Nautillo (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website and browser extension (“Services”).
We process your personal data in accordance with the General Data Protection Regulation (GDPR). Certain types of processing (such as sending you marketing communications or setting non-essential cookies) require your consent, which you can withdraw at any time. Other processing is based on contract, legitimate interests, or legal obligations as explained below.
Nautillo is developed and operated by Lab88 OÜ, providing secure browsing services through a browser extension that helps detect phishing, block tracking, and manage online privacy in real time.
For inquiries, contact us at:
support@nautillo.com
https://www.nautillo.com
We have not appointed a Data Protection Officer, as this is not required under Article 37 GDPR. If this changes, we will update this Policy.
We collect only the data required to provide and improve our Services. We do not intentionally collect special categories of personal data (such as health or biometric data). Please do not submit such data.
a. Personal Data (Provided by You)
- Email address (user ID)
Legal basis: contract (Article 6(1)(b) GDPR)
- Marketing preferences
Legal basis: consent (Article 6(1)(a) GDPR)
- Subscription plan and billing status
Legal basis: contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) for tax/accounting
b. Behavioral & Usage Data
- Trusted, blocked, and high-risk website lists (stored securely)
- Website analysis results
- Security metrics
- Extension settings and preferences
Legal basis: contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) for improving security and performance
c. Payment Information
Payments are processed via Stripe, which acts as an independent controller for certain activities. We do not store your card details.
Legal basis: contract (Article 6(1)(b)) and legal obligations (Article 6(1)(c)).
Where Stripe processes data outside the European Economic Area, appropriate safeguards are applied (such as Standard Contractual Clauses and/or participation in the EU–US Data Privacy Framework). See Stripe’s Privacy Policy.
If enabled, Nautillo temporarily retains clipboard content for 10 seconds, after which it is automatically cleared. We do not store or transmit clipboard data externally.
Legal basis: performance of a contract (Article 6(1)(b) GDPR), as this feature is only active if you enable it.
We use collected data for the following purposes:
- Authenticate and manage your account
Legal basis: contract (Article 6(1)(b) GDPR).
- Operate and personalize extension features
Legal basis: contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) to improve user experience.
- Detect and block online threats in real time
Legal basis: legitimate interests (Article 6(1)(f)) in providing a secure service.
- Send OTP codes for secure login
Legal basis: contract (Article 6(1)(b)).
- Improve our threat detection models and services
Legal basis: legitimate interests (Article 6(1)(f)), with anonymization or aggregation wherever possible.
We do not sell, rent, or trade your personal data to third parties.
We do not use personal data for automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
Privacy & Security Controls
- Enable/Disable Privacy Guardian
Prevent tracking by third parties. When enabled, you can also manage your Trusted, Blocked, and High-Risk website lists.
- Manage Trusted, Blocked, and High-Risk Websites
Available when Privacy Guardian is enabled. Customize which websites are allowed, restricted, or flagged as high-risk.
- Enable/Disable Real-Time Monitoring
Turn on or off live website scanning to detect threats and malicious activity in real time.
- Enable/Disable Secure Copy
Control whether sensitive data copied to your clipboard (e.g., passwords, payment details) is automatically secured.
- Enable/Disable Auto Logout
Automatically log out after a period of inactivity to protect your account from unauthorized access.
Communication Preferences
- Opt In/Out of Marketing Emails
Choose whether to receive product updates, offers, and other promotional emails.
Subscription Management
- Cancel Your Subscription
Cancel at any time from the extension settings. Your account will retain access to premium features until the end of your current billing period (monthly or yearly, depending on your plan). No refunds are provided for early cancellation.
- Deactivate Your Account
Deactivate your account entirely if you no longer wish to use the service. Deactivation also stops future billing, but does not refund previous payments.
- Change Your Subscription Plan
You can switch between Monthly and Yearly plans. The new plan will take effect after your current billing period ends.
Nautillo Extension
The Nautillo browser extension does not use cookies. Instead, it utilizes local storage to:
- Manage session states,
- Store user preferences,
- Maintain trusted and blocked lists,
- Enable core functionalities such as real-time monitoring and security scoring.
All data stored locally remains on the user’s device. It is not shared with third parties, is not synced unless you choose to do so, and is not used for advertising or profiling purposes. The extension does not integrate any third-party analytics tools, including Google Analytics or similar tracking services.
Nautillo Website
The Nautillo website, developed using Webflow and Typeform, may use essential cookies to support basic site functionality, such as:
- Remembering your language or region preferences,
- Improving user experience during navigation.
We use Google Analytics to collect aggregated data on website usage. Analytics cookies are only set with your prior consent through our cookie banner in accordance with Article 6(1)(a) GDPR and the ePrivacy Directive.
- IP addresses are anonymized before storage to reduce identifiability.
- Data retention in Google Analytics is set to a maximum of 14 months.
- Transfers of Analytics data outside the European Economic Area are safeguarded by Google’s participation in the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
You may withdraw your consent to Analytics cookies at any time by revisiting the cookie banner in the site footer. Withdrawal is as easy as giving consent.
You can learn more about how Google collects and processes data here.
To deliver a secure, reliable, and user-friendly experience, Nautillo integrates with a limited number of carefully selected third-party services. These integrations are divided between the browser extension and the website, depending on the functionality required.
Nautillo Extension
The following services support the secure operation and core functionality of the Nautillo browser extension:
- Stripe – Handles secure payment processing. All payment data is processed externally by Stripe in compliance with PCI-DSS standards.
- Brevo – Sends transactional and notification emails, such as account verification, alerts, or service-related communications.
- Amazon Web Services (AWS) – Provides cloud hosting infrastructure used to securely store and manage essential data, including user settings, site lists, and risk scoring data.
- Browser APIs – Used for core security features including clipboard protection, tab scanning, session management, and permission handling. These APIs are native to the browser and operate within its secure environment.
Nautillo Website
The Nautillo website integrates the following services to support content delivery, user engagement, and analytics:
- Webflow – Provides the content management and front-end platform for hosting and designing the Nautillo website.
- Typeform – Enables form submissions on the site, such as contact or feedback forms, and securely transmits submitted data.
- Google Analytics – Collects aggregated, anonymized usage data to help us analyze website traffic and improve user experience. Data is not used for profiling or advertising unless explicitly stated and consented to.
- HubSpot – Used for customer communication, engagement tracking, and contact form management. All interactions are subject to user consent and are handled in accordance with GDPR.
We use secure cloud infrastructure to store data with encryption and access control.
We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law (Article 5(1)(e) GDPR). For example:
- Subscription and billing records: retained for up to 7 years to meet accounting and tax obligations.
- Authentication and security logs: retained for up to 12 months, unless required longer to investigate security incidents.
- Clipboard data: retained temporarily for 10 seconds and then cleared automatically.
- Consent records: retained as long as required to demonstrate compliance.
Even if you cancel or deactivate your account, we may:
- Retain irreversibly anonymized or aggregate usage data for analytics and service improvement.
- Retain anonymized trusted/blocklist entries to improve detection models.
- Preserve subscription records for legal or operational purposes.
You may request deletion of your personal data at any time by contacting us. We will delete or anonymize your data unless we are legally required to retain certain information (e.g., for tax or fraud prevention purposes). Please note that data in backups may persist for a short additional period before being overwritten.
We implement technical and organizational measures appropriate to the risk, in line with Article 32 GDPR, to ensure the confidentiality, integrity, and availability of your data. These include, but are not limited to:
- TLS (Transport Layer Security) encryption for all data in transit
- Encryption at rest for sensitive user data stored in the cloud
- Secure clipboard handling and sandboxed extension environments to protect against unauthorized access
- Access-restricted backend APIs protected by authentication and rate-limiting
- Automatic logout or session termination from high-risk environments after periods of inactivity
We also require our subprocessors to implement equivalent security measures.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will comply with Articles 33 and 34 GDPR, including notifying the relevant supervisory authority and, where required, affected users without undue delay.
We continuously evaluate and update our security protocols to align with industry best practices and regulatory requirements.
We process and store data using infrastructure located in the European Economic Area (EEA). Some of our subprocessors (such as Stripe or Google) may transfer personal data outside the EEA.
Where this occurs, we ensure appropriate safeguards in accordance with Articles 44–49 GDPR, including:
- Adequacy decisions adopted by the European Commission (for example, the EU–US Data Privacy Framework), or
- Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary measures where required.
You may request further information on these safeguards, or a copy of them, by contacting us at support@nautillo.com.
Nautillo is not intended for users under 16 years of age (or the minimum digital consent age in your country, which may be 13–15). We do not knowingly collect personal data from children.
If you believe we have inadvertently collected data from a child, please contact us at support@nautillo.com, and we will delete it without undue delay.
Depending on your jurisdiction (e.g., EU/EEA), you may have the right to:
- Access the data we hold about you (Article 15 GDPR)
- Request correction of inaccurate data (Article 16)
- Request deletion of your data (Article 17)
- Restrict certain processing (Article 18)
- Object to processing based on legitimate interests (Article 21)
- Receive the data you provided to us under contract or consent in a portable format (Article 20)
- Withdraw marketing consent at any time without affecting prior lawful processing (Article 7(3))
- Not be subject to automated decision-making with legal or similarly significant effects (Article 22)
To exercise these rights, contact us at support@nautillo.com. We will respond within one month as required by Article 12(3) GDPR (extendable by up to two months if necessary).
You also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
We may update this Privacy Policy as needed. If material changes are made, we will notify users through the website, the extension, or direct communication where appropriate.
If changes significantly affect how we process your personal data (for example, new purposes or legal bases), we will notify you directly before such changes take effect.
If you have any privacy concerns or questions, reach out to us at: support@nautillo.com