Nightmare is a free AI self-development app that respects your privacy. This Privacy Policy explains what information we collect, how we use it, and your privacy rights.
We comply with privacy laws globally, including UK GDPR, EU GDPR, CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), PIPEDA (Canada), APPI (Japan), Australian Privacy Principles, and India DPDPA (monitoring for enforcement).
Who We Are
Data Controller:
Name: Ilya Tsymbal (individual developer)
Correspondence Address: Room 1603F, Block A White Rose View, 16 Merrion Way, Leeds LS2 8PT, United Kingdom
For UK and EU Users:
This policy complies with UK GDPR and EU GDPR Article 3(2). The data controller operates from the United Kingdom. You can contact us at the correspondence address above.
Information We Collect
We practice strict data minimization and collect only what is necessary to provide our service.
1. Account Information
When you create an account via Apple Sign-In or Google Sign-In:
User ID (unique identifier)
Email address
Display name
Profile picture (if provided by Apple or Google)
Authentication provider (Apple or Google)
Account creation and last sign-in dates
2. Chat Messages and Usage Data
To provide AI self-development services:
Chat messages (encrypted client-side before storage)
Chat metadata (titles, creation dates, last updated)
Message and chat identifiers (technical UUIDs for database operations)
Total token usage counter (for service management)
Account activity information (last active timestamp, account creation date)
3. Device Fraud Prevention
To prevent abuse and ensure fair access for all users, we implement hardware-based device attestation:
What We Collect:
Device attestation data using Apple's App Attest API (hardware-backed cryptographic proof)
Non-reversible cryptographic hash derived from device hardware key (SHA-256 hash of App Attest key_id)
Attestation validation timestamps
Attestation counter (tracks number of attestations for security integrity)
Attestation status information (active/revoked status, revocation timestamps and reasons if applicable)
Attestation challenges (used during validation process, marked as expired/used after validation but retained until account deletion for security audit purposes)
Enforce daily usage limits per device (not per user account) - this means limits are tied to your physical device, not your user account. Multiple accounts on the same device share the same daily quota.
Prevent spam account creation and quota gaming (users creating multiple accounts to bypass limits)
Ensure service availability and sustainability for all users
How It Works:
When you sign in, your device generates a cryptographic proof using Apple's Secure Enclave (hardware security chip)
We create a non-reversible hash from this proof to identify your device
This hash cannot be traced back to you, your device model, or any personal identifiers
Multiple accounts can be used on the same device (each has separate encryption keys)
Retention After Account Deletion:
When you delete your account, the device hash is retained for 1 week to prevent spam account creation and quota abuse. After 1 week of inactivity, the hash is automatically and permanently deleted.
Re-registration:
If you create a new account on the same device within 1 week, the deletion countdown is cancelled and the device quota is reactivated for your new account.
Note: This is NOT device fingerprinting or tracking. We do not collect device identifiers (IDFA, IDFV), device models, operating system versions, or any information that can identify your physical device. The cryptographic hash is pseudonymised and cannot be reversed.
4. Technical Data for Security
For rate limiting and abuse prevention:
IP addresses (temporary, in-memory only)
How We Use IP Addresses:
Rate limiting to prevent API abuse and DDoS attacks
Stored in server memory only
Automatically deleted after 5 minutes
NOT stored in database
NOT linked to your user account
Retention: 5 minutes (our rate limiter)
Information We Do NOT Collect
Phone numbers
Device identifiers (IDFA, IDFV) or device fingerprinting
Device models, operating system versions, or hardware specifications
Location data or geolocation
Third-party analytics, tracking, or behavioral data
Advertising or marketing data
Cookies or web tracking technologies
Biometric data
Date of birth or age
Health, medical, racial, ethnic, political, or religious information
Sensitive personal information as defined by CCPA
Payment information (app is completely free)
Requirement to Provide Information
Contractual Requirement:
Providing your account information (email, display name) is necessary to create an account and use our service. A unique user identifier is automatically assigned by our authentication system. Device attestation is required to prevent abuse of our free service. Without this information, we cannot provide AI self-development services to you.
Voluntary Information:
All other information (chat messages, usage data) is provided voluntarily through your use of the service.
Consequences of Not Providing Data:
Account Information: Cannot create account or access service
Chat Messages: Cannot receive AI self-development responses
Device Attestation: Cannot use service (required for fraud prevention)
Legal Basis for Processing Your Data
This section provides a comprehensive overview of how we process your personal data, the legal basis for each processing activity, and how long we retain it.
Purpose: Account Creation & Management
Personal Data Collected: User ID, email address, display name, profile picture (if provided), authentication provider, account creation and last sign-in dates
Legal Basis (GDPR): Performance of contract (Article 6(1)(b)) - necessary to provide you with an account and access to services
Retention Period: Immediate deletion at account deletion

Purpose: AI Self-Development Services
Personal Data Collected: Chat messages (encrypted client-side), chat metadata (titles, dates), message and chat identifiers, message content sent to AI provider
Legal Basis (GDPR): Performance of contract (Article 6(1)(b)) - necessary to provide AI self-development responses
Retention Period: Immediate deletion at account deletion (our database). Anthropic retention: up to 30 days (messages sent to AI)

Purpose: Usage Management & Fair Access
Personal Data Collected: Daily usage cost tracking, total token usage counter, account activity information (last active timestamp, creation date)
Legal Basis (GDPR): Performance of contract (Article 6(1)(b)) + Legitimate interests (Article 6(1)(f)) - enforcing fair daily limits and preventing service abuse

Legal Basis (GDPR): Legitimate interests (Article 6(1)(f)) - preventing spam accounts, quota gaming, and ensuring service sustainability for all users. See detailed balancing test below.
Retention Period: Attestation data & challenges: deleted immediately at account deletion. Device hash & quota data: retained for 1 week after account deletion, then permanently deleted

Purpose: Rate Limiting & DDoS Protection
Personal Data Collected: IP addresses (in-memory processing only)
Legal Basis (GDPR): Legitimate interests (Article 6(1)(f)) - protecting service from API abuse and ensuring availability
Retention Period: 5 minutes (our rate limiter)

Purpose: iCloud Keychain Sync
Personal Data Collected: Encryption keys for your messages
Legal Basis (GDPR): N/A - Controlled by Apple, not Nightmare. Subject to Apple's Privacy Policy. Optional - can be disabled in iOS Settings.
Retention Period: Controlled by Apple (your personal iCloud account)

Understanding Legal Bases
Performance of Contract (Article 6(1)(b)):
This means processing is necessary to provide you with the service you signed up for. For example, we need your email to create your account, and we need to process your messages to generate AI self-development responses. Without this processing, we cannot deliver the service to you.
Legitimate Interests (Article 6(1)(f)):
This means we have a legitimate reason to process your data, but we must balance our interests against your privacy rights. We use this basis only when:
The processing benefits both you and us (e.g., preventing fraud ensures service sustainability)
The impact on your privacy is minimal (e.g., non-reversible hashes, temporary IP storage)
We implement safeguards to protect your rights (e.g., automatic deletion, data minimization)
Right to Object:
Where we rely on legitimate interests, you have the right to object to the processing. Contact support@nightmare.app to exercise this right. Note that objecting to fraud prevention processing may prevent you from using the service.
For the 1-week device hash retention after account deletion, we conducted a thorough balancing test:
1. Our Legitimate Interest:
Preventing abuse of our free service (spam account creation, quota gaming)
Ensuring service sustainability and availability for genuine users
Protecting against fraudulent use that could exhaust AI processing resources
2. Necessity Test:
Data minimization: Only a non-reversible cryptographic hash and associated device quota data are retained (not device identifiers, models, or personal data)
Purpose limitation: Hash and quota data used solely for device-level quota enforcement, not tracking or profiling
Alternatives considered: Shorter retention periods would allow immediate re-abuse; longer periods would be disproportionate
1-week period rationale: Balances fraud prevention needs with data minimization (sufficient to prevent immediate quota gaming without excessive retention)
3. Balancing Test (Your Rights vs. Our Interest):
Impact on you: Minimal - the hash is pseudonymised, non-reversible, and cannot identify you or your device
Your reasonable expectations: Users expect free services to implement reasonable abuse prevention measures
Safeguards implemented:
Automatic deletion after 1 week of inactivity (not indefinite retention)
Reactivation trigger cancels deletion if you return (respects legitimate re-use)
No tracking, profiling, or cross-device linking
Hash cannot be reversed to identify your physical device
Your rights protected: You can request confirmation of device hash retention status and deletion timeline under Right to Access
Conclusion: The 1-week retention is proportionate, necessary, and includes appropriate safeguards. Your privacy rights are minimally impacted while protecting service sustainability for all users.
How We Use Your Information
We use your information solely to provide and improve our free AI self-development service:
Account management: Creating, maintaining, and securing your account
AI self-development: Processing your messages to generate AI responses
Usage management: Enforcing fair daily limits to ensure service sustainability
Fraud prevention: Preventing abuse, spam accounts, and quota gaming
What We Do NOT Do
Sell your personal information
Share your information for advertising or marketing
Use your data for cross-context behavioral advertising
Track you across other websites or apps
Charge for the service (app is completely free)
Encryption and AI Processing
Client-Side Encryption
Your chat messages are encrypted on your device using AES-256-GCM encryption before being stored. Encryption keys are stored securely in your iOS Keychain with hardware-backed security and synced via iCloud Keychain for multi-device access. Our database stores only encrypted messages - we cannot read your stored messages.
iCloud Keychain Sync:
Who controls it: Apple, Inc. controls iCloud Keychain sync (not Nightmare or the developer)
Where keys sync: Encryption keys sync to your personal iCloud account across your signed-in Apple devices
Your control: You can disable iCloud Keychain sync at any time in iOS Settings → [Your Name] → iCloud → Passwords and Keychain → toggle off
Effect of disabling: Disabling iCloud Keychain will prevent encryption keys from syncing to other devices. You will only be able to access your encrypted messages on the device where the keys are stored.
AI Processing
When you interact with our AI self-development assistant:
Your device decrypts messages locally
Decrypted messages are sent to Anthropic's Claude API for AI processing
Messages are processed by Anthropic's AI service to generate responses
Anthropic retains messages for up to 30 days (standard commercial API retention)
Your data is NOT used for AI model training (per Anthropic's policy)
Third-Party Service Providers
We work with carefully selected processors under data processing agreements with appropriate safeguards:
1. Supabase (Database and Authentication)
Location: United Kingdom (London)
Purpose: Database hosting and user authentication
Safeguards: Data Processing Agreement in place, EU Standard Contractual Clauses, UK IDTA
2. Anthropic (AI Processing)
Location: United States/Ireland (based on user location: Anthropic Ireland, Limited for UK/EEA/Swiss users; Anthropic, PBC for other regions)
Purpose: AI message processing and response generation
Data Retention: 30 days maximum
Training Policy: Your data is NOT used to train AI models
Safeguards: Data Processing Agreement in place, UK-US Data Privacy Framework, Standard Contractual Clauses
3. Railway (Backend Hosting)
Location: European Union (Amsterdam, Netherlands)
Purpose: Backend application hosting and API infrastructure
Data Processed: Processes all API requests, including temporary processing of messages in server memory before forwarding to AI service
Retention: Messages are processed in memory only (not persisted)
Safeguards: Data Processing Agreement in place, EU GDPR compliant, data processed in EU region
4. Apple (Authentication and App Distribution)
Location: Global
Purpose: Apple Sign-In authentication and App Store distribution
Safeguards: Apple's Privacy Policy and App Store Terms
International Data Transfers
Your data may be transferred outside your country of residence.
For UK and EU Users:
Supabase: Data stored in UK (London) - adequate protection under UK GDPR
Railway: Backend hosted in EU (Amsterdam, Netherlands) - adequate protection under EU GDPR
Anthropic: UK/EEA users contract with Anthropic Ireland, Limited; data transfers protected by UK-US Data Privacy Framework and Standard Contractual Clauses
Data Controller (UK-based): The controller operates from the United Kingdom.
All transfers comply with GDPR Chapter V requirements, ensuring equivalent protection regardless of processing location.
Geographic Restrictions
Due to technical and legal restrictions imposed by our AI service provider (Anthropic), U.S. export controls, and compliance requirements, the Nightmare App is not available in the following countries and territories:
Restricted Countries and Territories (29 total):
Anguilla, Belarus, Bermuda, Brazil, British Virgin Islands, Cayman Islands, China (mainland), Congo (Democratic Republic of the), Cuba, France, Hong Kong, Iran, Kosovo, Libya, Macau, Mali, Montserrat, Myanmar (Burma), Nicaragua, North Korea, Russia, South Africa, South Korea, Syria, Turkey (Türkiye), Turks and Caicos Islands, Ukraine (Crimea, Donetsk, Kherson, Luhansk, and Zaporizhzhia regions), Venezuela, Yemen
If you are located in or attempt to use the service from these restricted regions, you will not be able to access AI self-development features. This restriction is based on U.S. export controls, OFAC sanctions compliance requirements, technical limitations imposed by our service providers, and regulatory compliance requirements.
AI Transparency (Preparing for EU AI Act)
In preparation for EU AI Act Article 50 (effective 2 August 2026):
Device attestation data and attestation challenges
Device quota retention: Non-reversible device hash and device quota data retained for 1 week to prevent spam account creation, then automatically deleted
Anthropic retention: Messages sent to Claude API are deleted within 30 days maximum
Irreversible: Account deletion cannot be undone
Device Quota Retention Period:
After you delete your account, the device hash and device quota data remain in our system for 1 week to prevent abuse. This countdown is automatically cancelled if you create a new account on the same device. After 1 week of inactivity, the hash and quota data are permanently and automatically deleted.
Right to Access - Request a copy of your personal data
Right to Rectification - Correct inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten") - Request deletion of your data
Right to Restriction of Processing - Limit how we use your data
Right to Data Portability - Receive your data in a portable format
Right to Object - Object to certain types of processing
Right to Withdraw Consent - Withdraw consent at any time
Right to Lodge a Complaint - Complain to the ICO (UK) or your local Data Protection Authority (EU)
Response Time: Within 1 month (extendable to 3 months for complex requests)
Data Access Format: JSON format including account information, encrypted messages, device attestation status, and retention information
Note on Device Hash: Due to the pseudonymised and non-reversible nature of the device hash, we cannot provide the original device identifier. We can confirm whether a device hash associated with your account is being retained and when it will be automatically deleted.
For California Residents (CCPA/CPRA Rights):
Right to Know - Request disclosure of personal information collected and shared
Right to Delete - Request deletion of your personal information
Right to Correct - Request correction of inaccurate information
Right to Opt-Out - (Not applicable - we do NOT sell or share data for advertising)
Right to Non-Discrimination - Exercise rights without discriminatory treatment
Response Time: Within 45 days (extendable to 90 days if needed)
Important: We do NOT sell your personal information and have NOT sold personal information in the preceding 12 months. We do NOT share your information for cross-context behavioral advertising.
For Virginia, Colorado, and Connecticut Residents:
Right to Confirm - Confirm whether we process your personal data
Right to Access - Access your personal data
Right to Delete - Delete your personal data
Right to Data Portability - Obtain a portable copy of your data
Right to Opt-Out - (Not applicable - we do NOT engage in targeted advertising or data sales)
Right to Appeal - Appeal our decision regarding your request
Appeal Process: Reply to our response email within 30 days. We will respond to appeals within 60 days.
For Utah Residents:
Right to Confirm - Confirm whether we process your personal data
Right to Access - Access your personal data
Right to Delete - Delete your personal data
Right to Data Portability - Obtain a portable copy of your data
Right to Opt-Out - (Not applicable - we do NOT engage in targeted advertising or data sales)
Note: Utah law does not provide a right to appeal denied requests.
For Canadian Users (PIPEDA Rights):
Right to Access - Access your personal information
Right to Correct - Correct inaccurate or incomplete information
Right to Withdraw Consent - Withdraw consent for data processing
Right to Complain - File a complaint with the Privacy Commissioner of Canada
For Japanese Users (APPI Rights):
Right to Disclosure - Request disclosure of your personal information
Right to Correction - Request correction of inaccurate data
Right to Deletion - Request deletion in certain circumstances
Right to Stop Use - Request suspension of use or provision to third parties
For Australian Users (Privacy Act Rights):
Right to Access - Access your personal information
Right to Correction - Correct inaccurate or out-of-date information
Right to Complain - Complain to the Office of the Australian Information Commissioner
Row-Level Security (RLS) - Database-level access controls ensuring users can only access their own data
Secure authentication - OAuth via Apple and Google
Hardware-backed attestation - Apple App Attest with Secure Enclave for device verification
Minimal access - Only authorized processors have access to necessary data
Limitations:
No system is 100% secure. We cannot guarantee absolute security of data transmitted over the internet. You are responsible for maintaining the confidentiality of your account credentials and protecting your device.
Data Breach Response:
In the event of a data breach that poses a risk to your rights:
We will notify the relevant supervisory authority within 72 hours (where required)
We will notify affected users without undue delay if the breach poses a high risk
Age verification: Apple's App Store age gate handles age verification at download. Users must confirm they are 18+ to download the app.
Minimum age: You must be at least 18 years old to use Nightmare
Compliance: We do not knowingly collect information from individuals under 13 (COPPA - US) or under 18 (our policy)
Parental Notice:
If you believe your child has provided us with personal information, contact support@nightmare.app. We will delete such information immediately upon verification.
Do Not Track Signals
We do NOT track you across websites or apps, use cookies, or engage in behavioral advertising. We honor Do Not Track (DNT) signals by default because we don't track in the first place.
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
Notification of Changes:
Material changes: We will notify you via email or in-app notification
Effective date: Changes become effective on the "Last Updated" date at the top of this policy
Continued use: Your continued use after changes constitutes acceptance
We encourage you to review this policy periodically. Previous versions are available upon request.
Complaints and Supervisory Authorities
If you believe we have not handled your personal information properly, you have the right to lodge a complaint with the relevant supervisory authority:
UK Users: Information Commissioner's Office
EU Users: Your local Data Protection Authority
Australian Users: Office of the Australian Information Commissioner
Other Jurisdictions: Contact your local data protection authority or consumer protection agency
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us: