Legal
Privacy Policy
Last updated 2 July 2026
Nooklet (“we”) is the data controller for the personal data described here. This policy explains what we collect, why, who processes it, and the rights you have over it. Questions any time: support@nooklets.com.
What we collect
- Account data: your email address (sign-in and service emails), password (stored only as a hash by our authentication provider), username, display name, and the optional bio and profile photo you add.
- Content you create: reviews and ratings, comments, lists and notes, likes, reposts, follows, and any reports you file about content.
- Waitlist: if you joined the pre-launch waitlist, your email address and the site it was entered on.
- Technical data: your IP address and basic request data, used for security, abuse-prevention limits and error diagnosis; anonymous, cookieless page-view analytics (no advertising, no cross-site tracking, no profile built about you); and error reports that may include your IP and browser details when something breaks.
We don't collect more than this, and we don't buy data about you from anyone.
What's public
Nooklet is a social review platform: your profile (username, display name, bio, photo), reviews, comments and public lists are visible to anyone, including visitors without an account. Private lists stay private to you. Your email address is never public.
How we use your data
- To run the service: your account, your Nook, the feed, search and notifications.
- To personalise: recommendations are computed from your own reviews and follows.
- To keep Nooklet safe: sign-in protection, rate limiting, bot checks, and handling reports and moderation.
- To communicate: transactional email only, such as confirmation, password reset, and (for the waitlist) a note when Nooklet opens. No marketing lists.
Legal bases (GDPR)
Where the GDPR applies, we process your data: to provide the service you signed up for (contract: account, content, emails); for our legitimate interests in keeping the service secure, preventing abuse, fixing errors and understanding aggregate usage (security logs, rate limiting, error monitoring, cookieless analytics); and with your consent where required, which you can withdraw.
Who processes your data
We use a small set of providers to run Nooklet, each processing data on our behalf:
- Supabase: database, authentication and file storage; hosted in Sydney, Australia.
- Vercel: application hosting, content delivery, and cookieless analytics.
- Sentry: error monitoring.
- Upstash: short-lived counters for rate limiting.
- Cloudflare Turnstile: bot protection on sign-up, sign-in and password reset; Cloudflare may process technical signals from your browser to tell humans from bots.
- Resend: sending transactional email.
Item information (titles, artwork, descriptions) is supplied by TMDB, IGDB, MusicBrainz, the Cover Art Archive and Google Books. When artwork loads, your browser fetches images directly from those services, which see your IP address like any image host would.
International transfers
Your account data lives in Australia (Sydney). Some providers above (for example hosting, analytics, error monitoring and email) process limited technical data in other countries, including the United States, under their standard data-protection safeguards such as the EU Standard Contractual Clauses.
How long we keep things
- Account and content: until you delete them or your account.
- Rate-limit counters: expire automatically within minutes to hours.
- Error reports and security logs: kept for around 90 days.
- Waitlist emails: until we've invited the list at launch, or sooner on request.
- Moderation records: reports may be kept after the reported content is removed, for as long as needed to keep the service safe and meet legal obligations.
- Backups: deleted data can persist in encrypted backups for a short period before those backups age out.
Your rights and controls
Built into the product: edit your profile in settings, export your data as a file, and delete your account, which permanently removes your profile and content. Under the GDPR (and similar laws) you also have rights to access, rectification, erasure, restriction, portability and objection: email support@nooklets.com and we'll respond within a month. You can also complain to your data-protection authority, in Australia the OAIC, or your local authority in the EU/UK.
Cookies
We use only the essential cookies that keep you signed in. Our analytics are cookieless, so there's no tracking-cookie consent banner; there's nothing to consent to.
Children
Nooklet isn't intended for anyone under 13, or under the minimum age of digital consent where you live. If you believe a child is using Nooklet, contact us and we'll remove the account.
Changes
We may update this policy as the service evolves; we'll update the date above, and flag material changes on the site.
Contact
Privacy questions or requests: support@nooklets.com.