Privacy Policy

Last updated: March 25, 2026 — Version 2.0

1. Data Controller

Nala (“we”, “us”, “our”) is a wellness companion application published by Mathias Robin, sole proprietor, domiciled in France.

Data protection contact: privacy@nala-meditation.com

2. Legal Bases for Processing (GDPR Article 6)

Processing	Legal basis
Account creation & authentication	Performance of contract (Art. 6(1)(b))
Wellness scores, journal, micro-actions	Performance of contract (Art. 6(1)(b))
AI chat conversations	Explicit consent (Art. 6(1)(a) & Art. 9(2)(a))
Analytics (usage events)	Consent (Art. 6(1)(a))
Push notifications	Consent (Art. 6(1)(a))
Subscription & billing	Performance of contract (Art. 6(1)(b))
Crash reports	Legitimate interest (Art. 6(1)(f)) — app stability

3. Data We Collect

Account data: Email address, display name (via Firebase Authentication), language preference (e.g. “fr” or “en”), and country code derived from your device settings (e.g. “FR”). These are used to display the app in your language.

Wellness data: Conversation transcripts with the AI, journal entries, wellness scores, mood selections, micro-actions. This data may include information relating to your emotional state, sleep habits, stress levels, or general well-being. While not strictly “health data” under GDPR Article 9, we treat it with the same level of protection as sensitive data.

Analytics data: Only collected with your explicit consent. Includes anonymized usage events (content played, features used, session duration). We do not collect your name or email in analytics events.

Technical data: Device type, app version, crash reports (Firebase Crashlytics). No IP addresses are stored permanently.

Payment data: Handled entirely by Google Play. We never see, process, or store your card details.

Push notification token: Collected only when you opt in to notifications. Used solely to deliver reminders you configured.

4. AI Conversations — Special Notice

When you use Nala’s AI chat feature, your messages are sent to the Anthropic API (Claude) for processing. This means:

• Your messages leave the EU and are processed on Anthropic’s servers in the United States.
• Anthropic does not use your data to train their AI models (per their commercial API terms).
• Your conversations are stored in our EU database to maintain continuity across sessions.
• Conversation messages older than 90 days are automatically deleted (only summaries are retained).
• Your first name is shared with the AI to personalize greetings. No other personal identifiers are sent.

Before your first AI conversation, the app asks for your explicit consent to this processing. You can use all other Nala features without using the AI chat.

5. How We Use Your Data

• Provide personalized AI wellness guidance (with your consent)
• Calculate and display your wellness scores
• Send notification reminders via Firebase Cloud Messaging (with your consent)
• Improve the app experience through anonymized analytics (with your consent)
• Detect and fix crashes (legitimate interest)

We never sell your data. We never share it with advertisers. We never use your data for profiling or automated decision-making.

6. Data Storage & Security (Article 32)

Your data is stored on Supabase (PostgreSQL, EU region) with:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Row-Level Security (RLS) on all database tables
• Firebase Authentication with industry-standard JWT tokens
• Rate limiting on all API endpoints
• Strict Content Security Policy (CSP) headers
• HSTS with preload for all web traffic

7. International Data Transfers (Chapter V)

Your primary data is stored in the EU (Supabase, EU region). Some processing involves sub-processors located in the United States. These transfers are protected by:

• The EU–US Data Privacy Framework (where certified)
• Standard Contractual Clauses (SCCs) adopted by the European Commission
• Each provider’s binding data protection commitments

8. Sub-processors (Article 28)

We use the following third-party services to operate Nala:

Provider	Location	Purpose	Data shared
Supabase	EU	Database & data hosting	All account and content data
Firebase (Google)	US	Authentication, push notifications, crash reports	Email, push token, crash logs
Anthropic	US	AI conversation processing (Claude API)	Chat messages, first name, wellness context
Railway	US	Backend server hosting	Requests in transit (encrypted)
ElevenLabs	US	Voice generation for audio content	No personal data (scripts only)
Upstash (Redis)	EU	Temporary caching (authentication tokens)	Encrypted tokens, TTL 30 seconds

9. Data Retention

Data type	Retention period
Account data (email, name)	Until account deletion
AI conversation messages	90 days, then automatically deleted (summaries retained)
Wellness scores	Until account deletion
Journal entries	Until account deletion
Analytics events	1 year, then automatically purged
Push notification tokens	Until account deletion or opt-out
Crash reports	90 days (Firebase Crashlytics default)

When you delete your account, all data is permanently erased immediately. Any residual backups are purged within 30 days.

10. Your Rights (GDPR Articles 15–22)

You have the right to:

• Access your data — Settings > Export my data (JSON download)
• Delete your account and all data — Settings > Delete my account
• Portability — download your data in machine-readable JSON format
• Rectification — update your profile information in the app
• Withdraw consent — disable analytics or notifications at any time in Settings
• Object — opt out of any processing based on legitimate interest
• Restrict processing — request limitation of specific processing activities
• Lodge a complaint with the French supervisory authority:
  CNIL (Commission Nationale de l’Informatique et des Libertés)
  3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
  www.cnil.fr/plaintes

To exercise your rights, use the in-app settings or email privacy@nala-meditation.com. We will respond within 30 days as required by GDPR.

11. Cookies

The Nala website uses no third-party cookies, no tracking cookies, and no advertising cookies. We use a minimal server-side analytics system that does not track individual users across sessions and does not use cookies.

12. Children (Article 8)

Nala is designed for users aged 13 and above. For users under 16 in the European Union, parental or guardian consent is required per GDPR Article 8. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us with personal data, contact us immediately at privacy@nala-meditation.com.

13. Data Breach Notification (Articles 33–34)

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the CNIL within 72 hours of becoming aware of the breach.
• If the breach is likely to result in a high risk to you, we will notify affected users without undue delay via email and/or in-app notification.
• We maintain a register of all data breaches, including those that do not require notification.

14. Changes to This Policy

We may update this policy. Significant changes will be communicated via the app and/or email. The “last updated” date at the top will be revised. Continued use after 30 days constitutes acceptance of the updated policy.