Privacy Policy
Last updated: June 2026
Neku ("we", "our", or "us") is operated by Neku, based in Greece. This policy explains what personal data we collect, why we collect it, and what rights you have over it. As an EU-based service, we comply with the General Data Protection Regulation (GDPR).
1. Who We Are
Neku is a writing app for fiction writers, available at neku.io.
For any privacy-related questions, contact us at: hi@neku.io
2. What Data We Collect
Data you provide through signup
When you create an account via Google, we receive and store:
- Your full name
- Your email address
We do not store your Google profile photo.
Data you create in the app
- The text content of your stories and notes
- Your storyboard diagrams
Subscription data
If you subscribe to a paid plan, we store your subscription status, plan type, and billing period via Polar, our payment processor and Merchant of Record. Your email address is shared with Polar at checkout to create your billing account. We do not store payment card details — these are handled entirely by Polar.
Technical data
- Authentication cookies — session and refresh tokens from Supabase, and state tokens from Google OAuth during login. These are strictly necessary for the service to function.
- User preferences — stored in your browser's localStorage (not cookies). These never leave your device unless you are logged in.
- Anonymised usage analytics and product events — collected via Vercel Analytics. No personal information is included and no cookies are used.
3. Why We Collect It
| Data | Purpose | Legal Basis |
|---|---|---|
| Name and email | Account creation and identification | Contract |
| Stories and notes | Providing the writing service | Contract |
| Auth cookies | Keeping you logged in securely | Contract (strictly necessary) |
| Subscription data | Managing your plan and billing | Contract |
| Anonymised analytics | Understanding how the app is used | Legitimate interest |
4. Who We Share Your Data With
We use the following third-party services to operate Neku. Each acts as a data processor on our behalf:
- Supabase — database and authentication infrastructure. Supabase Privacy Policy
- Vercel — hosting and deployment. Vercel Privacy Policy
- Google — authentication via Google OAuth. Google Privacy Policy
- Polar — payment processing and Merchant of Record for paid plans. Your email address is shared with Polar at checkout. Polar Privacy Policy
- Resend — transactional email delivery (e.g. account notifications). Your email address is shared with Resend solely for this purpose. Resend Privacy Policy
We do not sell your data. We do not use your data for advertising.
5. International Data Transfers
Some of our third-party processors are based outside the European Union, including in the United States (Vercel, Polar, and Resend). We select processors that maintain appropriate safeguards for international data transfers in accordance with GDPR, such as Standard Contractual Clauses (SCCs). For details on the safeguards each processor applies, refer to their respective privacy policies linked in Section 4.
6. Cookies
We use only strictly necessary cookies:
| Cookie | Purpose | Provider |
|---|---|---|
| Supabase session token | Keeps you authenticated | Supabase |
| Supabase refresh token | Renews your session | Supabase |
| Google OAuth state token | Secures the login flow |
We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required.
7. Your Rights Under GDPR
As an EU resident, you have the right to:
- Access — request a copy of the personal data we hold about you
- Portability — export your data at any time from your account settings
- Deletion — permanently delete your account and all associated data from your account settings
- Correction — update your name at any time from your account settings
- Restriction — request that we limit how we use your data
- Object — object to our use of your data for legitimate interest purposes
To exercise any right not available in the app directly, contact us at hi@neku.io. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In Greece, this is the Hellenic Data Protection Authority (HDPA).
8. Data Retention
We keep your personal data for as long as your account is active. When you delete your account:
- Your name, email, stories, notes, and storyboards are permanently deleted
- Anonymised billing records are retained as required for accounting purposes
9. Data Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS), row-level security on our database, and server-side-only access for sensitive operations. In the event of a data breach that affects your rights, we will notify the relevant authority within 72 hours and inform you without undue delay.
10. Children
Neku is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this policy from time to time. When we do, we will update the date at the top of this page. For significant changes, we will notify you by email.