Privacy Policy
This is the privacy policy for Nervoxin Smart Planning ("the app"). It's written plainly because privacy policies should be readable.
What we collect
- Account info — your email and the display name you set. Used to sign you in and to address you in the UI.
- The financial data you enter — goals, income amounts, bills, debt balances, monthly logs, life events. All of it is data you typed in yourself; we don't pull from your bank.
- App settings — your theme, dashboard layout, paycheck schedule, and similar preferences.
- Service logs — when you sign in, when requests fail, how long they took. Standard server logs, kept for debugging.
What we don't collect
- We don't connect to your bank, broker, or any third-party financial provider. Nothing is imported automatically.
- We don't run analytics trackers, ad pixels, or session-replay tools.
- We don't sell, rent, or share your data with marketers, brokers, or "partners". There's no upsell to a partner who pays us for access — and there won't be.
How we use what we collect
Your data is used to operate the app for you: render your dashboard, compute projections, send the password-reset and paycheck-reminder emails you've opted into, and respond to support requests you initiate.
Aggregate, fully anonymized counts (e.g., "how many active accounts") may be used for product decisions. We never look at the contents of your goals, bills, or logs except when you've explicitly asked us to help with a support issue.
Signing in with Google
You can choose to sign in with Google instead of an email and password. When you do, Google shares your basic profile information — your email address and name — with us, and we use it only to create and authenticate your account. We request no other Google scopes. We do not read, store, or process your Gmail, Google Drive, contacts, calendar, or any other Google user data, and we never use Google sign-in data for advertising. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Where it lives
Your data is stored in our managed Postgres database (Supabase). All traffic between your browser and the server is TLS-encrypted. The service-role key that can read across users lives only on the server.
Supabase runs daily backups on a 1-day rolling window on our current tier — yesterday's snapshot is retained, then automatically overwritten. A deletion request removes you from the live database immediately, and you fall out of the rolling backup window within 24 hours after that.
Service providers we use
We use the following third-party services to operate the app. Each one only receives the data needed to do its job.
- Supabase — Postgres database, authentication, file storage. Hosts every row of your data.
- Fly.io — runs our API server. Sees request and response traffic in transit; does not retain bodies.
- Cloudflare — serves the frontend and proxies API traffic. Sees IP addresses and TLS metadata.
- Stripe — payment processing. Card numbers go directly to Stripe and never reach our servers; we receive a token and the last 4 digits for receipts.
- Resend — sends transactional email (email confirmation, password reset, paycheck reminders, weekly digest). Sees your email address and the message body.
- Google — only when you choose Google sign-in or connect Google Calendar. Scopes are limited to authentication and (if connected) read/write access to a dedicated "Nervoxin" calendar.
If you'd like a current list of subprocessors before signing up, email [email protected].
Your rights
- Export — download a ZIP of every record tied to your account from Settings → Data export → "Export all my data". One JSON file per table plus a manifest.
- Delete — wipe your account and every record tied to it from Settings → Danger zone → "Delete my account". Cascades through every user-keyed table immediately; backups fall out of the rolling window as described in "Where it lives" above.
- Correct — every value in the app is editable by you from inside the app.
You can also email [email protected] from the address on your account to request any of these if the in-app buttons aren't working for you.
Your California rights
If you live in California, the CCPA gives you these specific rights:
- Right to know — what personal information we collect, why, and who we share it with. This whole policy is the answer; email us if you want a more formal disclosure.
- Right to delete — see "Delete" under Your rights above. The same self-serve button covers this.
- Right to opt out of sale — we do not sell personal information and have no plans to. There is nothing to opt out of.
- Right to non-discrimination — exercising any of these rights will not change your account standing or pricing.
To exercise a California right, email [email protected] from the address on your account. We respond within 45 days as the law requires.
Cookies and local storage
We use localStorage to keep you signed in across page loads, remember your theme, and cache the most recent dashboard data so the app paints quickly. sessionStorage is used briefly when handing scenarios from a calculator into the what-if page. No third-party cookies.
Children
The app isn't aimed at, or designed for, anyone under 16. If you believe a child has signed up, email us and we'll delete the account.
Changes to this policy
If we change anything material, we'll update the date at the top and notify you either in the app or by email. Older versions of this policy will be linked from the changelog.
Contact
Questions or requests: [email protected].