Privacy, in plain English.

The short version

We collect the minimum needed to run a study app for you and your friends: an email address, a username, a school (optional), the sessions you start, the friends you add, and any reflection notes you choose to write. We don't sell your data, we don't run ads inside the app, and we don't load third-party trackers. Friends you've explicitly added are the only people who can see your activity. You can delete everything at any time.

What we collect

Account information. Your email address (for sign-in and password recovery), a username you pick, a display name, and an optional school field.

Session data. Start time, end time, mode (pomodoro / free-study / scheduled Nook), and an optional subject. This is how the weekly rhythm heatmap and stats work.

Reflection notes. Any text you type into per-block notes or final reflection fields. These are visible only to you — even our application code is scoped so that other users can't read them.

Friend graph. The list of people you've sent friend requests to or accepted requests from.

Device metadata. A push notification token, your iOS version, and the Nooklo app version — used to deliver notifications and triage bugs.

What we don't collect

• Your contacts. Nooklo doesn't request access to your iOS contacts and doesn't scan them.
• Your location.
• Which apps you choose to block. Apple's Family Controls framework runs on-device — we never see your selections.
• Any analytics from third-party SDKs. The iOS app does not include third-party trackers or ad networks.

Google user data

When you choose to connect your Google account in Nooklo, you grant Nooklo permission to read your Google Calendar events through Google's Calendar API. We use this access for one purpose only: to display your existing calendar events as faint background blocks in Nooklo's scheduling grid so you can see your existing commitments while planning study sessions.

What we access

• Read access to events on your Google Calendar (https://www.googleapis.com/auth/calendar.readonly)
• Your Google account email and basic profile information (name) so we can show which account is connected in your Nooklo settings

How we handle this data

Nooklo's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• Processed only on your device. Calendar event titles, times, locations, attendees, and any other event content stay on your iPhone. None of this data is transmitted to Nooklo's servers, ever.
• Not stored persistently by Nooklo. We do not save your calendar events to our databases. They are read into memory only while you have Nooklo's calendar grid on screen, then discarded.
• Never sold or shared. We do not sell, rent, or share your Google data with any third party.
• Never used for advertising. We do not use your Google data for ad targeting, ad personalization, or any advertising purpose.
• Never used for credit assessment. We do not use your Google data to make creditworthiness or lending decisions.
• Never read by humans. No Nooklo employee, contractor, or AI system reads your calendar data. The only exception is if you explicitly send it to us as part of a customer support request that you initiate.

Authentication tokens

When you connect Google, Google issues Nooklo a secure access token. We store this token in your iPhone's encrypted Keychain. Tokens never leave your device. You can revoke the token at any time from:

• Inside Nooklo: Settings → calendar → connect accounts → disconnect
• From Google: https://myaccount.google.com/permissions

Disconnecting in either place immediately stops Nooklo from accessing your calendar.

Retention

Because we never receive your Google data on our servers, there is nothing for us to retain. The on-device cache is cleared whenever you disconnect, sign out, or delete the app.

How your data is shared with friends

Friends you have explicitly added (and who have accepted) can see: whether you're studying, online, or offline; the subject you've optionally set; the duration of a session you're currently in; and your shared session history if you've studied with them. Nobody else — no other users, no public directory, no leaderboard — can see any of this.

You can override this at any time by turning on appear offline in Settings. With it on, friends see you as offline regardless of your actual activity.

Who we share data with

We use a small set of vendors that process data on our behalf:

• Supabase — our database and authentication provider. Stores your account, sessions, and reflections.
• Apple Push Notification Service — delivers push notifications.
• Resend — sends transactional emails (sign-up confirmation, password reset).

We don't sell your data. We don't share it with advertisers. We don't share it with data brokers.

How long we keep it

For as long as your account is active. If you delete your account, your data is removed from our production database. We may retain a backup for up to 30 days for disaster recovery, after which it is permanently deleted.

Your rights

You can:

• Access your data — email hello@nooklo.com for an export.
• Correct or update your account information in-app.
• Delete your account in-app (You → Settings → Account → Delete account) or by emailing us.
• Object to processing or withdraw consent at any time.

Children

Nooklo is not directed at children under 13. We don't knowingly collect personal information from children under 13. If you believe a child has provided us their information, email hello@nooklo.com and we'll remove it.

Changes to this policy

If we make a material change, we'll update the "Last updated" date at the top of this page and notify users by email and in-app the next time they open Nooklo.

Contact

Questions? Reach us at hello@nooklo.com.