Privacy Policy
Last updated:
These documents are provided as-is. Legal counsel review is recommended before commercial launch.
1. Who we are and what this covers
Nevala is an accessibility tool that scans video, images, and on-screen content for the specific things on your list — spiders, blood, needles, and similar — and returns a time-coded map of where they appear, so you can decide what to watch or skip. This policy explains what we do and don’t do with information when you use the Nevala website, browser extension, and account.
The data controller is John Muradeli (Individual Entrepreneur), Tbilisi, Georgia. Contact details are in section 13.
The one-sentence version: the videos, images, and screenshots you submit are processed to find what’s on your list and then deleted — we don’t keep your media or your scan results, we don’t identify anyone in it, and we don’t use it to train AI. The rest of this policy is the detail behind that sentence.
2. What we process, and why
2a. The content you submit for scanning
When you scan something, that content is sent to our AI provider (Google) to find what’s on your list, and the source content is then deleted (see sections 4 and 5). Depending on how you scan:
- Video or image upload — the file is briefly placed in cloud storage, scanned, and deleted.
- YouTube link — Google fetches the video directly from YouTube to scan it; the file never passes through our storage, and we don’t keep the link after the scan.
- “Screen ahead” in the extension — the extension takes screenshots of the page you are already viewing, scans them, and discards them. Screenshots are held in memory only and are never written to disk, databases, logs, or anywhere else.
Why: to provide the scanning service you requested. For uploads and links this is processing necessary to perform our contract with you (GDPR Art. 6(1)(b)). For the extension’s on-page screenshots it is our legitimate interest in providing the accessibility feature you initiated (Art. 6(1)(f)); see section 6.
2b. People who appear in your content
Your media or screenshots may incidentally contain other people. We do not identify them, build profiles of them, or extract any face data — see section 8. Their images pass through processing transiently and are deleted with the rest of the content. We rely on legitimate interest for this incidental processing and have documented that assessment (section 6); because individually notifying every person who might appear in submitted content is impossible, this policy serves as that notice (GDPR Art. 14).
2c. Your list of phobias
The phobias you add to your list tell us what to look for. Because a list of your phobias can reveal health-related information about you, we only store it if you choose to — by ticking “Remember my list” — which is your explicit consent to keep that special-category data (GDPR Art. 9(2)(a)). If you leave that unticked, your list is used only for the scans in that session and is not saved. You can turn saving off, and delete your saved list, at any time in Settings (section 9).
2d. Account, payment, and usage data
- Account data (email, Google sign-in identifier, display name) — to create and operate your account (contract).
- Payment metadata (amount, product, country, transaction ID — never card details, which Paddle handles) — to take payment, issue receipts, and meet tax/accounting duties (contract and legal obligation).
- Scan billing metadata (timestamp, scan type, the AI model used, and the credit cost) — to bill the correct credits and operate your account (contract). We do not store the content or links you submitted, the results (labels and timecodes), or which phobia a given scan was run for — those are session-only (see sections 3 and 4). Saving your phobia list across sessions is a separate, optional choice you control (section 2c).
- Content-rights confirmation (the confirmation you give at upload that you have the right to scan the content, with timestamp and version) — to maintain a record of lawful-use attestations (legitimate interest); kept 3 years.
- Technical data (IP address, browser/user-agent, error diagnostics) — for rate-limiting, abuse prevention, security, and fixing faults (legitimate interest).
3. What we do NOT collect or keep
- We do not keep your uploaded videos, images, video frames, or screenshots after a scan completes (section 4).
- We do not keep a history of your scans. The content you scan, the results we return (labels and timecodes), and which phobia each scan was run for are session-only — shown to you and then discarded — and we never build a profile of your triggers or a log of what you have scanned. The only scan record we keep is the billing line (how many credits a scan cost), with no phobia, links, or results attached. (Saving your phobia list for next time is the separate, optional choice in section 2c.)
- We do not perform facial recognition, extract or store face geometry, identify individuals, or create biometric templates or profiles (section 8).
- We do not record your browsing history or the content of pages you don’t submit for scanning. The extension only acts when you click to scan.
- We do not use your content to train AI models, and our AI provider does not use paid-tier content to train its general models (section 5).
- We do not sell your data or use it for advertising.
- We never write your media, frames, or screenshots to error logs, analytics, or support tools.
4. Deletion of submitted content
Uploaded videos and images are deleted from our cloud storage immediately after the scan that uses them completes. As a safety net, storage is also configured to automatically purge any file within 24 hours regardless. Extension screenshots are never stored at all — they exist only in memory during the scan and are released as soon as results return. YouTube links are scanned by Google directly from YouTube, so no video file ever reaches our storage. After a scan, the results (labels and timecodes) are not stored — they are shown to you live and then discarded, and we keep no log of what you scanned or which phobia each scan was for, so there is no scan history. What remains is only the billing record described in section 2d (credit cost, time, scan type, and AI model — with no phobia, links, or results attached). Your phobia list itself is saved only if you turn on “Remember my list” (section 2c).
5. Our AI and infrastructure providers (sub-processors)
We use a small set of service providers to run Nevala. The ones that may handle the content you submit are named below; we have data-processing agreements with each.
- Google — Vertex AI (Gemini): finds what’s on your list in submitted content. Receives your submitted video/image/screenshot content, transiently, for classification.
- Google — Cloud Storage: briefly holds uploaded files during a scan, deleted immediately after (section 4).
- Google — YouTube Data API: checks a YouTube link before scanning (length, availability). Receives the link only — no media file.
- Paddle: processes payments and handles tax as merchant of record. Receives payment and billing details — no scan content.
- Supabase: database, sign-in, and account storage. Receives account data, scan metadata, and results — no source media.
- Vercel: hosts the website and provides privacy-friendly performance metrics. Receives standard technical request data — no scan content.
- Sentry: diagnoses errors. Receives technical error diagnostics — never your media, frames, or screenshots.
Google’s handling of submitted content
We use Google’s paid Vertex AI service. Under Google’s terms, content sent through this paid service is not used to train Google’s general AI models. Google’s automated systems screen requests for policy violations; if a request is flagged, Google may retain it — including the image or video content — for up to 90 days so that authorized Google staff can review it for policy enforcement only, after which it is deleted. Requests that are not flagged are not retained for this purpose. We have disabled Google’s short-term processing cache, and we never store your media ourselves beyond the scan itself (section 4).
6. Legal bases (GDPR), in brief
- Performing our contract (Art. 6(1)(b)) — running uploaded and linked scans, operating your account, taking payment.
- Legitimate interest (Art. 6(1)(f)) — the extension’s on-page screenshot scans you initiate; incidental processing of people who appear in submitted content; rate-limiting, security, and abuse prevention; keeping content-rights attestations. We have weighed these against your and others’ interests and documented the assessment.
- Explicit consent (Art. 9(2)(a)) — storing your saved list of phobias, which is health-related. Withdrawable at any time.
- Legal obligation (Art. 6(1)(c)) — retaining payment and tax records.
A note on public content. Some content you scan may be public; some (private posts, logged-in pages) may not be. We do not rely on “it’s public” as our basis. Our basis is that you chose to scan content available to you, we process it transiently, and we delete it.
7. How long we keep things
- Uploaded videos and images: deleted immediately after scanning; 24-hour automatic purge as a backstop.
- Screenshots (extension): never stored — memory-only during the scan.
- Scan history (what you scanned, the results, and which phobia each scan was for): not kept — session-only, discarded as soon as your results are shown to you.
- Scan billing records (credit cost, time, scan type, AI model — no results, phobia, or links): kept while your account is active for billing and refunds; deleted when you delete your account.
- Your list of phobias: stored only if you tick “Remember my list”; then kept until you turn that off or delete your account.
- Account data: until you delete your account.
- Content-rights attestations: 3 years.
- Payment records: retained as required for tax and accounting (up to 7 years).
8. No facial recognition, no biometrics, no identification
Nevala does not perform facial recognition, does not extract or store face geometry, does not identify individuals, and does not create biometric templates or profiles.
We ask our AI provider only to report which of the categories on your list appear and when. We never ask it to identify who anyone is, and we never request or store face data of any kind.
9. Your rights
You can ask us to access, correct, delete, export, or restrict your personal data, and to object to processing based on legitimate interest. Where we rely on your consent (your saved list of phobias), you can withdraw it at any time — turn off “Remember my list” in Settings to stop saving and delete what’s stored — without affecting prior processing. To exercise any of these, email us (section 13); we respond within 30 days. You also have the right to complain to a data-protection supervisory authority in your country.
10. International transfers
Our providers process data in the United States and the European Union. Where data leaves your region, transfers are covered by appropriate safeguards — the EU-US Data Privacy Framework and/or Standard Contractual Clauses — through our agreements with those providers (including Google’s Data Processing Addendum).
11. Content you don’t have the rights to
Only scan content you have the right to scan — content you created, have permission to use, may use for your own accessibility under fair use, or that is in the public domain. Don’t submit other people’s private or protected content. You confirm this each time you upload.
12. Cookies, children, security, and changes
- Cookies: only strictly-necessary ones (session, sign-in). No advertising cookies; no third-party trackers beyond Vercel’s privacy-friendly performance metrics.
- Children: Nevala is not directed at children under 16, and we don’t knowingly collect their data. If we learn of such an account, we delete it.
- Security: encryption in transit (HTTPS/TLS) and at rest. No system is perfectly secure, and we can’t guarantee absolute security.
- Changes: we may update this policy and will give at least 30 days’ notice of material changes by email or in-service notice.
13. Contact
Privacy questions and data-rights requests: privacy@nevala.app. You can also reach general support at support@nevala.app.