page whenever changes are made. Where changes are material, we will make reasonable efforts to notify you (for example, via email or a notice on the platform). Please check back from time to time to review our Privacy Policy.

15. Website

(a)  Website analytics. When you visit our website (https://nepolabs.com), we may collect certain information such as browser type, operating system, and the website visited immediately before coming to our site. This information is used in an aggregated manner to analyse how people use our site so that we can improve our service.

(b)  Cookies. We may use cookies on our website. Cookies are small files that a website uses to identify you when you return to the site and to store details about your use of the site. Cookies are not malicious programs and do not access or damage your computer. Most web browsers automatically accept cookies, but you can choose to reject cookies by changing your browser settings. However, this may prevent you from taking full advantage of our platform. We may use cookies to analyse website traffic and provide a better user experience.

16. Age requirements

1. Nepo is intended for use by individuals who are 16 years of age or older. By using our platform, you represent that you meet this age requirement.
2. We do not knowingly collect personal information from individuals under the age of 16. If you are a parent or guardian and believe that your child under 16 has provided us with personal information without your consent, please contact us immediately at hello@nepolabs.com so that we may delete the information as soon as possible.
3. If you are between 16 and 18 years of age, we recommend that you review this Privacy Policy with a parent or guardian before using our services.

17. Contact us

(a)  If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal information, please contact us using the details below.

18. Effective date

This policy is effective from 24 March 2026.