Privacy Policy

Last Updated: February 9, 2026

Who We Are

Data Controller: Ilya Tsymbal

Address: Room 1603F, Block A White Rose View, 16 Merrion Way, Leeds LS2 8PT, United Kingdom

What Data We Collect

Data Stored on Your Device

All your personal content is encrypted and stored locally on your device. Providing data is your choice. The app works fully offline without sending anything to our servers.

Journal entries
Tasks and commitments
Notification settings
App preferences

Data We Process

When you request an AI report, we process:

Journal text and task data - sent to generate your report
IP address - temporarily held for rate limiting (5 minutes)
Device identifier - anonymous UUID for abuse prevention (30 days)

Anonymous Analytics

We collect anonymous usage signals (e.g., "app opened", "report generated") through TelemetryDeck. No personal content or identifiers are collected.

Why We Process Your Data

AI Report Generation - Legal basis: Contract (you request it, we provide it)
Rate Limiting & Abuse Prevention - Legal basis: Legitimate interests (protecting service availability)
Anonymous Analytics - Not personal data under GDPR (fully anonymized)

Who Receives Your Data

Anthropic (USA) : AI processing. Retention: 30 days. Not used for training.
Railway (EU) : Backend hosting. Data transits but is not stored.
TelemetryDeck (EU) : Anonymous analytics only.
Apple - Optional iCloud backup (encrypted, controlled by you).

Data transferred to the USA (Anthropic) is protected under the EU-US Data Privacy Framework.

Data Retention

Data on your device - Controlled by you (delete anytime in Settings)
IP addresses - 5 minutes (our servers)
Device identifier - 30 days (our servers)
Anthropic - Up to 30 days

Your Rights

Under data protection law, you have the right to:

Access your personal data
Correct inaccurate data
Delete your data
Restrict processing
Data portability - export your data
Object to processing based on legitimate interests

Since your data is stored locally, you can access, edit, export, or delete it directly in the app (Settings).

To exercise any right or ask questions: support@nightmare.app

We respond within 1 month.

Complaints

If you have concerns about how we handle your data:

Contact us: support@nightmare.app
UK: Information Commissioner's Office
EU: Your local Data Protection Authority

AI-Generated Content

Reports are generated using artificial intelligence (Anthropic). This is not automated decision-making that produces legal effects. It's a tool you choose to use.

Important: This app is not therapy, medical advice, or mental health treatment. The AI is not a licensed professional. Do not use it for crisis situations, diagnosis, or treatment decisions. If you need support, contact a mental health professional or emergency services.

Data Security

AES-256-GCM encryption for local data
TLS 1.3 for data in transit
Encryption keys stored in iOS Keychain
No user accounts or passwords to compromise

Children & Young Users

Nightmare is for users aged 13 and older. We do not knowingly collect personal data from anyone under 13. If we discover that a child under 13 has used the app, we will delete any personal data we hold promptly.

Parental Consent

In jurisdictions where the age of digital consent is higher than 13 (up to 16 in parts of the EU/EEA), users below that threshold require verifiable parental or guardian consent before using features that send data to third parties, such as AI report generation. Parents or guardians who provide consent take responsibility for the minor's use of those features.

Parents and guardians have the right to:

Review the personal data processed in connection with their child's use
Request deletion of their child's data
Withdraw consent at any time

To exercise these rights: support@nightmare.app

For US Residents

We do not sell your personal information. We do not share personal information for targeted advertising.

You have the right to:

Know what personal information we collect and how it's used
Request correction of inaccurate information
Request deletion of your data
Opt out of any sale of personal information (we don't sell)

We will never discriminate against you for exercising these rights.

Residents of California, Virginia, Colorado, Connecticut, Indiana, Kentucky, Rhode Island, and other states with privacy laws: contact us to exercise your rights.

Changes to This Policy

We may update this policy. Check this page for the latest version.