Who We Are
Nusli is an independent app studio based in Athens, Greece. We develop mobile applications for iOS and Android in the health, wellness, and lifestyle space — including CycleStack (supplement and cycling protocol tracker) and other apps available at nusli.app. This Privacy Policy applies to all Nusli apps and our website, unless a specific app provides its own supplemental policy.
Data controller contact: privacy@nusli.app
What Data We Collect
We collect only what is necessary to operate our services. Depending on which Nusli app you use and which features you enable, this may include:
- Account data: If you create an account, we collect your email address and a hashed authentication credential, or an authentication token if you use Sign in with Apple or Sign in with Google.
- App content data: Information you enter into the app — such as supplement logs, cycle protocols, wellness habits, or lifestyle entries. Where cloud sync is enabled, this is stored in our cloud database (see Third-Party Processors below). Where cloud sync is disabled, this data remains on your device only and we cannot access it.
- Subscription and purchase state: Whether you hold an active premium subscription. We do not receive or store your payment card details — these are managed entirely by Apple or Google.
- Usage and crash data: Anonymous, aggregated crash reports and performance diagnostics to improve app stability. This data is fully anonymised and cannot be used to identify you.
- Advertising identifiers: Where you have consented to personalised advertising in a free app, Google AdMob may access your device advertising identifier (IDFA on iOS, GAID on Android).
Health Data — Special Category Notice (GDPR Art. 9)
Some Nusli apps collect information that may constitute health-related personal data under GDPR Article 9 — for example, supplement schedules, medication tracking, or wellness metrics. We treat all such data as special category data and process it only on the basis of your explicit consent, obtained within the app before the relevant feature is activated.
You may withdraw consent at any time by deleting your data within the app or by contacting us at privacy@nusli.app. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
Legal Basis for Processing (GDPR Art. 6 & 9)
- Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): Health-related app data and personalised advertising.
- Contract performance (Art. 6(1)(b)): Account creation, cloud sync, and subscription management — processing necessary to deliver the service you have requested.
- Legitimate interests (Art. 6(1)(f)): Anonymous crash reporting and app stability improvements, where our interest in providing a reliable service does not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)): Where required by applicable EU or Greek law.
Third-Party Data Processors
We use the following third-party services to operate our apps. Each acts as a data processor under a written Data Processing Agreement (DPA) and is permitted to process your data only on our instructions and in accordance with GDPR.
| Processor | Purpose | Data location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Cloud database — stores your app content (e.g. supplement logs, user account) when cloud sync is enabled | EU (AWS eu-central-1, Frankfurt) | Standard Contractual Clauses (SCCs); Supabase DPA |
| RevenueCat Inc. | Subscription and in-app purchase management — stores your subscription status and an anonymous app user identifier | USA | Standard Contractual Clauses (SCCs); RevenueCat DPA |
| Google AdMob (Google LLC) | Advertising in free apps — may use device advertising identifier to serve ads where you have consented | USA / global | Standard Contractual Clauses (SCCs); Google DPA |
| Apple Inc. | App Store distribution, payment processing, and optional Sign in with Apple authentication | USA / global | Apple acts as an independent controller for payments and Apple ID data; SCCs for processor activities |
| Google LLC (Play Store) | Google Play distribution and payment processing for Android | USA / global | Google acts as an independent controller for payments and Google account data; SCCs for processor activities |
International Data Transfers
Some processors above are based outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in the form of Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c). You may request a copy of the relevant SCCs by contacting privacy@nusli.app.
Our primary database (Supabase) is hosted in Frankfurt, Germany (EU), meaning your app content data does not leave the EEA.
Advertising
Free Nusli apps may display advertisements served by Google AdMob. Before showing personalised ads, our apps present a consent management prompt (CMP) in accordance with the IAB Transparency and Consent Framework (TCF v2.2) and applicable GDPR requirements. If you decline personalised ads, contextual ads are shown instead. You may update your advertising consent at any time through the app's Settings screen. Users with an active premium subscription are not shown ads.
In-App Purchases and Subscriptions
Payments are processed entirely by Apple (App Store) or Google (Google Play), who act as independent data controllers for all payment information. We never receive your full payment card details. Via RevenueCat, we receive confirmation of your subscription status (active or expired) and an anonymous user identifier, which we use solely to unlock premium features within the app.
Data Retention
We retain your data only for as long as necessary for the purposes described in this policy:
- App content data: retained until you delete it within the app or close your account.
- Account credentials: retained until account deletion is requested and processed.
- Subscription records: retained by RevenueCat for up to 3 years for financial audit compliance, after which they are anonymised.
- Anonymous crash data: retained for a maximum of 12 months.
- Advertising consent records: retained for 3 years as required by applicable law.
To request deletion of your account and all associated personal data, contact privacy@nusli.app. We will process your request within 30 days.
Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. To exercise any of these rights, contact privacy@nusli.app. We will respond within 30 days and may ask you to verify your identity.
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right of rectification (Art. 16): Have inaccurate or incomplete data corrected.
- Right of erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to applicable legal retention obligations.
- Right of restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right of portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests at any time.
- Right to withdraw consent (Art. 7(3)): Withdraw any consent you have given at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22): We do not make automated decisions that produce legal or similarly significant effects based on your data.
Supervisory Authority
You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), our lead supervisory authority: www.dpa.gr. You may also contact the supervisory authority in your country of residence within the EU.
Data Breach Notification
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay and in compliance with GDPR Articles 33–34. We will report notifiable breaches to the HDPA within 72 hours of becoming aware of them. Notifications will be sent to the email address associated with your account.
Children's Privacy
Our apps are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact privacy@nusli.app and we will delete it promptly.
California Residents (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know what personal information we collect and how it is used, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise your California privacy rights, contact privacy@nusli.app.
Changes to This Policy
We may update this policy from time to time. Where changes are material, we will notify you through the app or via the email address associated with your account at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our apps after the effective date constitutes acceptance of the updated policy.