Privacy Policy

Privacy Policy

Effective date: 23 June 2026

This Privacy Policy explains how the Nimloth desktop application and the Sindarin calculation engine and command-line interpreter (“Nimloth”, “Sindarin”, “we”, “the software”) handle personal data. Nimloth and Sindarin are free, academically oriented X-ray diffraction (XRD) tools usable from any country. There are no user accounts.

We have written this in plain language for scientists and researchers, not lawyers. Where we use a legal term, we try to explain it.

Who we are

The data controller is Guilherme Oliveira Siqueira, established in Brazil, the developer of Nimloth and Sindarin.

  • Privacy contact: nimlothapp@gmail.com
  • Website: nimloth.app

If you have any question about this policy or about your data, please write to the e-mail above.

What we collect

We collect very little, and only in two situations.

1. Automatic crash and error diagnostics (telemetry)

This is sent only when an unhandled error occurs in the software — not during normal use, and never as a continuous stream. When the software crashes or hits an unexpected error, it sends a short technical report so that the bug can be found and fixed. A report contains:

  • the exception type, its message, the stack trace, and the contents of the exception’s Data dictionary;
  • the application name and version;
  • the operating-system name and major version only — for example “Windows 11”, “Linux” or “macOS” (never the exact build);
  • a local timestamp;
  • a short technical tag describing the operation in progress (for example the feature in use or the source class name).

Built-in minimization. Before a report leaves your device, file paths are scrubbed: the user-account segment of a path (C:\Users\<name>, /home/<name>, /Users/<name>) is replaced with <redacted>.

What this telemetry does NOT include:

  • not your operating-system build number, your machine/computer name, or your OS username;
  • no IP-based geolocation;
  • no advertising identifiers;
  • no behavioural tracking or profiling of how you use the software.

One honest caveat. A scrubbed file path can still contain a folder, file or project name that you chose — for example a sample name or a work title. Some of this path-derived text is captured incidentally from the diagnostic context, rather than being something you deliberately submitted to us. We do not intentionally collect any sensitive or special-category data, but please keep this in mind when naming files. The OS username and machine name are not collected.

2. Feedback you choose to send

If you use the in-app or command-line “Send feedback” feature, we receive:

  • the message text you type; and
  • only if you choose to provide it (for example so we can reply to a question), the e-mail address you type.

Feedback is never sent automatically — it is sent only when you actively submit it.

Why we process this data (legal basis)

  • Crash diagnostics are processed on the basis of our legitimate interests (GDPR Article 6(1)(f); UK GDPR; Brazil’s LGPD art. 7, IX and art. 10) — namely keeping the software stable and fixing defects. We have carried out a legitimate-interests balancing test, weighing this interest against your rights and freedoms; you can request a summary of it by writing to nimlothapp@gmail.com. We keep the data minimal, and you have the right to object / opt out at any time (see “Your right to object and opt out” below).
  • Feedback submissions are processed on the basis of your consent (GDPR Article 6(1)(a); LGPD art. 7, I and art. 8) — you actively choose to send them, and you may withdraw that consent at any time.

Where your data goes

Diagnostic and feedback data are sent to Microsoft Azure — Application Insights / Azure Monitor, in the Brazil South region. From there, telemetry is exported to Azure Blob Storage so that the developer can read it and fix bugs.

Microsoft acts as our data processor (under the GDPR / UK GDPR) and as our operator — operador (under Brazil’s LGPD, art. 5, VII), processing the data only on the controller’s instructions and solely for the purpose described above. Under the LGPD this constitutes a shared use of data (uso compartilhado) with Microsoft for that sole purpose. The relationship is governed by the Microsoft Products and Services Data Protection Addendum (DPA).

Data is protected in transit (TLS) and at rest through Azure’s platform encryption.

We do not sell your data, and we do not share it for advertising.

International data transfers

The controller and the Azure region are in Brazil.

For data subjects in Brazil: your data is processed within Brazil (Azure Brazil South), so under the LGPD no international transfer of your data takes place.

If you are in the EEA, the United Kingdom or Switzerland: using the software means your data is transferred to Brazil and processed there by Microsoft. This transfer is covered by Microsoft’s DPA, which incorporates:

  • the EU Standard Contractual Clauses (SCCs);
  • the UK International Data Transfer Addendum (IDTA); and
  • the Swiss addendum.

The controller has carried out a Transfer Impact Assessment to check that your data remains adequately protected. You can request a copy of the relevant safeguards (the SCCs / UK IDTA) by writing to nimlothapp@gmail.com.

How long we keep it

  • Crash diagnostics: kept for 90 days, then deleted.
  • Feedback: kept until your question or report is resolved, and then deleted — in any case no longer than 12 months after resolution.

Your right to object and opt out

Because crash diagnostics rely on our legitimate interests, you have the right to object to this processing at any time (GDPR / UK GDPR Article 21). The opt-out controls below are how you exercise that right. Diagnostics use an opt-out model: they are on by default, but you can turn them off at any time, and turning them off does not affect the software’s functionality.

  • In Nimloth (graphical app): open Settings and switch the “Send anonymous diagnostic reports” toggle OFF. (The default is ON.)
  • In Sindarin (command line): either pass the flag --no-telemetry, or set the environment variable SINDARIN_TELEMETRY_OPTOUT=1 (the variable NIMLOTH_TELEMETRY_OPTOUT is also honoured).
  • Mainland China: telemetry is automatically suppressed where the system’s region indicates mainland China.

Feedback is always voluntary, so there is nothing to opt out of — you simply choose whether or not to send it. You can also withdraw your consent and ask us to delete feedback (and any e-mail address) you have already sent, by writing to nimlothapp@gmail.com.

Your rights

Depending on where you live, you have rights over your personal data. To exercise any of them, contact us at nimlothapp@gmail.com.

Under the GDPR / UK GDPR, you have the rights of:

  • access to your data;
  • rectification (correction) of inaccurate data;
  • erasure;
  • restriction of processing;
  • objection to processing (see the section above);
  • data portability.

Under Brazil’s LGPD (art. 18), you have the rights to:

  • confirmation that we process your data (I);
  • access to your data (II);
  • correction of incomplete, inaccurate or outdated data (III);
  • anonymisation, blocking or deletion of unnecessary, excessive or unlawfully processed data (IV);
  • data portability to another provider (V);
  • deletion of data processed on the basis of your consent (VI);
  • information about the public and private entities with which we have shared your data (VII);
  • information about the possibility of refusing consent and the consequences of refusal (VIII);
  • withdrawal of consent (IX).

An honest limitation. Crash diagnostics are not linked to your name or to any stable identifier, so they are pseudonymous rather than truly anonymous. Because of this, we often cannot find a particular person’s reports in our data. If you ask us to act on your diagnostic data, we may be unable to identify it unless you give us identifying detail — for example a username or file path that appeared in a specific report. Under GDPR Article 11(2) we are not obliged to collect additional data just to identify you; but you are still welcome to provide such detail so we can help, and you may still exercise your rights if you do.

Complaints

If you believe we have mishandled your data, please contact us first so we can try to put it right. You also have the right to lodge a complaint with your local supervisory authority:

  • in the EU, your national Data Protection Authority (DPA);
  • in the UK, the Information Commissioner’s Office (ICO);
  • in Brazil, the Autoridade Nacional de Proteção de Dados (ANPD).

Because our processing of EEA / UK data is limited to occasional, low-risk crash diagnostics, we rely on the Article 27(2)(a) exemption and have not appointed an EU / UK representative. For any concern, please use the controller contact above or your local authority.

Automated decisions and profiling

We do not carry out automated decision-making that produces legal or similarly significant effects about you, and we do not build behavioural profiles.

Children

Nimloth and Sindarin are scientific tools that are not directed to children, and we do not knowingly collect data from them.

Changes to this policy

We may update this policy from time to time — for example if the software changes or to reflect legal requirements. When we do, we will revise the effective date at the top and publish the new version on nimloth.app and within the app. Significant changes will be made clear.

Contact

Questions, requests, or privacy concerns: