Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Name and email address
• Profile picture (if provided through Google Sign-In)
• Account preferences and settings

1.2 Information from Google Sign-In

We offer Google Sign-In as an authentication option. When you sign in with Google, we receive and store the following information from your Google account:

• Email address — used as your account identifier and for sending notifications
• Display name — used to personalize your experience
• Profile picture — displayed on your account profile

We only request the minimum scopes necessary for authentication. We do not access your Google contacts, calendar, Drive files, Gmail messages, or any other Google services beyond basic profile information. Your Google account password is never shared with us.

1.3 Message Content

When you use the Service, you may provide:

• Text messages and notes
• Photos, videos, and audio recordings
• Recipient contact information (names and email addresses)
• Scheduled delivery dates and preferences

1.4 Payment Information

When you purchase credits or subscriptions, payment processing is handled entirely by Stripe, Inc. We do not store your credit card number, CVV, or full billing details on our servers. We only receive a confirmation of payment, transaction ID, and subscription status from Stripe.

1.5 Automatically Collected Information

When you use the Service, we may automatically collect:

• IP address and approximate location
• Browser type and device information
• Pages visited and actions taken within the Service
• Error logs and performance data

2. How We Use Your Information

We use the information we collect to:

• Create and manage your account
• Store, encrypt, and deliver your scheduled messages
• Process payments and manage your subscription
• Send transactional emails (message delivery confirmations, account notifications)
• Send push notifications (with your consent)
• Provide customer support
• Monitor and improve the Service's performance and security
• Detect and prevent fraud or abuse
• Comply with legal obligations

We do not use your data for advertising, sell your data to third parties, or use your message content to train AI models.

3. How We Store and Protect Your Data

3.1 Encryption

All message content is encrypted at rest using AES-256-GCM encryption. Each message is encrypted with a unique derived key. Media files (photos, videos, audio) are stored in encrypted form.

3.2 Infrastructure Security

Your data is stored on secure cloud infrastructure provided by Amazon Web Services (AWS) and Supabase. All data transmission is encrypted in transit using TLS/SSL. Access to production systems is restricted and monitored.

3.3 Data Retention

• Active accounts: Your data is retained for as long as your account is active.
• Scheduled messages: Stored until delivered, then retained for 30 days after delivery before deletion.
• Timeless (vault) messages: Stored for the vault horizon period you selected (20, 40, or 60 years), subject to renewal.
• Deleted accounts: When you delete your account, all personal data and message content is permanently deleted within 30 days.
• Payment records: Transaction records may be retained for up to 7 years as required by tax and financial regulations.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

• Message recipients: When a message is delivered, the recipient receives the message content you created for them.
• Service providers: We use trusted third-party services to operate the platform (see Section 5 below). These providers only access data necessary to perform their functions and are bound by confidentiality obligations.
• Legal requirements: We may disclose your information if required by law, court order, or governmental authority.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. You will be notified of any such change.

5. Third-Party Services

We use the following third-party services to provide and improve the Service:

• Supabase — Database hosting and user authentication
• Amazon Web Services (AWS) — Cloud computing, file storage (S3), email delivery (SES), and serverless functions (Lambda)
• Stripe — Payment processing for subscriptions and credit purchases
• Google — OAuth authentication (Google Sign-In)
• Firebase (Google) — Push notification delivery
• Sentry — Error monitoring and performance tracking
• Anthropic — AI-powered features (Twin AI). Message content shared with AI features is not used to train AI models.

Each third-party service has its own privacy policy governing the use of your information. We encourage you to review their policies.

6. Use of Google User Data

MessageFuture's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only access the Google user data necessary for authentication (email, name, profile picture).
• We do not use Google user data for serving advertisements.
• We do not transfer or sell Google user data to third parties, except as necessary to provide the Service or as required by law.
• We do not use Google user data to train AI or machine learning models.
• Human access to Google user data is limited to service operations, security investigations, legal compliance, or with your explicit consent.

7. Your Rights and Choices

7.1 GDPR Rights (European Users)

If you are located in the European Economic Area, you have the following rights:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete data.
• Erasure — Request deletion of your personal data.
• Restrict processing — Request that we limit how we use your data.
• Object to processing — Object to our use of your data for certain purposes.
• Data portability — Request your data in a portable format.

7.2 CCPA Rights (California Residents)

Under the California Consumer Privacy Act, you have the right to:

• Know what personal data we collect and how it is used.
• Request deletion of your personal data.
• Opt out of the sale of personal data. We do not sell personal data.
• Non-discrimination for exercising your privacy rights.

7.3 Account Controls

You can:

• Update your profile information from your account settings.
• Delete your account and all associated data by contacting us.
• Opt out of marketing emails by clicking the unsubscribe link.
• Manage push notification preferences in the app settings.
• Revoke Google Sign-In access at any time from your Google Account security settings.

8. Children's Privacy

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at help@nukylabs.com.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States and the European Union. These transfers are necessary to provide the Service and are protected by appropriate safeguards, including encryption and contractual obligations with our service providers.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Effective Date” above. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a complaint, please contact us:

• Email: help@nukylabs.com
• Company: Nuky Labs LLC
• Location: Wyoming, USA

We aim to respond to all privacy-related inquiries within 30 days.