Effective Date: 13 May 2026 · Last Updated: 29 May 2026
Exerevno Limited ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information is collected when you use Bites, how that information is used, and your rights in respect of it.
"Bites" or the "Service" means, collectively:
This Policy applies to both surfaces. Where a section applies only to one surface, it is clearly labelled (Mobile App) or (Web App).
By downloading, installing, opening, accessing, or browsing Bites, you acknowledge that you have read and understood this Privacy Policy.
This Policy should be read alongside our Terms of Use.
Exerevno Limited acts as the data controller in respect of any personal information processed in connection with Bites. Our contact details are set out in Section 16.
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, Exerevno Limited is the data controller responsible for your personal information under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and applicable national implementing legislation (including the UK Data Protection Act 2018).
If you are located in New Zealand, Exerevno Limited is an "agency" within the meaning of the Privacy Act 2020 (NZ) ("NZ Privacy Act") and is responsible for compliance with the Information Privacy Principles set out in that Act.
If you are a California resident, Exerevno Limited is a "business" within the meaning of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA").
To be clear about what Bites does not do (on either the Mobile App or the Web App):
Although Bites does not actively solicit personal information from you, certain information may be incidentally processed as a consequence of normal network operations and the delivery of the Service.
Bites retrieves content from a backend database operated by Supabase, Inc. ("Supabase"). When the Mobile App or the Web App makes requests to Supabase's servers, Supabase's infrastructure may log:
This logging is performed by Supabase at the infrastructure level in accordance with Supabase's own Privacy Policy. Exerevno Limited does not instruct Supabase to collect, store, or process personal information beyond what is technically necessary to service the database query. Bites uses only Supabase's anonymous (public) API key and no user authentication is performed.
Supabase data processing location: Supabase processes data on Amazon Web Services ("AWS") infrastructure. Data may be processed in the United States or other jurisdictions.
The Web App is hosted as static files on Netlify, Inc. ("Netlify"), which operates a global content delivery network ("CDN"). When you load the Web App at exer-labs.app/bites/, Netlify's edge servers receive and process:
Netlify processes this information for the purposes of delivering content, applying caching, mitigating denial-of-service attacks, and maintaining operational logs in accordance with its own privacy practices. Exerevno Limited does not receive personal information from Netlify beyond aggregated technical statistics.
Netlify data processing location: Netlify operates servers in the United States and other jurisdictions and uses a global CDN.
Bites uses the Geist typeface delivered via Google Fonts (operated by Google LLC). On first load, Bites may make a request to Google's font CDN at fonts.googleapis.com and fonts.gstatic.com. This request may expose your IP address and standard HTTP headers to Google's servers.
Note: After the font files are downloaded, they are cached by the operating system or browser and subsequent loads may not require further requests to Google's CDN. Google has stated that the Fonts API does not set cookies and does not use the data received for advertising purposes.
When you tap on a source article in the Mobile App, the Mobile App opens that article within an embedded WebView browser. When this occurs:
When you click a source article on the Web App, the article opens in a new tab in your system browser (target="_blank"). When this occurs:
The Web App collects first-party usage events and writes them directly to Exerevno Limited's Supabase database. No cookies are used, no third-party analytics tool is involved, and no personal data is collected. Specifically:
bites-sid) is generated freshly each time you open the Web App in a browser tab, stored in sessionStorage (not a cookie), and automatically deleted when the tab is closed. It cannot be used to identify you across sessions or devices;sessionStorage is not a cookie and is not subject to the prior-consent requirement of Article 5(3) of the ePrivacy Directive. No personal data is collected that would require a separate consent basis under GDPR.Analytics are not currently implemented in the Mobile App. If analytics are added to the Mobile App in a future version, this Policy will be updated prior to that release.
The Web App uses browser storage APIs to preserve preferences and support analytics. The following keys are written:
| Key | Storage type | Purpose | Lifetime | Transmitted? |
|---|---|---|---|---|
bites-dark |
localStorage |
Remembers your chosen light/dark display theme across visits | Persists until you clear site data | Never — stored locally only |
bites-sid |
sessionStorage |
A random UUID used to group analytics events within a single browser tab session. Not linked to your identity. | Automatically deleted when the tab is closed | Sent to Exerevno Limited's Supabase database as part of each analytics event (see Section 4.6). Not sent to any third party. |
Neither key is a cookie. localStorage values persist across visits; sessionStorage values are scoped to the current tab and cleared on close. Neither key contains personal information. You can delete both at any time by clearing your browser's site data for exer-labs.app.
Bites does not currently offer account creation, login, or personalised features. If a future version introduces optional account functionality, this Privacy Policy will be updated prior to launch with full disclosure of the data collected, its purpose, legal basis, retention period, and any sharing.
If the Mobile App directs you to the Apple App Store or Google Play Store, those platforms collect information in accordance with Apple's and Google's own privacy policies. Exerevno Limited does not receive personal information from Apple or Google as a result of this interaction other than aggregated download, crash, and rating statistics provided by the respective store's developer console.
For users in the EEA, United Kingdom, or Switzerland, to the extent any personal information is processed, we rely on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Technical connection data processed by Supabase when serving content (Mobile App and Web App) | Legitimate interests (Article 6(1)(f) GDPR): it is technically necessary to transmit your IP address to retrieve content from the server. |
| Static hosting and content delivery by Netlify (Web App) | Legitimate interests (Article 6(1)(f) GDPR): delivery of the Web App's HTML, CSS, JavaScript, and other static assets requires routing your request through a CDN. Server logs are necessary for security, performance, and abuse prevention. |
| Font loading via Google Fonts CDN (Mobile App and Web App) | Legitimate interests (Article 6(1)(f) GDPR): delivery of the Service interface requires loading typeface files. Fonts are cached after first load. |
Local theme preference stored in localStorage (Web App) |
Strictly necessary for the operation of an explicitly requested feature: storing your chosen display theme is exempt from consent under Article 5(3) of the ePrivacy Directive as a user-preference storage item. The value is not personal data and is not transmitted to us. |
First-party analytics events collected via sessionStorage session identifier and written to Supabase (Web App) |
Legitimate interests (Article 6(1)(f) GDPR): Exerevno Limited has a legitimate interest in understanding aggregate usage patterns to improve the Service. The data collected is anonymous at source — no names, email addresses, or IP addresses are stored in our analytics records. The session identifier is ephemeral, tab-scoped, and not linked to your identity. The processing has minimal impact on your rights and freedoms. sessionStorage is not a cookie and is not subject to the prior-consent requirement under Article 5(3) of the ePrivacy Directive. |
Where we rely on legitimate interests, we have carried out a balancing assessment and consider that the limited, technical nature of the processing does not override your fundamental rights and freedoms. You may object to processing based on legitimate interests at any time using the contact details in Section 16.
To the limited extent that technical information is processed, it is used solely:
(a) To enable Bites to connect to its backend and retrieve content (daily Digest and source articles);
(b) To deliver the Web App's static assets from Netlify's CDN;
(c) To serve the Service interface correctly (fonts);
(d) To remember your local theme preference within your browser (Web App);
(e) To measure and understand how the Web App is used in aggregate — including which content is read, how users navigate between daily digests, and where visitors come from — for the purposes of improving the Service (see Section 4.6); and
(f) Insofar as Supabase and Netlify retain infrastructure logs, for the purposes of network security, abuse prevention, and operational diagnostics as described in their own privacy policies.
Exerevno Limited does not use any information for profiling, automated decision-making producing legal or similarly significant effects, targeted advertising, marketing, or sale to third parties.
We do not sell, rent, share for cross-context behavioural advertising, or trade your personal information. We do not share personal information with third parties except as described below.
| Third Party | Purpose | Surface | Privacy Policy |
|---|---|---|---|
| Supabase, Inc. (United States) | Backend database infrastructure — hosts and serves the Digest and article content; also stores first-party analytics events from the Web App (see Section 4.6) | Mobile App and Web App | supabase.com/privacy |
| Netlify, Inc. (United States) | Static site hosting and global CDN for the Web App | Web App | netlify.com/privacy |
| Google LLC (United States) — Google Fonts | Delivery of the Geist typeface via CDN | Mobile App and Web App | policies.google.com/privacy |
| Apple Inc. (United States) | App distribution, download statistics, crash reports (App Store) | Mobile App (iOS) | apple.com/legal/privacy |
| Google LLC (United States) — Google Play | App distribution, download statistics (Google Play) | Mobile App (Android) | policies.google.com/privacy |
We may disclose information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Exerevno Limited, our users, or the public.
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your information may be transferred to the successor entity. We will notify you of any such change and any new privacy policy that will apply.
Server-level logs generated by Supabase and Netlify in connection with API requests and HTTP requests are retained in accordance with those providers' respective data retention policies. Please refer to their privacy policies (linked in Section 7.1) for details. Exerevno Limited does not download, archive, or maintain its own copy of those infrastructure logs in identifiable form.
Bites may cache content (Digest text, article metadata, fonts) on your device or in your browser to improve performance. This data is stored locally and can be cleared at any time by deleting the Mobile App, or by clearing your browser's site data for exer-labs.app. Exerevno Limited does not have access to locally cached data.
The bites-dark value stored in your browser's localStorage persists until you clear your browser's site data or remove the entry manually. It is never sent to us.
Because Bites does not collect personal information from users, Exerevno Limited does not maintain a central repository of user personal data subject to retention or deletion obligations.
Analytics events collected from the Web App are stored in Exerevno Limited's Supabase database and retained to support long-term usage analysis. Event records are reviewed periodically and may be purged at our discretion. Individual events are not linked to personal identifiers — they contain only a tab-scoped random session ID, event metadata, and aggregate device and traffic-source information. If you wish to request deletion of analytics events that may have been generated during your use of the Web App, please contact us at info@exerevno.co.nz; because session identifiers are random, ephemeral, and not linked to your identity, it may not be possible to identify which records (if any) relate to you.
Exerevno Limited implements reasonable technical and organisational measures to protect information processed in connection with Bites, including:
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
Bites is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and become aware that your child under 13 has used Bites, please contact us at info@exerevno.co.nz and we will take appropriate steps.
For users in the EEA, where the applicable national law sets a higher digital consent age (up to 16 years under Article 8 GDPR), we will comply with the relevant national requirement.
We comply with the United States Children's Online Privacy Protection Act ("COPPA"). Because Bites does not request or knowingly collect personal information from any user, including children, no parental consent mechanism is required for the current version. Should this change, we will update this Policy and implement the required COPPA controls before any such collection commences.
Bites relies on service providers located outside your country of residence:
By using Bites, you acknowledge that your connection data may be transferred to and processed in jurisdictions that may have different data protection laws than your own.
Transfers from the EEA, UK, or Switzerland: where personal data is transferred outside the EEA, UK, or Switzerland to a country not benefitting from an adequacy decision, we rely on the sub-processor's own appropriate safeguards, including the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, as published by each provider.
Transfers from New Zealand: where personal information is transferred outside New Zealand, we comply with Information Privacy Principle 12 of the NZ Privacy Act, including by selecting providers whose terms ensure comparable safeguards.
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights in respect of any personal information we hold about you:
Important note: Because Bites does not collect or store personal information centrally, we may not hold any personal information about you against which to exercise these rights. We will respond to any verified request within one month (extendable by a further two months for complex requests under Article 12(3) GDPR).
If you are located in New Zealand, you have the right to request access to, and correction of, any personal information held about you by Exerevno Limited under Information Privacy Principles 6 and 7 of the NZ Privacy Act. You may also make a complaint to the Office of the Privacy Commissioner (www.privacy.org.nz).
If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:
In the preceding 12 months, Exerevno Limited has not sold or shared any personal information. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.
To exercise any of the rights set out above, please contact us using the details in Section 16. You may also nominate an authorised agent to act on your behalf, in which case we may require proof of the agent's authority. We may need to verify your identity (including, where you have not provided personal data to us, by asking for technical information confirming the connection between you and any data we may hold) before acting on a request.
Bites displays content from third-party news publishers and links to their websites. In the Mobile App, source articles open in the integrated WebView browser. In the Web App, source articles open in a new tab in your system browser (using target="_blank" rel="noopener"). In both cases, Exerevno Limited is not responsible for the privacy practices or content of any third-party website and does not receive information about your activity on those sites. We encourage you to review the privacy policy of each website you visit.
This Section 14 applies only to the Mobile App distributed via the Apple App Store and Google Play and does not apply to the Web App.
The Mobile App does not offer or require account creation, so there is no account to delete. If a future version introduces optional account functionality, Exerevno Limited will implement a compliant in-app and online account deletion flow prior to that release in accordance with the Apple App Store and Google Play Developer Program requirements.
If there is any inconsistency between this Privacy Policy and the in-store privacy disclosures, this Privacy Policy prevails as the governing document.
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this document and, where changes are material, notify you within the Mobile App, on the Web App, or by other appropriate means. Your continued use of Bites after any change to this Privacy Policy constitutes your acceptance of the revised Policy.
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Exerevno Limited
Level 4, 125 Queen St, Auckland 1010, New Zealand
Email: info@exerevno.co.nz
Website: https://www.exerevno.co.nz
For users in the EEA or UK, if you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority: