Privacy Policy

This Privacy Policy explains how Nookaly ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Nookaly mobile app (iOS and Android), browser extension, website, and related services (collectively, the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read this policy carefully to understand our practices regarding your personal data.

1. Data Controller

Nookaly is a trading name of Byte Insights Limited, a company registered in England and Wales. Byte Insights Limited is the data controller responsible for your personal data. If you have questions or concerns about this policy or your data, please contact us at privacy@nookaly.co.uk.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Display name (optional)
• Authentication credentials (managed securely through our authentication provider)

2.2 Property Preferences

To provide personalised insights, we collect the preferences you provide, including:

• Budget range
• Desired number of bedrooms and bathrooms
• Property type preferences
• Desired features and deal breakers
• Priority weightings for various property attributes
• Commute destinations (e.g., workplace addresses)

2.3 Usage & Behavioural Data

We collect detailed information about how you interact with the Service in order to improve the product and provide personalised property recommendations. This includes:

• Property listings you view, including how long you spend on each listing (dwell time), which tabs and sections you open, and the order in which you browse
• Properties you save to favourites, including any scores or notes you assign
• Search queries and search result interactions (clicks, scroll depth, sort preferences)
• Automated analysis requests you trigger and their outcomes
• Commute destinations you set and commute calculations you perform
• Navigation patterns within the extension or mobile app (tab switches, section expansions, settings changes)
• Session duration, idle periods (detected after 5 minutes of inactivity), and session activity counts
• Timestamps of all interactions

This behavioural data is collected under a three-tier consent system:

• Tier 0 (Always collected): Consent-related events only (e.g., whether you accepted or declined tracking)
• Tier 1 (Basic analytics): Session and navigation events, collected for all authenticated users to maintain Service quality
• Tier 2 (Detailed behavioural tracking): Property viewing habits, favourites, search behaviour, analysis usage, and commute data. You can opt out of Tier 2 tracking at any time via the extension or mobile app settings. Opting out does not affect your ability to use the Service

2.4 Device & Technical Data

We automatically collect technical information to identify your device and diagnose issues:

• Device fingerprint (browser extension and website): A one-way hash generated from your screen resolution, colour depth, timezone, browser language, number of CPU cores, and operating system platform. These attributes are combined and hashed using the FNV-1a algorithm — the individual attributes are not stored, only the resulting hash
• Mobile device data (app): Device model, operating system version, and app version, used to diagnose issues and tailor the experience. Where you enable notifications, we store a push notification token used solely to deliver alerts you have requested (see Section 3.5)
• IP address: Your IP address is collected and immediately hashed using SHA-256 before storage. We do not store your raw IP address
• User agent string (browser extension and website): Your browser's user agent, which typically includes browser name, version, and operating system
• Extension or app version
• Error logs and performance data

2.5 Data We Do Not Collect

We want to be clear about what we do not collect:

• We do not collect your browsing history. The browser extension operates only on Rightmove and Zoopla pages; the mobile app only receives a listing link when you explicitly share one with it
• We do not read any page content, text, images, or DOM elements from Rightmove or Zoopla — only the page URL (read by the extension) or the listing link you share (in the app) is used to identify the listing
• We do not collect financial information (payments are processed by third-party payment providers)
• We do not use canvas fingerprinting, WebGL fingerprinting, audio fingerprinting, or font detection
• We do not collect passwords or sensitive authentication tokens on our servers
• We do not sell, rent, or trade your personal data to third parties

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Delivery (Contractual Necessity)

• To provide personalised property match scores based on your preferences
• To generate automated property analysis and insights
• To calculate commute times to your chosen destinations
• To manage your account, favourites, and saved properties
• To process credit transactions

3.2 Usage Analytics (Consent)

With your consent (the "Usage Analytics" setting), we collect anonymous behavioural events about how you interact with the Service — for example, which features you use, how long sessions last, and which screens you visit. These events are recorded without your user ID; we can analyse the data in aggregate to understand how Nookaly is used, but we cannot tie any individual event back to you.

• Session start/end, screen visits, feature usage, error counts
• Aggregate funnels (e.g. how many users complete onboarding) and conversion metrics
• Approximate retention and engagement statistics across the user base

You can disable Usage Analytics at any time in the extension or mobile app's privacy settings. Doing so stops new anonymous events from being recorded.

3.3 Personalised Recommendations & Profiling (Consent)

With your consent (the "Smart Recommendations" setting), we link the behavioural events described in Section 3.2 to your account so we can build a profile of your property preferences and tailor what the Service suggests to you. This includes:

• Matching your browsing patterns and engagement signals (dwell time, favourites, search behaviour) with property characteristics to understand the types of homes you are drawn to
• Building a "taste profile" from the properties you save and view, and from the preferences you provide, to power the Daily Discover ("For You") feed — a daily set of recommendations ranked to match the homes you have engaged with
• Letting you mark a Discover recommendation as "Not interested" so we exclude it and show you fewer like it
• Using this behavioural profile to provide tailored property suggestions via the extension, mobile app, or by email
• Combining demographic indicators (such as your area of search and budget range) with your browsing habits to improve recommendation quality

This constitutes profiling as defined under UK GDPR Article 4(4). It is based on your consent and does not produce legal effects or similarly significant effects on you. Smart Recommendations requires Usage Analytics to be enabled — without the underlying anonymous events, there is nothing to link to your account. You can disable Smart Recommendations at any time in the extension or mobile app's privacy settings, and you can request deletion of your behavioural data at any time (see Section 9).

3.4 Service Improvement (Legitimate Interest)

• To understand how the Service is used and identify areas for improvement
• To improve the accuracy and quality of our automated analysis
• To diagnose technical issues and monitor Service performance

3.5 Communication (Consent / Legitimate Interest)

• To send essential service notifications (e.g., account security, Terms updates)
• To send optional product updates and feature announcements (with your consent)
• To send personalised property suggestions by email (with your consent, based on your behavioural profile)
• To send push notifications on the mobile app — such as "gem" property alerts and watch-area matches — where you have enabled notifications. You can turn these off at any time in your device settings or in the app

3.6 Aggregated Insights for Third Parties (Consent)

With your separate, optional consent (the "Help improve UK property data" setting), we may use anonymised, aggregated insights derived from your activity to help organisations such as mortgage providers, insurers, and housebuilders understand UK property demand. Examples of the kind of insights this produces:

• Buyer interest by postcode area over time (e.g. how many people are actively searching in a given outcode this week)
• The distribution of property-match scores across an area
• What home features and priorities buyers in different regions value most
• The gap between buyer demand and new-listing supply in an area

This is a distinct purpose from the analytics and personalisation described above, and it has its own setting that is off by default. It is never enabled by enabling any other consent.

How we protect your privacy. These insights are produced only as aggregates and are subject to anonymisation safeguards before they can be shared:

• Individual records are never released — only grouped, statistical figures
• Your user ID and any identifying information are removed during aggregation
• We apply a k-anonymity threshold: any group that would represent fewer than a minimum number of distinct users is suppressed, so no figure can be traced back to a small, identifiable set of people
• Only users who have given this specific consent contribute to the aggregates; if you withdraw consent, you are excluded from the next refresh

Because the resulting aggregates no longer relate to an identified or identifiable individual, they are not personal data once produced (see Section 9 on retention). You can enable or disable this at any time in the extension or mobile app's privacy settings (Settings → Privacy).

4. Automated Processing

The Service uses artificial intelligence and other automated systems to analyse property listings. This involves:

• Property Image Analysis: Automated systems examine property photographs to assess condition, features, natural light, and other visual attributes. Images are processed by our automated-analysis service providers (see Section 6) and are not stored permanently by these providers.
• Text Analysis: Listing descriptions and publicly available property data are processed to extract structured information and generate insights.
• Personalised Scoring: Your stated preferences are combined with property analysis to generate match scores. This is automated decision-making that directly affects the insights you receive, but it does not have legal or similarly significant effects on you.

You can adjust your preferences at any time to change how properties are scored. If you have concerns about automated processing, please contact us.

5. Legal Basis for Processing

We process your data under the following legal bases as defined by UK GDPR:

• Contractual Necessity (Article 6(1)(b)): Processing necessary to deliver the Service you have requested (property analysis, match scores, commute calculations)
• Legitimate Interest (Article 6(1)(f)): Processing for service improvement, security, and basic analytics (Tier 1), where our interests do not override your rights
• Consent (Article 6(1)(a)): Anonymous usage analytics (Section 3.2), personalised recommendations and profiling (Section 3.3), aggregated insights for third parties (Section 3.6), and optional marketing communications. Each purpose has its own setting that you can enable or disable independently. You can withdraw consent at any time via the extension or mobile app's privacy settings without affecting your ability to use the Service

6. Third-Party Services

We use the following categories of third-party services to operate Nookaly:

6.1 Infrastructure and Authentication

• Supabase: Database hosting and user authentication. Data is stored in EU data centres. Supabase Privacy Policy

6.2 Automated Analysis

• Google Cloud (Vertex AI): Property image and text analysis using machine learning models. Data is processed in accordance with Google's data processing terms. Google Cloud Privacy Notice
• OpenAI: Text processing and semantic search capabilities. OpenAI Privacy

6.3 Mapping and Location

• Mapbox: Map display and location-based features. Mapbox Privacy Policy

6.4 Payments and Subscriptions

• Apple (App Store) and Google (Google Play): Process in-app purchases and subscriptions made through the mobile app on iOS and Android respectively, under their own terms.
• Stripe: Processes payments made through the website and browser extension. Stripe Privacy Policy
• RevenueCat: Manages and validates mobile subscription status across the app stores. RevenueCat Privacy Policy

We receive confirmation of your subscription or purchase status from these providers but do not receive or store your full payment card details.

6.5 Push Notifications

• Mobile push notifications are delivered through the operating system's notification services — Apple Push Notification service on iOS and Firebase Cloud Messaging (Google) on Android — only where you have enabled them.

We have data processing agreements with our service providers where required and ensure they provide adequate levels of data protection.

7. Data Sharing

We do not sell, rent, or trade your personal data to any third party. Your data is shared only with the third-party service providers listed above, solely for the purpose of operating the Service. We do not provide your data to advertisers, data brokers, or any other commercial third parties.

Where you have given consent for aggregated insights (Section 3.6), we may share anonymised, aggregated figures — never your personal data, and never individual records — with third parties such as lenders, insurers, and housebuilders. These aggregates are produced using the anonymisation and k-anonymity safeguards described in Section 3.6, and cannot be used to identify you.

We may disclose your data if required by law, regulation, or legal process, or to protect the rights, safety, or property of Nookaly or others.

8. Data Storage and Security

• Your data is stored on secure servers with encryption at rest and in transit
• Access to personal data is restricted to authorised personnel only
• We use industry-standard security measures to protect your data
• Authentication is handled through secure, established authentication providers
• We regularly review our security practices and update them as needed

9. Data Retention

• Account data: Retained for as long as your account is active, plus 30 days after deletion request to allow for account recovery
• Property preferences: Retained while your account is active; deleted upon account deletion
• Behavioural event data: Retained while your account is active for the purposes described in Sections 3.2 and 3.3. Anonymous events (Usage Analytics) are recorded without your user ID from the moment they are collected. Personalised events (Smart Recommendations) are linked to your account; upon account deletion, those records are pseudonymised (user ID, session ID, device fingerprint, IP hash, and user agent are removed) and retained in de-identified form for aggregate analytics
• Device fingerprints: Retained while your account is active; removed upon account deletion as part of event pseudonymisation
• Automated analysis results: Cached to improve Service performance; refreshed periodically and removed when no longer needed
• Aggregated insights (Section 3.6): Once produced, anonymised aggregates no longer relate to an identified or identifiable individual and are therefore not personal data under UK GDPR. They have no statutory retention limit and may be retained indefinitely. Withdrawing consent removes you from all future aggregate refreshes, but does not require us to recompute aggregates already produced (which contain no individual record)
• Technical logs: Retained for up to 90 days for debugging and security purposes

10. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you
• Right to Rectification: You may request correction of inaccurate personal data
• Right to Erasure: You may request deletion of your personal data (subject to legal obligations). Your account data will be deleted and event records pseudonymised within 30 days
• Right to Data Portability: You may request your data in a machine-readable format
• Right to Restrict Processing: You may request limitation of how we process your data
• Right to Object to Profiling: You may object to profiling for personalised recommendations at any time by disabling Tier 2 tracking in the extension or mobile app settings
• Right to Object: You may object to processing based on legitimate interests
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, you can:

• Use the data export and account deletion features within the app or extension
• Disable Tier 2 tracking in the app or extension settings to stop behavioural profiling
• Contact us at privacy@nookaly.co.uk

We will respond to your request within 30 days as required by law.

11. Cookies and Local Storage

The Nookaly browser extension uses browser local storage, and the mobile app uses on-device storage (in both cases, not cookies) to store:

• Your authentication session
• Cached property data for performance
• Your preferences and settings
• Your tracking consent choice

Our website may use essential cookies for basic functionality. We do not use third-party advertising or tracking cookies.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete it.

13. International Data Transfers

Some of our third-party service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the ICO
• Adequacy decisions by the UK government
• Service providers certified under recognised data protection frameworks

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website with a revised "Last updated" date
• Sending a notification through the app or extension where appropriate

We encourage you to review this policy periodically.

15. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113

We encourage you to contact us first so we can try to resolve your concern directly.

16. Contact Us

For any questions about this Privacy Policy or your personal data, please contact us:

Email: privacy@nookaly.co.uk