Privacy Policy
Last updated: March 17, 2026
Niffler is a personal link and note keeper. We designed it to collect only what is necessary to provide the service.
Information We Collect
- Account data: email and a unique user ID via Supabase authentication.
- Content you add: bookmarks, notes, categories, tags, cover images.
- Device data: Basic technical logs (errors, warnings) for troubleshooting and improving the service.
- PWA data: offline cache and localStorage to improve performance and reliability.
- Google Calendar data: When you choose to connect your Google Calendar, we access calendar names, event titles, descriptions, locations, and date/time information from calendars you select for syncing.
- AI Assistant interactions: When you use the AI assistant (Mr. Niffs), we collect the messages you send and the responses generated. The assistant also accesses your existing bookmarks, notes, tasks, events, and categories to answer your queries.
How We Use Information
We process your information based on the following legal bases:
- Performance of Contract: Authenticate you, maintain your session, and store your bookmarks, notes, and related content to provide the core service you signed up for.
- Legitimate Interest: Provide features like offline access, share target, and real-time sync; diagnose and fix issues; improve service performance and user experience through anonymous analytics.
- Compliance with Legal Obligations: Retain certain data as required by law for security and accountability purposes.
Data Storage and Security
- Infrastructure: We use Supabase (hosted on AWS) for authentication, database, and storage. Data may be processed and stored in the United States and other jurisdictions.
- Security Measures: We implement industry-standard security measures including encryption in transit (TLS/SSL), row-level security policies, secure authentication, and regular security assessments.
- Access Controls: Row-level security policies restrict data access to authorized users only. Images may be served via public or signed URLs depending on bucket policy and your privacy settings.
- Limitations: While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. You use the service at your own risk.
Local Data
We use localStorage for preferences (e.g., language), offline actions, and share-target data; and service worker caches for faster loads. You can clear this via your browser settings.
Data Sharing
We do not sell your data. We never have and never will. We share data only with our infrastructure and service providers to operate the service:
- Supabase: For authentication, database, and file storage.
- Google Calendar API: When you connect your Google account, we access your calendar data through Google's API to sync events to Niffler.
- OpenAI: When you use the AI assistant (Mr. Niffs), your messages and relevant content from your account are sent to OpenAI's API (GPT-4o-mini model) for processing. OpenAI processes this data to generate responses. See OpenAI's Privacy Policy.
- RevenueCat: For managing in-app subscriptions and purchases on iOS. RevenueCat processes your Apple ID transaction data, subscription status, and device identifiers to manage your subscription. See RevenueCat's Privacy Policy.
For a complete list of our service providers and how they handle your data, see our Subprocessors page.
Employee Access to Your Data
Our default practice is to not access your information. We treat your content as private and confidential. We do not access your bookmarks, notes, or other stored content except:
- When required to provide support that you have explicitly requested
- When required by law or valid legal process
- To investigate potential Terms of Service violations when we have reasonable evidence of abuse
- To protect the safety and security of our users or the public
Google Calendar Integration
Niffler offers optional Google Calendar integration to help you manage your schedule alongside your bookmarks and notes. Here's how it works:
- What Niffler is: Niffler is a personal bookmark and note management application that helps you organize links, notes, tasks, and calendar events in one place.
- Authentication: We use Google's secure OAuth 2.0 protocol to authenticate your account. You will be redirected to Google to grant permission.
- Read-only access: We request read-only access to your Google Calendar (calendar.readonly scope). We cannot modify, create, or delete events in your Google Calendar.
- Data we access: Calendar names, event titles, descriptions, locations, start/end times, and whether events are all-day events.
- How we use your data: Calendar events are converted to bookmarks within the app, allowing you to view and organize your schedule alongside your other content. This data is used solely to provide you with the calendar sync feature you requested.
- Token storage: We securely store an encrypted refresh token in our database to maintain your calendar connection. This token allows us to fetch updated calendar data without requiring you to re-authenticate each time.
- Disconnecting: You can disconnect Google Calendar at any time from the app settings. Disconnecting will delete all synced calendar events from your Niffler account. You can also revoke access from your Google Account permissions.
Limited Use Disclosure: Niffler's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google Calendar data to provide and improve the calendar sync feature
- We do not transfer Google Calendar data to third parties except as necessary to provide the service
- We do not use Google Calendar data for advertising purposes
- We do not allow humans to read Google Calendar data except with your explicit consent, for security purposes, or to comply with applicable law
AI Assistant (Mr. Niffs)
Niffler includes an optional AI-powered assistant called Mr. Niffs. Here's how your data is handled when you use it:
- What data is sent to AI: When you send a message, your query and relevant content from your account (bookmarks, notes, tasks, events, categories) are sent to OpenAI's API for processing. Only content necessary to answer your query is included.
- Third-party processing: AI responses are generated by OpenAI's GPT-4o-mini model. OpenAI processes this data under their API data usage policy, which states that data sent via the API is not used to train their models.
- Actions on your behalf: The AI assistant can create, edit, and delete bookmarks, notes, tasks, events, and dividers in your account when you instruct it to. These actions modify your stored data.
- Conversation data: Your conversation history with the AI assistant is stored in our database to provide context for ongoing conversations and to improve the service.
- No advertising use: We do not use your AI assistant interactions for advertising or profiling purposes.
- Opting out: Use of the AI assistant is entirely optional. You can use Niffler without ever interacting with Mr. Niffs.
Public Content
If you mark a category or item as public, its content becomes accessible to anyone with the link. Keep this in mind when sharing.
Your Rights
Under applicable data protection laws (including GDPR and CCPA), you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Correct any inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your account and all associated personal data (subject to legal retention requirements).
- Right to Data Portability: Export your bookmarks and content in a structured, machine-readable format.
- Right to Object: Object to processing of your personal data for certain purposes, including analytics tracking.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: File a complaint with your local data protection authority (for EU users: Spanish Data Protection Agency - AEPD).
- Right to Disconnect Third-Party Services: Disconnect Google Calendar or other third-party integrations at any time from the app settings, which will remove all associated synced data from your account.
To exercise these rights, contact us at mario@mariocanas.com. We will respond within 30 days.
Cookies and Tracking
We use essential cookies for authentication and session management via Supabase. Your browser's localStorage and sessionStorage are used for app preferences and offline functionality.
Data Retention
We retain your data for as long as your account is active. When you delete your account, we permanently remove your profile, bookmarks, notes, and associated content within 30 days. Some anonymized logs may be retained for security and troubleshooting purposes.
Children's Privacy
Niffler is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately. Parents who believe their child has provided information should contact us.
International Data Transfers
Niffler is operated from Spain. Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers (Supabase) operate. We ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Service providers with adequate data protection certifications
- Contractual commitments to protect your data according to GDPR standards
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR
- Notify affected users via email without undue delay if the breach poses a high risk to your rights and freedoms
- Provide clear information about the nature of the breach, the data affected, likely consequences, and measures being taken to address it
- Offer guidance on steps you can take to protect yourself
Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email and/or through an in-app notification. The updated policy will include the new "Last updated" date at the top. Your continued use of Niffler after changes constitutes acceptance of the updated policy.
California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information collected, used, shared, or sold in the past 12 months.
- Right to Delete: Request deletion of personal information we have collected from you.
- Right to Opt-Out: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at mario@mariocanas.com with "California Privacy Request" in the subject line.
Under CCPA, we process your data as a "service provider" — we only use your personal information for the purposes of providing the Niffler service as described in this policy.
Do Not Track Signals
Some browsers have a "Do Not Track" (DNT) feature that signals websites you visit that you do not want to have your online activity tracked. Our website does not currently respond to DNT signals. You can opt out of analytics tracking by using browser privacy tools, ad blockers, or browser extensions that block tracking scripts.
Contact & Data Controller Information
The data controller responsible for your personal information is Niffler, operated from Spain.
For privacy inquiries, data requests, or to exercise your rights, contact us at:
- Email: mario@mariocanas.com
We will respond to requests within 30 days (or within the timeframe required by applicable law).