Naive AI

Privacy Policy

Effective date: March 1, 2026

Naive AI (“we”, “us”, “our”) operates the naive.nyc website and the ai.naive.nyc platform (the “Service”). This policy explains what data we collect, how we use it, and your rights.

1. Information we collect

Account data

When you create an account, we collect your email address, name, and a hashed password (or OAuth tokens if you sign in with Google). We use this to authenticate you and send you product-related emails.

Website and scan data

To perform accessibility scans, you provide us with URLs. Our crawler visits those URLs, renders the pages in a headless browser, and stores the resulting accessibility report. We do not store full page HTML; we store structured issue data derived from the page.

Usage data

We collect standard server logs (IP address, browser, pages visited, timestamps) and product analytics (feature usage, scan counts). We use this to improve the Service and detect abuse. We do not sell this data.

Payment data

Billing is handled by Stripe. We store your Stripe customer ID and subscription status, but never your full card number. Stripe's privacy policy applies to payment data.

Cookies

We use a session cookie to keep you logged in. We use no third-party advertising cookies. We may use a first-party analytics cookie (e.g., Plausible or PostHog) to understand aggregate product usage.

2. How we use your data

  • Provide, operate, and improve the Service
  • Send transactional emails (scan results, billing receipts, security alerts)
  • Send product update emails — you can unsubscribe at any time
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not sell your personal data to third parties.

3. Data retention

We retain account data for as long as your account is active. Scan reports are retained for 12 months on the Free plan and indefinitely on paid plans. You can delete your account and all associated data at any time from Settings.

4. Data sharing

We share data only with:

  • Service providers — Supabase (database), Vercel (hosting), Stripe (billing), Resend (email). Each is bound by a data processing agreement.
  • Legal authorities — when required by law or to protect our rights.

5. Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). We use row-level security in our database. Access to production systems is restricted to authorized personnel and protected by multi-factor authentication.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. To exercise these rights, email privacy@naive.nyc. We will respond within 30 days.

If you are in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

7. Children

The Service is not directed to children under 13. We do not knowingly collect personal data from children. If you believe we have done so, contact us and we will delete it promptly.

8. Changes to this policy

We may update this policy from time to time. We will notify you by email and update the effective date above. Continued use of the Service after changes constitutes acceptance of the new policy.

9. Contact

Naive AI
New York, NY
privacy@naive.nyc