Privacy Policy

This Privacy Policy explains how Nookaly ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Nookaly browser extension, website, and related services (collectively, the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read this policy carefully to understand our practices regarding your personal data.

1. Data Controller

Nookaly is the data controller responsible for your personal data. If you have questions or concerns about this policy or your data, please contact us at privacy@nookaly.co.uk.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Display name (optional)
• Authentication credentials (managed securely through our authentication provider)

2.2 Property Preferences

To provide personalised insights, we collect the preferences you provide, including:

• Budget range
• Desired number of bedrooms and bathrooms
• Property type preferences
• Desired features and deal breakers
• Priority weightings for various property attributes
• Commute destinations (e.g., workplace addresses)

2.3 Usage & Behavioural Data

We collect detailed information about how you interact with the Service in order to improve the product and provide personalised property recommendations. This includes:

• Property listings you view, including how long you spend on each listing (dwell time), which tabs and sections you open, and the order in which you browse
• Properties you save to favourites, including any scores or notes you assign
• Search queries and search result interactions (clicks, scroll depth, sort preferences)
• AI analysis requests you trigger and their outcomes
• Commute destinations you set and commute calculations you perform
• Navigation patterns within the extension (tab switches, section expansions, settings changes)
• Session duration, idle periods (detected after 5 minutes of inactivity), and session activity counts
• Timestamps of all interactions

This behavioural data is collected under a three-tier consent system:

• Tier 0 (Always collected): Consent-related events only (e.g., whether you accepted or declined tracking)
• Tier 1 (Basic analytics): Session and navigation events, collected for all authenticated users to maintain Service quality
• Tier 2 (Detailed behavioural tracking): Property viewing habits, favourites, search behaviour, analysis usage, and commute data. You can opt out of Tier 2 tracking at any time via the extension settings. Opting out does not affect your ability to use the Service

2.4 Device & Technical Data

We automatically collect technical information to identify your device and diagnose issues:

• Device fingerprint: A one-way hash generated from your screen resolution, colour depth, timezone, browser language, number of CPU cores, and operating system platform. These attributes are combined and hashed using the FNV-1a algorithm — the individual attributes are not stored, only the resulting hash
• IP address: Your IP address is collected and immediately hashed using SHA-256 before storage. We do not store your raw IP address
• User agent string: Your browser's user agent, which typically includes browser name, version, and operating system
• Extension version
• Error logs and performance data

2.5 Data We Do Not Collect

We want to be clear about what we do not collect:

• We do not collect your browsing history outside of Rightmove and Zoopla
• We do not read any page content, text, images, or DOM elements from Rightmove or Zoopla — only the page URL is read to identify the listing
• We do not collect financial information (payments are processed by third-party payment providers)
• We do not use canvas fingerprinting, WebGL fingerprinting, audio fingerprinting, or font detection
• We do not collect passwords or sensitive authentication tokens on our servers
• We do not sell, rent, or trade your personal data to third parties

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Delivery (Contractual Necessity)

• To provide personalised property match scores based on your preferences
• To generate AI-powered property analysis and insights
• To calculate commute times to your chosen destinations
• To manage your account, favourites, and saved properties
• To process credit transactions

3.2 Personalised Recommendations & Profiling (Consent)

With your consent (Tier 2 tracking), we analyse your property browsing behaviour to build a profile of your property preferences and housing interests. This includes:

• Matching your browsing patterns and engagement signals (dwell time, favourites, search behaviour) with property characteristics to understand the types of homes you are drawn to
• Using this behavioural profile to provide tailored property suggestions via the extension or by email
• Combining demographic indicators (such as your area of search and budget range) with your browsing habits to improve recommendation quality

This constitutes profiling as defined under UK GDPR Article 4(4). It is based on your consent and does not produce legal effects or similarly significant effects on you. You can opt out of this profiling at any time by disabling Tier 2 tracking in the extension settings, and you can request deletion of your behavioural data at any time (see Section 9).

3.3 Service Improvement (Legitimate Interest)

• To understand how the Service is used and identify areas for improvement
• To improve the accuracy and quality of our AI analysis
• To diagnose technical issues and monitor Service performance

3.4 Communication (Consent / Legitimate Interest)

• To send essential service notifications (e.g., account security, Terms updates)
• To send optional product updates and feature announcements (with your consent)
• To send personalised property suggestions by email (with your consent, based on your behavioural profile)

4. AI Processing

The Service uses artificial intelligence to analyse property listings. This involves:

• Property Image Analysis: AI models examine property photographs to assess condition, features, natural light, and other visual attributes. Images are processed by our AI service providers (see Section 6) and are not stored permanently by these providers.
• Text Analysis: Listing descriptions and publicly available property data are processed to extract structured information and generate insights.
• Personalised Scoring: Your stated preferences are combined with property analysis to generate match scores. This is automated decision-making that directly affects the insights you receive, but it does not have legal or similarly significant effects on you.

You can adjust your preferences at any time to change how properties are scored. If you have concerns about automated processing, please contact us.

5. Legal Basis for Processing

We process your data under the following legal bases as defined by UK GDPR:

• Contractual Necessity (Article 6(1)(b)): Processing necessary to deliver the Service you have requested (property analysis, match scores, commute calculations)
• Legitimate Interest (Article 6(1)(f)): Processing for service improvement, security, and basic analytics (Tier 1), where our interests do not override your rights
• Consent (Article 6(1)(a)): Detailed behavioural tracking (Tier 2), profiling for personalised property recommendations, and optional marketing communications. You can withdraw consent at any time via the extension settings without affecting your ability to use the Service

6. Third-Party Services

We use the following categories of third-party services to operate Nookaly:

6.1 Infrastructure and Authentication

• Supabase: Database hosting and user authentication. Data is stored in EU data centres. Supabase Privacy Policy

6.2 AI and Analysis

• Google Cloud (Vertex AI): Property image and text analysis using AI models. Data is processed in accordance with Google's data processing terms. Google Cloud Privacy Notice
• OpenAI: Text processing and semantic search capabilities. OpenAI Privacy

6.3 Mapping and Location

• Mapbox: Map display and location-based features. Mapbox Privacy Policy

We have data processing agreements with our service providers where required and ensure they provide adequate levels of data protection.

7. Data Sharing

We do not sell, rent, or trade your personal data to any third party. Your data is shared only with the third-party service providers listed above, solely for the purpose of operating the Service. We do not provide your data to advertisers, data brokers, or any other commercial third parties.

We may disclose your data if required by law, regulation, or legal process, or to protect the rights, safety, or property of Nookaly or others.

8. Data Storage and Security

• Your data is stored on secure servers with encryption at rest and in transit
• Access to personal data is restricted to authorised personnel only
• We use industry-standard security measures to protect your data
• Authentication is handled through secure, established authentication providers
• We regularly review our security practices and update them as needed

9. Data Retention

• Account data: Retained for as long as your account is active, plus 30 days after deletion request to allow for account recovery
• Property preferences: Retained while your account is active; deleted upon account deletion
• Behavioural event data: Retained while your account is active for the purposes described in Section 3.2. Upon account deletion, event records are pseudonymised (user ID, session ID, device fingerprint, IP hash, and user agent are removed) and retained in de-identified form for aggregate analytics
• Device fingerprints: Retained while your account is active; removed upon account deletion as part of event pseudonymisation
• AI analysis results: Cached to improve Service performance; refreshed periodically and removed when no longer needed
• Technical logs: Retained for up to 90 days for debugging and security purposes

10. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you
• Right to Rectification: You may request correction of inaccurate personal data
• Right to Erasure: You may request deletion of your personal data (subject to legal obligations). Your account data will be deleted and event records pseudonymised within 30 days
• Right to Data Portability: You may request your data in a machine-readable format
• Right to Restrict Processing: You may request limitation of how we process your data
• Right to Object to Profiling: You may object to profiling for personalised recommendations at any time by disabling Tier 2 tracking in the extension settings
• Right to Object: You may object to processing based on legitimate interests
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, you can:

• Use the data export and account deletion features within the extension
• Disable Tier 2 tracking in the extension settings to stop behavioural profiling
• Contact us at privacy@nookaly.co.uk

We will respond to your request within 30 days as required by law.

11. Cookies and Local Storage

The Nookaly extension uses browser local storage (not cookies) to store:

• Your authentication session
• Cached property data for performance
• Your preferences and settings
• Your tracking consent choice

Our website may use essential cookies for basic functionality. We do not use third-party advertising or tracking cookies.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete it.

13. International Data Transfers

Some of our third-party service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the ICO
• Adequacy decisions by the UK government
• Service providers certified under recognised data protection frameworks

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website with a revised "Last updated" date
• Sending a notification through the extension where appropriate

We encourage you to review this policy periodically.

15. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113

We encourage you to contact us first so we can try to resolve your concern directly.

16. Contact Us

For any questions about this Privacy Policy or your personal data, please contact us:

Email: privacy@nookaly.co.uk