Noctral is operated from Japan ("Noctral", "we", "us"). Noctral is the controller of the personal information described in this policy. Contact: support@noctralai.com. A mailing address is available on request. This policy explains what we collect, why, who we share it with, and the rights and choices you have. It applies to the Noctral app and the noctralai.com website.
We do not collect your precise location, contacts, photo library (beyond an image you explicitly attach), or advertising identifiers, and we do not use third-party analytics or tracking SDKs.
To generate a conversation, a summary of each participant's twin — only the shareable fields you wrote — is sent to our AI provider (Google, Gemini API). Your email and account identity are never included in prompts. We use the paid API tier under terms that do not permit the provider to use your data to train its models. Content you mark private steers your twin only in abstracted form and is never sent verbatim; every generated conversation must pass an automated redaction and safety check before delivery, and conversations that fail are withheld.
Nightly matching is automated: it proposes candidate pairs using signals such as profile completeness, community membership, purpose, semantic similarity of twin text, and responsiveness. This is profiling in the GDPR sense, but it produces no legal or similarly significant effect — it only proposes a conversation, and connecting always requires both people's explicit choice. You can ask us how matching works or object to a specific outcome at support@noctralai.com.
You control it: your profile appears in full or abstracted (no name) per your setting; each link has its own visibility; anonymous posts hide your identity; a dream counterpart's real identity is revealed only when both people choose to connect; and marking interest in someone is never disclosed to them.
We share personal information only with service providers acting on our instructions to operate Noctral:
Each provider is bound by contractual data-protection obligations. Beyond providers, we disclose information only: to comply with law or valid legal process; to enforce our Terms and protect the rights, safety, and property of members, the public, or Noctral; or as part of a merger, acquisition, or sale of assets (in which case this policy continues to apply and we will notify you of any change in controller). We do not sell personal information and do not share it for cross-context behavioral advertising (as those terms are defined in the California Consumer Privacy Act).
We operate from Japan and our providers process data primarily in the United States. Where data about you is transferred internationally, we rely on appropriate safeguards: our providers participate in recognized transfer frameworks (such as the EU–U.S. Data Privacy Framework) and/or enter into standard contractual clauses, and we impose contractual data-protection obligations on them. For users in Japan: personal data is handled by service providers located in the United States as described above (a country whose data-protection regime differs from Japan's APPI); we supervise these providers through contracts requiring security measures equivalent to those required by the APPI.
We keep your data while your account exists. Deleting your account in Settings permanently removes your account record — profile, twins, private context, conversations, posts, messages, connections, and push tokens — from the live database immediately, and from encrypted backups within 35 days. We may retain limited data longer where necessary for safety, dispute resolution, or legal compliance (for example, moderation reports about serious misconduct, and records we are required to keep), and we retain it only as long as needed for that purpose. Security logs are retained for a short rolling window.
Data is encrypted in transit; access is enforced row-by-row at the database layer, so each member can read only what the product deliberately shows them; AI keys and server credentials never ship in the app; generated content passes automated redaction and safety gates before delivery; session tokens are stored in the device Keychain; and administrative access to production is restricted. No service can guarantee perfect security, but if a breach affecting your personal data occurs we will notify you and the relevant authorities as applicable law requires.
Everyone, regardless of location, can: edit their profile and twin in the app; control visibility per item; delete individual content; delete their account in Settings; disable push notifications in system settings; and email us to request a copy of their data.
EEA / UK (GDPR): you have the rights of access, rectification, erasure, restriction, portability, and objection (including to processing based on legitimate interests), and the right to withdraw consent at any time without affecting prior processing. You may lodge a complaint with your local supervisory authority.
California (CCPA/CPRA): you have the rights to know, access, correct, and delete personal information, and to non-discrimination for exercising them. We do not sell or share personal information, so there is nothing to opt out of; we treat Global Privacy Control signals accordingly. You may use an authorized agent, and we will verify requests via your account email.
Japan (APPI): you may request disclosure, correction, addition or deletion, cessation of use, and cessation of third-party provision of your retained personal data. Complaints may also be directed to the Personal Information Protection Commission (PPC).
To exercise any right, email support@noctralai.com from your account email (or provide equivalent verification). We respond within the time applicable law requires (one month under GDPR, 45 days under CCPA, without undue delay under APPI), and we will not charge a fee unless the law allows it for excessive requests.
Push notifications are optional and controlled by iOS permission prompts and Settings. Notification content is deliberately generic — it never contains another member's identity. The app requests no other sensitive device permissions; if you attach an image to a post, only the image you select is uploaded.
The noctralai.com website is a static site served by Cloudflare. We do not set advertising or analytics cookies. Cloudflare may set strictly necessary cookies for security (such as bot protection). The app itself does not use cookies.
Today Noctral shows no third-party advertising and offers no business-to-business products. If that changes — for example, if we introduce advertising or tools for organizations such as recruiting or talent discovery — we will update this policy before launch and explain exactly what data is involved. Our commitments in advance: your private twin context and private messages will not be used to target advertising; features that materially change how your information is shared with other parties will respect your existing visibility settings; and where law requires consent (such as personalized advertising or cross-app tracking under Apple's App Tracking Transparency), we will ask first and you can say no.
Noctral is not directed to children and may not be used by anyone under 18. We do not knowingly collect personal information from anyone under 18; if we learn we have, we will delete it.
If this policy changes materially, we will say so in the app before the change takes effect and update the effective date above. Earlier versions are available on request.
Privacy questions, requests, and complaints: support@noctralai.com. If you are unsatisfied with our response, you may contact your local data-protection authority — in Japan, the Personal Information Protection Commission; in the EEA/UK, your national supervisory authority; in California, the California Privacy Protection Agency.