Nuri/Trust Center
Sign in

Privacy Policy

Last updated March 11, 2026

1. Introduction

This Privacy Policy describes how DeWitt Strategic Advisors, LLC (doing business as “DeWitt Labs,” “we,” “us,” or “our”) collects, uses, and shares information in connection with Nuri, our AI productivity assistant available as a macOS desktop application, iOS mobile application, embeddable chat widget, and web portal at nuri.dewitt.us, as well as our company website at dewitt.us.

By using Nuri or our websites, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Account Information

When you create an account, we collect the information provided by your OAuth identity provider (Google, Apple, or GitHub) through Clerk, our authentication service. This typically includes your name, email address, and profile photo.

Chat Messages

We store the messages you send to and receive from Nuri to provide conversation history, contextual memory, and continuity across sessions. This applies to all surfaces: desktop, mobile, web portal, and embed widget.

Screen Context (Opt-In, Desktop Only)

If you enable the screen capture feature on the macOS desktop app, Nuri periodically captures OCR text from your screen to build context about your current work. This feature is disabled by default and requires your explicit consent. Screen capture is not available on iOS, the web portal, or the embed widget. See Section 5 for details on data minimization.

Calendar Metadata

If you connect Google Calendar or Apple Calendar, we access event metadata (times, durations, attendee counts) to power task prioritization and meeting intelligence. Event titles are anonymized by default. See Section 6 for details.

Task & Project Data

If you connect Linear (project management), we access issue titles, statuses, and assignments within your workspace. This data is used to provide task-aware assistance and prioritization. Access is scoped to your workspace and follows Linear’s OAuth permissions.

Website Analytics

On dewitt.us and nuri.dewitt.us, we collect page views, session data, and traffic source attribution using a self-hosted, first-party analytics system (Tinybird). We do not use Google Analytics, advertising pixels, or third-party tracking services. Analytics are subject to your cookie consent choice.

Native App Data

The Nuri macOS and iOS applications do not include any third-party analytics SDKs. We collect error logs locally for diagnostic purposes. No usage analytics, device fingerprints, or behavioral data are transmitted from native apps to third parties.

3. How We Use Your Information

  • Provide the Service — power AI chat, task prioritization, meeting intelligence, and contextual assistance across all surfaces.
  • Improve the Product — analyze aggregate, de-identified usage patterns to improve features and user experience. Website analytics help us understand how visitors discover and use our services.
  • Ensure Security — detect and prevent fraud, abuse, and unauthorized access. All sensitive operations are recorded in a tamper-evident audit log.
  • Communicate — send service-related notifications, security alerts, and (with your consent) product updates.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Performance of a Contract — processing necessary to provide the Nuri service you have requested.
  • Consent — for optional features such as screen capture, full calendar title sharing, and analytics cookies, which require your explicit opt-in.
  • Legitimate Interests — security monitoring and product improvement, balanced against your privacy rights.

5. Screen Capture & Data Minimization

Screen capture is disabled by default and only available on the macOS desktop application. It requires your explicit opt-in. When enabled:

  • OCR text is extracted from your screen periodically to provide work context to the AI assistant.
  • Client-side PII redaction runs before any data leaves your device. Social Security numbers, credit card numbers, email addresses, and phone numbers are automatically detected and redacted. You can add custom regex patterns for additional sensitive data.
  • You can blocklist specific applications whose screen content should never be captured.
  • Only processed text is transmitted — raw screenshots are never sent to our servers.
  • Screen context data is retained according to your configured retention period (default 90 days) and can be deleted at any time.

6. Calendar Data

When you connect Google Calendar or Apple Calendar, Nuri accesses your events in read-only mode. By default, event titles are anonymized to “Meeting” before being processed by the AI. You may opt in to share full event titles for more context-aware prioritization.

Google Calendar OAuth refresh tokens are encrypted with AES-256-GCM at rest. Apple Calendar data is accessed via the local EventKit framework on macOS and is never transmitted to our servers — it is processed on-device only.

7. AI & Your Data

Nuri uses the Anthropic Claude API to power its AI features. When you interact with Nuri:

  • Your messages are sent to Anthropic’s API for processing under their zero-retention API terms — Anthropic does not store your inputs or outputs after processing.
  • Your data is never used to train Anthropic’s or any third-party AI models.
  • We use text embedding services (Voyage AI) for semantic search. Text snippets are sent for embedding and are not stored by the embedding provider.

8. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the subprocessors necessary to operate the Service. Each subprocessor receives only the minimum data required for its function.

We may disclose information if required by law, legal process, or to protect the rights, property, or safety of DeWitt Labs, our users, or the public. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity under equivalent privacy protections.

9. Embed Widget

The Nuri chat widget can be embedded on third-party websites. When you interact with the embed widget:

  • Your chat messages are processed by the same Nuri AI backend as all other surfaces.
  • The widget authenticates via a signed token, not cookies. It does not set cookies on the host site.
  • The host site’s own privacy and cookie policies apply independently of this policy.

10. Data Retention

Data retention is user-configurable. The defaults are:

  • Screen context — 90 days
  • Chat history — 365 days
  • Audit logs — 1-year minimum (not user-configurable)

Expired data is permanently deleted by a daily cleanup process that runs at 04:00 UTC. You may reduce your retention period or delete your data at any time through the app or by contacting us.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access & Portability — export all your data as JSON via the DSAR form, the in-app data management panel, or GET /user/data/export.
  • Deletion — delete all data or selectively remove screen context, chat history, or memory. Deletion is permanent and irreversible.
  • Correction — update your account information through your profile settings.
  • Consent Withdrawal — disable screen capture, calendar sharing, or analytics cookies at any time. Withdrawal does not affect data processed before withdrawal.
  • CCPA Rights — California residents may request disclosure of data collected and shared, and may opt out of any future sale of personal information (we do not currently sell personal information).
  • GDPR Rights — EEA residents have additional rights including the right to object to processing and the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, use the Data Request form or email us at privacy@dewitt.us. We will respond within 30 days (GDPR) or 45 days (CCPA).

12. Data Security

  • OAuth tokens and sensitive credentials are encrypted at rest with AES-256-GCM.
  • All data in transit is protected by TLS 1.2+ encryption.
  • Vector databases (Qdrant) run in VPC-isolated environments with no public internet access.
  • An append-only, hash-chained audit log records all sensitive data operations with a minimum 1-year retention period.
  • Authentication is handled by Clerk via OAuth providers (Google, Apple, GitHub), which delegate MFA/passkey enforcement to the identity provider.

For a detailed view of our security posture, see the Security Controls page.

13. International Data Transfers

Your data is processed and stored in the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States. By using Nuri, you consent to such transfer and processing. We take steps to ensure your data receives adequate protection in accordance with applicable law.

14. Children’s Privacy

Nuri is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at privacy@dewitt.us.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the “Last updated” date at the top of this page and, where appropriate, through in-app notification or email. Your continued use of Nuri after such changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

DeWitt Strategic Advisors, LLC
8910 University Center Lane, Suite 400
La Jolla, CA 92122
privacy@dewitt.us

See also: Terms of Service · Cookie Policy · Subprocessors · Data Requests · FAQ