Privacy Policy
Last updated: 20 April 2026
Important — not medical advice
Nurlo provides informational analyses of publicly available supplement research. It is not medical advice, is not a substitute for professional healthcare, and does not diagnose, treat, cure, or prevent any disease or medical condition. Always consult a qualified healthcare provider before starting, stopping, or changing any supplement, medication, or treatment. Read our full medical disclaimer.
1. Data Controller
Nurlo is operated by Nikraj as sole trader in the United Kingdom. For data protection enquiries, contact hello@trynurlo.com. ICO registration number: pending (to be added on registration).
1a. Explicit consent for health-related special-category data
Nurlo processes health-related information under Article 9(2)(a) of the UK GDPR and EU GDPR. By using the service, you explicitly consent to Nurlo processing your health-related information — including your supplement intake, doses and timing, health goals, pregnancy status if you provide it, medication status if you provide it, and any HealthKit data you choose to share on iOS — for the purpose of providing personalized supplement stack analysis.
This consent is specific, informed, and freely given. You can withdraw it at any time from Settings > Privacy > Withdraw Health Data Consent. Withdrawal will prevent further analyses until you reinstate consent, but will not affect the lawfulness of any processing carried out before withdrawal. Withdrawal does not delete previously processed data — use the Delete account control for that.
2. Data We Collect
When you use Nurlo, we collect the following data that you provide:
- Supplements, doses, and health goals you enter
- Check-in scores (mood, energy, sleep, focus)
- Profile information (age, activity level, lifestyle notes)
- Daily routine times
- Bottle photos (processed ephemerally to extract supplement data; images are not stored)
- Analytics events (e.g. feature usage, page views)
- Health metrics synced from Apple Health (sleep duration, heart rate variability, active energy, heart rate, blood pressure, weight, height, body temperature, blood oxygen, step count) — only if you opt in on iOS
- Supplement groups (names you assign to organize your supplements)
- Calendar feed tokens (opaque tokens for iCal schedule access)
- Notification preferences (digest schedule, timezone)
3. Legal Basis for Processing
Under Article 6 of the UK and EU GDPR, we process your data on the following lawful bases:
- Supplement analysis and scheduling: Contract (necessary to provide the service you signed up for).
- Health metrics from Apple Health: Consent (you grant permission via the iOS Health permission dialogue, and optionally enable server sync).
- AI-powered narrative insights (Google Gemini): Consent (you agree via the in-app consent notice before your first AI analysis).
- Payment processing (Stripe): Contract (necessary to manage your subscription).
- Error monitoring (Sentry): Legitimate interest (maintaining service reliability; no health data is sent).
- Performance monitoring (Vercel Analytics, Speed Insights): Legitimate interest (improving page load times; no personally identifiable information is collected).
- Rate limiting (Upstash Redis): Legitimate interest (protecting the service from abuse; IP addresses are stored transiently).
- In-app analytics events: Legitimate interest (understanding feature usage to improve the product).
4. Third-Party Processors and Sub-processors
Nurlo relies on the following third-party services to operate. For each processor we list the purpose of processing, the corporate jurisdiction and data-processing region, and the status of our data-processing agreement (DPA) or equivalent transfer mechanism.
- Supabase — Postgres database and authentication (Google OAuth session storage). US corporation (Supabase, Inc.); database hosted on AWS in eu-central-1 (Frankfurt) for EU data residency. Covered by Supabase's standard DPA, which incorporates EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Row-level security ensures only you can access your own records.
- Vercel — web hosting, serverless functions, Speed Insights, and Analytics. US corporation (Vercel, Inc.); our project is pinned to the EU region fra1 (Frankfurt) for function execution. Covered by Vercel's DPA, which incorporates EU Standard Contractual Clauses and the UK addendum. Vercel Analytics and Speed Insights are cookieless and do not collect personally identifiable information.
- Stripe — payment processing and subscription management. US corporation (Stripe, Inc.) with an EU entity in Ireland (Stripe Payments Europe, Ltd.) acting as processor for EU and UK customers. Covered by Stripe's standard DPA, which incorporates EU Standard Contractual Clauses and the UK addendum. Card details are handled on Stripe's PCI-DSS Level 1 infrastructure and never touch our servers.
- Google (Gemini via the Vercel AI Gateway) — generation of AI narrative insights. US corporation (Google LLC); prompts are processed on Google Cloud. Covered by Google's Data Processing Amendment (Cloud), which incorporates EU Standard Contractual Clauses, the UK addendum, and Google's certification under the EU-US Data Privacy Framework. Prompts are not used to train Google's models and are not retained beyond the duration of the request.
- Sentry — error monitoring and performance telemetry. US corporation (Functional Software, Inc. dba Sentry). Covered by Sentry's standard DPA, which incorporates EU Standard Contractual Clauses and the UK addendum. Personally identifiable information and health-related request data are scrubbed client-side and server-side before transmission (see sentry.client.config.ts and sentry.server.config.ts). Session Replay is disabled.
- Upstash — Redis for IP rate limiting. US corporation (Upstash, Inc.); our database is provisioned in the EU region eu-west-1 (Ireland). Covered by Upstash's DPA, which incorporates EU Standard Contractual Clauses and the UK addendum. Only rate-limit counters keyed by IP are stored, and records expire within the rate-limit window (under one minute).
Where data is transferred outside the UK or EU, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, and — for Google — the EU-US Data Privacy Framework as the legal mechanism for transfer. We will notify you of material changes to this sub-processor list via email or prominent in-app notice at least 30 days before the change takes effect.
5. HealthKit Data (iOS)
On iOS, Nurlo may read data from Apple HealthKit with your permission, including sleep analysis, heart rate variability, and active energy burned. HealthKit data is used on-device to display health trends on your dashboard. If you enable health metric syncing, selected metrics may be transmitted to our servers and stored in your account to enable cross-device access and historical trend analysis. Synced health data is protected by the same row-level security as all your other data. HealthKit data is never used for advertising and never shared with third parties.
6. International Data Transfers
Your data may be processed by our service providers in the following locations:
- Supabase (database): EU
- Vercel (hosting): Global edge network
- Google Gemini (AI processing): United States
- Stripe (payments): United States
- Sentry (error tracking): United States
- Upstash (rate limiting): United States
Where data is transferred outside the UK or EU, we rely on Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework as the legal mechanism for transfer.
7. Data Retention
Your data is retained for as long as your account exists. When you delete your account, all associated data is permanently removed from our systems via cascading deletion. Specific retention periods for operational data:
- Analytics events: automatically purged after 2 years
- Payment webhook logs: automatically purged after 1 year
- Notification queue: automatically purged after 90 days
- Bottle photos: processed ephemerally and never stored
- AI processing: data sent to Google Gemini per-request and not retained by Google
8. Your Rights
Regardless of your jurisdiction (including under UK GDPR, EU GDPR, and CCPA), you have the following rights:
- Access: Export a full copy of your data from the Settings page.
- Deletion: Delete your account and all associated data from Settings. Account deletion also cancels any active subscription.
- Portability: Export your data in machine-readable JSON format from Settings.
- Restriction: You may request that we restrict processing of your data by contacting us at hello@trynurlo.com.
- Objection: You may object to processing based on legitimate interest by contacting us.
- Consent withdrawal: Where processing is based on consent, you may withdraw at any time. For AI analysis, withdraw consent from Settings > Privacy. For HealthKit, revoke access from iOS Settings > Privacy & Security > Health. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Automated-decision opt-out: Nurlo uses automated analysis to generate supplement suggestions. You can opt out of AI-generated narrative processing while retaining the deterministic analysis from Settings > Privacy, and you can request human review of any specific result by contacting hello@trynurlo.com.
- Complaint: You have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office: ico.org.uk/make-a-complaint. In the EU, contact your local data protection authority.
9. Cookies and similar technologies
Nurlo uses only strictly-necessary cookies. We do not set or permit any advertising, analytics, profiling, social-media, or other non-essential cookies, and we do not use localStorage or other device-storage mechanisms for tracking. Because we rely solely on strictly-necessary storage, we do not display a cookie consent banner.
The strictly-necessary cookies we use are:
- Supabase authentication session (sb-<project>-auth-token and related sb-* cookies) — keeps you signed in and enforces row-level security. Required for any authenticated page to function.
- Stripe Checkout and Portal (__stripe_mid, __stripe_sid, and related session cookies set on checkout.stripe.com / billing.stripe.com during payment flows) — fraud prevention and session continuity while you complete a purchase or manage your subscription. Set only on Stripe-hosted domains when you start a checkout or billing-portal session.
- Session and CSRF protection cookies set by Next.js and Supabase (including PKCE code-verifier cookies during OAuth) — prevent cross-site request forgery and protect the OAuth sign-in flow.
These cookies fall within the exemption in Regulation 6(4) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), which provides that the consent requirement does not apply where storage or access is "strictly necessary for the provision of an information society service requested by the subscriber or user." The equivalent carve-out in Article 5(3) of the EU ePrivacy Directive applies in the EU.
Vercel Analytics and Vercel Speed Insights are cookieless by design; they collect anonymous page-view and web-vitals measurements without setting identifiers on your device. Sentry is used for error monitoring only; Session Replay is disabled and no Sentry identifier is persisted in browser storage. In-app analytics events (feature usage, page views) are stored in our own Supabase database against your authenticated account and are not shared externally.
10. Children
Nurlo is not intended for users under the age of 16. We do not knowingly collect data from children.
11. Contact
If you have questions about this policy or wish to exercise your data rights, please contact us at hello@trynurlo.com.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be notified via the app. Continued use of Nurlo after changes constitutes acceptance of the updated policy.
