Authentic Life

NV Privacy Policy

Publisher: Authentic Life LLC, an Arkansas limited liability company ("Authentic Life," "we," "us," or "our") Product: NV, a workplace wellbeing assessment application Effective Date: [to be set on the day of publication] Last Updated: 2026-04-15

1. Introduction

This Privacy Policy describes how Authentic Life LLC collects, uses, shares, and protects information when you use NV through our mobile application, our website, or any other service that links to this policy (together, the "Service"). By creating an account or using the Service, you agree to the practices described here. If you do not agree, do not use the Service.

NV is designed for adults. The Service is not directed to individuals under the age of 18. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us information, contact us at the address in Section 15 and we will remove it.

2. Information We Collect

Information you provide directly. When you create an account we collect your email address, your name, and the password you set. When you take an NV assessment we collect the responses you submit, the time you take to complete each item, and any optional free text you include. When you update your profile we collect the additional fields you enter, such as organization, role, or team.

Information generated by your use of the Service. When you complete an assessment we generate and store your archetype assignment, your persona scores, an impression management indicator, and any longitudinal tracking records that compare your current assessment to prior ones. When you chat with the NV companion we store the messages you send, the responses returned, and timestamps for each exchange.

Device and log information. When you access the Service we automatically collect device identifiers, operating system and version, application version, approximate language and time zone, IP address, and diagnostic information such as crash logs and performance metrics.

Payment information. If you purchase a subscription directly from us, our payment processor collects billing details necessary to complete the transaction. We do not store full card numbers on our systems. If you purchase through the Apple App Store or Google Play Store, the store processes the transaction and we receive only a confirmation token and subscription status.

We do not collect. We do not collect government identifiers, bank account numbers, credit card numbers (beyond what our payment processor handles), health records from third parties, biometric identifiers, precise geolocation, contacts, photos, microphone audio outside of features you explicitly activate, or social graph data.

3. How We Use Information

We use the information we collect to deliver and improve the Service. That includes authenticating your account, generating your assessment results, delivering AI companion responses, sending you service messages, processing payments, debugging and securing the platform, measuring aggregate product performance, and complying with legal obligations.

We do not use your assessment responses, chat messages, or account profile to train third-party AI models, and our third-party AI providers are contractually prohibited from training their foundation models on our customers' inputs and outputs.

We do not sell personal information, and we do not share personal information with third parties for their own advertising purposes.

4. How We Share Information

Service providers that process data on our behalf. We share information with vendors that operate parts of the Service under written contracts that restrict their use of the information to providing services to us. Our current service providers are:

Supabase Inc. (database, authentication, and storage, hosted in the United States), Anthropic PBC (AI model inference for the NV companion), Vercel Inc. (application hosting and edge functions), Stripe Inc. or the Apple App Store or the Google Play Store (payment processing, depending on purchase channel), RevenueCat Inc. (subscription status management for in-app purchases), PostHog Inc. (product analytics and crash reporting), and Resend or an equivalent transactional email provider (account and service email delivery).

We maintain a current list of processors and will provide it on request for enterprise customers.

Your organization, if you use NV through an employer or sponsor. If your account is provisioned through an employer, benefits partner, or other sponsoring organization, we may share aggregated, de-identified metrics with that organization. We do not share your individual responses, your archetype, your chat content, or any data that could identify you with your employer unless you have explicitly consented to that sharing inside the Service.

Legal and safety. We may share information when required by law, when responding to lawful requests from public authorities, to enforce our agreements, to protect our rights or the safety of users, or in connection with a merger, acquisition, or sale of assets, in which case we will post notice before a transfer.

5. Data Retention

We retain your account information and assessment history for as long as your account is active. If you delete your account, we remove your personal information from our active production systems within thirty days. Backup copies expire on a rolling basis and are fully purged within one hundred eighty days. Aggregated, de-identified data that cannot reasonably be linked to you may be retained indefinitely for product research.

If you request that we delete specific items, such as a single conversation, we will do so on request within thirty days.

6. Your Rights

You have the right to access the personal information we hold about you, the right to correct inaccurate information, the right to request deletion, the right to export your data in a portable format, and the right to withdraw consent where we rely on consent as the basis for processing. To exercise any of these rights, email the address in Section 15 or use the in-app controls described in Section 7. We will respond within thirty days, or sooner where required by law.

You may also object to certain processing activities or request that we restrict processing. If we decline a request we will explain why in writing.

7. Account Deletion

You can delete your account and all associated personal data directly inside the NV application. From the Settings screen, select "Delete Account." You will be asked to confirm. Once confirmed, your profile, assessment history, chat history, subscription records, and authentication credentials are removed from our production systems within thirty days. Backups containing deleted data expire within one hundred eighty days.

You may also request account deletion by emailing nicktogle@me.com. Include the email address associated with your account. We will verify your identity and complete the deletion within thirty days.

Deleting your account ends your subscription. If you purchased through the Apple App Store or Google Play Store, you must also cancel the subscription in that store to stop future billing.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit using TLS 1.2 or higher, encryption at rest using AES 256, row-level access controls, unique user credentials, automatic session timeouts, audit logging, and restricted administrative access.

NV is architected to meet SOC 2 Type I criteria and the HIPAA Security Rule. We have not yet completed a SOC 2 Type I attestation and we do not currently hold HIPAA Business Associate Agreements with our downstream processors. If you are an enterprise customer whose contract requires formal attestation or executed Business Associate Agreements, contact us at the address in Section 15 and we will coordinate those documents as part of the contracting process.

No method of transmission or storage is perfectly secure. We cannot guarantee the security of information you transmit to us or that we store, but we work continuously to protect it.

9. Children's Privacy

The Service is not intended for children. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected information from a person under 18 we will delete it. Parents or guardians who believe their child has provided us information should contact us at the address in Section 15.

10. International Users

We operate the Service from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to that transfer. Where required by law, we implement appropriate safeguards, including standard contractual clauses, for international transfers of personal data.

11. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you the following rights with respect to personal information we hold about you.

You have the right to know what categories of personal information we have collected, the sources, the business purposes, and the categories of third parties we have shared it with. You have the right to request deletion of your personal information, subject to exceptions allowed by law. You have the right to correct inaccurate personal information. You have the right to limit the use and disclosure of sensitive personal information. You have the right not to be discriminated against for exercising these rights.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We therefore do not provide a "Do Not Sell or Share" link, but if this practice changes we will update this policy and provide the mechanism required by law.

To exercise your rights, email nicktogle@me.com. We will verify your identity using reasonable methods before fulfilling your request.

12. European and United Kingdom Privacy Rights

If you are in the European Economic Area or the United Kingdom, the General Data Protection Regulation and the UK GDPR give you rights similar to those described above. The legal bases on which we rely are your consent (which you may withdraw at any time), the performance of a contract with you (for account functionality and paid services), and our legitimate interests in operating and securing the Service (where those interests are not overridden by your rights).

You have the right to lodge a complaint with your local data protection authority. A list of authorities is published by the European Data Protection Board and by the UK Information Commissioner's Office.

13. Health Information

NV is a wellbeing assessment and is not a medical device. The Service does not diagnose, treat, cure, or prevent any disease or medical condition. If you work for a covered entity, or if you use the Service as part of a health plan, the information you enter may constitute protected health information under United States law. In that case, we will only process the information under a written Business Associate Agreement with the covered entity. Ask your administrator whether such an agreement is in place, and contact us at the address in Section 15 if you need us to coordinate one.

14. Changes to This Policy

We may update this policy from time to time. When we make a material change we will post the updated policy inside the Service and update the Last Updated date at the top of this document. If a change materially reduces your rights, we will provide prominent notice and, where required, request your renewed consent.

15. Contact Us

If you have questions about this policy or our practices, contact us at:

Authentic Life LLC Attention: Privacy nicktogle@me.com