Privacy Policy
Last updated: March 22, 2026
1. Who we are
Nabbed ("we", "us", "our") operates the nabbed.media website (the "Landing Page"), the app.nabbed.media control plane (the "Control Plane"), and publishes the open source Nabbed Agent (the "Agent"). Together, these are referred to as the "Service".
For data protection purposes, Nabbed is the data controller for personal data processed through the Landing Page and Control Plane.
2. What we collect
2.1 Waitlist (Landing Page)
When you join our waitlist, we collect:
- Email address — to notify you when Nabbed launches.
- UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) — to understand how you found us. These are derived from the URL you arrived at, not from tracking pixels.
- HTTP Referer header — to understand traffic sources.
- IP address hash — a one-way SHA-256 hash of your IP address, used solely for rate limiting (preventing abuse). We do not store your raw IP address.
- A cookie (nabbed_waitlist) — set after signup to remember your waitlist status across visits. HttpOnly, Secure, SameSite=Lax, 1-year expiry. Not used for tracking.
We do not use analytics scripts, tracking pixels, fingerprinting, or any third-party tracking on the Landing Page. We do not use Google Analytics, Facebook Pixel, or equivalent services.
2.2 Control Plane (when available)
When you create an account on the Control Plane, we will collect:
- Account data — email, hashed password (bcrypt, cost factor ≥ 12), display name.
- Session data — session tokens, device fingerprint, IP address, last-seen timestamp.
- Library metadata — titles, monitored status, quality preferences. This is metadata about your library, not the media files themselves.
- Agent telemetry — agent version, connection status, job completion events. Reported by the Agent to the Control Plane.
- Billing data — processed entirely by Stripe. We never store card numbers. We store only Stripe customer IDs and subscription status.
2.3 The Agent (your hardware)
The Agent is open source software that runs on your hardware. By design, the Agent processes data locally and communicates only metadata to the Control Plane.
The Control Plane never receives:
- Search queries sent to indexers
- Indexer results or API responses
- NZB files or torrent files
- Download traffic or file contents
- Peer-to-peer transfer data (the relay sees only ciphertext)
- Media files, file paths, or directory structures
This is verifiable in the Agent source code (MIT licensed).
The Agent collects no telemetry by default. If you opt into telemetry, the Agent reports anonymized crash reports and performance metrics. Telemetry can be disabled at any time via the NABBED_TELEMETRY=false environment variable.
3. How we use your data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Waitlist email | Notify you when Nabbed launches | Consent (you submitted the form) |
| UTM / referrer | Understand traffic sources | Legitimate interest |
| IP hash | Rate limiting only | Legitimate interest (abuse prevention) |
| Account data | Authenticate you, provide the Service | Contract performance |
| Library metadata | Coordinate jobs between you and your agents | Contract performance |
| Billing data | Process payments via Stripe | Contract performance |
We do not sell, rent, or share your personal data with third parties for marketing purposes. We never have and never will.
4. Data storage and residency
- Waitlist data is stored in Cloudflare D1 (edge database). Cloudflare processes data in accordance with their Privacy Policy.
- Control Plane data is stored in EU-region infrastructure. All user metadata is stored exclusively in the EU from day one.
- We architect for data residency from day one. When additional regions become available, you will choose your region at signup. Data will never be replicated outside your selected region.
5. Data sharing and sub-processors
We share data only with:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting, CDN, D1 database, Workers | Waitlist data, HTTP requests |
| Stripe | Payment processing | Billing info (we never see card numbers) |
We do not use any advertising networks, analytics platforms, or data brokers.
6. Peer sharing (Nexus)
Nabbed's peer sharing feature ("Nexus") allows Pro users to share library metadata with trusted friends and transfer files between agents.
- Library visibility — when you connect with a peer, they can see the titles in your library. This is metadata only (title, quality, availability), not file contents.
- Peer connections require mutual approval. You control who sees your library at all times.
- File transfers happen directly between agents (P2P via QUIC, with relay fallback). The Control Plane brokers the introduction and steps out. The relay is a dumb pipe that sees only encrypted data.
- You can disconnect from any peer at any time, immediately revoking their access to your library metadata.
7. Cookies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| nabbed_waitlist | Remember waitlist signup status | 1 year | Strictly necessary |
We do not use advertising cookies, analytics cookies, or any third-party cookies. The single cookie we set is strictly necessary for the waitlist functionality and is not used for tracking.
8. Your rights
Under the GDPR and applicable data protection laws, you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Restriction — restrict processing of your data in certain circumstances.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for waitlist emails, email us to be removed at any time.
To exercise any of these rights, email privacy@nabbed.media. We will respond within 30 days.
Account deletion: when the Control Plane is available, you can delete your account from the settings page. Deletion triggers a background job that purges all tenant data within 30 days. You will receive a confirmation email when deletion is complete.
9. Data retention
| Data | Retention |
|---|---|
| Waitlist email | Until launch + 90 days, or until you request removal |
| IP hashes | Rolling 1-hour window (rate limiting only) |
| Account data | Until account deletion + 30-day purge window |
| Free tier history | 30 days (rolling) |
| Pro tier history | Unlimited while subscribed; 30 days after downgrade |
10. Security
- Passwords hashed with bcrypt (cost factor ≥ 12).
- All connections over TLS. No plaintext HTTP.
- Row-level security (RLS) at the database layer ensures tenant isolation.
- Agent credentials stored locally on your hardware; the Control Plane stores only refresh token hashes.
- Peer transfer data is encrypted end-to-end. The relay sees only ciphertext.
If you discover a security vulnerability, please report it to security@nabbed.media. Do not open a public issue.
11. Children
Nabbed is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@nabbed.media and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email (if you are on the waitlist or have an account) and posted on this page with an updated "Last updated" date. Your continued use of the Service after changes constitutes acceptance.
13. Contact
For privacy-related inquiries: privacy@nabbed.media
For general inquiries: hello@nabbed.media