Noctua

Privacy Policy

Last updated: May 28, 2026 · Effective immediately

This Privacy Policy describes what information Noctua ("we", "us") collects when you use our mobile app and related services (the "Service"), how we use it, who we share it with, and the choices you have.

We believe in collecting the minimum we need to deliver the product. No tracking pixels. No advertising networks. No resale of your data, ever.

Contents

  1. Information we collect
  2. How we use it
  3. AI processing of your chats
  4. Push notifications
  5. Sharing & third-party services
  6. Cookies (web only)
  7. Data retention
  8. Your rights
  9. Security
  10. International transfers
  11. Children's privacy
  12. Changes to this policy
  13. Contact

1. Information we collect

Account information

When you sign up — whether through Apple, Google, or email/password — we store:

  • Your email address (for account recovery, transactional emails, and trial reminders).
  • Your chosen display name.
  • A provider identifier from Apple or Google (so we can identify you on future sign-ins). We do not receive your password from Apple or Google.

Onboarding preferences

To personalise your daily insight, we store the answers to the onboarding questions:

  • Your motivation for using Noctua.
  • The topics you've chosen to follow.
  • Your preferred reading depth (1–4).
  • Your chosen delivery time slot and timezone.
  • Your daily-goal target.

Engagement signals

To improve the Service and personalise what we send you next, we record:

  • Which insights you opened, completed, saved, or rated.
  • Quiz answers and spaced-recall ratings (Hard / OK / Easy).
  • Aggregate timing data: when push notifications are opened or dismissed (used to fit a personal Gaussian model of your optimal delivery hour — see §4).

Go Deeper chat messages

When you use the AI chat feature, the messages you send and the article they relate to are processed to generate a response. See §3 below for details on AI processing.

Subscription & payment

Payments are handled by the platform store you used to install the app — Apple (on iOS) or Google (on Android). We do not see or store your payment details. We do receive, via RevenueCat (our subscription mirror), your anonymised subscription status (trial / active / canceled) and trial expiration date so we know which features to unlock.

Device & technical info

We collect minimal device information needed to run the app:

  • Push notification token — on iOS, from Apple's APNs; on Android, from Firebase Cloud Messaging (FCM). Both are delivered through OneSignal, and we only request a token if you grant notification permission.
  • App version, OS version, device model — for diagnostics and crash reports (via Sentry).
  • IP address, briefly, when API requests are made — for security and abuse prevention.

2. How we use it

We use the information above to:

  • Deliver one personalised insight per day at your chosen time.
  • Run the AI chat, quizzes, and spaced-recall practice features.
  • Recommend topics and adjust depth, based on what you read.
  • Send you the daily push notification and (rarely) transactional emails — e.g. trial-ending reminders.
  • Improve content quality and surface bugs.
  • Prevent abuse, fraud, and security incidents.
  • Comply with our legal obligations.

We do not sell your personal information, nor do we use it to train any third-party advertising or recommendation system outside of Noctua itself.

3. AI processing of your chats

When you ask a follow-up question in the Go Deeper chat, your message — along with the article it relates to and a short rolling history of the conversation — is sent to our AI provider (currently Anthropic) to generate a response. The article and your message are also briefly held in server logs for abuse-prevention and quality monitoring.

We have configured our AI providers to not use your chat content to train their models, where that option is available, in accordance with their respective enterprise agreements.

You should still avoid pasting personal data (names, addresses, identifiers, secrets) into the chat. Treat it like any other AI chat interface.

4. Push notifications

We use push notifications because that is the product: one a day, hand-picked. To deliver them we:

  • Request your permission through the operating system — you can turn it off any time in iOS Settings → Notifications → Noctua or Android Settings → Apps → Noctua → Notifications.
  • Store an anonymous device token (from Apple APNs on iOS, or Firebase Cloud Messaging on Android, delivered through OneSignal).
  • Log when notifications are sent, delivered, opened, or dismissed — used in aggregate to learn your best send time (a personal Gaussian-fit model) and to debug delivery issues.

5. Sharing & third-party services

We share information only with vendors who help us operate the Service. They are bound by contractual obligations to protect your data and use it solely on our instructions:

  • Anthropic (Claude) — generating insight content and answering Go Deeper chats.
  • OpenAI — generating embeddings for content recommendation (text only, no personal identifiers).
  • OneSignal — delivering push notifications (via Apple APNs on iOS and Firebase Cloud Messaging on Android).
  • RevenueCat — mirroring subscription state from Apple App Store and Google Play.
  • Resend — sending transactional email.
  • Sentry — collecting anonymised crash reports.
  • Postgres database hosted by a reputable cloud provider for application data.

We may disclose information if required by law, valid legal process, or to protect the rights, property, or safety of Noctua, our users, or the public.

In the event of a merger, acquisition, or sale of assets, your information may transfer as part of that transaction. We will notify you in advance via email if your data becomes subject to a different privacy policy.

6. Cookies (web only)

The Noctua mobile app does not use cookies. Our marketing website (noctua.app) uses only essential cookies for security and basic site functionality. We do not run advertising or third-party analytics cookies.

7. Data retention

We retain your account data while your account is active. If you delete your account, we delete personal identifiers within 30 days, except where we are legally required to keep certain records (e.g. tax and payment records held by Apple App Store or Google Play). Aggregate, de-identified analytics may be retained for longer to improve the product.

Push notification event logs and chat content older than 90 days are automatically purged unless retained for specific abuse-prevention or legal reasons.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email us at privacy@noctua.app. We will respond within 30 days.

9. Security

We take security seriously:

  • All traffic is encrypted in transit via HTTPS/TLS.
  • Passwords are stored using salted Argon2 hashes, never in plain text.
  • Sign-in tokens are stored on your device in the platform's secure enclave (iOS Keychain on iPhone, Android Keystore on Android — both accessed via Expo SecureStore).
  • Access to production data is restricted, logged, and limited to the staff that need it.

No system is perfectly secure, however. If you suspect a vulnerability or a breach affecting your account, please email security@noctua.app immediately.

10. International transfers

Noctua operates globally and may transfer, store, and process your information outside your country of residence. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms to ensure your data continues to be protected at a level equivalent to the country you reside in.

11. Children's privacy

Noctua is not directed to children under 13 (or the higher local minimum age of digital consent). We do not knowingly collect personal information from children under that age. If you believe a child under that age has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you in the app or by email at least 14 days before the changes take effect. The "Last updated" date at the top will always reflect the current version.

13. Contact

Questions, requests, or concerns about this Privacy Policy? Reach us at:

  • General: hello@noctuaapp.io
  • Privacy & data requests: privacy@noctua.app
  • Security disclosures: security@noctua.app

Thanks for trusting us. We take that responsibility seriously.

© 2026 Noctua. Made for the curious.