Nyad Privacy Policy

Effective Date: May 8, 2026 Last Updated: May 8, 2026

Nyad, Inc. (“Nyad,” “we,” “us,” or “our”) builds AI-powered decision-support tools for industrial wastewater

treatment operators. We respect your privacy and have written this Privacy Policy in plain language so

you can understand what we collect, why we collect it, and the choices you have.

This Privacy Policy describes how we collect, use, disclose, protect, and retain information when you:

• Visit nyad.ai or any associated Nyad domain;

• Interact with our marketing pages, demo bookings, contact forms, or chat tools;

• Use Nymph AI or other Nyad products, including pilots, demonstrations, and evaluations;

• Communicate with our team by email or phone; or

• Engage with us at industry events, trade shows, or through partner channels.

Together, the items above are the “Services.”

1. Scope and Relationship to Customer Agreements

This Privacy Policy applies to information Nyad collects in its capacity as a data controller — primarily

information about website visitors, prospects, demo participants, partners, investors, candidates, and

customer points of contact.

Where Nyad processes information on behalf of a customer under an executed customer, pilot, or

evaluation agreement (for example, microscopy images and operational data uploaded by a plant operator

into Nymph AI), we act as a data processor / service provider. That information is governed by the terms

of the applicable customer agreement and our Data Processing Addendum (DPA), not by this Privacy

Policy. If those terms conflict with this Policy, the customer agreement controls.

This Privacy Policy also does not govern:

• Data processed under government contracts or grant-funded research, which is governed by the

applicable agreement;

• Information our customers’ end users submit directly to a customer’s own systems; or

• The privacy practices of third-party websites or services we link to (see Section 13).

2. Information We Collect

We try to collect the minimum information needed to operate, improve, and secure the Services. We never

require you to provide sensitive personal information to use our marketing site or to request a demo.

2.1 Information You Provide Voluntarily

• Identifiers and contact data — name, job title, employer / facility, work email address, phone number,

mailing address.

• Inquiry content — messages, demo requests, partnership or press inquiries, investor outreach, job

applications, and any files or attachments you choose to send (e.g., resumes, sample images for

evaluation).

• Account and authentication data — if you create an account in Nymph AI: username, hashed

password, role, and similar credentials.

Nyad Privacy Policy · Page 1 of 8• Operator inputs in Nymph AI — microscopy images of activated sludge, process parameters (e.g.,

SVI, MLSS, F:M ratio, RAS/WAS settings), facility metadata, and notes you enter into the product.

(Where applicable, this is processed under your employer’s customer agreement — see Section 1.)

• Communications — emails, support tickets, chat transcripts, and recorded calls or meetings (when

you have consented to recording).

2.2 Information Collected Automatically When you use our website or product, we and our service providers automatically collect:

• Device and connection data — IP address, browser type and version, operating system, device

identifiers, language, time zone.

• Usage data — pages viewed, referring URLs, search terms, links clicked, time spent, scroll depth,

feature usage, and similar diagnostic information.

• Marketing attribution data — UTM parameters (utm_source, utm_medium, utm_campaign, utm_term,

utm_content), gclid, fbclid, and similar campaign identifiers passed to our pages.

• Cookies and similar technologies — see Section 9.

2.3 AI Interaction Data (Nymph AI) If you interact with Nymph AI or other Nyad AI features, we may collect:

• The inputs you submit (e.g., microscopy images, operational parameters, prompts, queries);

• The outputs the system returns (e.g., organism classifications, density grades, corrective-action recommendations);

• Operational metadata used for system reliability, safety, performance monitoring, and quality assurance

(e.g., latency, model version, confidence scores, error states); and

• Operator-provided feedback (thumbs up / down, corrections, notes) that we use to evaluate and improve

model performance, as further described in Section 8.

2.4 Information from Third Parties

We may receive information about you from:

• Public and commercial sources — for example, business registries, professional networking sites

(e.g., LinkedIn), and B2B contact databases used for prospecting;

• Partners and referrals — investors, distributors, and industry partners who introduce us to potential

customers;

• Service providers — analytics, attribution, CRM, and form-hosting vendors (see Section 5).

We do not knowingly collect information from sources that are not authorized to share it.

3. How We Use Information

We use the information we collect for the purposes below. Where required by law, we rely on one of the

following legal bases under GDPR/UK-GDPR: performance of a contract, legitimate interests (e.g.,

operating, securing, and improving the Services and conducting B2B marketing), consent (e.g., for non-

essential cookies and certain marketing emails), or compliance with legal obligations.

We use information to:

• Provide, operate, secure, and maintain the Services;

• Respond to inquiries, demo requests, support tickets, and partnership outreach;

• Evaluate Nymph AI performance, accuracy, safety, and reliability;

Nyad Privacy Policy · Page 2 of 8• Detect, prevent, and respond to fraud, abuse, security incidents, and policy violations;

• Conduct internal analytics and research about how the Services are used;

• Send you product updates, marketing communications, and event invitations (you can opt out at any

time using the unsubscribe link in our emails);

• Recruit and evaluate candidates for open roles;

• Comply with legal, regulatory, audit, and contractual obligations; and

• Protect Nyad, our customers, our team, and the public.

We do not use website-visitor data to make automated decisions that produce legal or similarly significant

effects about you. Nymph AI generates decision support for trained operators; it does not replace the

operator’s judgment, and any treatment action remains the operator’s responsibility (see Section 13).

4. Government-Funded Research and Pilots

From time to time Nyad may participate in research, evaluation, or pilot activities funded in whole or in part

by U.S. federal, state, or non-profit grant programs (e.g., EPA, NSF, state Departments of Environmental

Quality).

When we do, the following applies:

• Data may be used for research, evaluation, and reporting purposes consistent with the funding agreement.

• Data may be aggregated, anonymized, or de-identified before being shared with funders, auditors, or

oversight bodies.

• We do not intentionally publish personally identifiable information (PII) or customer-confidential operational

data in public research outputs.

• Participation in any government-funded program does not grant the public, the funder, or third parties

unrestricted rights to Nyad’s proprietary models, training data, source code, or trade secrets, except as

expressly required by applicable law.

If a specific pilot or research engagement requires additional disclosures, we will provide them in a

supplemental notice or in the applicable agreement.

5. How We Share Information

We do not sell your personal information. We do not “share” personal information for cross-context

behavioral advertising, except to the extent that loading certain analytics or attribution pixels on our

marketing site may meet the technical CPRA definition of “sharing.” If you opt out (Section 11) or transmit

a Global Privacy Control (GPC) signal, we will treat that as a request to limit such sharing on our marketing

pages.

We disclose information only as described below:

Recipient 

Purpose

Service providers and sub-

processors under contractual

confidentiality and data-protection

terms

Hosting, storage, analytics, CRM, email delivery, form intake,

customer support, security monitoring, and similar back-office functions.

Current categories include: U.S. cloud hosting and storage,

web analytics (Google Analytics), marketing attribution (Maverick),

Nyad Privacy Policy · Page 3 of 8Recipient Purpose

form hosting (Tally), website hosting (Vercel), CRM (Attio), and

email services. A current sub-processor list is available on request

to legal@nyad.ai.

Customers and their authorized

users

When data was generated on a customer’s behalf (e.g., a facility’s

microscopy images), it is made available to that customer per the

customer agreement.

Government agencies, regulators,

and grant administrators

As required by funded programs, NPDES / state DEQ inquiries

directed at Nyad as a vendor, audits, or lawful requests.

Legal and safety recipients To comply with subpoenas, court orders, or other legal process; to

enforce our agreements; to investigate suspected fraud or abuse;

or to protect the rights, safety, or property of Nyad, our customers,

our team, or the public.

Corporate transactions In connection with a merger, acquisition, financing, reorganization,

or sale of all or part of our business — subject to the receiving party

honoring the commitments in this Policy.

With your direction When you ask us to share information with a third party (e.g., a

partner integration, a reference call, an investor introduction).

All disclosures are limited to what is necessary and appropriate for the stated purpose.

6. Data Security

We implement administrative, technical, and organizational safeguards designed to protect information

against unauthorized access, loss, misuse, alteration, disclosure, and destruction. These include role-

based access controls, encryption in transit, encryption at rest for sensitive stores, logging and monitoring,

vendor due diligence, and security training for personnel.

No system is 100% secure. You are responsible for keeping your account credentials confidential and for

using the Services in a secure environment. If you believe your account or any Nyad system has been

compromised, contact us immediately at chris@nyad.ai.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy,

including to:

• Operate and provide the Services to you or your organization;

• Meet our contractual, legal, regulatory, audit, tax, accounting, and reporting obligations;

• Support research integrity, model evaluation, and product improvement (in aggregated or de-identified

form where feasible);

• Resolve disputes and enforce our agreements; and

Nyad Privacy Policy · Page 4 of 8• Maintain reliable backups for disaster-recovery purposes.

When information is no longer needed, we delete, anonymize, or archive it according to our internal

retention schedules. For customers whose subscription has ended, our Terms of Service govern the

post-termination data lifecycle: customers may request a copy of their Customer Data within 30 days

of termination, and upon written request within that window we delete Customer Data from production

systems within 60 days, subject to backup retention schedules and any applicable legal hold. Specific

retention periods otherwise vary by data category and may be longer where required by law, by a funded

research program, or by an executed customer agreement. You can request more detail at legal@nyad.ai.

8. AI Systems, Model Training, and Customer Data

Trust is non-negotiable in our market — operators have been burned by tools that promised more than they

delivered, and regulatory compliance is mission-critical. We hold ourselves to the following commitments:

• Customers own their data. Customer Data submitted to Nymph AI — including microscopy images,

operational parameters, and facility metadata — remains owned by the customer. Nyad’s rights to

access, host, copy, process, and transmit Customer Data are limited to providing, securing, and

supporting the Service, as described in our Terms of Service.

• Aggregated and de-identified use only. Consistent with our Terms of Service, Nyad may generate

aggregated or de-identified data derived from Customer Data (“Aggregated Data”) and use it to operate,

improve, and develop the Service, including to train and evaluate models and produce analytics and

benchmarks — provided that Aggregated Data does not identify any customer, user, individual, or facility,

and is not shared in a form that permits re-identification.

• No cross-customer training of identifiable data. We do not use one customer’s identifiable Customer

Data to train models we make available to other customers without that customer’s express permission.

• Data is ring-fenced per facility. Proprietary customer data is logically segregated by facility and is

never commingled across customers in production model serving. Operator conversations are private

by default.

• Internal improvement. We may use service-operations data, system telemetry, error logs, and operator-provided

feedback (e.g., a “this classification is wrong” correction) to evaluate, debug, and improve

Nymph AI. These uses are subject to internal access controls.

• Public model providers. Where we use third-party AI providers (for example, large-language-model

APIs) in any portion of the Services, we contractually require those providers not to use Nyad inputs or

outputs to train their public models.

• No automated decisions of legal effect. Nymph AI produces decision-support recommendations for

trained human operators. It does not make automated decisions that have legal or similarly significant

effects on individuals.

If you are a California resident, see Section 11 for additional rights regarding Automated Decision-Making

Technology under the 2026 CPRA amendments.

9. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, tags, local storage, SDKs) to:

• Make the website work (essential / strictly necessary);

• Remember your preferences;

Nyad Privacy Policy · Page 5 of 8• Measure traffic, attribution, and feature usage; and

• Improve the user experience.

Categories we currently use include:

• Strictly necessary — required for the site to load and for forms to submit.

• Analytics — Google Analytics 4 (GA4) for aggregate usage analytics.

• Marketing / attribution — the Maverick attribution pixel and UTM capture, used to understand which

campaigns drive interest. We do not run programmatic advertising or third-party retargeting on nyad.ai

today; if that changes, we will update this Policy and our cookie banner.

You can control cookies through your browser settings (most browsers allow you to block, delete, or be

alerted to cookies) and through any cookie-preferences control we surface on the site. Disabling some

cookies may affect site functionality.

We honor the Global Privacy Control (GPC) browser signal as an opt-out of “sale” or “sharing” of personal

information for residents of jurisdictions that recognize it.

10. Children’s Privacy

The Services are intended for industrial and municipal wastewater professionals — not children. We do

not knowingly collect personal information from children under 13 (or under 16 in jurisdictions that set a

higher age). If you believe a child has provided us with personal information, contact us at legal@nyad.ai

and we will delete it.

11. Your Privacy Rights

Depending on where you live, you may have the rights described below. We will not discriminate against

you for exercising these rights.

11.1 Rights for All U.S. Residents You may:

• Access — request confirmation of whether we process your personal information and a copy of it.

• Correct — request that we correct inaccurate information.

• Delete — request that we delete your personal information.

• Opt out of marketing — unsubscribe from marketing emails using the link in any message, or by

contacting us.

11.2 California (CCPA / CPRA, including 2026 amendments) In addition to the rights above, California residents have the right to:

• Know the categories and specific pieces of personal information we have collected about you, the

categories of sources, the business or commercial purpose for collection, and the categories of recipients.

• Opt out of “sale” and “sharing” of personal information for cross-context behavioral advertising. As

noted in Section 5, we do not sell personal information; you may exercise the opt-out for any “sharing”

by transmitting GPC or by contacting us. Where our systems honor an opt-out, we will display an “Opt-

Out Request Honored” confirmation as required by the 2026 CPRA amendments.

• Limit the use of sensitive personal information. We do not knowingly process sensitive personal

information for purposes other than those permitted by the CCPA without your consent.

Nyad Privacy Policy · Page 6 of 8• Receive notice and exercise rights with respect to Automated Decision-Making Technology (ADMT)

as those rules take effect under the 2026 CPRA amendments. As of the Effective Date, we do not use

ADMT to make decisions producing legal or similarly significant effects on California consumers.

• Non-discrimination for exercising your rights.

11.3 Other U.S. State Laws

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah,

Texas, Oregon, Montana, Tennessee, and others — have rights similar to those above, including the right

to opt out of targeted advertising, sale of personal data, and certain profiling. Where applicable, you also

have the right to appeal a denial of your request.

11.4 European Economic Area, United Kingdom, and Switzerland If you are in the EEA, UK, or Switzerland, you have the right to: access; rectification; erasure; restriction

of processing; data portability; objection (including to direct marketing); and to withdraw consent at any

time. You may also lodge a complaint with your local supervisory authority.

The legal bases on which we rely are described in Section 3.

11.5 How to Exercise Your Rights Send a request to legal@nyad.ai with the subject line “Privacy Request” and tell us which right you want

to exercise. We may need to verify your identity before responding (we’ll only ask for what’s reasonably

necessary). You can also designate an authorized agent to make a request on your behalf, subject to

verification.

We will respond within the timeframe required by applicable law.

12. International Data Transfers

We are headquartered in the United States and operate primarily there. If you access the Services from

outside the U.S., your information will be transferred to, and processed in, the U.S. and other countries

where we or our service providers operate. These countries may have data-protection laws different from

those in your country.

For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European

Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented

by additional measures where required.

13. Disclaimer for Regulated and Mission-Critical Use

Information provided on our website and in product marketing materials is for informational purposes only.

It does not constitute regulatory, legal, environmental, or operational advice.

Nymph AI is a decision-support tool. Its outputs are intended to assist trained, qualified wastewater

operators and process engineers. Operators remain responsible for verifying results, exercising professional

judgment, and complying with all applicable permits and regulations (including NPDES permits

and state DEQ requirements). Nyad does not guarantee that use of the Services will result in regulatory

compliance or specific operational outcomes.

Nyad Privacy Policy · Page 7 of 814. Third-Party Links

The Services may contain links to third-party websites, tools, or content. We are not responsible for the

privacy practices or content of those third parties. We encourage you to review the privacy policies of any

third-party site you visit.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date

at the top of this page and, for material changes, take additional steps required by law (such as notifying

you by email or through the Services). Your continued use of the Services after the updated Policy takes

effect constitutes acceptance of the changes.

16. Contact Us

us at:

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, contact

Nyad, Inc.

Innovation Depot, 1500 1st Avenue North, Birmingham, AL 35203, United States

Email: legal@nyad.ai

Web: nyad.ai/contact

For media: press@nyad.ai · For investors: investors@nyad.ai · For careers: jobs@nyad.ai

This Privacy Policy is incorporated into Nyad’s Terms of Service. If there is any conflict between this Policy and an executed

customer agreement (including a Data Processing Addendum), the customer agreement controls with respect to data processed

under it.

Nyad Privacy Policy · Page 8 of 8