On this page

  1. Introduction
  2. Information We Collect
  3. How We Use Personal Information
  4. Legal Bases for Processing (EEA / UK / Switzerland)
  5. How We Share Personal Information
  6. International Data Transfers
  7. Data Retention
  8. Security
  9. Your Rights
  10. Region-Specific Disclosures
  11. Third-Party Services
  12. Push Notifications, Local Storage, and Tracking
  13. Children's Privacy
  14. AI and Automated Processing
  15. Profile, Friend, and Accountability Visibility — Important Notes
  16. Changes to This Privacy Policy
  17. Contact Us
Privacy Policy

What we collect, why, and what we never will.

Last updated: 19 May 2026 · Effective: 19 May 2026

§ 01 Introduction

This Privacy Policy explains how Su Pengzhong, an individual resident in Singapore ("Nexu", "we", "us", or "our"), collects, uses, discloses, and protects personal information when you use the Nexu mobile application and related services (collectively, the "Service").

We are the data controller (or "business" under California law, or "organization" under Singapore's PDPA) for personal information processed through the Service, unless otherwise stated.

By using the Service, you confirm that you have read this Privacy Policy. If you do not agree with how we handle personal information, please do not use the Service.

This Privacy Policy should be read together with our Terms of Service at https://www.nexuhabits.com/terms.

§ 02 Information We Collect

We collect information from three sources: (a) information you provide directly; (b) information collected automatically when you use the Service; and (c) information received from third parties.

Information You Provide

Account information:

  • Email address and password (passwords are not stored in plaintext; authentication is handled by our processor Supabase)
  • Google account identifier and email (if you sign in with Google OAuth)
  • Display name, public User Code (auto-generated short identifier), bio, identity statement
  • Profile avatar (image)
  • Onboarding signature (an image of a signature you draw during onboarding)
  • Selected app theme (Quest, Focus, or Momentum)

Habit and check-in information:

  • Habit details: title, identity, "why this matters", "bad-day version", "success definition", difficulty mode (Easy/Focus/Proof), schedule (active days, reminder time), and habit icon (emoji or AI-generated image)
  • Check-in records: date, time, status (complete/approved/needs review/needs resubmission), Focus-mode reflections, optional reward notes
  • Schedule history (changes to a habit's schedule over time)

Proof Mode photos:

  • Photo files you upload to demonstrate habit completion
  • SHA-256 hashes of your photos (used to detect exact-duplicate submissions)
  • Proof verification results (AI confidence score, status, reason)
  • Partner review actions (accept / challenge with reason)

Social and accountability information:

  • Friend requests (sent and received)
  • Accountability invites (sent and received), partner role, status
  • Habit Circle memberships and roles
  • Partner nudges (sender, receiver, habit, message body)

Messaging information:

  • Direct messages with friends
  • Habit-linked chat messages
  • Habit Circle messages
  • Messages exchanged with Lumi (our AI accountability partner)
  • Chat media (photos you share in chats)
  • Message edits and deletions
  • Read positions (which messages you have viewed)

AI-related information:

  • Photos and habit context sent to our AI proof-verification service
  • Prompts and conversational messages you send through Lumi
  • Habit icon prompts you submit for AI image generation

Communications with us:

  • Emails, support tickets, feedback, bug reports, and any other content you send to us

Information Collected Automatically

Device information:

  • Device type, operating system and version, app version
  • Device language, locale, time zone
  • Expo push notification token (used to deliver remote notifications)
  • Notification permission status

Usage information:

  • Sign-in and sign-out events
  • Feature usage, screens viewed, actions taken (e.g., habit created, check-in submitted, message sent)
  • Error logs and crash reports

Local storage:

  • Local cache of your data (in AsyncStorage on your device) so the app can work briefly offline and so signed-out / prototype mode can function
  • Local theme preference
  • Local Lumi reminder schedule
  • Read/dismissal markers for Partner notifications

We do not use traditional web cookies in the mobile app. Our website may use cookies and similar technologies; those will be described separately if applicable.

Information From Third Parties

  • Google OAuth: If you sign in with Google, we receive your name, email address, and Google account identifier from Google. We do not receive your Google password.
  • Apple Sign-In (if/when enabled): If you use Sign in with Apple, we receive a unique identifier and the email address you choose to share (which may be a private relay address).
  • Operating system: iOS and Android share certain permissions, push tokens, and (with your consent) photos and camera access.

Sensitive Information

Habit data may incidentally reveal sensitive information about you — for example, habits relating to physical or mental health, fitness, religious or spiritual practice, eating, sleep, sexuality, or substance use. We do not require this information, but you may choose to provide it through habits, identity statements, reflections, or messages. You provide such information at your own risk and are responsible for what you submit.

We do not deliberately collect special categories of data under the EU GDPR, the UK GDPR, Singapore's PDPA, or sensitive personal information under the CCPA without your explicit consent. If you choose to share such information through habits or chats, you consent to its processing for the purposes set out in this Policy.

Children

Nexu is not directed to children under 13 (or the higher minimum digital-consent age in your jurisdiction, such as 16 in many EU member states). We do not knowingly collect personal information from children below the applicable minimum age. If you are a parent or guardian and believe your child has provided personal information to us, contact support.nexu@gmail.com and we will delete it.

For Users aged 13–17 (or the local age of majority), parental or guardian consent is required and parents/guardians may exercise the rights described in Section 9 on the User's behalf.

§ 03 How We Use Personal Information

We process personal information for the following purposes:

To Provide and Operate the Service

  • Create and manage your account
  • Authenticate you (email/password, Google OAuth)
  • Save and sync your profile, habits, check-ins, friendships, invites, threads, messages, and Habit Circle memberships
  • Schedule and deliver local and push notifications
  • Process proof-photo uploads, hashing, and signed-URL rendering
  • Operate accountability features (invites, partner reviews, nudges, circles)

To Provide AI Features

  • Send proof images, habit titles, and identity context to our AI provider (OpenAI) for proof verification through our backend Edge Function
  • Send chat context to OpenAI to generate Lumi's intro, conversational replies, and proof-message responses
  • Send habit prompts to OpenAI to generate habit icons

We restrict the content sent to AI providers to what is necessary to perform the feature. We do not authorize our AI provider to use your content to train general AI models; however, AI provider terms and practices may change, and we encourage you to review them.

To Communicate With You

  • Send transactional messages (verification, password reset, security alerts, account changes)
  • Respond to your support requests and feedback
  • Notify you of changes to the Service, Terms, or this Policy
  • Deliver habit reminders, Lumi check-in reminders, and partner nudges
  • (With consent, where required) marketing communications about the Service

To Improve and Develop the Service

  • Diagnose problems, fix bugs, and improve performance
  • Analyze usage patterns in aggregated or de-identified form
  • Develop new features and content
  • Conduct research and testing

To Maintain Safety, Security, and Integrity

  • Detect, prevent, and respond to fraud, abuse, security incidents, and illegal activity
  • Detect duplicate proof submissions (via SHA-256 hashing)
  • Enforce our Terms of Service, content policies, and community guidelines
  • Investigate reports of abusive or unlawful conduct
  • Protect the rights, property, and safety of Nexu, our Users, and others

To Comply With Legal Obligations

  • Comply with applicable laws, regulations, court orders, and lawful government requests
  • Respond to legal processes and protect our legal rights
  • Maintain records required by law (e.g., tax, accounting)

Aggregated and De-Identified Data

We may aggregate, anonymize, or de-identify personal information so that it can no longer be reasonably associated with you. We may use and share such data for any lawful purpose, including analytics, research, and improving the Service.

§ 04 Legal Bases for Processing (EEA / UK / Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:

Purpose | Legal Basis
Creating and operating your account, providing core features (habits, check-ins, chat, accountability) | Performance of a contract (Art. 6(1)(b))
AI verification, Lumi chat, AI icon generation | Performance of a contract; legitimate interests in providing the AI features you request
Service emails and security alerts | Performance of a contract; legitimate interests in securing the Service
Marketing communications | Your consent (Art. 6(1)(a)) — you can withdraw at any time
Improving the Service and analytics | Legitimate interests in operating and improving the Service (Art. 6(1)(f))
Fraud prevention and security | Legitimate interests; legal obligation
Compliance with law | Legal obligation (Art. 6(1)(c))
Sensitive data that you voluntarily submit through habits/chats | Your explicit consent (Art. 9(2)(a)), or data you have manifestly made public (where applicable)

You have the right to object to processing based on legitimate interests; see Section 9.

§ 05 How We Share Personal Information

We do not sell personal information. We share information only in the ways described below.

With Other Users

By design, certain content is shared with other Users you choose to connect with:

  • Your public profile (display name, avatar, bio, User Code) is visible to other authenticated Users you connect with.
  • Friends see your direct messages with them and your shared accountability context.
  • Accountability partners see the linked habit, check-ins, proof photos, and chat for that habit.
  • Habit Circle members see the circle thread, member check-ins, proof, messages, and media for the circle.
  • Partner nudges are visible to the recipient (sender and habit are shown in the nudge).

You control which Users you connect with. You are responsible for the consequences of sharing User Content with other Users, including the risk that they may screenshot or otherwise copy what you share.

With Service Providers ("Processors")

We share personal information with third-party service providers who process it on our behalf to operate the Service. These providers are bound by contracts that restrict their use of the information.

Provider | Purpose | Categories of Data
Supabase, Inc. | Authentication, database, file storage, realtime messaging, edge functions, push delivery to Apple/Google | All account, profile, habit, check-in, proof photo, chat, media, and connection data
OpenAI, L.L.C. | AI proof verification (image + prompt), Lumi chat replies (message text + context), habit icon generation (text prompts) | Proof images and metadata; chat text; habit context; identity statements
Google LLC | OAuth authentication (if you choose Google sign-in) | Email, name, Google account identifier
Apple Inc. (if/when Sign in with Apple is enabled) | OAuth authentication | Apple-provided identifier, optional email
Expo, Inc. / Expo Application Services | Push notification delivery, error reporting, app build infrastructure | Push tokens, device metadata, optional crash logs
Apple App Store / Google Play Store | App distribution, in-app purchases (when applicable) | Account-level purchase and platform data
Email/messaging providers (e.g., transactional email, support ticketing) | Sending service emails, handling support | Email address, support correspondence

Service providers may change over time. We will update this list when we make material changes. The most current list is available on request at support.nexu@gmail.com.

In Business Transfers

If we are involved in a sale of all or part of the Service or its assets, your information may be transferred or disclosed as part of that transaction. We will require the recipient to honor this Privacy Policy or provide notice and choice as required by law.

For Legal Reasons

We may disclose personal information if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation, court order, subpoena, or government request
  • Enforce our Terms of Service or other agreements
  • Investigate, prevent, or take action regarding suspected fraud, security issues, technical issues, or violations of law
  • Protect the rights, property, or safety of Nexu, our Users, or others, including in life-threatening emergencies

Where legally permitted, we will notify affected Users.

With Your Consent

We may share information for other purposes with your consent.

§ 06 International Data Transfers

We and our service providers operate globally. Personal information may be transferred to, stored in, and processed in countries other than the country in which you reside, including the United States (where OpenAI and many service providers are located) and Singapore. Data-protection laws in those countries may differ from those in your country of residence.

When we transfer personal data outside the EEA, UK, or Switzerland (or, where applicable, outside Singapore under the PDPA), we rely on one or more of the following safeguards:

  • The European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum / IDTA, as applicable)
  • Adequacy decisions where applicable
  • Other transfer mechanisms recognized under applicable law
  • Your explicit consent, where required

For information on our transfer safeguards, contact support.nexu@gmail.com.

§ 07 Data Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account information is retained for the life of your account.
  • Habits, check-ins, proof photos, messages, friends, invites, and Habit Circles are retained for the life of your account or until you delete them.
  • Soft-deleted messages (deletion flags set by users) may remain in our database for up to 30 days before being permanently removed.
  • Proof photos are deleted when the related check-in is deleted, when the habit is hard-deleted, or when your account is deleted.
  • Backups may persist for up to 30 days after deletion, then are overwritten.
  • Logs and security records are retained for up to 12 months.
  • Records required for legal/tax/accounting compliance are retained for the period required by applicable law.
  • Anonymized / aggregated data may be retained indefinitely.

When you delete your account (Section 9.3), we will delete or anonymize your personal information within a commercially reasonable period, subject to the retention exceptions above. Some information may persist in other Users' chats, Habit Circles, or screenshots; we cannot delete content from other Users' devices.

§ 08 Security

We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including:

  • Encryption in transit for all communications between the app and our backend
  • Encryption at rest for stored data, where supported by our hosting providers
  • Authentication via Supabase Auth with hashed credentials
  • Row-Level Security (RLS) on database tables to restrict access to authorized Users
  • Private storage buckets for proof photos, chat media, profile avatars, signatures, and AI habit icons (rendered only via short-lived signed URLs)
  • Server-side handling of secrets — OpenAI and service-role credentials are never exposed to the mobile app
  • AI provider safety — proof images are uploaded server-side and validated, and AI calls are made only through our authenticated Edge Functions
  • Caller authentication for AI verification, AI chat, proof review, and nudge endpoints
  • Permission checks for proof review based on actual accountability invite status (not just friendship)

No security system is impenetrable. We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and using the Service responsibly. Notify us immediately at support.nexu@gmail.com if you suspect a security incident.

We will notify affected Users and relevant authorities of a data breach to the extent required by applicable law (including GDPR Art. 33–34, Singapore's PDPA Section 26B, and applicable U.S. state laws).

§ 09 Your Rights

Depending on where you live, you may have the following rights regarding your personal information. We honor these rights to the extent required by applicable law.

Access and Portability

You can request a copy of the personal information we hold about you and, where applicable, receive it in a structured, commonly used, machine-readable format.

Correction

You can correct inaccurate or incomplete information. You can edit your profile, habits, identity statement, and bio directly in the app, or contact us for help.

Deletion / Erasure

You can request that we delete your personal information. You may delete your account from in-app Settings or by emailing support.nexu@gmail.com. Some information may be retained as described in Section 7.

Restriction and Objection

You can ask us to restrict processing, or object to processing based on legitimate interests or for direct marketing.

Withdraw Consent

Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of earlier processing.

Automated Decision-Making

Our AI proof-verification system makes an automated decision (approve / needs review) about your proof submission. You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Our AI verification is for accountability and motivation only and has no legal or similarly significant effect. If you disagree with a verification outcome, you can resubmit the proof or ask your accountability partner to review it.

Non-Discrimination

We will not discriminate against you for exercising any of these rights.

How to Exercise Your Rights

Send a request to support.nexu@gmail.com. We may need to verify your identity before responding (typically by confirming control of the email address on your account). We will respond within the timeframe required by applicable law (generally 30 days under GDPR, 45 days under CCPA, extendable as permitted).

Right to Complain

You have the right to lodge a complaint with a supervisory authority:

  • Singapore: Personal Data Protection Commission (PDPC), https://www.pdpc.gov.sg
  • EEA: Your local data protection authority. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
  • UK: Information Commissioner's Office (ICO), https://ico.org.uk
  • California: California Privacy Protection Agency, https://cppa.ca.gov

We encourage you to contact us first so we can address your concern.

§ 10 Region-Specific Disclosures

Singapore (PDPA)

If you are in Singapore, you have the right under the Personal Data Protection Act 2012 to:

  • Access your personal data
  • Correct any errors or omissions
  • Withdraw consent (subject to legal and contractual restrictions)

We comply with the PDPA's Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Accountability obligations.

Our Data Protection Officer is Su Pengzhong, contactable at support.nexu@gmail.com.

California (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

  • Right to know the categories and specific pieces of personal information we collect, use, disclose, and (if applicable) sell or share
  • Right to delete personal information, subject to exceptions
  • Right to correct inaccurate personal information
  • Right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination for exercising your rights

We do not sell personal information for money. We do not "share" personal information for cross-context behavioral advertising. We do not knowingly collect personal information from California residents under 16 without consent.

Categories of personal information collected in the past 12 months:

Category (CCPA) | Examples
Identifiers | Email, User Code, Supabase user ID, Google account identifier, device IDs, push tokens
Customer records | Name, password (hashed), avatar, signature, contact email
Internet / network activity | App usage logs, error logs
Geolocation (coarse) | Time zone, device locale (we do not collect precise GPS by default)
Audio / visual | Proof photos, chat photos, avatar, signature image
Inferences | Habit patterns, streaks, progress metrics
Sensitive personal information | Account credentials; potentially health-related habits or content if you choose to submit them

To exercise your CCPA/CPRA rights, contact support.nexu@gmail.com. We will not discriminate against you for exercising your rights.

You may designate an authorized agent to make a request on your behalf, subject to verification.

European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, see Sections 4, 6, and 9 for legal bases, international transfers, and your GDPR / UK GDPR rights. We are not currently established in the EEA or UK and have not appointed an Art. 27 Representative. If we begin offering the Service in a manner that requires us to appoint one, we will update this Privacy Policy accordingly.

Australia

If you are in Australia, your rights under the Privacy Act 1988 and the Australian Privacy Principles include access, correction, and complaints. To complain, contact the Office of the Australian Information Commissioner at https://www.oaic.gov.au.

Other Jurisdictions

If you reside elsewhere, we will honor the rights afforded to you by applicable local law to the extent practicable.

§ 11 Third-Party Services

The Service relies on third-party services whose privacy practices we do not control. We encourage you to review their policies:

  • Supabase Privacy Policy: https://supabase.com/privacy
  • OpenAI Privacy Policy: https://openai.com/policies/privacy-policy
  • Google Privacy Policy: https://policies.google.com/privacy
  • Apple Privacy Policy: https://www.apple.com/legal/privacy/
  • Expo Privacy Policy: https://expo.dev/privacy

If you access third-party links from within the Service, those services collect information independently. We are not responsible for their practices.

§ 12 Push Notifications, Local Storage, and Tracking

Push Notifications

We use Expo Notifications to deliver remote pushes (e.g., partner nudges, accountability events) and the operating system's local notification scheduler to deliver habit reminders and Lumi check-in reminders. You can disable notifications at any time in your device settings.

Local Storage

We use AsyncStorage on your device for the local cache, offline/prototype data, theme preference, and read/dismissal markers. You can clear this data by uninstalling the app or clearing app storage in your device settings (this may also remove unsynced local data).

Do Not Track

Our mobile app does not currently respond to "Do Not Track" browser signals because the standard does not apply to mobile apps. We do not engage in cross-context behavioral advertising.

Analytics

We may use analytics tools to understand how the Service is used, in aggregated/de-identified form. We will update this Policy if we add analytics providers that collect personal information.

§ 13 Children's Privacy

Nexu is not directed to and is not intended for use by children under 13 (or the higher minimum age set by local law — for example, 16 under GDPR in some EU member states). We do not knowingly collect personal information from children below the applicable minimum age. If you believe we have inadvertently collected personal information from a child, contact support.nexu@gmail.com and we will delete it.

For Users between 13 and the local age of majority, parental or guardian consent is required, and parents/guardians may exercise the rights in Section 9 on the User's behalf.

We do not knowingly direct any marketing to children.

§ 14 AI and Automated Processing

We provide AI features through OpenAI (called only through our backend). The following summarizes what is sent, why, and what we do (and do not) authorize.

AI Feature | What We Send | Purpose | Authorization Limits
Proof verification | Proof image (or context), habit title, identity statement | Generate a confidence score and approve/needs-review status | Not authorized to train general models; subject to OpenAI's API data-use policy
Lumi chat | Message text, recent chat context, habit context, current theme | Generate Lumi's reply messages | Same as above
Habit icon generation | Habit title, prompt text, theme | Generate an image stored in private storage | Same as above

We do not authorize our AI provider to use your data to train its general-purpose models. However, AI provider policies and practices may change. You should not submit information you would not want a third-party processor to receive. If you do not want a particular photo or message processed by AI, do not submit it through a Proof Mode, AI chat, or AI icon feature.

AI verification is automated and probabilistic. It may produce incorrect results. See Section 9.6 (automated decision-making) and our Terms of Service, Section 7, for the legal effect of AI outputs.

§ 15 Profile, Friend, and Accountability Visibility — Important Notes

  • Your User Code is shared with anyone who knows it; this is how friends find you.
  • Your display name, avatar, and bio are visible to Users you connect with and, in some preview surfaces, to invited / pending Habit Circle members.
  • Direct friendship alone does not reveal your private habits. Habit content is shared only with the partner or Habit Circle members linked to that specific habit.
  • Accountability-only partners can see and review proof for your habit but do not get a copy of your habit data and cannot submit proof on your behalf.
  • Pending Habit Circle invitees see only the membership/thread/source-habit preview needed to accept or decline; they cannot read circle messages, proof, or media until they are active members.
  • Once a User has access to a chat, photo, or proof, we cannot prevent them from saving, screenshotting, or otherwise copying it.

Please connect only with people you trust and only share content you are comfortable with them seeing.

§ 16 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice, such as by posting a revised version with a new "Last Updated" date, displaying an in-app notice, or emailing you. We will obtain consent where required by law.

Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree, please stop using the Service and, if you wish, delete your account.

§ 17 Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, contact us:

Su Pengzhong
Attn: Privacy
Email: support.nexu@gmail.com
Website: https://www.nexuhabits.com

© 2026 Nexu · nexuhabits.com