1. Who We Are
NeuroSpicy is operated by Varnish Labs LLC, a company registered in the State of Washington. When this policy says "we", "us", or "our", it refers to Varnish Labs LLC.
2. Information We Collect
Information you provide
- Account information: Email address, display name, and timezone when you create an account.
- Authentication data: If you sign in with Google, we receive your email and basic profile information from Google. We do not receive or store your Google password.
- Energy and mood logs: The energy ratings (1-10), optional mood ratings (1-10), and time-of-day data you submit during check-ins.
- Activity logs: Activity selections and associated energy/mood ratings when you use activity tracking.
- Profile settings: Your display name, avatar selection, theme preference, notification preferences, and public/private profile setting.
- Push notification subscriptions: Browser push subscription endpoints and keys when you enable notifications.
- Feedback: Any text you submit through the feedback form.
- Friend connections: Friend requests you send or accept.
- Knowledge base content: Articles and sections created by staff members.
Information collected automatically
- Usage analytics: We use Vercel Analytics and Vercel Speed Insights to collect anonymous, aggregated performance data. This does not include personal information or tracking cookies.
- Server logs: Standard web server logs including IP addresses, browser type, and request timestamps. These are retained for security and debugging purposes and are not used for tracking.
3. Health and Fitness Data (Apple Health and Health Connect)
If you choose to connect NeuroSpicy to Apple Health (on iOS) or Health Connect (on Android), we handle that data as described below. These connections are off by default and require your explicit, per-feature permission. You can turn them off at any time in Settings, or revoke access directly in Apple Health or Health Connect.
- Sleep (read access): With your permission, NeuroSpicy reads last night's sleep from Apple Health or Health Connect to show a single line of honest context on your Home screen (for example, "Short night. Ask less of yourself today."). This sleep data is processed entirely on your device. It is never transmitted to our servers, never stored by us, and never shared with anyone. We use only the sleep data type, and only for this on-device feature.
- Mood (write access, iOS only): With your permission, NeuroSpicy can save your mood check-ins to Apple Health as State of Mind entries, so your mood lives alongside the rest of your health data. We only write this data; we do not read it back.
We do not use health or fitness data for advertising, we do not sell it, and we do not share it with third parties or with our service providers. We access only the specific data types listed above, and only for the on-device features described here.
4. How We Use Your Information
We use your information to:
- Operate the Service and provide features you request (check-ins, signals, friends, notifications)
- Compute energy and mood signals from your logged data
- Send check-in reminder notifications at times you configure
- Send email notifications (friend invites, feedback confirmations)
- Improve the Service through aggregated, anonymous analytics
- Respond to your feedback and support requests
We do not:
- Sell your personal information to third parties
- Use your data for advertising
- Share individual user data with researchers or third parties without your explicit consent
- Use your energy or mood data for any purpose other than providing the Service to you
5. Data Storage and Security
Your data is stored in a Supabase-hosted PostgreSQL database with Row Level Security (RLS) enabled on all tables. This means your data is isolated at the database level and can only be accessed through authenticated requests with your credentials.
The Service is hosted on Vercel. Emails are sent through Resend. All data is transmitted over HTTPS.
We implement reasonable security measures to protect your data, but no system is 100% secure. If you become aware of a security vulnerability, please contact us at support@neurospicy.sh.
6. Data Sharing
We share your information only in the following circumstances:
- Public profiles: If you enable a public profile, your display name, avatar, energy logs, and signal data are visible to anyone with your profile link. You can disable this at any time in Settings.
- Friends: Users you connect with as friends can see your current energy, mood, and phase information.
- Service providers: We use Supabase (database), Vercel (hosting), and Resend (email) to operate the Service. These providers process data on our behalf under their own privacy policies. Health and fitness data is excluded; it stays on your device and is never sent to these providers.
- Legal requirements: We may disclose information if required by law, court order, or governmental regulation.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account (available in Settings), we permanently delete your personal data within 30 days, except where retention is required by law.
Energy and mood logs are retained only while your account exists. We do not keep historical data after account deletion. Health and fitness data read from Apple Health or Health Connect is never stored by us, so there is nothing to delete on our side.
8. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Export: Download your data through the Settings page.
- Correction: Update your information through the Settings page.
- Deletion: Delete your account and all associated data through the Settings page.
- Objection: Object to specific processing activities by contacting us.
For users in the European Economic Area (EEA), we process your data based on your consent (which you provide by creating an account and using the Service) and our legitimate interests in operating and improving the Service.
For users in California, you have additional rights under the CCPA, including the right to know what personal information we collect and the right to request deletion. We do not sell personal information.
9. Cookies
NeuroSpicy uses only essential cookies required for authentication (Supabase session cookies). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
A local storage item is used to remember your selected theme preference. This is not shared with any external service.
10. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.
11. International Data Transfers
Your data is processed and stored in the United States through our service providers (Supabase, Vercel). If you are accessing the Service from outside the United States, you consent to the transfer of your data to the United States.
12. Future Use of Aggregated Data
We may in the future use aggregated, anonymized data (data that cannot be used to identify individual users) for research purposes, such as studying neurodivergent energy patterns at a population level. If we do so, we will update this policy. Individual user data will never be shared without explicit consent. Health and fitness data is excluded from any such use, since it never reaches our servers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at support@neurospicy.sh.