Privacy policy
We collect as little as possible, keep it private, and let you take it with you or delete it whenever you want.
Last updated: July 2026
The short version
- Your email is never public. We use it for sign-in, security, and essential account notifications.
- We never store your exact address. City and country are optional and you can hide them.
- No behavioural advertising or selling data. Essential hosting, authentication, and security logs are still processed to operate Narumelo.
- Request a copy of your data. Use the profile export control where available, or contact privacy@narumelo.com while the full production export workflow is being completed.
- Request account deletion anytime. Personal account data is scheduled for deletion within 30 days; some circle messages may remain under “Former member” to preserve conversation context.
1. What we collect
Account information: your email address, display name, username, and (optionally) a bio, city, country, age range, and avatar image.
Google sign-in information: if you choose Continue with Google, Google and Supabase provide the basic profile information required for sign-in, such as your email address, name, and profile image. Narumelo does not request access to your Gmail, contacts, files, or other Google services.
What you create: circle messages, direct messages, prompt responses, reactions, circle house rules, reports, membership requests, and connections.
Technical and security data: our hosting and authentication providers may process request paths, timestamps, IP addresses, browser or device information, status codes, and security events to deliver and protect the service. We do not currently use third-party behavioural analytics, advertising pixels, or device fingerprinting.
What we never collect: your exact home or street address, your phone number (unless you choose to add it to your private account recovery later), your precise location, or your contacts list.
2. How we use your information
We use your data only to:
- Operate your account and sign you in securely.
- Match you to circles and people based on your stated interests and preferences.
- Deliver circle messages, direct messages, and notifications.
- Deliver relevant in-app announcements, which may be targeted by account plan, circle membership, or account status.
- Investigate reports and keep the community safe.
- Send you essential account emails (password reset, security notices). We don’t send marketing emails.
3. What other users can see
The following fields are visible to other members on your public profile:
- Display name, username, avatar, bio
- City and country (only if you haven’t hidden them)
- Age range (optional)
- Interests, introvert type, reply style, social battery
Never public: your email, password, exact address, reports you’ve filed, people you’ve blocked, or any administrative information.
4. Service providers
We use a small number of service providers to operate Narumelo:
- Supabase provides authentication, PostgreSQL database hosting, private avatar storage, and realtime updates.
- Google provides optional Google sign-in when you choose that method.
- Vercel hosts and delivers the website and processes limited request and runtime logs.
These providers process information on our behalf under their own security and privacy terms. Data may be processed in countries other than your own. We will update this policy before adding a payment, marketing-email, or behavioural-analytics provider.
5. Access controls and moderation
In production, Narumelo runs on Supabase PostgreSQL with Row Level Security (RLS) enabled on every table. This means the database helps enforce who can read or write each type of information. For example:
- Circle messages are ordinarily readable by approved members of that circle.
- Direct messages are only visible to the two accepted participants.
- Reports are visible to the reporter and authorised administrators.
- Blocked users cannot message each other.
- Only you can edit your own profile.
Authorised administrators may access circle content, reports, account status, and limited surrounding context when needed for moderation, safety investigations, abuse prevention, or service support. Direct messages are not available for casual administrator browsing.
6. Data retention
We keep your data for as long as your account is active. If you request account deletion, we schedule your profile, connections, memberships, preferences, private account information, and eligible content for deletion within 30 days. Limited security, moderation, transaction, or audit records may be retained where reasonably necessary or legally required.
If you leave a circle, your messages in that circle remain visible to its members (so conversations make sense), but your name shows as “former member” and you lose access. You can request full deletion of your circle messages by contacting a moderator.
7. Your rights
You have the right to:
- Access your data — use “My profile → Your data” where available, or request a copy at privacy@narumelo.com.
- Correct your data — edit any field on your profile anytime.
- Delete your account — request deletion from “Your data” or email privacy@narumelo.com if the in-app control is unavailable.
- Pause — hush notifications, pause matching, or take a quiet break.
- Object — report any processing you’re uncomfortable with.
If you’re in the EU, UK, or California, you have additional statutory rights under the GDPR and CCPA. To exercise them, use the in-app tools first; if you need help, contact privacy@narumelo.com.
8. Security
Supabase Auth handles password and Google sign-in sessions. Narumelo uses server-managed session cookies, Row Level Security, private storage with expiring avatar links, server-side authorisation, and input validation. Avatar uploads are restricted to supported image types, re-encoded to strip embedded metadata, and capped at 4MB. Server-only Supabase credentials are never included in public frontend code, and sensitive actions have abuse-prevention limits.
No system is perfectly secure. If you believe you’ve found a vulnerability, please report it responsibly to security@narumelo.com and we’ll respond within 72 hours.
9. Children
Narumelo is for adults 18 and older. We do not knowingly collect data from minors. If we learn an account belongs to someone under 18, we delete it immediately.
10. Changes to this policy
We’ll update the “last updated” date above whenever we change this policy in a material way. We’ll never silently weaken your privacy — if we did, that would defeat the whole point.