Privacy Policy

Nyota ("we," "our," or "the app") is a mobile application that helps families organize events, manage guest lists, record gifts, and preserve relationship memories. Nyota is developed and operated by TheNyota.app, headquartered in Bangalore, India.

This Privacy Policy explains what personal information we collect when you use the Nyota mobile application and website at thenyota.app, how we use it, and the choices you have regarding your information.

This Policy applies to all users worldwide, including users in the European Union (EU), United Kingdom (UK), India, and other jurisdictions. Where local laws grant you additional rights, those rights apply in full — this Policy is written to meet or exceed the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, India's Digital Personal Data Protection Act 2023 (DPDP Act), and other applicable privacy laws.

By downloading or using Nyota, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the app.

We collect only what is necessary to provide the Nyota service. Below is a complete description of every category of information we may collect.

We do not collect sensitive personal data categories such as racial or ethnic origin, religious beliefs, health data, biometric data, or financial account numbers.

When you choose to add a guest to an event, Nyota provides two options:

• Manual Entry: Type the contact's name and phone number directly — no phone contact access required.
• Import from Contacts (Optional): Opens the native iOS or Android system contact picker, where you select individual contacts one at a time.

Contact access is entirely optional. You can use every feature of Nyota — including full event management, guest tracking, and gift recording — without ever granting contact permission, simply by entering contact information manually.

You may revoke contact permission at any time through your device's Settings → Privacy & Security → Contacts → Nyota. Revoking permission does not delete contacts already imported; it only prevents future imports via the phone picker.

Under the EU GDPR and UK GDPR, we are required to identify a lawful basis for each type of personal data processing we conduct. Under India's DPDP Act 2023, processing requires either consent or a legitimate use recognised by law. The table below documents our lawful basis for each processing activity.

Where we rely on consent as the lawful basis, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted before withdrawal. You can withdraw consent by adjusting permissions in your device settings or by deleting your account.

We use the information we collect only for the following purposes:

• Providing the Service: Creating and managing your events, guest lists, contact records, and gift entries.
• Authentication: Verifying your identity via phone OTP to keep your account secure.
• Relationship Features: Displaying relationship history, gift reciprocity records, and event participation history within your private account.
• Invitations & RSVP: Generating shareable invite links and managing RSVP responses from your guests.
• Push Notifications: Sending you event reminders and relevant alerts (only if you have enabled notifications).
• App Improvement: Using anonymised, aggregated usage data to identify bugs, improve performance, and develop new features.
• Legal Compliance: Meeting our obligations under applicable law, including responding to lawful requests from authorities.

We will not use your data for any purpose not listed above without first obtaining your explicit consent or as otherwise required by law.

Your data is stored on Supabase, a secure cloud database platform using PostgreSQL. Our primary data region is Asia Pacific (Singapore / ap-southeast-1). All data is stored in encrypted form at rest and in transit (TLS 1.2+).

• Row-Level Security (RLS): Database-level access controls ensure you can only access your own data. No user can view another user's records.
• OTP Authentication: Login requires a one-time password sent to your registered phone number. We do not use passwords.
• Service Role Keys: Admin-level database keys are used exclusively within secure server-side Edge Functions — never exposed to the client app.
• Image Storage: Profile photos and event banners are stored in private Supabase Storage buckets with access policies.
• Data Minimisation: We collect only fields necessary for the app to function. This is a core principle under both GDPR (Art. 5(1)(c)) and the DPDP Act.
• Rate Limiting: SMS OTP requests are rate-limited per phone number and IP address to prevent abuse.

While we implement industry-standard security practices, no method of electronic storage or transmission is 100% secure. In the event of a data breach that affects your personal information, we will notify you as described in Section 15.

We retain your personal data only for as long as necessary to provide the Service and fulfil the purposes described in this Policy. The table below summarises our retention periods.

When you delete your account, all personal data is permanently and irreversibly deleted from our systems immediately. Anonymised or aggregated data that does not identify you may be retained for analytical purposes.

We do not sell, rent, or trade your personal information. We share data only with the following trusted service providers who help us operate the app, and only to the extent necessary for their function:

All third-party providers are bound by data processing agreements and are prohibited from using your data for any purpose other than providing their service to Nyota. Where these providers are located outside your country, we ensure appropriate safeguards are in place — see Section 9.

We may also disclose your information if required by law, court order, or a government authority, or to protect the rights, property, or safety of Nyota, our users, or the public.

Nyota is operated from India and our primary data infrastructure is hosted in Singapore. Some of our third-party service providers (such as Firebase and Twilio) are based in the United States. This means that your personal data may be transferred to and processed in countries outside your home country.

If you have questions about our international transfer safeguards, please contact us at privacy@thenyota.app.

You have full control over your data within Nyota. The rights available to you depend on where you are located — we honour all of the following for all users globally.

To exercise any of these rights, contact us at privacy@thenyota.app. We will respond within 30 days (or sooner where required by applicable law). We may need to verify your identity before processing certain requests.

You can permanently delete your Nyota account and all associated data directly from within the app. No email or external request is required.

Deletion permanently removes the following:

• Your user account and authentication record
• Your profile information (name, phone number, avatar, city)
• All contacts you have added to Nyota
• All events you have created
• All guest list entries across your events
• All gift and transaction records
• All event activities, wishes, and guestbook entries
• All uploaded images (avatars and event banners)
• Push notification tokens and notification history

Deletion is irreversible. Once your account is deleted, we cannot recover your data. Deletion is processed immediately upon confirmation and is implemented via a secure server-side function.

If you are unable to access the app, you may also request account deletion by emailing privacy@thenyota.app from your registered contact. We will process the request within 7 days.

Nyota is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18 years of age.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@thenyota.app. We will promptly delete that information upon verification.

If we become aware that we have collected personal data from a user under 18 without appropriate consent, we will delete that information from our records without delay.

Nyota may request permission to send push notifications to your device for the following purposes:

• Event reminders (upcoming events you have created)
• Guest RSVP updates (when a guest responds to your invitation)
• Important app announcements (infrequent)

Push notification permission is entirely optional. You can deny or revoke permission at any time from Settings → Notifications → Nyota on your device. Revoking notification permission does not affect any other app functionality.

We use Expo Push Notifications and Firebase Cloud Messaging to deliver notifications. Only your device push token is shared with these services — no other personal information is transmitted.

The Nyota mobile app does not use cookies.

The Nyota website (thenyota.app) uses minimal cookies necessary for site functionality. We use Google Analytics (GA4) to understand how visitors interact with our website in an anonymised, aggregated manner. GA4 is configured with IP anonymisation enabled. We do not use third-party advertising cookies or cross-site tracking cookies.

For EU and UK users, our website displays a cookie consent notice. You may accept or decline non-essential cookies. Declining cookies will not prevent you from accessing any part of the website.

For full details on our cookie usage, see our Cookie Policy.

We may collect anonymised, aggregated analytics about app usage (such as feature popularity and crash reports) to improve the product. This data does not identify individual users and is not shared externally.

Despite our robust security measures, no system can be fully guaranteed against breaches. In the event of a personal data breach, we are committed to acting promptly and transparently.

Breach notifications to users will include: the nature of the breach, the categories of data affected, the likely consequences, and the steps we are taking to address it. If you believe your data has been compromised, please contact us immediately at privacy@thenyota.app.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via a push notification or in-app message if the change is significant.
• For EU/UK users, where a change affects your rights or how we use your data, we will obtain fresh consent where required by GDPR.
• For material changes affecting contact data or sensitive information, we will request fresh consent where required by applicable law.

Your continued use of Nyota after the updated policy takes effect constitutes your acceptance of the revised policy, to the extent permitted by law. We encourage you to review this page periodically.

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us: