How we handle your data.
Last updated: 2026-04-28
1. Who we are
Nunca (“we,” “us,” “our”) is operated by Yzzy LLC, a California limited liability company, the data controller for this service. Contact: hi@nunca.app. The service is accessible at nunca.app.
We are a small operator outside the scope of mandatory Data Protection Officer appointment under GDPR Art. 37, but we take privacy seriously and you can contact us directly at the email above for any privacy matter.
2. What data we collect
Session data (all users)
- Your platform selections (Netflix, HBO, Prime, etc.), country, preferred language, and optional mood filter.
- Your 12 reactions to shows during profiling (Seen It / Loved / Didn’t / Curious / Pass) and the step-1 / step-2 tap latencies, used internally to improve recommendation quality. We never display this back to you or share it externally.
- Your generated taste DNA (a short AI-generated text describing your taste) and the 15 recommendations we produce.
- IP address — used briefly for rate limiting and approximate country detection. We never store the raw IP; only a short-lived hashed counter is kept (about an hour), and the edge layer discards the IP after the request.
- Anonymous usage events — page loads, button taps, funnel progress. Never contains personal data. Used to improve the product.
Data collected only if you sign in with Google
- Your Google account email, display name, and profile photo URL. We only receive what you explicitly consent to on the Google OAuth screen. We have no access to contacts, Calendar, Drive, or any other Google service.
- Your saved taste DNA, ratings, and session history, linked to your user ID so you can return later and retrieve your saved picks.
Data collected only if you opt in to the email digest
- Your email address and the session it was collected from, with your preferred language. We use it solely for the weekly digest you opted into; you can unsubscribe at any time from any digest email.
3. Why we collect it — legal bases (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — processing your reactions to generate your taste DNA and recommendations is the core service you request.
- Legitimate interest (Art. 6(1)(f)) — anonymous usage analytics, rate limiting, bot protection, and internal quality metrics (reaction timing). We balance our interest in operating a reliable service against your privacy.
- Consent (Art. 6(1)(a)) — Google sign-in and email digest subscription are opt-in only. You can withdraw consent at any time by signing out or unsubscribing.
4. Who processes your data on our behalf
We use a limited set of third-party processors, each under their own data-protection terms. We do not sell your data to any party and we do not share it for advertising.
- AI services for recommendation generation. Your data is processed for that purpose only and is not used to train AI models.
- Infrastructure and hosting providers for the application, database, authentication, and edge security.
- Content metadata services for show information. We send only show identifiers, not personal data.
- Analytics services for anonymous, cookie-less usage statistics.
- Email delivery services (only if you opt in to the email digest).
We have data processing agreements with all our processors. A current list of named sub-processors is available on request to hi@nunca.app.
5. International transfers
Most of our processors are based in the United States. For data subjects in the European Economic Area or United Kingdom, we rely on lawful transfer mechanisms our processors have in place, such as Standard Contractual Clauses or participation in the EU-U.S. Data Privacy Framework where applicable. You may request more details by emailing us at hi@nunca.app.
6. How long we keep it
- Sessions (reactions + DNA + recommendations): 90 days from last activity, then automatically deleted. If you sign in, your saved sessions are retained for as long as your account exists.
- Analytics events: 90 days, then aggregated and personal references deleted.
- Prompt logs (internal quality metrics): 180 days.
- IP hashes / rate-limit counters: 1 hour sliding window.
- Email subscriptions: kept until you unsubscribe. Within 30 days after unsubscribing, your email is purged.
7. Your rights
Under GDPR, CCPA, Dominican Law 172-13 and similar regimes, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure (“right to be forgotten”) — request deletion. For signed-in users, deletion includes all past sessions. For anonymous users, include your result URL so we can find the row.
- Portability — receive your data in a machine-readable format (JSON).
- Objection — object to processing based on legitimate interest (notably analytics).
- Withdraw consent — unsubscribe from email, sign out of Google (which disconnects the app from your Google account).
- Complaint — lodge a complaint with your supervisory authority (for EU users: your national Data Protection Authority; for California users: the California Privacy Protection Agency; for Dominican users: INDOTEL).
To exercise any right, email hi@nunca.app. We reply within 30 days.
8. California residents (CCPA / CPRA)
In the last 12 months, we have not sold or shared (for cross-context behavioral advertising) any personal information within the meaning of the CCPA. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age. You have the right to know, delete, correct, and (were we ever to engage in sale or sharing) opt out — email us to exercise any of these.
9. Children — age thresholds
Nunca is not directed at children under 13 (COPPA standard, United States). For users in the European Union, the minimum age is 16 unless local law sets a lower threshold. We do not knowingly collect personal information from anyone below the applicable threshold. If you believe a child below the applicable threshold has provided us personal information, contact us and we will delete it promptly.
10. Cookies and local storage
We use browser localStorage to keep your Google sign-in session persistent and to remember your current profiling session across page refreshes. We do not set any cross-site or advertising cookies. Our analytics provider uses a privacy-preserving, cookie-less model.
11. Security
All traffic is served over HTTPS. Sensitive credentials are stored as encrypted environment variables managed by our hosting provider. Database row-level security ensures users can only read/write their own rows. We apply rate limiting, input validation, bot protection, and a honeypot field to deter abuse. No system is perfectly secure; we will notify affected users and, where legally required, supervisory authorities without undue delay if we become aware of a breach.
12. AI recommendations — what you should know
Your reactions and taste DNA are processed by a large language model. The output is algorithmic, not reviewed by a human, and may be inaccurate. We do not use your data to train AI models, and our AI processor does not retain prompts for training under their API terms. The taste DNA is a creative description and should not be treated as objective fact about you.
13. Changes to this policy
We may update this policy. For material changes we will update the “Last updated” date at the top and, where the change significantly affects your rights, notify you by email if you have provided one.
14. Contact
Questions, requests, or complaints: hi@nunca.app.