Privacy Policy
Last updated: March 25, 2026 - Version 2.0
1. Data Controller
Nala (“we”, “us”, “our”) is a wellness companion application published by Mathias Robin, sole proprietor, domiciled in France.
Data protection contact: privacy@nala-meditation.com
2. Legal Bases for Processing (GDPR Article 6)
| Processing | Legal basis |
|---|---|
| Account creation & authentication | Performance of contract (Art. 6(1)(b)) |
| Wellness scores, journal, micro-actions | Performance of contract (Art. 6(1)(b)) |
| Analytics (usage events) | Consent (Art. 6(1)(a)) |
| Push notifications | Consent (Art. 6(1)(a)) |
| Subscription & billing | Performance of contract (Art. 6(1)(b)) |
| Crash reports | Legitimate interest (Art. 6(1)(f)) - app stability |
3. Data We Collect
Account data: Email address, display name (via Firebase Authentication), language preference (e.g. “fr” or “en”), and country code derived from your device settings (e.g. “FR”). These are used to display the app in your language.
Wellness data: Journal entries, wellness scores, mood selections, micro-actions. This data may include information relating to your emotional state, sleep habits, stress levels, or general well-being. While not strictly “health data” under GDPR Article 9, we treat it with the same level of protection as sensitive data.
Analytics data: Only collected with your explicit consent. Includes anonymized usage events (content played, features used, session duration). We do not collect your name or email in analytics events.
Technical data: Device type, app version, crash reports (Firebase Crashlytics). No IP addresses are stored permanently.
Payment data: Handled entirely by Google Play. We never see, process, or store your card details.
Push notification token: Collected only when you opt in to notifications. Used solely to deliver reminders you configured.
4. Reserved
This section is reserved for future features. No AI conversational chat is currently available in Nala.
5. How We Use Your Data
- Calculate and display your wellness scores
- Send notification reminders via Firebase Cloud Messaging (with your consent)
- Improve the app experience through anonymized analytics (with your consent)
- Detect and fix crashes (legitimate interest)
We never sell your data. We never share it with advertisers. We never use your data for profiling or automated decision-making.
6. Data Storage & Security (Article 32)
Your data is stored on Supabase (PostgreSQL, EU region) with:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Row-Level Security (RLS) on all database tables
- Firebase Authentication with industry-standard JWT tokens
- Rate limiting on all API endpoints
- Strict Content Security Policy (CSP) headers
- HSTS with preload for all web traffic
7. International Data Transfers (Chapter V)
Your primary data is stored in the EU (Supabase, EU region). Some processing involves sub-processors located in the United States. These transfers are protected by:
- The EU-US Data Privacy Framework (where certified)
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Each provider’s binding data protection commitments
8. Sub-processors (Article 28)
We use the following third-party services to operate Nala:
| Provider | Location | Purpose | Data shared |
|---|---|---|---|
| Supabase | EU | Database & data hosting | All account and content data |
| Firebase (Google) | US | Authentication, push notifications, crash reports | Email, push token, crash logs |
| Railway | US | Backend server hosting | Requests in transit (encrypted) |
| ElevenLabs | US | Voice generation for audio content | No personal data (scripts only) |
| Upstash (Redis) | EU | Temporary caching (authentication tokens) | Encrypted tokens, TTL 30 seconds |
| Mixpanel | EU (api-eu.mixpanel.com) | Behavioral analytics (event tracking, funnels) | Anonymous event IDs, app interactions (no email) |
| Brevo (Sendinblue) | EU (France) | Transactional and lifecycle emails | Email address, first name |
9. Data Retention
| Data type | Retention period |
|---|---|
| Account data (email, name) | Until account deletion |
| Wellness scores | Until account deletion |
| Journal entries | Until account deletion |
| Analytics events | 1 year, then automatically purged |
| Push notification tokens | Until account deletion or opt-out |
| Crash reports | 90 days (Firebase Crashlytics default) |
When you delete your account, all data is permanently erased immediately. Any residual backups are purged within 30 days.
10. Your Rights (GDPR Articles 15-22)
You have the right to:
- Access your data - Settings > Export my data (JSON download)
- Delete your account and all data - Settings > Delete my account
- Portability - download your data in machine-readable JSON format
- Rectification - update your profile information in the app
- Withdraw consent - disable analytics or notifications at any time in Settings
- Object - opt out of any processing based on legitimate interest
- Restrict processing - request limitation of specific processing activities
- Lodge a complaint with the French supervisory authority:
CNIL (Commission Nationale de l’Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr/plaintes
To exercise your rights, use the in-app settings or email privacy@nala-meditation.com. We will respond within 30 days as required by GDPR.
11. Cookies
The Nala website uses no third-party cookies, no tracking cookies, and no advertising cookies. We use a minimal server-side analytics system that does not track individual users across sessions and does not use cookies.
12. Children (Article 8)
Nala is designed for users aged 13 and above. For users under 16 in the European Union, parental or guardian consent is required per GDPR Article 8. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us with personal data, contact us immediately at privacy@nala-meditation.com.
13. Data Breach Notification (Articles 33-34)
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the CNIL within 72 hours of becoming aware of the breach.
- If the breach is likely to result in a high risk to you, we will notify affected users without undue delay via email and/or in-app notification.
- We maintain a register of all data breaches, including those that do not require notification.
14. Changes to This Policy
We may update this policy. Significant changes will be communicated via the app and/or email. The “last updated” date at the top will be revised. Continued use after 30 days constitutes acceptance of the updated policy.