Privacy Policy
Last updated: February 2026 | Version 1.0
This Privacy Policy explains how 360 Milieu Creatives Ltd ("we", "us", "Nesra") collects, uses, stores, and shares your personal information when you use the Nesra app. Please read it carefully before downloading or using the app.
If you have questions about this policy, contact us at: contact@nesra.co.uk
1. Who We Are (Your Data Controller)
Your personal data is controlled by 360 Milieu Creatives Ltd (trading as "Nesra"), a company registered in England and Wales.
- Company name: 360 Milieu Creatives
- Registered address: Unit D, 4 Cwm Road, Swansea, SA1 2AY
- Company number: 16661000
- ICO registration number: ZC130239
- General enquiries email: contact@nesra.co.uk
- Data Protection Officer: creatives@360milieu.co.uk
2. Personal Data We Collect
We collect the following categories of personal data when you use Nesra:
| Category | Data Collected | Why We Collect It |
|---|---|---|
| Account & authentication | Email address; login session data; account preferences | To create and manage your account and authenticate you securely (via Supabase) |
| Mood data | Journal entries; mood ratings and notes; emotional state records; focus session logs | To provide the journalling, mood tracking, and AI reflection features |
| Chat history | AI chat messages and conversation records | To provide the AI chat companion feature |
| App usage & preferences | In-app settings; feature usage patterns (aggregated and anonymised) | To improve app performance and personalise your experience |
| Technical / diagnostic data | Device type; operating system version; app version; crash reports; error logs | To diagnose and fix technical issues and maintain app security |
* Special category (health) data — see Section 3 below.
3. Special Category Data: Your Mental Health Information
IMPORTANT
Certain data we collect — specifically your mood data, journal entries, and AI chat history relating to your emotional or mental health — is likely to constitute health data under Article 9 of UK GDPR. Health data is a "special category" of personal data that is subject to stricter legal protections because of its sensitive nature.
We treat the following data as special category health data:
- Mood ratings, mood notes, and emotional state records
- Journal entries that relate to your mental health, feelings, or emotional state
- AI chat history that records discussions about your wellbeing, mental health, or emotional state
We only process your special category data where you have given us your explicit consent to do so (Article 9(2)(a) of UK GDPR). You will be asked to provide this consent separately within the app before these features are activated.
You may withdraw your consent at any time by using the consent settings within the app. Withdrawing consent will not affect the lawfulness of any processing we carried out before you withdrew it.
We have conducted a Data Protection Impact Assessment (DPIA) in relation to our processing of special category data, as required by Article 35 of UK GDPR. A summary of this assessment is available on request.
4. Lawful Bases for Processing Your Personal Data
We must have a lawful basis for processing your personal data. We rely on the following bases:
| Processing Activity | Article 6 Lawful Basis | Article 9 Condition |
|---|---|---|
| Account creation and authentication | Art. 6(1)(b) — Performance of contract | N/A |
| Provision of app features (journalling, mood tracking, goals, focus timer, planner) | Art. 6(1)(b) — Performance of contract | Art. 9(2)(a) — Explicit consent (for mood / journal health data) |
| AI chat feature | Art. 6(1)(b) — Performance of contract | Art. 9(2)(a) — Explicit consent (for any health-related chat content) |
| AI-generated reflections, summaries, and mood insights | Art. 6(1)(a) — Consent | Art. 9(2)(a) — Explicit consent |
| Subscription management and billing | Art. 6(1)(b) — Performance of contract | N/A |
| Technical / diagnostic data collection | Art. 6(1)(f) — Legitimate interests | N/A |
| Responding to your enquiries and support requests | Art. 6(1)(b) — Performance of contract; Art. 6(1)(f) — Legitimate interests | N/A |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation | Art. 9(2)(b) — Obligations/rights in employment, social security and social protection (if applicable) |
5. How We Store Your Data
5.1 Local-First Architecture
Your personal content is stored locally on your device. This means that your journal entries, mood data, chat history, goals, planner data, and focus records are kept on your iPhone or iPad and are not uploaded to our servers. This is a deliberate privacy-by-design choice.
If you delete the app from your device, all locally stored content will be permanently removed. We recommend that you export any data you wish to retain before deleting the app (see Section 8 for your export rights).
5.2 Authentication Data (Supabase)
Your account authentication data (email address and login session credentials) is processed and stored securely by our third-party authentication provider, Supabase Inc., in accordance with our Data Processing Agreement with them. Supabase processes this data on our behalf and in accordance with our instructions. More information about Supabase's security practices is available at https://supabase.com/security.
5.3 Security Measures
We implement appropriate technical and organisational security measures to protect your personal data from unauthorised access, loss, or disclosure. These measures include encrypted connections (TLS), access controls, and regular security monitoring. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.
6. How We Process Your Data: AI Features
The following premium features use a third-party AI model provided by OpenAI, L.L.C. to generate content for you: AI-generated reflections, weekly and monthly summaries, mood insights, and AI chat responses.
When AI processing occurs, the following safeguards apply:
- Only the minimum content necessary to generate the relevant output is transmitted to the AI provider for processing.
- Your data is not used to train the AI model or to improve the AI provider's models.
- Processing is carried out in real-time; data is not retained by the AI provider beyond what is necessary for the immediate processing task.
- No persistent personal identifiers (such as your name or email address) are included in requests sent to the AI provider.
- All transmissions to the AI provider are encrypted in transit.
More details about OpenAI's data processing practices are available in their privacy policy at https://openai.com/policies/privacy-policy.
7. Third-Party Processors
We share your personal data with the following third-party processors who process data on our behalf and under our instructions. We have Data Processing Agreements in place with each of them, as required by Article 28 of UK GDPR.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Authentication and account management | United States (and/or EU) | UK Standard Contractual Clauses |
| OpenAI, L.L.C. | AI feature processing (reflections, summaries, chat) | United States | UK Standard Contractual Clauses |
| Apple Inc. | App Store distribution, subscription billing, push notifications | United States | Apple's UK GDPR standard contractual clauses |
We do not sell your personal data to third parties. We do not share your personal data with third parties for their own marketing purposes.
8. International Data Transfers
Some of our third-party processors are based outside the United Kingdom or process data in countries outside the UK. When we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V.
If you are located outside the United Kingdom and use the app, your personal data will be transferred to and processed in the United Kingdom. We are a UK-based data controller and UK GDPR governs our processing of your data.
Where your local data protection law requires equivalent safeguards for such inbound transfers, those safeguards apply accordingly. If you are an EU or EEA resident, EU GDPR applies to our processing of your personal data in addition to, and in some respects instead of, UK GDPR, and you have the right to complain to your local supervisory authority (see Section 16).
You can request a copy of the transfer mechanisms we use by contacting us at contact@nesra.co.uk.
9. How Long We Keep Your Data
We keep your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Local content (journal, mood, chat, goals, planner, focus) | Kept on your device until you delete it or uninstall the app. We do not hold copies on our servers. |
| Authentication data (email, login credentials — via Supabase) | Retained for the duration of your account and for 30 days after account deletion, after which it is permanently deleted. |
| Technical / diagnostic data | Retained for up to 12 months from collection, after which it is deleted or permanently anonymised. |
| AI processing — real-time requests to OpenAI, L.L.C. | Not retained beyond immediate processing. The AI provider processes data in real-time and does not store it. |
| Customer support correspondence | Retained for 3 years from resolution of the relevant enquiry, in accordance with limitation periods under the Limitation Act 1980. |
| Subscription and transaction records | Retained for 7 years from the end of the subscription, as required by the Companies Act 2006 and HMRC guidance. |
10. Your Rights Under UK GDPR
As a data subject, you have the following rights in relation to your personal data. We will respond to any valid request within one calendar month of receiving it. There is no charge for exercising your rights in most circumstances.
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you and information about how we use it.
Right to Rectification (Article 16)
You have the right to ask us to correct any personal data that is inaccurate or incomplete.
Right to Erasure (Article 17)
You have the right to ask us to delete your personal data in certain circumstances, for example if the data is no longer necessary for the purpose for which it was collected, or if you withdraw consent. You can delete your account and all locally stored content directly from the app settings.
Right to Restriction of Processing (Article 18)
You have the right to ask us to restrict the processing of your personal data in certain circumstances, for example while a dispute about accuracy is being resolved.
Right to Data Portability (Article 20)
Where we process your personal data by automated means on the basis of your consent or to perform a contract with you, you have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your data from the app settings.
Right to Object (Article 21)
You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. Our AI features generate reflections, summaries, and insights but do not make automated decisions with significant legal effects. You may object to profiling at any time using the consent settings in the app.
Right to Withdraw Consent (Article 7(3))
Where we rely on your consent (including explicit consent for special category data), you have the right to withdraw that consent at any time by using the consent settings within the app. Withdrawing consent does not require you to delete your account. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.
To exercise any of your rights, please contact us at contact@nesra.co.uk or using the contact details in Section 15. You may also exercise some rights directly within the app settings.
11. Children's Privacy
The app is not directed to children under the age of 13. Under UK GDPR (Article 8), children under the age of 13 cannot provide valid consent to the processing of their personal data in relation to information society services; parental or guardian consent is required.
If you are under 13, you must have your parent's or guardian's consent before using the app. If you are a parent or guardian and you believe your child under 13 has used the app without your consent, please contact us at contact@nesra.co.uk and we will promptly delete the relevant data.
We apply enhanced safeguards to users who are under 18 in accordance with applicable child protection laws, including: the ICO Age Appropriate Design Code (Children's Code) for UK users; Article 8 of EU GDPR for users in the EU and EEA (noting that many EU member states set the minimum consent age at 16, not 13 — users in those states must meet that higher local requirement); and the Children's Online Privacy Protection Act (COPPA) for users in the United States.
If you are resident in a country where the minimum age for consent to data processing is higher than 13, you must meet that higher requirement before using the app without parental consent. If we identify that a user is a child, we will: (a) apply the highest privacy settings by default; (b) restrict AI processing of that user's mood and journal data; and (c) disable in-app purchase prompts directed at the child.
12. Automated Decision-Making and Profiling
Nesra uses automated processing (powered by AI) to generate personalised reflections, summaries, and mood insights based on your journal entries, mood data, and chat history. This constitutes profiling under Article 4(4) of UK GDPR because it involves using your personal data to evaluate your emotional state and wellbeing.
We do not use solely automated decision-making to make decisions about you that have legal or similarly significant effects. Our AI outputs are wellness suggestions and reflections only; they do not affect your legal rights, contractual terms, or access to other services.
You have the right to object to profiling at any time by turning off AI features in the app settings. If you turn off AI features, you will retain access to the non-AI features of the app.
13. Cookies and Tracking Technologies
No cookies or tracking technologies are used.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by in-app notification at least 30 days before the changes take effect.
The "Last updated" date at the top of this document will always reflect the date of the most recent version. We encourage you to review this policy periodically.
15. How to Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data, please contact us at contact@nesra.co.uk.
You may also write to us at: Unit D, 4 Cwm Road, Hafod, SA1 2AY, Swansea, Wales.
16. Your Right to Complain to a Supervisory Authority
YOUR RIGHTS
If you are resident in the United Kingdom, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you are resident in the European Union or European Economic Area, you have the right to complain to your local national data protection supervisory authority. A full list of EU/EEA supervisory authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en.
If you are resident in another country, you may have the right to complain to your local data protection authority under applicable local law. We would appreciate the opportunity to address your concerns before you contact any supervisory authority, so please contact us first.
For questions about this policy, contact us at contact@nesra.co.uk