Privacy

Your data.
Your control.

Effective: 28 June 2026

This is a plain-English description of how Nova actually handles the data you give it. It describes what the product does today, not what we hope to do.

1. Who we are

Nova is operated by the Nova team based in the Republic of South Africa. For privacy matters, contact our Information Officer (POPIA) / Data Protection contact (GDPR) at privacy@nova.ai.

2. What we collect, and why

Account details (email, optional first name) — to create your account and sign you in.

Memory and cards (notes, tasks, opportunities, agent drafts) — the personal context you give Nova so it can prepare suggestions for you.

Usage events (which agents ran, AI requests counted against your daily allowance) — to enforce fair-use limits and improve reliability.

Billing records (subscription plan, status, renewal date) — only when you choose a paid plan; we never see your card number.

We do not collect anything from sources you have not explicitly connected.

3. Lawful basis (GDPR)

We process your data on the basis of (a) performance of contract — to deliver the service you signed up for; (b) legitimate interest — to keep the service secure and prevent abuse; and (c) consent — for non-essential analytics, which is off by default until you accept the consent banner. You can withdraw consent at any time by clearing the banner choice in your browser.

4. How it is stored

Your data lives in a managed Postgres database with row-level security scoped to your user id — other users cannot read your rows even from the same table. Data is encrypted in transit with TLS and encrypted at rest by the database provider. We do not claim end-to-end encryption: our service necessarily decrypts your data to compute on it (that is how Nova works). Secrets (API keys, OAuth tokens) live in a separate encrypted secret store.

5. Retention

Account and memory data is kept for as long as your account is active. AI usage events and agent run logs are retained for up to 90 days for debugging and abuse prevention, then aggregated or deleted. When you delete your account from /account, your rows are hard-deleted from the live database immediately and from rolling backups within 30 days. Audit log entries in data_requests are kept for compliance evidence even after the user is deleted.

6. Your rights

You have the right to access, correct, export, delete, and object to processing of your personal data. We have built these into the app:

For anything that can't be self-served, email privacy@nova.ai and we'll respond within 30 days. If we don't resolve it, you can complain to the South African Information Regulator (POPIA), your EU data protection authority (GDPR), or the California Attorney General (CCPA).

7. International transfers

Nova's database and AI inference run on infrastructure that may be located outside South Africa and outside the EU/EEA, including the United States. Where data leaves the EU/EEA we rely on the relevant provider's Standard Contractual Clauses (SCCs); where data leaves South Africa we rely on POPIA s.72 protections. Specific provider regions are listed under Sub-processors below.

8. AI providers and your prompts

When Nova drafts a card or answers an Ask, your prompt and relevant context are sent to a large language model provider. We pay for those calls per token; we do not sell your data to them. Whether a given provider uses paid API content for training depends on their published terms — we do not warrant a blanket "not used to train" statement here because that's a third-party guarantee, not ours. If you need a specific provider's training-opt-out for compliance, email us and we'll confirm the current configuration in writing.

9. What we never do

We do not sell your personal data. We do not share it with advertisers. We do not run third-party advertising trackers in the app. We do not use your content to train a model that we operate.

10. Children

Nova handles financial and household admin and is not directed at children. You must be 18 or older to create an account.

11. Cookies and analytics

We use one essential cookie/storage entry to keep you signed in. We use a privacy-respecting product analytics layer for aggregate counts (page views, key actions). Analytics is OFF until you accept the consent banner on first visit. We do not use cross-site advertising trackers.

12. Changes

Material changes to this policy are announced in-app at least 30 days before they take effect. The effective date at the top of this page reflects the last change.

13. Sub-processors

The third parties that process your personal data on our behalf today:

Sub-processor | Purpose | Region
Supabase (database, auth, storage) | Stores your account, memory, cards and audit logs. | EU / US (provider-managed)
Cloudflare Workers (serverless runtime) | Runs the Nova app server and edge endpoints. | Global edge
Lovable AI Gateway (LLM routing) | Forwards your prompts to large language model providers (e.g. Google Gemini, Anthropic Claude, OpenAI) to generate Nova's drafts and answers. | US / EU (provider-managed)
Paddle (payments — once live) | Subscription billing and tax. Card details are handled by Paddle, never by Nova. | EU / US

We will update this list at least 30 days before adding a new sub-processor that materially changes how your data is handled.

14. Contact

Information Officer (POPIA) / Data Protection contact (GDPR / CCPA): privacy@nova.ai.
