nomable

privacy policy

Last updated: April 21, 2026

This Privacy Policy describes how Raven Foundries LLC, a Delaware limited liability company doing business as "Nomable" at nomable.app ("Nomable," "we," "us," or "our"), collects, uses, and protects information when you use the Nomable reservation-booking service (the "Service").

Questions? Contact nomable@nomable.app.

1. Information We Collect

1.1 Account Information

  • Email address — required to create an account and receive reservation notifications.
  • Google account profile (name, avatar, Google user ID) — if you sign in with Google.
  • Password hash — if you use email/password sign-in, stored as a bcrypt hash; we never store your plaintext password.

1.2 Connected Service Authentication

To act on your behalf on the third-party services you connect to Nomable, we store authentication tokens for those services. These tokens are:

  • Encrypted at rest using AES-256-GCM (via the Fernet cryptography library) with a key that is not stored alongside the data.
  • Decrypted only momentarily while fulfilling a task you requested.
  • Never shared with any third party other than the service they authenticate you to.
  • Removable at any time from your account settings.

1.3 Booking Data

  • Restaurants, dates, party sizes, time preferences, and booking strategies you configure.
  • Booking attempt results (success, failure, reservation confirmation numbers).
  • Watches, discovery jobs, and other scheduling artifacts you create in the Service.

1.4 Payment Information

Subscription payments are processed by Stripe. Nomable receives only a Stripe customer ID and subscription status. We do not store your card number, CVV, or full payment details.

1.5 Technical Data

  • Session cookies (HTTP-only, secure) containing authentication tokens.
  • Server logs including IP address, user-agent, timestamps, and request paths, retained for up to 30 days for security and debugging.
  • We do not use advertising, analytics, or tracking cookies. There is no Google Analytics, Facebook Pixel, or similar on Nomable.

2. How We Use Information

  • To authenticate your account and keep you signed in.
  • To execute reservation bookings on the schedule and conditions you specify.
  • To send you transactional emails: booking confirmations, failed-booking notifications, password-reset links, and security alerts.
  • To process subscription payments and manage your plan.
  • To maintain the security and integrity of the Service and detect abuse.
  • To comply with legal obligations.

We do not sell, rent, or share your personal information for advertising purposes.

3. Third-Party Service Providers

Nomable relies on the following processors to operate the Service. Each processes your data only on our instructions and only to the extent necessary:

ProviderPurposePrivacy Policy
SupabaseAuthentication + database (PostgreSQL)Link
Fly.ioApplication hosting and executionLink
ResendTransactional email deliveryLink
StripeSubscription billingLink
Upstash (QStash)Scheduled job executionLink
Google OAuthSign in with GoogleLink

Note: Third-party services you choose to connect to Nomable (for example, reservation platforms where you already have an account) are not Nomable's data processors. Your use of those services is governed by their own terms and privacy policies, which you should review separately.

4. How We Protect Information

  • Encryption in transit: All traffic to and from Nomable is encrypted via HTTPS/TLS.
  • Encryption at rest: Reservation-platform credentials are encrypted with AES-256-GCM. Database backups are encrypted by our infrastructure provider.
  • Authentication: Passwords are hashed with bcrypt. Session tokens are short-lived and stored in HTTP-only, Secure, SameSite=Lax cookies.
  • Access controls: Per-user data isolation in our database. Employees have access only as needed for support or operations.
  • No security system is perfect. If we become aware of a breach that affects your data, we will notify you in accordance with applicable law.

5. Data Retention

  • Account data: Retained while your account is active.
  • Booking history: Retained for the life of your account unless you request deletion of specific entries.
  • Connected-service authentication tokens: Retained while your account is active. You can remove them at any time from your profile page.
  • Server logs: Up to 30 days.
  • Account deletion: When you delete your account, we soft-delete your data for 30 days (to allow accidental-deletion recovery), then permanently delete it, except where we are required to retain specific records for legal or financial reasons (e.g., tax records for paid subscriptions).

6. Your Rights

6.1 Universal Rights

Regardless of where you live, you can:

  • Access and export the data we have about you.
  • Correct inaccurate data via your profile page.
  • Delete your account, which deletes your personal data as described in Section 5.
  • Withdraw consent to data processing (which typically means deleting your account, since the service cannot operate without the data listed in Section 1).

6.2 GDPR (EEA, UK, Switzerland)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR and UK GDPR:

  • Right of access, rectification, erasure, portability, restriction, and objection.
  • Right to lodge a complaint with your local data protection authority.
  • The legal basis for our processing is (a) the performance of our contract with you (to operate the Service), and (b) our legitimate interest in keeping the Service secure.
  • Nomable's servers are located in the United States. By using the Service from outside the U.S., you consent to the transfer of your information to the U.S.

6.3 CCPA / CPRA (California)

California residents have the right to know what personal information we collect (see Section 1), the right to delete it (see Section 5), the right to opt out of "sale" or "sharing" (we do neither), and the right not to be discriminated against for exercising these rights.

Nomable does not sell or share personal information for cross-context behavioral advertising.

6.4 How to Exercise Your Rights

Email nomable@nomable.app from the address associated with your account. We respond within 30 days.

7. Cookies

Nomable uses only two cookies, both essential to operating the Service:

  • access_token — short-lived authentication token.
  • refresh_token — longer-lived token that keeps you signed in.

Both are HTTP-only (not accessible to JavaScript), set with the Secure and SameSite=Lax flags, and expire when you sign out or after a fixed period. No cookies are used for tracking, analytics, or advertising.

8. Children

Nomable is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect information from children. If you believe a child has signed up, email nomable@nomable.app and we will delete the account.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to your account address and/or via a banner on the Service. The "Last updated" date at the top reflects the most recent revision.

10. Contact

Raven Foundries LLC
d/b/a Nomable
Email: nomable@nomable.app

← Back to Nomable · Terms of Service