Privacy Policy
Effective Date: April 11, 2026
This Privacy Policy explains how Nirvana ("we," "us," or "our") collects, uses, stores, and protects your information when you use the Nirvana mobile application ("App"). We are committed to protecting your privacy and handling your data in an open and transparent manner.
Data Controller: Nirvana, reachable at privacy@nirvana-cbt.com
By using the App, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
Depending on how you choose to use the App, we may collect:
- Unique User Identifier (UUID): A randomly generated identifier assigned to your account for authentication and data access control
- Email Address: If you create an account using email or sign in with Google or Apple
- Authentication Data: Managed securely by Firebase Authentication. Passwords are never stored in plain text and are protected using industry-standard encryption
1.2 Session Data
When you use the App to complete CBT sessions, we store the following data in your personal account:
- Your feelings and thoughts entries
- Cognitive errors identified during sessions
- Reframing and reflection responses
- Behavioral experiments and their outcomes
- Session metadata (timestamps, session mode: CBT or E-CBT)
This data is stored exclusively for your personal use and therapeutic benefit. We do not access, read, analyze, or use your session content for any purpose other than providing it back to you within the App.
1.3 Advertising Data (Free Version Only)
If you use the free version of the App with advertisements, third-party advertising services (such as Google AdMob) may collect:
- Advertising identifiers (e.g., IDFA on iOS, AAID on Android)
- Device information (device type, operating system version)
- Usage data for ad personalization and frequency capping
- IP address for general location-based advertising
These services operate according to their own privacy policies:
Your session content is never shared with advertising providers.
1.4 Technical and Diagnostic Data
We may collect limited technical information to maintain and improve the App:
- Device type and operating system version
- App version
- Crash reports and error logs (which do not contain your session content)
2. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), Switzerland, and the UK, we process your data under the following legal bases:
- Contractual Necessity: Processing is necessary to provide the App's core functionality (authentication, data storage and retrieval)
- Legitimate Interests: Technical diagnostics and app improvements, provided these do not override your fundamental rights
- Consent: For advertising in the free version (you can opt out by purchasing the ad-free version)
- Legal Obligation: When required to comply with applicable laws
3. How We Use Your Information
We use the information we collect strictly to:
- Provide and maintain the App's core functionality
- Enable account authentication and sync across your devices
- Store and retrieve your CBT session data
- Display advertisements in the free version (via third-party services)
- Process in-app purchases to remove ads
- Respond to your support requests
- Improve app stability and performance
- Comply with legal obligations
We do not:
- Read, analyze, or use your session content for advertising, profiling, AI training, or research
- Sell your personal information to third parties
- Share your session data with anyone, except as legally required
- Use your data for purposes other than those stated in this policy
4. How Your Data Is Stored
- Cloud Storage: Your session data is stored securely using Google Firebase Cloud Firestore (servers located in the United States and Europe)
- Encryption in Transit: All data transmission between your device and our servers is encrypted using HTTPS/TLS
- Encryption at Rest: Data is encrypted at rest using Google Cloud Platform's encryption standards
- Access Control: Database access is restricted using strict security rules that ensure users can access only their own data. Your data is isolated by your unique user ID
- Authentication: Firebase Authentication securely manages user accounts using industry-standard protocols
5. Account Options
You may use the App in one of the following ways:
- Anonymous use (default): No email address required. A unique identifier is assigned to your device. Data is not synced across devices.
- Google Sign-In: Links your sessions to your Google account for cross-device sync.
- Apple Sign-In: Links your sessions to your Apple ID for cross-device sync.
- Email account creation: Create an account using your email address and password to enable sync across devices.
6. Data Sharing and Third-Party Services
We do not sell or rent your personal information. We may share limited data with the following third-party services, solely to provide App functionality:
These services may have access to certain data to perform their functions, but are prohibited from using it for other purposes.
Legal Disclosures: We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect rights, property, or safety.
7. Data Retention and Deletion
- Retention Period: Your data remains stored only while your account exists. We do not retain data after account deletion.
- Account Deletion: You may delete your account at any time from within the App's Account settings.
- When you delete your account:
  - All associated session documents are permanently deleted from our database within 30 days
  - Your authentication record is removed
  - This action cannot be undone
  - Cached copies in backup systems are removed within 90 days
- Deletion Requests: You may also contact us directly at privacy@nirvana-cbt.com to request deletion of your data. We will respond within 30 days and process your request promptly in accordance with applicable law.
8. Advertising and In-App Purchases
- The free version of the App may display advertisements via Google AdMob
- Ads may be personalized based on advertising identifiers, but never based on your session content
- You may opt out of personalized advertising through your device settings (iOS: Settings → Privacy → Advertising; Android: Settings → Google → Ads)
- You may permanently remove ads via a one-time in-app purchase
- In-app purchases are processed by Apple App Store or Google Play Store according to their respective policies. We do not have access to your payment information.
9. Children's Privacy
The App is not intended for use by children under the age of 13 (or 16 in the EEA, or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe we have inadvertently collected information from a child, please contact us immediately at privacy@nirvana-cbt.com, and we will delete such information promptly.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
For EEA, Swiss, and UK Users (GDPR/Swiss DPA):
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restriction: Restrict processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to certain data processing activities
- Right to Withdraw Consent: Withdraw consent at any time (for processing based on consent)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
For California Users (CCPA/CPRA):
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to opt-out of sale of personal information (we do not sell your information)
- Right to deletion
- Right to non-discrimination for exercising your rights
For All Users:
- Update or correct your data within the App
- Delete your account and all associated data
- Request a copy of your data in JSON format
To exercise these rights, contact us at privacy@nirvana-cbt.com. We will respond within 30 days (or sooner as required by applicable law).
11. International Data Transfers
Your data may be transferred to and stored on servers located outside your country of residence, including in the United States and Europe. We use Google Firebase, which complies with applicable data protection frameworks.
For EEA, Swiss, and UK users: Data transfers are protected by:
- Google's compliance with Standard Contractual Clauses (SCCs) approved by the European Commission
- Google's Data Processing Amendment and security measures
By using the App, you consent to such transfers. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable law.
12. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction:
- Encryption in transit (TLS/HTTPS) and at rest
- Access controls and authentication
- Regular security assessments
- Restricted employee access on a need-to-know basis
However, no method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
13. Developer Access
Session data is stored securely in Google Firebase Cloud Firestore. Backend access is restricted and protected by authentication and authorization controls. We do not monitor or review individual session content except:
- When necessary for technical support (with your explicit consent)
- When required by law or legal process
- To investigate potential violations of our Terms of Service
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the new Privacy Policy within the App
- Updating the "Effective Date" at the top of this page
- Sending an in-app notification or email (for significant changes)
Your continued use of the App after changes become effective constitutes acceptance of the revised policy. We encourage you to review this Privacy Policy periodically.
15. Contact Us
© 2026 Nirvana. All rights reserved.