Privacy Policy
Last updated: 7 June 2026
This policy explains what Namoly collects when you use it, why, how long we keep it, where it goes, and the controls you have. Namoly is a free service that turns a candidate brand name into an objective, explained report.
Signing in with Google
Namoly uses Sign in with Google. There are no passwords. When you sign in, we store the profile Google shares with us: your email address, name, avatar URL, and your stable Google account identifier (the OpenID sub). We use the stable identifier, not your email alone, to recognise your account across sessions, so it keeps working even if your email changes. We never receive or store your Google password.
Trying without an account
You can run one analysis without signing in. When you do, the candidate name you enter, any context you add, and the resulting report are stored on our servers, keyed to a random token kept in a claim cookie on your device (no account, name, or email is attached to it). This lets you reopen that result from the same browser. An anonymous try is kept for up to about 30 days, after which it is deleted. If you sign in from the same browser, the saved result is moved into your account history and the separate anonymous copy is removed.
Cookies we use
Namoly sets only a few strictly functional cookies to make sign-in and the "try one" flow work. There are no advertising or third-party tracking cookies:
- Session cookie. Set when you sign in; it keeps you signed in as you move between pages. It is secure and HTTP-only, so page scripts cannot read it.
- Sign-in (OAuth) cookie. A short-lived cookie (about 10 minutes) that safely carries the Google sign-in step across the redirect, then is discarded.
- Claim cookie. Set when you try an analysis without an account; it holds the random token that links you to that result for up to about 30 days, and is cleared once the result is moved into your account at sign-in.
The external domain check (your name leaves Namoly)
One part of the report checks whether domains for your candidate name are available. To do this, the candidate name you type is sent to third-party services: authoritative RDAP registries (via rdap.org) and, as a fallback, DNS-over-HTTPS (cloudflare-dns.com). This means the name you enter leaves Namoly and is transmitted to those external providers solely to look up domain availability. We check your name across up to about 20 domain extensions (generic ones such as .com and .io, plus country extensions for your markets), so the name is sent for each of those lookups. We do not send your account details to them, only the domain query needed for the lookup. Treat candidate names you consider confidential accordingly.
What we store
- Your account. The Google profile fields above, plus the dates you created the account and last signed in.
- Your analyses and history. Each analysis you run (the candidate name, any context you add, and the resulting report) is saved privately to your own history and kept until you delete it (or delete your account). Your analyses are never shared with, or visible to, other users.
- An events log. We record lightweight activity events (for example sign-up, sign-in, analysis completion, and when an analysis is flagged as low-confidence) to understand usage and operate the service. Each event stores only a hashed (one-way) form of your IP address, never the raw IP. Your raw IP address is used only transiently for rate-limiting (to bound abuse on the free tier) and is not retained.
Your data rights
From your account page you can, at any time:
- Delete your account. We permanently remove your profile, every analysis in your history, your signals (feedback), and your sessions. Your activity events are kept but anonymised: your account id and the hashed IP are stripped, so they can no longer be linked to you while aggregate usage statistics stay intact. This is irreversible.
Where your data is stored
Your account, analyses, and events are stored with our infrastructure provider, Cloudflare, which operates a global network. We do not currently guarantee a specific storage region. The external domain-check providers (RDAP and DNS-over-HTTPS, above) operate their own global infrastructure.
Who can see your data
Your analyses are private to your account and are never shown to other users. The service operator (administrator), a single owner identity, can, however, read all users' analyses (each shown alongside its owner's email), the free-text reasons you attach when you signal a result, and aggregate usage and sign-in activity, for support, abuse-handling, quality, and operating the service.
Legal basis, retention, and complaints
The service operator is the data controller; you can reach the operator at contact@namoly.io. We process your account data and analyses to provide the free service you ask for; we keep an anonymisable events log under our legitimate interest in operating and securing the service. Your account and analyses are retained until you delete them or your account; anonymised usage events are retained for statistics. You can access and delete your data from your account page, and if you are in the EU/EEA you have the right to lodge a complaint with your local data-protection supervisory authority.
What we do not check
The report is an objective first screen. It does not perform trademark clearance or social-handle availability checks, and it is not legal advice. See our Terms of Service.
Contact
Questions about this policy or your data? Email us at contact@namoly.io.