Privacy Policy
Last updated: April 22, 2026 · Version 1.1
We don't collect your data
This is the core principle of Nabbit: we have no way of knowing who you are, what you save, or how you use the app — because that information never reaches us.
What is stored on your device
Nabbit stores the following locally within the iOS sandbox on your device:
- Your saved items (text, type, date, category) in a SQLite database
- A JSON copy of your items for Siri integration, in the App Group container
- A temporary file used by the Share Extension during import
- Your preferences (onboarding status, language setting)
These files are encrypted by iOS when your device is locked (hardware encryption). No raw data leaves your device as part of core functionality.
Data that leaves your device
There are three situations in which data may leave your device. All three either require an explicit action from you, or occur transparently as a necessary part of a feature you actively use.
A) AI title summarization and Today analysis (Claude)
When you save text that Nabbit cannot categorize automatically via pattern matching, a sanitized text snippet (max 4,000 characters) is sent to our Cloudflare Worker proxy, which forwards it to Anthropic (Claude Haiku). The same flow powers the daily summary in the Today tab.
- What is filtered out: Card numbers, national ID numbers, passwords, PIN codes, BankID numbers, and CVV codes — stripped on your device and again in the proxy before any API call is made.
- Retention: Nothing is stored. The Worker logs no request bodies. Anthropic processes data under a zero-retention API agreement and acts as a data processor.
- Authentication: Requests are protected by a secret token header and rate-limited to 30 requests per 60 seconds per IP.
B) Nabbit Cards (shared links)
If you actively choose to share an item as a Nabbit Card (a public link at getnabbit.app/kort/), the item text, type, and structured metadata are sent to our Cloudflare Workers service and stored temporarily in a D1 database.
- End-to-end encryption: Sensitive fields (such as passwords) are encrypted on your device before being sent to the server. The decryption key is embedded in the shared URL and never stored on or accessible by our servers.
- No sender info: No user ID, device identifier, or IP address is linked to the card.
- Automatic deletion: Cards are automatically deleted after 30 days.
- Sanitization: Item text is sanitized before storage. Structured metadata is encrypted client-side for sensitive fields.
- Opt-in only: Nothing is shared unless you explicitly tap "Share as Card".
C) Support form
If you submit a message via the support form at getnabbit.app, it is forwarded via Web3Forms to support@getnabbit.app. No information is sent unless you actively fill in and submit the form.
What we do not collect
Nabbit contains none of the following:
- Analytics (no Firebase, Amplitude, Mixpanel, PostHog, or similar)
- Crash reporting (no Sentry, Bugsnag, or similar)
- Ad networks, third-party cookies, or device fingerprinting
- IDFA, device identifiers, or persistent IP logging
- Accounts — we never collect your email address, name, or password
- Location data (exception: the "Open in Maps" feature sends a location directly from your device to Apple Maps — no location data reaches Nabbit)
- Calendar data — Nabbit can optionally create events in your calendar when you tap "Add to Calendar". This uses Apple's EventKit framework. The event is created directly on your device. No calendar data is read, synced, or sent anywhere by Nabbit.
Third-party services
- Anthropic (Claude Haiku) — Title summarization, Today analysis. Data sent: sanitized text snippet, no identifiers.
- Cloudflare Workers / D1 — AI proxy, Nabbit Cards, website, email routing. See sections above.
- Apple (App Store, Siri, App Intents) — Distribution, voice control, on-device embeddings. Handled within iOS — no data reaches Nabbit.
- Web3Forms — Contact form on the website. Only the fields you submit.
- RevenueCat — Subscription management. Only Apple's anonymous purchase token is shared. No personal data is collected.
Your rights
Because almost all data lives locally on your device, you have full control at all times.
Access and export
All your data is on your device. You can export your items at any time directly in the app via Settings → Export Data.
Deletion
You can delete individual items within the app. Uninstalling the app permanently deletes all data. We hold no copies (with the exception of active Nabbit Cards, which auto-delete within 30 days).
Portability
The in-app export function gives you your data in a machine-readable format, satisfying the right to data portability under GDPR and equivalent laws.
EU / UK users (GDPR & UK GDPR)
You have the right to access, rectify, erase, restrict processing of, and object to processing of your personal data. Given that we hold virtually no personal data about you, most of these rights are exercised directly on your device. For any requests or questions, contact us at support@getnabbit.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. For EU users, you may use the EU Online Dispute Resolution platform at ec.europa.eu/consumers/odr.
California residents (CCPA / CPRA)
We do not sell or share personal information for cross-context behavioral advertising. You have the right to know what personal information is collected, to request deletion, and to opt out of sale (not applicable here). To exercise your rights, contact support@getnabbit.app.
Children
Nabbit is not directed at children under the age of 13 (or under 16 where required by local law). We do not knowingly collect personal information from children. If you believe a child has submitted information via the support form, please contact us and we will delete it promptly.
Security
- All on-device data is protected by the iOS sandbox and hardware encryption
- All network requests use HTTPS / TLS
- The Anthropic API key is never bundled in the app — it is stored as a Cloudflare Worker Secret
- Sanitization filters (client- and server-side) remove card numbers, national IDs, passwords, PINs, BankID numbers, and CVV codes before any external call
Changes to this policy
If we make material changes, we will notify you via an in-app message at the next app update. The date of the latest revision is always shown at the top of this page. Continued use of the app after a change constitutes acceptance of the updated policy.
Contact & Data Controller
The data controller responsible for the processing of your personal data under the GDPR is:
- Dion Appelbom
- Sturegatan 25, 172 31 Sundbyberg, Sweden
- Email: support@getnabbit.app
- Web: getnabbit.app
We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.