1. Who we are
Nova is operated by the Nova team based in the Republic of South Africa. For privacy matters, contact our Information Officer (POPIA) / Data Protection contact (GDPR) at privacy@nova.ai.
2. What we collect, and why
Account details (email, optional first name) - to create your account and sign you in. Memory and cards (notes, tasks, opportunities, agent drafts) - the personal context you give Nova so it can prepare suggestions for you. Usage events (which agents ran, AI requests counted against your daily allowance) - to enforce fair-use limits and improve reliability. Billing records (subscription plan, status, renewal date) - only when you choose a paid plan; we never see your card number. We do not collect anything from sources you have not explicitly connected.
3. Lawful basis (GDPR)
We process your data on the basis of (a) performance of contract - to deliver the service you signed up for; (b) legitimate interest - to keep the service secure and prevent abuse; and (c) consent - for non-essential analytics, which is off by default until you accept the consent banner. You can withdraw consent at any time by clearing the banner choice in your browser.
4. How it is stored
Your data lives in a managed Postgres database with row-level security scoped to your user id - other users cannot read your rows even from the same table. Data is encrypted in transit with TLS and encrypted at rest by the database provider. We do not claim end-to-end encryption: our service necessarily decrypts your data to compute on it (that is how Nova works). Secrets (API keys, OAuth tokens) live in a separate encrypted secret store.
5. Retention
Account and memory data is kept for as long as your account is active. AI usage events and agent run logs are retained for up to 90 days for debugging and abuse prevention, then aggregated or deleted. When you delete your account from /account, your rows are hard-deleted from the live database immediately and from rolling backups within 30 days. Audit log entries in data_requests are kept for compliance evidence even after the user is deleted.
6. Your rights
You have the right to access, correct, export, delete, and object to processing of your personal data. We have built these into the app:
- Export: /account → Your data → Export my data (JSON). Returns a complete JSON of every row Nova holds about you.
- Delete: /account → Your data → Delete my account. Requires you to type DELETE; runs immediately; you cannot log back in afterwards.
- Correct: edit any note, card, profile field, or guardrail directly in the app.
- Object / restrict: pause any agent from /my-agents, revoke any integration from /permissions.
7. International transfers
Nova's database and AI inference run on infrastructure that may be located outside South Africa and outside the EU/EEA, including the United States. Where data leaves the EU/EEA we rely on the relevant provider's Standard Contractual Clauses (SCCs); where data leaves South Africa we rely on POPIA s.72 protections. Specific provider regions are listed under Sub-processors below.
8. AI providers and your prompts
When Nova drafts a card or answers an Ask, your prompt and relevant context are sent to a large language model provider. We pay for those calls per token; we do not sell your data to them. Whether a given provider uses paid API content for training depends on their published terms - we do not warrant a blanket "not used to train" statement here because that's a third-party guarantee, not ours. If you need a specific provider's training-opt-out for compliance, email us and we'll confirm the current configuration in writing.
9. What we never do
We do not sell your personal data. We do not share it with advertisers. We do not run third-party advertising trackers in the app. We do not use your content to train a model that we operate.
10. Children
Nova handles financial and household admin and is not directed at children. You must be 18 or older to create an account.
11. Cookies and analytics
We use one essential cookie/storage entry to keep you signed in. We use a privacy-respecting product analytics layer for aggregate counts (page views, key actions). Analytics is OFF until you accept the consent banner on first visit. We do not use cross-site advertising trackers.
12. Changes
Material changes to this policy are announced in-app at least 30 days before they take effect. The effective date at the top of this page reflects the last change.
13. Sub-processors
The third parties that process your personal data on our behalf today:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (database, auth, storage) | Stores your account, memory, cards and audit logs. | EU / US (provider-managed) |
| Cloudflare Workers (serverless runtime) | Runs the Nova app server and edge endpoints. | Global edge |
| Lovable AI Gateway (LLM routing) | Forwards your prompts to large language model providers (e.g. Google Gemini, Anthropic Claude, OpenAI) to generate Nova's drafts and answers. | US / EU (provider-managed) |
| Paddle (payments - once live) | Subscription billing and tax. Card details are handled by Paddle, never by Nova. | EU / US |
We will update this list at least 30 days before adding a new sub-processor that materially changes how your data is handled.
14. Contact
Information Officer (POPIA) / Data Protection contact (GDPR / CCPA): privacy@nova.ai.