Privacy Policy
This Privacy Policy explains how NEW WATT SOLAR LTDA CNPJ 65.930.189/0001-67 ("Company", "we", "us") collects, uses, and protects information when you use Nic Hyper Flow ("Service").
1. What Runs Locally vs. What Leaves Your Machine
Nic Hyper Flow is designed as a local-first tool. The vast majority of what the extension does never leaves your computer:
Stays entirely on your machine
- Chat history, messages, and conversation context (stored in a local SQLite database)
- File checkpoints and time-travel backups (stored in
.nic_hyper_flow/) - Project knowledge base (stored in
.nic-hyper-flow/pkb_v2.jsonl) - Your API keys (stored in VS Code’s encrypted secret storage, never transmitted to our servers)
- Your prompts and code — AI requests go directly from your PC to the AI provider (OpenAI, Anthropic, Google, etc.) using your own API keys. We do not see, store, or relay your prompts.
Goes to our backend (Firebase/Firestore)
- Authentication data (user ID, email) — used for access control and subscription management
- Device presence metadata (online/offline status, extension version, workspace name) — used so the Remote Control app can find your device
- Basic tool usage statistics (e.g., which tools were used, not their content) — used to improve the extension
- Subscription and billing status (via Stripe) — used to enforce plan limits
2. Remote Control & Cloudflare Tunnel
The Remote Control feature allows you to control the extension from a mobile device. When this feature is active:
How the connection works
The extension starts a Cloudflare Tunnel on your PC. This creates an encrypted connection between your machine and the Cloudflare network, exposing a stable public hostname (e.g., abc123.ctrl.domain.com) that your mobile app can reach over the internet.
- The tunnel is provisioned under our Cloudflare account and associated with your device
- Only a tunnel-specific connector token is stored on your machine — not our Cloudflare account credentials
- Live communication (chat messages, streaming, commands) flows through this tunnel directly between your phone and your PC
- This traffic does not pass through our backend servers. Our backend (Firebase) is only used for device discovery, presence, and authentication coordination — not for the content of your sessions
- Cloudflare acts as a network routing layer. It does not store the content of your WebSocket sessions. See Cloudflare’s Privacy Policy for details on their data handling
What our backend stores about Remote Control
- The public hostname assigned to your device tunnel (to enable discovery)
- Device presence (online/offline, last seen timestamp)
- The tunnel connector token (used only to reconnect cloudflared on your machine)
3. Account & Authentication Data
If you sign in using GitHub or Google, we may collect:
- User ID and email address
- Display name and profile photo (if provided by the auth provider)
- Session tokens (stored securely, short-lived)
We use your email address for access control and, occasionally, product announcements. You may opt out of marketing emails at any time.
4. Usage Statistics
We may collect limited, anonymous telemetry to improve the Service:
- Which tools were invoked (not their inputs or outputs)
- Extension version and platform
- Error and crash reports
5. Payments
Payments are processed by Stripe. We may receive subscription status, plan, and billing timestamps. We do not store full card numbers. See Stripe’s Privacy Policy for details.
6. How We Use Your Information
We use collected data to:
- Authenticate users and manage subscriptions
- Enable the Remote Control feature (device discovery and pairing)
- Improve reliability, performance, and features
- Prevent abuse and unauthorized access
- Provide customer support
7. Sharing of Information
We may share limited data with:
- AI Providers you choose — your prompts go directly from your PC to the provider using your own API keys; we are not in this path
- Cloudflare — tunnel routing infrastructure for the Remote Control feature
- Google Firebase / Firestore — device presence, auth coordination, and session metadata
- Stripe — subscription billing
- Law enforcement or authorities — when legally required
We do not sell your personal information.
8. Legal Bases (GDPR/LGPD)
Where applicable, we process data based on:
- Contract — to provide the Service
- Legitimate interests — improving security and stability
- Consent — where required for specific processing
- Legal obligations — compliance with applicable law
9. Data Retention
We keep data only as long as necessary to provide the Service, resolve disputes, and comply with legal obligations. Device tunnel configuration and presence data are deleted when you revoke access or close your account. Logs and diagnostics may be retained for security and debugging purposes.
10. Security
We use reasonable technical and organizational measures including:
- Encrypted transport (HTTPS/WSS) for all connections
- Short-lived JWT session tokens with expiry
- Scoped tunnel tokens (one per device, revocable)
- API keys stored only in VS Code’s encrypted secret storage on your machine
No system is 100% secure. You use the Service at your own risk.
11. International Transfers
Your data may be processed in countries where our providers operate (Google Cloud, Cloudflare, Stripe). Where required, we use appropriate safeguards for international transfers.
12. Your Rights
Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal data, as well as data portability. To exercise these rights, contact: [email protected]
13. Children’s Privacy
The Service is not intended for children under 13. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Continued use after changes means you accept the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact
For questions about this Privacy Policy, contact:
Email: [email protected]
Company: NEW WATT SOLAR LTDA CNPJ 65.930.189/0001-67