Effective — July 8, 2026

Privacy Policy

The nemesis is fictional. The data protection is not.

1. Who we are (Data Controller)

The Nemesis service ("Nemesis", "Service", "we", "us") is operated by Adnan Kadric, a sole proprietor trading as Nemesis, reachable at privacy@nemesisgoals.com. Adnan Kadric is the data controller responsible for personal data processed through nemesisgoals.com.

2. What we collect

  • Account: email address, hashed password (or Google account identifier if you sign in with Google).
  • Nemesis profile: the persona archetype you choose, an optional name for your nemesis, your stated goal, and your deadline.
  • Subscription: your Paddle customer and subscription identifiers, plan tier, status, and billing period dates. We do not receive or store your full card number.
  • Taunt history: AI-generated messages sent to you.
  • Technical logs: IP address, user agent, approximate location, and basic device data collected to secure the Service.

3. Why we use it & legal basis

Under the EU/UK GDPR we rely on the following legal bases for each category of processing:

  • Providing the Service (account, nemesis profile, taunt generation and delivery) — performance of a contract with you (Art. 6(1)(b) GDPR).
  • Processing payments and preventing fraud (via Paddle) — performance of a contract and compliance with a legal obligation (Art. 6(1)(b) and 6(1)(c) GDPR).
  • Service messages and product updates performance of a contract. Optional daily taunt emails and marketing messages — your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.
  • Security, abuse prevention, and technical logs our legitimate interests in operating a secure Service (Art. 6(1)(f) GDPR).
  • Tax, accounting, and record-keeping compliance with a legal obligation (Art. 6(1)(c) GDPR).

4. Who we share it with

  • Paddle.com Market Ltd. — Merchant of Record for billing, tax, refunds, and fraud prevention.
  • Supabase — database, authentication, and file storage on our behalf.
  • AI providers accessed via the Lovable AI Gateway (e.g. Google Gemini) — receive your persona, name, and goal strictly to generate the requested taunt text.
  • Google — only if you choose to sign in with Google.

We do not sell personal data. We do not use it for advertising.

5. Retention

We keep account and subscription data for as long as your account is active and for up to 24 months after cancellation to satisfy tax and fraud obligations. Taunt history is retained for 12 months unless you delete it or your account sooner.

6. Your rights

Depending on where you live (e.g. EU/UK under GDPR, California under CCPA), you may have the right to access, correct, export, or delete your personal data, and to object to certain processing. To exercise these rights, email privacy@nemesis.app. We respond within 30 days.

7. Security

Data is encrypted in transit (TLS) and at rest. Access is limited to personnel who need it. No system is perfectly secure — you use the Service at your own risk.

8. International transfers

Our providers may process your data in the EU, UK, and United States under standard contractual clauses or equivalent safeguards.

9. Children

The Service is not for anyone under 18. We do not knowingly collect data from children.

10. Contact

Data protection questions: privacy@nemesis.app.