Nenapu ("we", "us") operates the Nenapu app and nenapu.ai, and is the data fiduciary (India), data controller (EU/UK) and "business" (California) for the personal data described here. Contact: hello@nenapu.ai.
We do not collect precise location, contacts, browsing history, or advertising identifiers. The nenapu.ai website sets no analytics or advertising cookies.
| What we do | Why (legal basis) |
|---|---|
| Host, process and deliver your recordings and photos to the people you've authorised | Performing our contract with you (GDPR Art. 6(1)(b)); the explicit consent of the people recorded (Art. 9(2)(a)); consent (India DPDP Act) |
| Create and manage accounts, invitations and access levels | Performing our contract; consent |
| Send service emails — invitations, important account and policy notices | Performing our contract; legitimate interest |
| Scan content with automated tools (including AI) for illegal or prohibited material | Legitimate interest in a safe service (Art. 6(1)(f)); legal obligation where the law requires detection or reporting (e.g. child sexual abuse material) |
| Keep security logs, prevent abuse, debug problems | Legitimate interest in a secure, working service |
| Respond to lawful requests from courts or authorities | Legal obligation (Art. 6(1)(c)) |
Life-story recordings are deeply personal — they can touch on health, faith, and family history, and they carry a person's face and voice. We treat all of it as sensitive data: it is processed only with the explicit consent of the people recorded, given when they agree to record for a Memory Library, and everyone who appears in a recording has the same rights over their data as the account holder (section 8).
We do not use your family's recordings to train AI models, to advertise, or for any purpose beyond operating the service, without asking you first.
We share personal data only with the service providers Nenapu is built on, each acting under our instructions to run the service:
Beyond that, we disclose data only: with your direction (people you invite see what you share with them); if required by law — a subpoena, court order or lawful government request; to prevent serious harm; or, if Nenapu is ever acquired or merged, to a successor bound by this policy (we would notify you first). We never sell personal data, and we never share it for advertising. In the words of the CCPA: we do not "sell" or "share" personal information, and we haven't in the past 12 months.
Our application servers are currently in India. Our media and delivery providers operate globally, so recordings and technical data may be processed in other countries, including the United States. Where GDPR or UK GDPR applies to a transfer, we rely on appropriate safeguards such as our providers' Standard Contractual Clauses. India's DPDP Act permits such transfers to countries not barred by the Indian government.
Data is encrypted in transit (TLS) everywhere, and recordings and photos are served through signed links that expire. Video and audio recordings are stored with a media provider that encrypts them at rest; other data — photos, questions, account details — lives on access-restricted servers in India. Access to production systems is restricted to those who operate the service, passwords are stored hashed, and backups are encrypted with a key held offline before they touch disk. No internet service can promise perfect security, but if a breach ever affects your data we will notify you and the relevant authorities as the law requires — including the 72-hour GDPR window and the Indian Data Protection Board and CERT-In requirements.
These apply to everyone, everywhere — we don't make you prove your jurisdiction first. Email hello@nenapu.ai and we'll respond within 30 days:
You have the rights above plus the right to nominate someone to exercise your rights if you die or are incapacitated — for a memory service, we consider that important, and the commissioner model in our Terms reflects it. Grievances go to our Grievance Officer at hello@nenapu.ai (subject line "Grievance"); if unresolved, you may approach the Data Protection Board of India.
The rights above are your Articles 15–21 rights. You may also lodge a complaint with your local supervisory authority. Where we rely on legitimate interest, we've balanced it against your rights, and you can ask us about that assessment.
You have the rights to know, delete, correct and port, described above. There is nothing to opt out of: we do not sell or share personal information, and we do not use sensitive personal information beyond providing the service you asked for. You can appoint an authorised agent to act for you.
Nenapu accounts are for adults (18+). Families sometimes record children as part of a Memory Library — for example a grandchild asking a question. Where a child appears, we rely on the commissioner's confirmation that the child's parent or guardian has agreed, and a parent or guardian can ask us to remove a child's appearance at any time. We never profile children — or anyone — for advertising, and we show no ads. We don't knowingly collect data directly from children; if you believe a child has created an account, tell us and we'll remove it.
Our automated content scanning (described in the Terms) can flag content for human review, and in clear-cut cases restrict it automatically. No decision with legal or similarly significant effect is made about you without a human able to review it — you can always contest a moderation action at hello@nenapu.ai.
We'll update this policy as the service grows. Material changes will be announced in the app or by email before they take effect, with the version and date updated at the top of this page.
Privacy questions, rights requests, grievances: hello@nenapu.ai.