NoLoss
Legal

Privacy Policy

Last updated: 8 May 2026

PrivacyTerms of UseSubscription & Cancellation

Application: Noloss — Habit & Streak Tracker

Data Controller: JUPMADS L.L.C-FZ ("Noloss," "we," "us," or "our")

Last Updated: May 16, 2026

Contact: support@jupmads.com

Website: https://noloss.app

1. INTRODUCTION

This Privacy Policy ("Policy") explains how JUPMADS L.L.C-FZ collects, processes, stores, shares, and protects your personal data as a user ("you," "user," or "data subject") of the Noloss mobile application, the noloss.app website, and all related services (collectively, the "Service").

Noloss is a personal habit-tracking tool designed to help adults build healthier routines, track streaks, monitor moods, and reduce time spent on distracting websites and applications. Because the Service interacts with sensitive behavioral signals (browsing activity, app usage, screen time, mood records, user-reported financial information), we have designed this Policy to meet the strictest applicable standards — including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Personal Data Protection Law No. 6698 (KVKK).

By installing, accessing, or using Noloss, you confirm that you have read, understood, and accepted this Policy. If you do not agree, you must not use the Service.

2. DATA CONTROLLER

The data controller under GDPR, UK GDPR, and KVKK is:

JUPMADS L.L.C-FZ

Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates

Contact: support@jupmads.com

All requests related to data protection — including access, erasure, rectification, or complaints — may be submitted in writing to support@jupmads.com.

3. AGE REQUIREMENT

The Service is designed exclusively for users over the age of eighteen (18). We do not knowingly collect data from minors. If we determine that an account belongs to a person under 18, we will delete the account and all associated data without delay. If you believe a minor has provided us with data, please notify us at support@jupmads.com.

4. CATEGORIES OF PERSONAL DATA PROCESSED

We process the following categories of personal data. The legal basis for each category is set out in Section 6.

4.1 Account and Authentication Data

  • Email address (when registering via email or via Sign in with Apple with email sharing enabled)
  • Apple Private Email Relay address — when you use Sign in with Apple with "Hide My Email"; we treat this as your contact email and never attempt to resolve it to your real address
  • Anonymous user identifier (UUID) generated at installation
  • Authentication tokens issued by Apple (Sign in with Apple) or our authentication provider
  • Display name or alias (optional, user-entered)
  • Account creation timestamp, last login timestamp

4.2 Subscription and Transaction Data

  • Subscription status (active, expired, trial, cancelled)
  • Product ID of the purchased subscription (e.g. weekly, annual)
  • Original transaction ID issued by Apple App Store or Google Play
  • Receipt validation metadata

We do not receive, store, or process your full payment card details, banking information, or billing address. All payment transactions are handled by Apple and Google under their own privacy policies.

4.3 Habit, Behavioral, and Wellness Data

  • Streak counters (number of days since a habit goal was started)
  • User-reported financial savings (amounts entered by the user as "money saved")
  • Mood records and emotional assessments
  • Goal milestones, achievement badges, journal entries
  • Daily activity timestamps

This data is encrypted at rest and synchronized with our cloud infrastructure for cross-device access, post-device-loss recovery, and continuous service delivery. This data is never sold, shared with advertisers, or used for advertising profiling.

Special category data notice: Mood records, journal entries, and user-reported behavioral data may, depending on context, qualify as 'health data' under GDPR Article 9 or 'sensitive personal data' under KVKK Article 6. Where this classification applies, we process this data solely on the basis of your explicit consent, which is obtained at the moment you choose to record the relevant information. You may withdraw your explicit consent at any time by deleting the relevant records or your account.

4.4 Device and Technical Data

  • Device model, operating system version, language and region settings
  • App version, build number, install referrer
  • IP address (collected only during API requests; retained for security and abuse prevention)
  • Crash logs, performance traces, diagnostic events

4.5 Push Notification Tokens

  • Apple Push Notification service (APNs) tokens for iOS devices
  • Firebase Cloud Messaging (FCM) tokens for Android devices

These tokens are device-specific identifiers issued by Apple or Google that allow us to deliver notifications you have opted into (streak reminders, mood check-ins, subscription receipts). Tokens do not contain personal information on their own; they identify your device installation and are automatically invalidated when you uninstall the app or disable notifications.

4.6 Site Blocking and Self-Monitoring Data (Sensitive)

Noloss provides functionality that helps users block or limit access to certain websites and online services associated with gambling or other targeted behaviors. To deliver this functionality, the app processes the following data:

  • Domain names and applications the user has chosen to block while the blocking service is active
  • Timestamps of blocking events
  • Categorized aggregate data (e.g., "X blocked access attempts this week")

We process this data solely to provide the user-requested blocking and self-monitoring features. We do not log the full content of web pages, the body of network traffic, or the substantive content of any communications. Blocking and detection functions are performed on-device through operating system frameworks to the extent technically feasible; only aggregated or anonymized signals leave the device. When data exchange with our servers is required for synchronization of blocking lists, cross-device settings transfer, or abuse prevention, such data is encrypted in transit (TLS 1.2 or higher) and at rest.

4.7 Screen Time and App Usage Data (Sensitive)

Where you grant the relevant permissions, the Service may use:

  • iOS Family Controls / Screen Time / DeviceActivity / ManagedSettings frameworks where approved under Apple's entitlement program
  • Android UsageStatsManager and/or AccessibilityService APIs

These frameworks allow Noloss to detect when targeted apps or websites are opened and to enforce user-configured limits. Data accessed through these frameworks is processed solely to provide the user-requested self-control features. Apple's Screen Time data, when used, is processed in compliance with Apple's restrictions; it is not transferred to ad networks or brokers and is not used for any purpose beyond the requested feature.

4.8 Marketing Attribution, Location, and Third-Party Advertising/Cookie Data

If you grant consent under Apple's App Tracking Transparency (ATT) framework or equivalent Android consent mechanisms, we and our marketing/attribution partners (e.g., AppsFlyer) may process the following data:

  • Install attribution identifiers (IDFA on iOS, GAID on Android)
  • Campaign and ad creative identifiers
  • Install and post-install event timestamps
  • Location information (including approximate/regional location) — may be collected and processed by our attribution partner AppsFlyer to improve attribution accuracy, detect fraudulent installs and attribution fraud, and measure regional campaign performance

Where you have provided consent, AppsFlyer and our other third-party service providers may process the above data under their own privacy policies for the purpose of improving application services, conducting performance and usage analytics, managing and measuring promotions and advertisements, and performing cookie and similar identifier-based operations. These third-party processing activities are carried out only within the scope of the consent you have provided and for the duration that consent remains valid.

If you decline tracking, attribution will be configured to operate in a non-tracking, aggregated-only mode (SKAdNetwork on iOS, its equivalent on Android), and location information will not be processed for attribution purposes.

Important limitation: Regardless of your tracking consent, we will never under any circumstances share your habit, mood, financial, browsing (blocking), or screen time data with attribution, advertising, or analytics partners. Location and attribution-based advertising/promotional processing is limited solely to the technical attribution and campaign identifiers defined in this Section 4.8.

4.9 Support and Communication Data

  • Email content, attachments, and metadata when you contact support@jupmads.com
  • In-app feedback messages

4.10 Cookies and Web Tracking

Our website noloss.app uses strictly necessary cookies and, with your consent, analytics cookies. The mobile app itself does not use traditional HTTP cookies; however, if you grant consent under Section 4.8, our third-party attribution and advertising partners (e.g., AppsFlyer) may use cookies, SDKs, and similar identifier-based technologies for promotional and advertising measurement purposes. For details on web cookies, please refer to our Cookie Notice at noloss.app/cookies.

5. DATA SOURCES

We collect data in the following ways:

  • Directly from you (account creation, in-app inputs, support emails)
  • Automatically from your device (device model, OS version, crash data, events generated by the blocking service, push tokens issued by APNs/FCM)
  • From third-party authentication providers when you choose Sign in with Apple
  • From subscription processors (Apple App Store, Google Play) for subscription status verification
  • From our marketing/attribution partners (e.g., AppsFlyer) — where you have provided consent — for install attribution, campaign performance, and location-based attribution signals

We process personal data only when we have a valid legal basis (GDPR Article 6, and where applicable Article 9; KVKK Articles 5 and 6):

| Processing Activity | Legal Basis | | :---- | :---- | | Creation and verification of your account | Performance of a contract (GDPR 6/1-b; KVKK 5/2-c) | | Provision of habit tracking, blocking, and screen time features | Performance of a contract | | Subscription billing verification | Performance of a contract | | Crash reporting and security monitoring | Legitimate interests (GDPR 6/1-f; KVKK 5/2-f) | | Marketing attribution and location-based attribution (with ATT/equivalent consent) | Explicit consent (GDPR 6/1-a; KVKK 5/1) | | Promotional, advertising, and cookie processing by third parties (with consent) | Explicit consent (GDPR 6/1-a; KVKK 5/1) | | Service-related email communications (e.g. subscription receipts) | Performance of a contract | | Promotional email communications | Explicit consent | | Mood records and behavioral self-reporting that may qualify as health-related data | Explicit consent (GDPR 9/2-a; KVKK 6/3) | | Compliance with legal obligations | Legal obligation (GDPR 6/1-c; KVKK 5/2-a) |

You may withdraw your consent at any time; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

7. PURPOSES OF PROCESSING

We process your data solely for the following purposes:

  • Service delivery — providing habit tracking, streaks, blocking, screen time enforcement, mood records, achievements, and cross-device synchronization.
  • Account management — registration, authentication, and subscription management.
  • Customer support — responding to your enquiries.
  • Service improvement — crash detection, bug fixing, and feature performance measurement through aggregated and pseudonymized analysis; usage and performance analytics through third-party service providers where you have provided consent.
  • Marketing attribution and promotional/advertising activity — understanding which campaigns drive user acquisition, location-based attribution and campaign performance measurement, management of promotions and advertisements, and cookie/identifier-based measurement (solely with your consent, under Section 4.8).
  • Security and abuse prevention — detection of fraud, account takeover, payment abuse, and attribution fraud.
  • Legal compliance — responding to requests from competent authorities and enforcing our Terms of Service.

We do not use your data for:

  • Sale to data brokers
  • Advertising profiling based on your habit, mood, browsing, or financial data
  • Automated decision-making that produces legal or similarly significant effects on you
  • Any purpose not disclosed in this Policy

8. THIRD-PARTY PROCESSORS

To deliver the Service, we share your personal data with carefully selected categories of processors that act on our written instructions and have entered into Data Processing Agreements with us (GDPR Article 28 / KVKK Article 12). These categories include:

  • Cloud hosting and infrastructure providers
  • Database and authentication providers
  • Subscription verification providers
  • Crash reporting, performance monitoring, and product analytics providers
  • Push notification providers
  • Marketing attribution, location-based attribution, and advertising/promotional measurement providers — e.g., AppsFlyer (solely with your consent)
  • Customer support tool providers

We share with each processor only the data required for the relevant purpose and do not authorize any processor to use your data for their own purposes beyond those described in this Policy. Our attribution and advertising partners (e.g., AppsFlyer), within the scope of the consent you have provided, may also process attribution, location, and identifier data under their own privacy policies for the purposes of improving application services, promotions, advertising, and cookie/identifier operations. Our processor list is updated as our infrastructure evolves; you may request the current list of named processors at any time by writing to support@jupmads.com.

9. INTERNATIONAL DATA TRANSFERS

Some of our processors are located outside the European Economic Area, the United Kingdom, or the Republic of Turkey. When we transfer personal data outside these jurisdictions, we rely on:

  • European Commission Standard Contractual Clauses (SCCs) in their 2021 form, together with appropriate transfer impact assessments;
  • The UK Addendum to SCCs for UK data;
  • Adequacy decisions where applicable;
  • For transfers from Turkey: the data subject's explicit consent pursuant to KVKK Article 9, or other lawful transfer mechanisms recognized by the Personal Data Protection Authority.

You may request a copy of the safeguards we apply by writing to support@jupmads.com.

10. DATA RETENTION

We retain personal data only for as long as necessary to fulfil the purposes set out in Section 7, taking into account the nature, scope, and sensitivity of the data. The criteria we use to determine retention periods include:

  • The duration of your account and your active use of the Service;
  • The period for which the data is required for us to continue providing the Service (e.g., to preserve your streaks, history, and achievements);
  • Legal, accounting, tax, and regulatory retention obligations applicable to JUPMADS L.L.C-FZ;
  • The period required to resolve disputes, enforce our agreements, prevent fraud, and protect our rights and those of our users;
  • Standard retention periods applied by our processors for technical data such as crash logs, IP-based security records, and attribution data.

When data is no longer necessary, it is irreversibly deleted or anonymized. When you delete your account, your data in active systems is deleted within a reasonable period; residual data in backup copies is purged within our normal backup rotation cycle — except where applicable law requires us to retain certain records (e.g., tax records relating to subscription transactions).

You may request information about the retention periods applicable to specific categories of your data at any time by writing to support@jupmads.com.

11. SECURITY MEASURES

We implement technical and administrative measures proportionate to the risk:

  • Encryption in transit with TLS 1.2+
  • Encryption at rest with AES-256 for database storage
  • Least-privilege principle for staff access; access is logged and audited
  • Multi-factor authentication required for all administrative access
  • Regular vulnerability scanning and dependency monitoring
  • Incident response plan with breach notification within 72 hours (where required by law)
  • Secure software development practices, code review, and penetration testing on major releases

No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify you and the competent supervisory authority as required by GDPR Articles 33-34 and the relevant provisions of KVKK.

12. YOUR RIGHTS UNDER GDPR / UK GDPR

You have the following rights, exercisable free of charge except for manifestly unfounded or excessive requests:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent (Article 7(3))
  • Right not to be subject to automated decision-making (Article 22). We do not engage in such processing.
  • Right to lodge a complaint with a supervisory authority

To exercise these rights, write to support@jupmads.com or use the in-app Settings → Account → Delete Account flow. We respond within one (1) month; this may be extended by a further two months for complex requests.

On first launch, iOS users are shown Apple's App Tracking Transparency prompt. If you select "Ask App Not to Track," we and our SDKs (including AppsFlyer) will disable cross-app tracking, will not process location information for attribution purposes, and will operate solely within SKAdNetwork's privacy-preserving attribution. On Android, equivalent consent is collected via an in-app consent dialog before any non-essential tracking or attribution SDK is initialized. You may withdraw your consent at any time via Settings → Privacy → Tracking; following withdrawal, third-party advertising, promotional, and cookie/identifier processing will cease.

Regardless of your choice, your habit, mood, financial, browsing, and screen time data will never under any circumstances be shared with attribution or advertising partners.

14. AUTOMATED DECISION-MAKING AND PROFILING

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you. Aggregate analytics may be used to improve features (e.g., identifying which onboarding step has the highest drop-off rate), but no decision is automated at an individual level.

15. SENSITIVE PERMISSIONS DISCLOSURE

The Service requests several permissions that provide access to sensitive device capabilities. We explain these in plain language:

  • Notifications — to send streak reminders, mood check-ins, and subscription event confirmations. Declining does not disable the Service.
  • iOS Family Controls / Screen Time / DeviceActivity (where available) — to enable user-configured blocking and limits. Used solely to deliver self-control features. Not used for advertising. Apple's restrictions applicable to this entitlement apply.
  • Android Accessibility Service, UsageStatsManager (where granted) — to enable user-configured blocking and monitoring of targeted apps. We comply with Google Play's Permissions and Restricted APIs policies (including the Accessibility API policy). These permissions are used solely to provide the user-requested blocking and self-monitoring features and are never used for advertising, surveillance of unrelated apps, or covert data collection.
  • Background processing — to maintain blocking and streak tracking even when the app is not in the foreground.

You may revoke any of these permissions at any time from your device settings. Doing so may disable the associated features.

16. KVKK INFORMATION NOTICE

This section is prepared pursuant to the disclosure obligation under the Personal Data Protection Law No. 6698 (KVKK). The Turkish-language version is the binding version for users resident in the Republic of Turkey.

Identity of the Data Controller:

JUPMADS L.L.C-FZ

Address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates

Contact: support@jupmads.com

Purposes of Processing Personal Data:

Your personal data is processed for the purposes of delivering the Service, creating and managing your account, executing subscription transactions, providing customer support, enhancing service quality and security, fulfilling legal obligations, and — where you have provided consent — marketing attribution, location-based attribution, promotions, advertising, cookie/identifier operations, and improving application services through third-party service providers.

Categories of Personal Data Processed:

Identity information (anonymous user ID, alias), contact information (email, Apple Private Email Relay address), customer transaction information (subscription status, transaction IDs), transaction security information (IP, device information, session records, push notification tokens), marketing information (with consent only; attribution identifiers, campaign data, and approximate/regional location information), user-reported financial information (amounts claimed to be saved — not actual financial account information), behavioral/emotional data that may qualify as health-related (mood records, journal entries), and browsing and app usage behavioral data (while the blocking service is active).

Method of Collection and Legal Basis:

Your personal data is collected through the application, website, electronic communication channels, and — where you have provided consent — through third-party attribution/marketing partners (e.g., AppsFlyer), on the bases of lawfulness set out in KVKK Articles 5/2 and 6/3, and where required, your explicit consent.

Transfer of Personal Data:

Your personal data may be transferred to overseas cloud, attribution, advertising, and service providers (e.g., AppsFlyer) in the categories defined in Section 8. Overseas transfers are carried out on the basis of your explicit consent pursuant to KVKK Article 9, or other lawful transfer mechanisms recognized by the Personal Data Protection Authority.

Your Rights under KVKK Article 11:

As a data subject, you have the rights to: (a) learn whether your personal data is being processed; (b) request information if it has been processed; (c) learn the purpose of processing and whether it is used in accordance with that purpose; (d) know the third parties to whom data is transferred domestically or abroad; (e) request correction if data is incomplete or inaccurate; (f) request deletion or destruction under KVKK Article 7; (g) request notification of the actions taken pursuant to (e) and (f) to the third parties to whom data has been transferred; (h) object to a result arising against you through analysis of processed data exclusively by automated systems; and (i) claim compensation for damages in the event of unlawful processing.

Application Method:

You may submit your requests in writing to support@jupmads.com together with documents verifying your identity. Requests are concluded within thirty (30) days at the latest pursuant to KVKK Article 13.

17. CALIFORNIA / CCPA NOTICE (RESERVED)

While the Service does not currently target California residents, if you are a California consumer, you may have rights under the California Consumer Privacy Act / California Privacy Rights Act. We do not sell personal information as defined under CCPA. The sharing of identifier-based data with attribution and advertising partners where you have provided consent under Section 4.8 may constitute "sharing" under CPRA; such processing is based solely on your consent, which you may withdraw at any time. To exercise your CCPA/CPRA rights, write to support@jupmads.com.

18. CHILDREN

The Service is not directed at children under the age of 18. We do not knowingly collect data from minors. See Section 3.

19. CHANGES TO THIS POLICY

We may update this Policy to reflect operational, legal, or regulatory changes. Material changes will be communicated via in-app notification or email at least 30 days before they take effect. The "Last Updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Service following a change constitutes acceptance of the revised Policy.

20. CONTACT

For any privacy-related questions, requests, or complaints:

  • Email: support@jupmads.com
  • Postal address: JUPMADS L.L.C-FZ, Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates
  • Website: https://noloss.app

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority of your country of residence (e.g., for Turkey: the Personal Data Protection Authority — KVKK; for EEA users: the Irish Data Protection Commission; for UK users: the UK Information Commissioner's Office).

*This Privacy Policy is effective as of the Effective Date stated above and supersedes all prior versions.*

Need urgent support? Yeşilay / YEDAM free counseling —yedam.org.tr