Privacy Policy

Last updated: December 24, 2024

1. Introduction

Welcome to Nook ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our reading application and services.

This policy applies to all information collected through our website, mobile application, and any related services, sales, marketing, or events (collectively, the "Services").

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, and password when you create an account
  • Profile Information: Optional profile details you choose to provide
  • Content: Articles, documents, and reading materials you import into Nook
  • Reading Data: Bookmarks, highlights, notes, and reading progress
  • Payment Information: Billing details processed securely through Stripe
  • Communications: Messages you send to our support team

2.2 Information Collected Automatically

  • Usage Data: How you interact with our Services, including reading patterns and preferences
  • Device Information: Device type, operating system, and browser type
  • Log Data: IP address, access times, and pages viewed
  • Cookies: Session cookies for authentication and preferences

2.3 Browser Extension Data

If you use our browser extension:

Data Sent to Nook Servers

  • Article Content: When you save an article, we extract and send the article text, title, author, and source URL to provide our reading features
  • Subscription Queries: We check your subscription status to display usage limits

Data Stored Locally on Your Device

  • Authentication Data: Your user ID, email, display name, and session tokens are stored locally to keep you signed in
  • Recent Imports: The last 10 articles you imported (title, URL, file ID) are stored locally for quick access

Page Analysis

To detect readable articles, the extension analyzes page structure when you visit websites. This analysis happens entirely on your device and includes checking for article elements, headings, and paragraph content. No data from this analysis is sent to our servers unless you explicitly choose to save an article.

What We Do NOT Collect

  • Browsing history or pages you visit (unless you save them)
  • Data from pages you don't choose to import
  • Passwords or sensitive form data from other websites

2.4 Information from Third Parties

  • Google OAuth: If you sign in with Google, we receive your email address and name from your Google account
  • Payment Processors: Stripe provides us with transaction confirmations (not full card numbers)

3. How We Use Your Information

We use your information for the following purposes:

  • Provide, operate, and maintain our Services
  • Process your transactions and manage your subscription
  • Personalize your reading experience and preferences
  • Generate AI-powered summaries and reading aids (processed securely)
  • Sync your reading progress across devices
  • Send you service-related communications
  • Respond to your inquiries and provide customer support
  • Improve and develop new features
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your data based on:

  • Contract Performance: To provide the Services you requested
  • Legitimate Interests: To improve our Services and ensure security
  • Consent: When you opt in to optional features or marketing
  • Legal Obligation: To comply with applicable laws

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

  • Service Providers: Third parties that help us operate our Services (hosting, payment processing, analytics)
  • AI Providers: To generate summaries and reading aids (data is processed securely and not stored by providers)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

Our Service Providers

  • Supabase: Database and authentication (US-based, GDPR compliant)
  • Stripe: Payment processing (PCI-DSS compliant)
  • Vercel: Hosting infrastructure
  • OpenAI/Anthropic: AI features (data not retained for training)

6. Your Rights

6.1 GDPR Rights (EEA, UK, Switzerland)

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Revoke consent at any time

6.2 CCPA Rights (California Residents)

  • Know: Request disclosure of data collected about you
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Non-Discrimination: Equal service regardless of exercising rights

6.3 Other US State Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other states with privacy laws have similar rights to access, delete, and correct their data. Contact us to exercise these rights.

7. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Until you delete your account
  • Reading Content: Until you delete it or your account
  • Transaction Records: 7 years for tax/legal compliance
  • Analytics Data: Aggregated and anonymized after 24 months

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure authentication with password hashing
  • Regular security audits and monitoring
  • Access controls and employee training
  • Incident response procedures

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all service providers
  • Compliance with applicable data transfer frameworks

10. Cookies and Tracking

We use essential cookies for authentication and functionality. We do not use third-party advertising cookies. You can manage cookies through your browser settings.

11. Children's Privacy

Our Services are not intended for children under 13 (or 16 in the EEA). We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Services. Your continued use after changes constitutes acceptance.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Nook

Email: support@nook.app

You also have the right to lodge a complaint with your local data protection authority.