Privacy

The short version: Noctua stores what you ask Luna and what she says back, because that's the whole point of the reading. We don't do anything else with it — no ads, no resale, no training our own model on your words.

What we keep

When you use Noctua, we save:

• Your reading.The question you typed, the three cards drawn, Luna's interpretation, and any follow-up messages. Stored in Supabase, visible only to your account (enforced at the database level with row-level security).
• Auth identity.Either an anonymous Supabase session (nothing personal — just a random id in a cookie) or, if you've used the magic-link sign-in, your email address.
• Push subscription. Only if you opted in on the daily-card page. The endpoint URL and encryption keys your browser handed out — nothing personally identifying.
• Usage metadata in PostHog: which pages you visited, how long a reading took, the card ids you drew, the length of things (not the text). Explicitly neverthe content of your question, Luna's reply, or any message body.

Third parties we talk to

• Supabase — database + auth + email delivery for magic links. EU/US region. Supabase never sees your content in plaintext outside the database itself.
• LiteLLM-routed language model — we send your question and the cards drawn so Luna can write back. We use providers with no-training policies and we do not send any identifying metadata with the request.
• PostHog — product analytics. Metadata only, hosted on PostHog Cloud.
• Vercel — hosts the app and sends push notifications.

What we never do

• Sell your data.
• Share it with advertisers.
• Train our own AI on your questions or Luna's replies.
• Read what you wrote. (Yes, the data is in the database. No, no human is reading through it.)

Your rights

You can delete a reading from /readings at any time. If you want your entire account and history gone, email hello@noctua.appfrom the email you signed in with and we'll remove everything within 30 days.

If you're in the EU/UK/California, you also have the right to request a copy of what we have, to correct it, or to object to processing — same email.

Cookies & local storage

We use a few:

• Supabase auth cookies keep you signed in.
• PostHog cookie (ph_*) groups your sessions into one person for analytics.
• Local storagefor your language preference and whether you've dismissed the install prompt.

No tracking pixels. No third-party advertising cookies.

Kids

Noctua is for people 13 and older (16 in the EU). It's a reflection tool and occasionally touches on heavy subjects; it's not for children. If we find out we've collected data from a minor under the threshold for their region, we delete it.

Changes

If this policy changes in a way that affects what we collect or who sees it, we'll say so on the homepage for at least 14 days before it takes effect.

last updated: 2026-04-18