Nod, Privacy Policy
Curate-Me AI, Inc. ("Curate-Me", "we", "our", or "us") operates Nod, an iPhone app that captures family logistics (forwarded emails, photos, voice notes, typed notes), turns them into structured proposals you review, and, only after you approve, writes events to your own device calendar. Curate-Me AI, Inc. is the data controller for the personal data processed through Nod. This policy explains what we collect, how we process it, what we deliberately do not do, and your rights.
1. Introduction
Nod is a thin capture-and-approve app. You forward an email, snap a photo, speak a note, or type a few words; the Curate-Me platform extracts a structured proposal (a title, a resolved date and time, who it concerns); you review and approve it; and the app writes the result to your device calendar. The app never changes your calendar or takes a side-effecting action on its own, nothing is written until you approve.
By using Nod you consent to the data practices described in this policy. If you do not agree, please do not use the app.
2. What We Collect and How
We collect only what is needed to turn your captures into calendar proposals and to run your account.
Account identity (Sign in with Apple)
Signing in with Apple is the only way to sign in. We receive the identifier Apple provides and (if you choose to share it) your name and a relay or real email address. After verifying your Apple identity, the platform issues your account a per-member API key the app uses to act on your behalf.
Forwarded-email captures
You are given a forwarding address. When you forward an email to it, its content is processed into a proposal. We receive only the messages you choose to forward. We never connect to, or read, your email inbox , there is no inbox sync, no mailbox scanning, and no background reading of your mail.
Photos and images you import
When you pick a photo, screenshot, or flyer to import, that image is used to extract a proposal. We process only the specific images you choose to import.
Voice notes (transcribed on your device)
When you capture by voice, the audio is transcribed on your device. Only the text transcript leaves your device, the audio recording never leaves your device and is never sent to us or to any provider. You always see the editable transcript before anything is acted on.
Typed text, event details, and family members
The notes you type, and the details a capture contains, titles, dates and times, locations, who an item concerns, are processed into proposals, along with the names and per-member details you enter for the people in your family. The resolved absolute date and time is always shown to you on a proposal before you approve.
Push notification device token
If you allow notifications, we register your device's push token to deliver approval prompts and reminders.
Optional, content-free usage analytics
Only if you turn it on, the app sends a small amount of anonymous, content-free product-usage data. This is off by default and described in Section 7.
3. What We Do Not Do
These are deliberate design choices, not just promises:
- We never read your email inbox. Ingestion is only via the forwarding address, the messages you choose to forward. No mailbox connection, no background scan.
- Your voice audio never leaves your device. Voice is transcribed on-device; only the text transcript is sent.
- Our analytics never contain your content. If you opt in, the data is content-free: no message, email, photo, or capture content; no names, event titles, or dates/times; no audio.
- We do not track you across other apps or websites. We do not use the iOS advertising identifier (IDFA) and run no advertising or attribution SDKs.
- We do not sell your personal information and do not use it for advertising.
- We do not use your family's data to train AI models. Our providers are contractually bound not to train on this data under their Data Processing Agreements (DPAs). Separately, the platform routes every AI call through a governance gateway that applies access control, PII scanning, and policy enforcement, but the no-train guarantee itself is the contractual DPA commitment, not a gateway setting.
4. Service Providers (Processors) We Use
| Provider | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI extraction of your captures into structured proposals, accessed only through the Curate-Me governance gateway. Contractually bound not to train on this data under its Data Processing Agreement (DPA); calls are routed through the governance gateway, which applies access control, PII scanning, and policy enforcement. | US / EU (configurable) |
| PostHog | Optional, content-free product-usage analytics, only if you opt in. Contractually bound not to train any model on this data under its DPA. | European Union (PostHog EU Cloud, eu.i.posthog.com) |
| Apple (Maps & WeatherKit) | When an event has a place, the place text is sent to Apple Maps to resolve its location, and that location and the event time may be sent to Apple's WeatherKit to show a forecast. No device location is collected. Governed by Apple's own privacy terms. | Apple, Inc. |
Place and weather lookups. When an event has a place, the app sends the place text (for example, "Riverside Field") to Apple Maps to resolve its location, and may send that location and the event time to Apple's WeatherKit to show a forecast. These go to Apple, not to us and not to the AI provider. The app never requests or collects your device's GPS location.
Your captures are also processed by the underlying Curate-Me platform infrastructure (hosting, database, transactional email) under the same DPA terms; see the Curate-Me sub-processor list for the complete inventory.
5. How Your Captures Become Proposals
When you submit a capture (a forwarded email, an imported image, a voice transcript, or typed text), the content is sent to the Curate-Me platform, which uses an AI provider, currently Anthropic's Claude models, accessed through the Curate-Me gateway, to extract a structured proposal: a title, a resolved absolute date and time, who it concerns, and a confidence cue.
- The AI provider receives the capture content it needs to read to extract the proposal. It is contractually bound not to train on this content under its Data Processing Agreement (DPA), that DPA is what the no-train guarantee rests on. Separately, the call is routed through the Curate-Me governance gateway, which applies access control, PII scanning, and policy enforcement.
- Nothing is written to your calendar from this step. Extraction only produces a proposal you review. The world changes only when you approve.
- The platform (not your device) is the system of record for your captures, proposals, and the record of your approvals.
No solely-automated decisions about you (GDPR Article 22). The AI extraction produces a proposal that you review and approve, a human (you) is always in the loop. We do not make decisions that produce legal effects concerning you, or similarly significantly affect you, based solely on automated processing.
6. Legal Basis for Processing
Where data-protection law (such as the EU/UK GDPR) requires us to identify a lawful basis for processing your personal data, we rely on the following bases, by purpose:
- Your consent. We rely on your consent for AI processing of your captures (the per-feature, first-use consent described in Section 10) and for the optional usage analytics (Section 7). You can withdraw your consent at any time in Settings (see Section 10); withdrawal does not affect the lawfulness of processing carried out before you withdrew.
- Performance of a contract / providing the service you requested. We process your data to operate your account and to run the core capture → propose → approve flow you asked us to perform, for example, turning a capture you submit into a proposal and recording your approval.
- Legitimate interests. We process limited data for security, abuse-prevention, and reliability of the service (for example, protecting accounts, preventing misuse, and keeping the service working), where this is not overridden by your interests or fundamental rights.
7. Anonymous Usage Analytics (Optional, Off by Default)
If you turn on "Anonymous usage data" in Settings, Family Manager sends a small amount of anonymous, content-free product-usage data to PostHog, our analytics processor, hosted in the European Union (PostHog EU Cloud, eu.i.posthog.com). This data is limited to product-event names, coarse counts, and fixed labels, for example, that an approval was confirmed, which onboarding step finished, how many items a list had, or how long a screen took to respond.
It never includes the content of your family's information: no message, email, photo, or capture content; no names, event titles, or dates/times; no audio (voice is transcribed on your device and the audio never leaves it); and we never read your inbox. The data is tied only to an opaque within-app identifier that is not your name, email, or account , it is not used to track you across other apps or websites, and we do not use the iOS advertising identifier (IDFA). Our analytics processor is contractually bound not to train any model on this data.
Usage analytics is opt-in: it stays off until you turn it on, and you can turn it off at any time in Settings (turning it off stops collection immediately). Turning on usage analytics does not turn on session replay , masked screen replay is a separate, more limited opt-in that is off by default and, when on, records masked wireframes only (all text, inputs, and images are masked; never a raw screenshot).
8. Calendar Access (On Your Device)
When you approve a proposal, Nod writes the event to your device calendar using Apple's EventKit, with your permission. The calendar on your device is the canonical copy of approved events; after writing, the app reads the event back to confirm it was written, so a "done" state always reflects a real event, never an unverified claim. You grant calendar access on-device and can change it in iOS Settings at any time.
9. Data Retention
| Data | Retention |
|---|---|
| Account identity (Apple sign-in identifier, forwarding address) | Life of your account; deleted on account deletion |
| Captures, proposals, and approval records (system of record) | Life of your account; deleted on account deletion |
| Voice audio | Not retained, never leaves your device |
| Email inbox contents | Not collected, we only receive what you forward |
| Approved calendar events | Stored on your device in your calendar; controlled by you |
| Optional usage analytics (if opted in) | Content-free product events held by PostHog (EU); stops immediately when you opt out |
You may request earlier deletion at any time (see Section 11), subject to any retention required by law.
10. Consent and Revocation
Nod asks for consent per feature, at first use, and every consent is revocable in Settings:
- AI processing of your captures. Before a capture is first processed by the AI provider, you are asked for explicit, per-feature consent. The provider(s) are named to you, and you can revoke this consent in Settings.
- Proactive assistance. A separate, off-by-default consent. When you turn it on, Nod watches for things like schedule conflicts and upcoming deadlines and drafts suggestions for you, using Anthropic. It only ever proposes, nothing is added to your calendar until you approve it. It stays off until you turn it on, and you can turn it off at any time.
- Contributing anonymized learning patterns. A separate, off-by-default consent. When you turn it on, Nod shares anonymized patterns from the documents you forward, the shape of a form or how you corrected a draft, to help Anthropic get the drafts right for other families. It never shares your events, names, or values, and a pattern is only used once many families share the same template. It stays off until you turn it on, and you can turn it off at any time.
- Usage analytics. A separate, explicit, deny-by-default opt-in (Section 7), revocable at any time. Revoking stops collection immediately. Granting analytics never grants session replay; turning analytics off also turns replay off.
- Calendar, notifications, photos, microphone. Standard iOS permissions you grant and can change in iOS Settings at any time.
Analytics and AI consent are independent, and analytics is never a gate, a capture or approval is never blocked on it.
11. Your Rights & Account Deletion
Depending on where you live, you may have the right to access, correct, delete, export, or restrict the processing of your personal data, to object to certain processing, and to withdraw consent. To exercise any of these, contact privacy@curate-me.ai.
Right to lodge a complaint. If you are in the EEA, the UK, or another region with a data-protection authority, you have the right to lodge a complaint with your local data-protection supervisory authority. We would, of course, appreciate the chance to address your concern first, please contact us at privacy@curate-me.ai.
In-app account deletion. You can delete your account from within the app. Deleting your account:
- deletes the personal data associated with your account (your captures, proposals, and approval records held by the platform),
- revokes your per-member API key so the app can no longer act on your behalf, and
- revokes the Apple sign-in token for the app.
Approved events already written to your device calendar remain in your calendar and are under your control. Deletion is irreversible.
12. Children's Privacy
Nod is an organizer for an adult parent or guardian (the account holder must be 18 or older). It is not directed to children, is not offered in the Kids Category, and we do not knowingly collect personal information directly from children. A parent may enter information about their own children (such as a child's name and schedule) in the course of organizing the family; that information is treated as the account holder's family data under this policy. If you believe a child has created an account, contact us and we will take steps to remove it.
13. Data Security
We protect your data with industry-standard measures, including encryption in transit (TLS 1.2+) and at rest, tenant isolation so households cannot access each other's data, and EU-resident analytics. Your voice audio is protected by construction, it never leaves your device. For platform-level security details, see the Security page.
14. International Data Transfers
Curate-Me operates internationally, and some processing of your personal data may occur outside your own country or region. In particular:
- The AI provider (for extraction) may process capture content in the US or EU, depending on configuration.
- Usage analytics is EU-resident with PostHog (PostHog EU Cloud,
eu.i.posthog.com).
Where your personal data is transferred out of the European Economic Area (EEA) or the United Kingdom, we rely on appropriate safeguards for the transfer, such as the EU Standard Contractual Clauses (SCCs) (with the UK Addendum where applicable) and/or the EU-US Data Privacy Framework where applicable.
15. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app or by email. If a change adds or changes a service provider that processes your data, we will reflect it here and in our sub-processor list.
16. Contact Us
Questions about this policy or our data practices, please contact us:
Curate-Me AI, Inc., the data controller for your personal data
Privacy: privacy@curate-me.ai
Data Protection: dpo@curate-me.ai