Privacy Policy (NEDIO)
Last updated: December 26, 2025
This Privacy Policy explains how NEDIO ("NEDIO", "we", "us", or "our") collects, uses, shares, and protects information when you use our website and web app at https://nedio.xyz (the "Service").
If you have questions, contact us at support@nedio.xyz.
Controller address: **[INSERT POSTAL ADDRESS]**
1) What NEDIO is
NEDIO is a web-based focus radio and session timer. You can use the Service without creating an account, or you can create an account to save your progress (for example, focus streaks and stats) and manage a subscription (NEDIO Pro).
2) Information we collect
We collect information in three ways: (a) information you provide, (b) information collected automatically when you use the Service, and (c) information from third parties you choose to use (like Google/GitHub sign-in).
A. Information you provide
- **Account information**: email address and authentication details when you create an account or sign in. If you use OAuth (Google or GitHub), we receive a token/identifier from that provider to sign you in.
- **Profile and preferences**: information you choose to share to personalize the experience (for example, profession and preferred genres).
- **Support messages**: if you contact support through the in-app contact form, we collect the subject, message, your email (if provided), and any attachments you upload (up to 3 files).
- **Subscription-related information**: when you subscribe, we associate your account with billing identifiers (such as Stripe customer/subscription IDs) and your subscription status (for example, free, trialing, active, canceled).
B. Information collected automatically
- **Usage and session information**: listening sessions and usage measurements such as session start/end time, session duration, station/mode, and minutes listened (used for usage limits and stats).
- **Anonymous identifiers (for guests)**: if you use the Service without an account, we may generate a random identifier stored on your device to recognize a returning guest session and help measure usage (for example, daily minutes used).
- **Device and log information**: IP address, browser type, user agent, approximate location (derived from IP), referring/exit pages, timestamps, and similar diagnostic information.
- **Cookies and local storage**: we use cookies and local storage for essential functionality (such as authentication) and, if enabled, for analytics/marketing measurement (see Section 6).
C. Information from third parties
If you sign in via Google or GitHub, those providers may share basic account information (like an email address) with us based on your provider settings. We use it only to authenticate you and associate your account.
3) How we use information
We use information to:
- **Provide the Service** (stream audio, run focus sessions, enforce daily usage limits for free users, and enable Pro features).
- **Create and manage accounts** (authentication, account settings, and security).
- **Personalize your experience** (for example, content preferences).
- **Operate subscriptions and billing** (create checkout sessions, manage subscriptions, and provide a billing portal).
- **Support and communicate with you** (respond to support requests and send operational messages).
- **Measure and improve the Service** (understand feature usage, fix bugs, and improve performance).
- **Prevent fraud and protect the Service** (security monitoring, abuse prevention, and compliance).
We do **not** sell your personal information.
4) Legal bases (EEA/UK and similar regions)
Depending on where you live, we process personal data under one or more of the following legal bases:
- **Contract**: to provide the Service you request (account, playback, session tracking, subscription management).
- **Legitimate interests**: to secure, maintain, and improve the Service (for example, preventing abuse and understanding product performance).
- **Consent**: where required for certain analytics/marketing technologies (for example, Meta Pixel/Conversions API when configured to require consent).
- **Legal obligation**: to comply with applicable laws (for example, accounting and tax rules related to subscriptions).
5) How we share information
We share information only as needed to run the Service, including with the following categories of providers:
- **Hosting and infrastructure**: providers that host and run the Service and deliver content.
- **Database and authentication**: Supabase (accounts, sessions, and app data).
- **Payments**: Stripe (subscription billing). Payment card details are processed by Stripe; we do not store full card numbers.
- **Email delivery**: Resend (to send and receive support emails initiated through the Service).
- **Analytics and measurement** (if enabled): Google Analytics, Vercel Analytics, and Meta (Pixel and Conversions API).
- **Media storage/delivery**: Cloudflare (for storing and serving audio assets).
We may also share information:
- **For legal reasons**: to comply with law, regulation, legal process, or government request.
- **To protect rights and safety**: to enforce our terms, prevent fraud, and protect users and the Service.
- **Business transfers**: if we are involved in a merger, acquisition, financing, or sale of assets (you will be notified as required by law).
6) Cookies, tracking, and choices
We use cookies and similar technologies to operate the Service and, depending on configuration, to measure marketing/analytics performance.
Essential cookies
These help the Service work (for example, authentication/session cookies used by our authentication provider). Disabling them may prevent sign-in or other features from working.
Analytics cookies and measurement
If enabled, we may use:
- **Google Analytics** to understand aggregated usage and improve the Service.
- **Vercel Analytics** to measure traffic and performance.
Advertising/marketing measurement (Meta)
If enabled, we may use **Meta Pixel** and **Meta Conversions API** to measure the performance of ads and understand conversions (for example, sign-ups, checkout events, or session starts). Depending on how the Service is configured, these events may be sent only after you grant consent.
When Meta measurement is enabled, we may process:
- cookie identifiers (for example _fbp and _fbc, when present),
- IP address and user agent (for event matching),
- event identifiers (for deduplication), and
- hashed email (SHA-256) when you provide an email in a relevant flow.
Your choices
- You can often control cookies through your browser settings and clear local storage via your browser controls.
- Where we use consent-based tracking, you can deny or withdraw consent at any time through the Service (if available) or by clearing the relevant consent cookie/local storage.
- If you do not want marketing/ads measurement, do not grant consent when prompted (where applicable).
- If your browser sends a **Global Privacy Control (GPC)** signal, we treat it as a request to disable marketing measurement where applicable.
6A) California privacy notice (CCPA/CPRA)
NEDIO does not “sell” personal information. We may “share” certain information for cross-context behavioral advertising when marketing measurement is enabled (for example, Meta Pixel/Conversions API). You can opt out of such “sharing” by turning off **Marketing** in the in-app cookie settings or by visiting /do-not-sell. We also honor **Global Privacy Control (GPC)** signals as an opt-out of marketing measurement.
6B) California privacy notice (CPRA/CCPA) - categories, sources, and retention
**Categories of personal information we collect:**
- **Identifiers** (for example, email address, account IDs, device identifiers).
- **Commercial information** (subscription status and billing identifiers).
- **Internet or network activity** (usage, session data, and cookie identifiers).
- **Approximate geolocation** (derived from IP address).
- **Inferences** (preferences such as profession and genres).
- **Customer service content** (support messages and attachments).
**Sources of personal information:**
- **Directly from you** (account creation, personalization, support).
- **Automatically from your device** (usage and log data).
- **From service providers** you choose to use (OAuth providers and payment processors).
**Retention by category (criteria):**
- **Identifiers and account data**: retained while your account is active and as needed to comply with legal obligations.
- **Commercial information**: retained as required for billing, tax, and dispute resolution.
- **Internet/network activity**: retained as needed for security, analytics, and service improvement.
- **Approximate geolocation**: retained with log data as needed for security and diagnostics.
- **Support content**: retained as needed to resolve requests and maintain support history.
- **Preferences/inferences**: retained until you update them or delete your account.
We do not discriminate against you for exercising CPRA/CCPA rights.
7) Data retention
We keep information only as long as needed for the purposes described in this policy, including:
- **Account data**: for as long as your account is active, and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
- **Session/usage data**: for as long as needed to provide stats, enforce limits, and improve the Service.
- **Billing records**: as required by applicable law and our payment provider policies.
- **Support communications**: for as long as needed to resolve your request and maintain support history.
You can request deletion (see Section 9).
8) Security
We use reasonable administrative, technical, and organizational measures to protect information. However, no method of transmission or storage is completely secure.
9) Your rights and requests
Depending on your location, you may have rights to access, correct, delete, or object to certain processing of your personal information, and to request a copy of your data.
To make a request, contact support@nedio.xyz. To protect users, we may need to verify your identity before fulfilling requests.
If you are in the UK or EEA, you also have the right to lodge a complaint with your local supervisory authority (for example, the UK Information Commissioner's Office (ICO)).
10) International transfers
Our providers may process and store information in countries other than your own. Where required, we rely on appropriate safeguards for international transfers.
11) Children’s privacy
The Service is not intended for children under 13 (or the minimum age required in your jurisdiction). If you believe a child has provided us personal information, contact support@nedio.xyz.
12) Changes to this policy
We may update this Privacy Policy from time to time. We will revise the "Last updated" date and, where required, provide additional notice.