Privacy

Your data. Full stop.

What we collect, what we don't, and how your voice stays private.

Nagi is operated by Lang Chao Advisory Pty Ltd (ABN: 50 681 980 781).
Questions about this policy: [email protected]

1. What we collect

We collect:

  • Your email address, to create and manage your account.
  • Anonymous analytics events (via PostHog, EU-hosted), to understand how the app is used in aggregate. Events are not linked to your name or email. They are associated with an anonymous device identifier that we do not connect to your identity.
  • Your voice recording, transcribed on your device. On supported devices, your microphone is used to transcribe speech to text using on-device AI, and the audio never leaves your device. On a small number of older iPhones that cannot transcribe on-device, Apple's speech service performs the transcription with your explicit consent, which means the audio is sent to Apple for that purpose. In both cases, only the text transcript is sent to our server to generate your reflection. See Section 3 for detail.
  • A cryptographic recovery value and your notification preferences, stored with our database provider. The recovery value (a random "salt", created at first sign-in) lets you recover your encrypted journal on a new device, though on its own it cannot decrypt your journal. Your notification preferences are stored so your reminder settings follow you across devices. See Section 3 for detail.

Legal basis (GDPR):

  • Email: necessary to perform the service you've signed up for (Art. 6(1)(b))
  • Voice transcripts processed by AI: explicit consent for special category (health) data (Art. 9(2)(a)) combined with contract performance (Art. 6(1)(b)). You give this consent the first time you use AI reflection.
  • Analytics: your consent, which you can withdraw at any time in Settings > Privacy (Art. 6(1)(a))
  • Error monitoring (Sentry): your consent, separately toggleable in Settings > Privacy (Art. 6(1)(a))

Obligation to provide (Art. 13(2)(e)): Your email address is required to create an account; without it you cannot use Nagi. Providing your voice when recording is required to receive an AI reflection; without it that feature cannot function. Analytics and error monitoring are optional: you can use Nagi fully without enabling either.

2. What we don't collect

Your journal entries are stored on your device only. Nagi has no copy of them and no means of accessing them. Your conversations with guides and your reflections never leave your phone.

Cloud backup (optional): If you choose to connect a cloud account, your encrypted journal data is stored in your own personal storage (Google Drive, Microsoft OneDrive, or Apple iCloud), not on Nagi's servers. Your data is encrypted on your device before it is uploaded, and only you hold the key, so Nagi cannot read the contents and these providers are not Nagi sub-processors for this feature. This is entirely opt-in and managed in Settings.

3. Voice & AI processing

When you record, your device's microphone transcribes your voice to text using on-device AI. On supported devices, the audio never leaves your device. On a small number of older iPhones that cannot transcribe on-device, Apple's speech service performs the transcription with your explicit consent (asked the first time it is needed), which means the audio is sent to Apple for that purpose; Apple acts as the processor for that transcription. In every case, only the resulting text, never the audio, is used to generate your reflection. Before the transcript leaves your device, Nagi removes direct identifiers it can detect: email addresses, phone numbers, web links, and ID- or card-like numbers. The transcript is then sent over an encrypted connection to our secure proxy (Supabase, EU) and forwarded to Anthropic to generate your reflection. The proxy does not store or log your transcript, and Nagi does not retain it after the reflection is returned.

Automated decision-making (Art. 13(2)(f)): Your reflection is produced entirely by automated processing; no human at Nagi reads your journal entries. The AI identifies themes in what you share to generate follow-up questions and a written reflection. This processing does not produce legal or similarly significant effects. You can delete any reflection from within the app at any time.

Anthropic (AI inference, US): Anthropic generates your reflection and retains API inputs and outputs for up to 30 days for safety and abuse monitoring, after which they are automatically deleted. Anthropic is contractually prohibited from using your data to train AI models. Anthropic is certified under the EU–US Data Privacy Framework (DPF), providing an adequate transfer mechanism for EEA and UK residents. The DPA also satisfies the cross-border disclosure requirements of the Australian Privacy Act 1988 (APP 8).

Supabase (database & auth, EU): Your account data (email), session tokens, your cryptographic recovery value, and your notification preferences are stored with Supabase on EU-hosted infrastructure. Supabase is bound by a data processing agreement with Nagi and complies with GDPR. None of this data can decrypt your journal; your journal entries are never stored with Supabase.

4. Sub-processors

Nagi uses the following third-party processors. Each is bound by a data processing agreement.

  • Anthropic (US): AI inference (text transcripts, reflection generation). Anthropic retains API inputs and outputs for up to 30 days for safety monitoring, then automatically deletes them. They do not use your data to train AI models. Transfer basis: EU–US Data Privacy Framework.
  • Apple (US): Speech-to-text transcription on older iPhones only (voice audio), where the device cannot transcribe on-device. Used only with your explicit consent; not used on supported devices, where transcription happens entirely on your device. Transfer basis: Standard Contractual Clauses.
  • Supabase (EU): Database and authentication (email, session tokens, a cryptographic recovery value, and notification preferences).
  • PostHog (EU): Analytics (anonymous usage events, opt-in only).
  • Sentry (EU): Error monitoring (anonymised crash reports, opt-in only).
  • Resend (US): Transactional email (account emails only). Transfer basis: Standard Contractual Clauses.
  • RevenueCat (US): Subscription management (purchase status only, no payment card data). Transfer basis: Standard Contractual Clauses.

We will update this list before adding new processors and notify you by email of any material changes.

5. Analytics

We use PostHog (EU-hosted) to understand how the app is used in aggregate, for example how many people use the Zen Monk guide, or where people drop out of onboarding.

Analytics events are not linked to your name or email. They are associated with an anonymous device identifier that we do not connect to your identity. We do not use this data for advertising or share it with third parties. You can opt out in Settings > Privacy at any time.

6. Data retention

  • Email address: held for as long as your account is active, plus 30 days after deletion to resolve any pending issues.
  • Analytics data: retained for 12 months, then automatically deleted.
  • Voice audio: not retained; discarded after your reflection is generated.
  • Journal entries: stored on your device only. Uninstalling the app deletes them.
  • Recovery value & notification preferences: held for as long as your account is active, and deleted automatically and permanently when you delete your account.

7. Security

Your account is protected by industry-standard authentication (Supabase Auth). All data in transit between the app and our servers is encrypted using TLS. Journal entries are stored on your device only and are not transmitted to our servers.

8. Your rights

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your account and all associated data
  • Restrict or object to how we process your data
  • Receive your data in a portable format (data export available in app)
  • Withdraw consent for analytics at any time (Settings > Privacy)
  • Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or, for EU residents, your national data protection authority

To exercise any of these rights, email [email protected]. We'll respond within 30 days.

9. Contact & changes

Questions: [email protected]. We respond within 2 business days.

If we make material changes to this policy, we'll notify you by email before they take effect.