1. Who we are
NomadKit Starter is operated by Notable Nomads ("we", "us"). For questions about this policy or your data, contact us at privacy@example.com.
2. What data we collect
Account data
When you create an account we collect your name, email address, and (if you use email/password sign-up) a hashed password. If you sign in with Google, we receive your Google profile information (name, email, profile picture) as provided by Google.
Goals and plans
NomadKit Starter stores the goals, constraints, and step plans you create. This content is free text and may include personal details you choose to enter. Please avoid entering special-category data (e.g. health, religion) unless necessary for your goal.
Preferences
We store appearance settings (light/dark/system theme) in your account. The web app may also cache them in browser storage for offline use.
Technical data
When you sign in we store session metadata including IP address and browser user agent for security and fraud prevention. On the web, authentication uses an HttpOnly session cookie scoped to our domain. On the native mobile app, we use a bearer token stored in your device's secure storage.
Analytics (with your consent only)
If you accept analytics cookies on our websites, we collect product usage events (e.g. plan created, step completed), page views, and JavaScript errors. We use an internal user ID — not your email or name — in analytics. See our Cookie Policy for details. The native mobile app does not load PostHog or the web analytics beacon.
Offline storage (web app / PWA)
The NomadKit Starter web app at http://localhost:3000 caches your plans and settings in your browser's local storage so you can use the app offline. This data is cleared when you sign out.
Native mobile app
The iOS and Android app stores your session token in secure storage and loads plans from our API when online. It does not use the web app's offline plan cache or PWA service worker.
3. Why we use your data (legal bases)
- Contract (Art. 6(1)(b) GDPR): providing your account, storing plans, sending account emails (verification, welcome, password reset, referral notifications), and delivering the service you signed up for.
- Consent (Art. 6(1)(a) GDPR): analytics and optional tracking cookies on our websites. You can withdraw consent at any time via Cookie settings.
- Legitimate interest (Art. 6(1)(f) GDPR): session security (IP address, user agent) and abuse prevention, balanced against your rights.
4. Processors and subprocessors
We use the following service providers to run NomadKit Starter:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, database (D1), API Workers, Workers AI (plan generation), optional web analytics | Global / EU edge |
| PostHog EU | Product analytics on web (consent required) | EU (Frankfurt) |
| Resend | Transactional email (verification, welcome, password reset, referral notifications) | United States |
| Google | OAuth sign-in only | Global / United States |
Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses where applicable.
5. AI plan generation
When you create or adjust a plan, text you enter as goals or instructions may be processed by Google's Gemma model via Cloudflare Workers AI to generate or update your steps. We process this data to provide the feature you request (contract basis). Generation metadata may be stored in our database for debugging and quality. Cloudflare's and Google's privacy policies apply to their processing: cloudflare.com/privacypolicy, policies.google.com/privacy.
6. Retention
- Account and plan data: until you delete your account or individual plans.
- Sessions: up to 7 days, with session activity refreshed at least every 24 hours while you remain signed in.
- Verification tokens: until used or expired.
- Analytics: per PostHog and Cloudflare retention settings (typically up to 90 days).
- Web browser cache (offline): until sign-out or manual browser clear.
7. Your rights
Under GDPR you have the right to:
- Access your data (export from Profile in the web app at http://localhost:3000)
- Rectify inaccurate data (edit profile in the app)
- Erasure ("right to be forgotten") — delete your account from Profile in the web app
- Data portability — export your data from Profile in the web app
- Restrict or object to processing where applicable
- Withdraw consent for analytics at any time (Cookie settings on our websites)
- Lodge a complaint with your local supervisory authority
On the native mobile app, use the web app at http://localhost:3000 for export and account deletion, or email privacy@example.com.
8. Children
NomadKit Starter is not directed at children under 16. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
9. Changes
We may update this policy. Material changes will be posted on this page with an updated date. Continued use after changes constitutes acceptance where permitted by law.
10. Contact
Notable Nomads
Email: privacy@example.com
Website: http://localhost:3002