Privacy Policy
Last updated: 2026-06-30
This Privacy Policy explains how nottoobad ("we", "us") processes your personal data when you use nottoobad (nottoobad.io). We follow the EU General Data Protection Regulation (GDPR).
Data controller: nottoobad. Contact for any privacy request: hello@nottoobad.io.
1. What data we process
- Account data: your email address, used to sign you in via a magic link.
- Financial profile (optional): your hourly rate (stored encrypted), savings goal, emergency-fund target and currency. You provide these to get personalised calculations.
- Conversations: the messages you exchange with the AI conscience and the related purchase sessions.
- Technical data: IP address, browser/user-agent and request logs, used for security, anti-abuse and to keep the service running.
- Consent records: the cookie choices you make, with a timestamp and a hashed identifier, kept as proof of consent.
2. Why we process it (legal bases)
- To provide the service and your account (Art. 6(1)(b) — contract).
- To generate AI replies and financial calculations you ask for (Art. 6(1)(b)).
- To keep the service secure and prevent abuse/fraud, including bot detection and rate limiting (Art. 6(1)(f) — legitimate interest).
- To remember non-essential preferences only where you consent (Art. 6(1)(a)).
- To comply with legal obligations where applicable (Art. 6(1)(c)).
3. AI processing of your messages
Your chat messages are sent to Google Cloud Vertex AI (Gemini) to generate replies. Treat the chat as you would any online form: please do not share data you wouldn't want processed by a third-party AI provider.
The AI gives opinions to help you reflect on a purchase. It is not professional financial advice and may be inaccurate.
4. Who we share data with (sub-processors)
We use trusted providers that process data on our behalf: hosting and privacy-friendly analytics (Vercel), authentication and database (Supabase, hosted in the EU), AI (Google Cloud Vertex AI), bot protection (Cloudflare Turnstile), rate-limit storage (Upstash), transactional email (Resend — sends the account-deletion and tokens-ready notices to your email address), and, when a product page blocks the direct fetch, a fallback reader that receives the URL you paste (Jina AI). A current list is in the Cookie Policy and in our compliance documentation.
Some providers may process data outside the EU under appropriate safeguards (e.g. Standard Contractual Clauses). We never sell your data.
5. How long we keep it
- Account, profile and conversations: until you delete them or close your account.
- Anti-abuse counters: up to 24 hours.
- Consent records: up to the consent's validity (1 year) plus a reasonable period as proof.
- Server logs: a limited retention set by our hosting provider.
6. Your rights
You can request access, rectification, erasure, restriction, portability and object to processing. You can also withdraw consent at any time (this doesn't affect prior processing).
To exercise any right, email hello@nottoobad.io. You also have the right to lodge a complaint with your data-protection authority (in Spain, the AEPD).
7. Security
Access to your data is protected by row-level security; sensitive financial fields (your hourly rate) are encrypted with AES-256-GCM before storage. We apply same-origin checks, bot protection and rate limiting to the service.
8. Children
The service is not directed to people under 16. If you are under 16, please do not use it without the consent of a holder of parental responsibility.
9. Changes
We may update this policy. Material changes will be reflected by the effective date above and, where appropriate, by asking you to review your cookie choices again.