NAOA

Privacy Policy

Effective Date: January 1, 2026

At NAOA, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our numerology platform and services.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

1. Data Controller

The data controller responsible for your personal data is:

Aleksander Popek
ul. Pawia 3/14
05-803 Pruszków, Poland
NIP: PL7921820285
Email: hello@naoa.app

2. What Data We Collect

2.1 Account Data. When you create an account, we collect: email address (required), first name and last name (optional), display name (optional), avatar URL (optional), language preference, timezone (optional), location: country, city, region (optional), and preferred currency (optional).

2.2 Portrait and Analysis Data. When you use our numerology features, we collect: birth date, full name (optional), and AI-generated numerological content and reports.

2.3 Payment Data. Payments are processed by Stripe. We do not store your payment card details. Stripe collects and stores payment card information, billing address, and transaction history. We receive from Stripe: transaction IDs, payment amounts, subscription status, and invoice records.

2.4 Usage Data. We collect information about how you use the Service: pages visited, features used, session duration, and device and browser information (anonymized).

2.5 Technical Data. We collect IP address (anonymized in analytics) and error logs and diagnostic data.

3. How We Use Your Data

3.1 To Provide the Service. We use your data to create and manage your account, generate numerological analyses and reports, process payments and subscriptions, and send transactional emails (confirmations, receipts).

3.2 To Improve the Service. We use your data to analyze usage patterns, fix bugs and errors, develop new features, and ensure security and prevent fraud.

3.3 To Communicate With You. We use your data to respond to support requests, send service announcements, and notify you of important changes.

4. When We Act as a Processor (Business Users)

If you are a Business subscriber using our CRM features to store your clients' data: You are the Controller – you determine the purposes and means of processing your clients' personal data. We are the Processor – we process your clients' data only on your instructions.

As a Controller, you are responsible for ensuring you have a lawful basis to process your clients' data, informing your clients about how their data is processed, responding to your clients' data subject requests, and complying with applicable data protection laws.

Our Data Processing Agreement, incorporated into our Terms of Service, governs this relationship.

5. Legal Bases for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Account data – Performance of contract (Art. 6(1)(b))

Portrait/analysis data – Performance of contract (Art. 6(1)(b))

Payment data – Performance of contract and legal obligation (Art. 6(1)(b), (c))

Usage analytics – Legitimate interest (Art. 6(1)(f))

Error logs – Legitimate interest (Art. 6(1)(f))

Our legitimate interests include improving our Service, ensuring security, and preventing fraud.

6. Data Sharing and Third Parties

6.1 Service Providers (Sub-processors). We share your data with service providers who help us operate the Service:

Google Cloud (Firebase/Firestore) – Data storage, located in EU

Google (Gemini AI) – AI content generation, located in US/EU

Supabase – Authentication, located in EU

Stripe – Payment processing, located in US (EU infrastructure)

Mailgun – Transactional emails, located in EU

Sentry – Error monitoring, located in US

PostHog – Product analytics, located in EU

A current list of sub-processors is available at our Sub-processors page.

6.2 We Never Sell Your Data. We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6.3 Legal Requirements. We may disclose your data if required by law, court order, or to comply with legal obligations, protect our rights and property, prevent fraud or security threats, or respond to government requests.

7. International Data Transfers

7.1 Primary Storage. Your data is primarily stored in the European Union (Google Cloud region europe-west1, Belgium).

7.2 Transfers Outside the EU. Some of our service providers are located in the United States. For these transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and providers' compliance with applicable data protection frameworks. Sub-processors with US operations (Stripe, Sentry, Google) have signed Data Processing Agreements with SCCs.

8. Data Retention

Account data – Until account deletion + 30 days

Portrait/analysis data – Until account deletion + 30 days

Payment records and invoices – 5 years (legal requirement)

Usage analytics – 12 months

Error logs – 90 days

After the retention period, data is permanently deleted unless we are required by law to retain it longer.

9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

9.1 Right of Access (Art. 15). You can request a copy of your personal data we hold.

9.2 Right to Rectification (Art. 16). You can request correction of inaccurate or incomplete data.

9.3 Right to Erasure (Art. 17). You can request deletion of your personal data (right to be forgotten).

9.4 Right to Restrict Processing (Art. 18). You can request that we limit how we use your data.

9.5 Right to Data Portability (Art. 20). You can request your data in a structured, machine-readable format.

9.6 Right to Object (Art. 21). You can object to processing based on legitimate interests.

9.7 Right to Withdraw Consent. Where processing is based on consent, you can withdraw it at any time.

How to Exercise Your Rights. To exercise any of these rights, contact us at: hello@naoa.app. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority. In Poland, this is UODO (Urząd Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland. Website: uodo.gov.pl

10. Children's Privacy

Our Service is intended for users who are at least 16 years old. We do not knowingly collect personal data from children under 16.

If you are under 16, you must have your parent's or guardian's consent to use the Service.

If we learn that we have collected data from a child under 16 without proper consent, we will delete that information promptly. Please contact us at hello@naoa.app if you believe we have data from a child under 16.

11. Cookies and Analytics

11.1 Analytics. We use PostHog for product analytics. PostHog stores data in localStorage (not cookies) and helps us understand how users interact with our Service. You can opt out of analytics tracking in your browser settings or by using privacy-focused browser extensions.

11.2 Authentication. We use essential cookies for authentication purposes (Supabase Auth). These cookies are strictly necessary for the Service to function and cannot be disabled.

11.3 No Advertising Cookies. We do not use third-party advertising or tracking cookies.

12. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (all data is transmitted over HTTPS/TLS), encryption at rest (data stored in Firebase is encrypted), access controls (role-based access with principle of least privilege), and regular security reviews (we monitor and audit our systems).

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date at the top, notify you via email or in-app notification, and post the updated policy on our website.

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: hello@naoa.app

Address: Aleksander Popek, ul. Pawia 3/14, 05-803 Pruszków, Poland

We aim to respond to all inquiries within 30 days.