This Privacy Policy applies to the Nottle app for mobile devices (iOS and Android), together with any related services operated by Yurii Liubymov ("Service Provider", "we", "our"). By using the Application, you acknowledge this policy.
1. Data Stored Locally on Your Device
The Application does not provide an option to create an account. We do not store, upload, or have access to your entries and personal data.
All core content you create in Nottle - including mood ratings, energy levels, activity selections, written notes, and attached photos - is stored exclusively on your device using local on-device storage.
Important backup notice: We do not maintain server-side copies of your personal reflections. If you:
- Delete the App
- Lose or reset your device
- Erase your data from within the App
...your data will be permanently and irrecoverably lost. We strongly recommend keeping your device backed up through iCloud (iOS) or Google One (Android) if you wish to preserve your data.
2. Information We Do Not Collect
Nottle does not collect, store, or have access to:
- Your name, email address, phone number, or any contact details
- The text content of your notes or reflections
- Your mood ratings or emotional state as meaningful personal data
- Your photos or media attachments
- Your Apple ID or Google account information
- Credit card, bank account, or any financial information
- Your precise GPS location
3. Information Collected Automatically
When you use the Application, certain technical information is collected automatically by our third-party analytics and crash reporting services:
- Your device's approximate location (country/region, derived from IP address - not GPS)
- Device model and operating system version
- App version and platform (iOS/Android)
- Anonymous usage events (screens visited, buttons tapped, features used)
- Crash reports and error logs
This information is anonymous and aggregated. It cannot be linked to your identity.
Legal basis (GDPR): Legitimate interest in improving the App and maintaining its technical stability.
4. Analytics - Amplitude
We use Amplitude, Inc. (USA) to understand how users interact with the App.
What Amplitude receives:
Anonymous behavioral events only. For example: that a reflection was completed, that the paywall was viewed, or that a language was changed. Properties contain only:
- Boolean values (true/false): e.g., whether a note was included
- Counts: e.g., how many activities were selected
- Categorical labels: e.g., which screen triggered an action
What Amplitude never receives:
- The text of any note or reflection
- Mood labels - only an integer 1–5 treated as a behavioral signal
- Activity names - only a count
- Any content that could identify you
Device identifier: Amplitude assigns a random anonymous Device ID to your installation. We do not use account-based identification (setUserId() is never called).
Location: Amplitude derives approximate country and region from your IP address server-side. No GPS data is collected or transmitted.
Amplitude also automatically collects: device model, OS version, app version, platform.
Privacy policy: https://amplitude.com/privacy
Legal basis (GDPR): Legitimate interest. You may opt out by contacting support@getnottle.com.
5. Crash Reporting - Firebase Crashlytics
We use Firebase Crashlytics (Google LLC) to detect and diagnose App crashes.
What Crashlytics receives:
- Device model (e.g., iPhone 15)
- Operating system version (e.g., iOS 17.4)
- App version
- Memory state at the time of the crash
- Stack trace (the sequence of function calls in the App's code at the point where the error occurred)
- Anonymous Crashlytics Installation UUID (assigned by Google)
What Crashlytics never receives:
- Your reflection text, notes, or any personal content
- Your mood ratings or emotional data
- Any information that could identify you personally
Data retention: 90 days.
Privacy policy: https://firebase.google.com/support/privacy
Legal basis (GDPR): Legitimate interest in maintaining technical stability.
6. AI Features - OpenAI
Nottle uses OpenAI's API to generate AI-powered insights based on your daily reflections.
What is sent to OpenAI:
When you complete a reflection, the following may be transmitted to OpenAI's API via our secure server (Supabase):
- Your mood rating (a number from 1 to 5)
- Your energy level (if provided)
- Selected activity categories (not personal text)
- Your written note (if provided)
- For Premium users: a limited history of recent reflections (up to 7 days)
Anonymization: This data is transmitted without any personal identifier - no name, no email, no device ID, no account ID. From OpenAI's perspective, the request is an anonymous set of text and numbers with no connection to your identity.
No model training: Data sent through OpenAI's paid API is not used to train OpenAI's models. This is guaranteed by OpenAI's API data usage policies.
No server-side storage: We do not store the text of your notes or reflections on our servers. Data is processed in real time and the AI response is returned directly to your device.
OpenAI privacy policy: https://openai.com/policies/privacy-policy
OpenAI API data usage policy: https://openai.com/policies/api-data-usage-policies
Legal basis (GDPR): Legitimate interest in providing core App functionality. The App remains functional without AI features if you choose not to use them.
7. Backend Infrastructure - Supabase
We use Supabase (Supabase Inc., USA) as our secure backend infrastructure for processing AI requests. Supabase acts as the intermediary between the App and OpenAI's API. No personal user data is stored on Supabase servers beyond the duration of the API request.
Privacy policy: https://supabase.com/privacy
8. Payment Processing
Nottle offers a paid subscription ("Nottle Premium") processed exclusively through:
- Apple App Store (iOS) - subject to Apple's Terms of Service and Privacy Policy
- Google Play Store (Android) - subject to Google Play's Terms of Service and Privacy Policy
We do not collect, store, or have access to your name, address, credit card details, bank account information, or any other financial data.
To verify your subscription status, the App may use anonymous technical identifiers provided by Apple or Google (Transaction ID or purchase token). These cannot be used to identify you personally.
For refund requests, contact Apple or Google directly through your device's App Store or Play Store settings.
9. Third-Party Services Summary
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Amplitude, Inc. | Analytics | Anonymous behavioral events | https://amplitude.com/privacy |
| Google LLC (Firebase) | Crash reporting | Technical crash data | https://firebase.google.com/support/privacy |
| OpenAI, LLC | AI insight generation | Anonymized reflection content | https://openai.com/policies/privacy-policy |
| Supabase Inc. | Backend infrastructure | Anonymous API requests only | https://supabase.com/privacy |
| Apple Inc. / Google LLC | Payment processing | Handled entirely by them | Per their policies |
| Google Play Services | Android platform services | Standard Android device data | https://policies.google.com/privacy |
We do not sell your personal data. We do not share your data with third parties for marketing or advertising purposes.
10. Data Retention
| Data type | Retention |
|---|---|
| Reflection content (notes, mood, photos) | On your device only; deleted when you erase data or uninstall |
| Analytics events (Amplitude) | Up to 24 months on Amplitude's servers |
| Crash logs (Crashlytics) | Up to 90 days on Google's servers |
| AI processing data (OpenAI) | Not retained beyond the API request |
| Payment data | Retained by Apple/Google per their policies |
11. International Data Transfers
Our third-party service providers (Amplitude, Firebase, OpenAI, Supabase) may process data in the United States and other countries. Where required by applicable law, transfers are safeguarded through Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized mechanisms.
12. Security
We apply industry-standard security measures:
- All communication between the App and our servers uses HTTPS/TLS encryption
- OpenAI API calls are made through our secure Supabase edge functions, never directly from the client
- No personal reflection content is stored on our servers
No method of internet transmission is 100% secure. We cannot guarantee absolute security of data in transit.
13. Children's Privacy
Nottle is not directed at children under the age of 16 (or 13 in jurisdictions where 13 is the applicable minimum age). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal information, please contact us at support@getnottle.com and we will delete such information promptly.
14. Your Rights
All users:
- Access: View all your reflection data directly within the App at any time
- Deletion: Erase all local data via Settings - Erase personal data
- Opt-out of analytics: Contact support@getnottle.com
EU/EEA Users - GDPR:
You have the right to: access your data, correct inaccurate data, request erasure, restrict processing, data portability, object to processing based on legitimate interest, and lodge a complaint with your national data protection authority.
To exercise these rights, contact: support@getnottle.com. We will respond within 30 days.
California Residents - CCPA/CPRA:
You have the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.
To exercise your rights, contact: support@getnottle.com.
15. Data Breach Notification
If a data breach occurs that affects your personal data, we will notify you in accordance with applicable legal requirements, including information about the nature of the breach and steps being taken to address it.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the App after changes constitutes acceptance of the updated policy. Previous versions are available upon request.
17. Contact
Email: support@getnottle.com
Website: https://getnottle.com
Effective date: June 11, 2026 · Last updated: June 11, 2026