Privacy Policy

Nufa (“we”, “us”) is an independent app operated by a solo developer based in Singapore. This policy explains what we collect, why, and your rights under Singapore’s Personal Data Protection Act (PDPA) and, where applicable, the EU/UK General Data Protection Regulation (GDPR).

1. Who we are & how to contact us

Nufa is operated by an independent developer based in Singapore. For any privacy request — or to reach the person responsible for data protection — contact us at undoublednebula@gmail.com.

2. Data we collect

• Account. Your email address and password. Your password is stored only as a secure hash by our authentication provider — we never see it.
• Preferences. Your native and target languages, reading goal, and reader settings.
• Learning data. Vocabulary words you save, their translations, the sentence context around them, saved quotes, your reading progress, and reading-time statistics.
• Analytics. A randomly generated device identifier (“anon ID”) and product-usage events — for example, which screens you view or features you use. These events never contain the text of your books, your saved words, or your translations.
• Subscriptions. Your purchase and subscription status, via our payments provider.

3. What we do not collect

We do not collect your name, photo, precise location, or contacts. We do not use advertising identifiers and we do not track you across other apps or websites. We do not send the text of your books or your vocabulary to our analytics.

4. Why we use your data & our legal basis

• To provide your account and sync your data — performance of our contract with you.
• To provide AI translation and explanation when you request it — performance of our contract.
• To improve the app through privacy-respecting analytics — our legitimate interest. You can opt out at any time in Settings → Privacy.
• To process subscriptions — performance of our contract.

5. AI processing (Google Gemini)

When you tap Translate, Explain, or analyse a page, the text you selected, a short surrounding context (up to roughly 800 characters), and basic book metadata (title, author, chapter) are sent — through our secure servers — to Google’s Gemini AI to generate the result. We do not send your selection to Google for any other purpose. Translations may be cached on your device to save quota. AI output is generated automatically and may be inaccurate; please don’t rely on it as professional translation or advice. Google’s handling of this data is governed by Google’s privacy policy.

6. Who we share data with

The following providers process data on our behalf, under data-processing agreements:

• Supabase — hosting, database, and authentication. Policy
• Google (Gemini, via our servers) — AI generation. Policy
• RevenueCat — subscription management. Policy
• Apple and Google Play — billing for in-app purchases.

We do not sell your personal data.

7. International transfers

We are based in Singapore. Our providers may process your data outside Singapore, including in the United States and the European Union. Where data is transferred overseas, we ensure comparable protection through contractual safeguards such as our providers’ data-processing agreements and standard contractual clauses.

8. How long we keep it

We keep your account and learning data until you delete your account. Analytics events are retained for up to 90 days. When you delete your account, we remove your account record, profile, vocabulary, reading progress, and analytics rows from our servers. Data stored only on your device is removed when you delete the app or use the in-app controls.

9. Your rights

You may:

• access and export your data (Settings → Data → Download my data);
• correct your data;
• delete your account and data (Settings → Account → Delete account, or request it here);
• opt out of analytics (Settings → Privacy);
• withdraw consent at any time.

To exercise any right, use the in-app controls or email undoublednebula@gmail.com. Under the PDPA you may also contact Singapore’s Personal Data Protection Commission (PDPC); under the GDPR you may contact your local supervisory authority.

10. Security

Your data is encrypted in transit. Server access is restricted to your own records through row-level security. The API keys for AI and payments are held only on our servers and are never shipped inside the app.

11. Children

Nufa is not directed to children under 16, and we do not knowingly collect data from them.

12. Changes to this policy

We will update this policy as the app evolves and revise the date above. We will notify you of material changes in the app.