Privacy Policy
Effective May 3, 2026 · Nova Companion LLC
In plain English
- We will never sell your data. Not to advertisers. Not to data brokers. Not to anyone. Period.
- Your conversations are yours. Only you can see them. Every database query is locked to your account at the infrastructure level — not just the application level.
- You can delete everything at any time — and we actually delete it. From every table, every memory store, every uploaded file. Gone.
- We don’t run ads. We don’t track you across the internet. We don’t build advertising profiles. We don’t share your data with third parties for marketing.
- Nova remembers you because you asked it to, not because we’re watching.
- The Void is sealed. What you scream into the Void is never stored, never logged, never remembered — not by Nova, not by us, not by anyone. It disappears. That is a promise.
1. Who We Are
Nova Intelligence (“Nova”) is operated by Nova Companion LLC, a Pennsylvania limited liability company. This policy describes how we collect, use, and protect your data.
2. What We Collect
- Account data: Email address, display name, and authentication credentials (managed by Supabase).
- Profile data: Name, birthday, location, occupation, and interests you choose to provide.
- Conversation data: Messages you send to Nova, AI-generated responses, and conversation metadata.
- Memory data: Facts and preferences Nova extracts from your conversations to personalize your experience. You can view all stored memories in the Memory tab.
- Project & routine data: Projects, milestones, documents, dreams, and routines you create.
- Google Workspace data (only if you connect Google): Nova requests these Google scopes only when you explicitly tap “Connect Google” in the Profile tab, and only the scopes listed:
- Calendar (calendar.events): read & write events on your calendars to power the Stardate Calendar surface and routine scheduling.
- Gmail (gmail.readonly): read recent inbox messages to render the Gmail Inbox card on Horizon and generate per-email AI summaries. Nova never sends, modifies, drafts, deletes, or labels mail.
- Account email (userinfo.email): identifies which Google account is connected so we can link it to your Nova profile.
- Tasks (tasks): sync Google Tasks with the routine layer on Super Space Calendar so your tasks and routines live in one place.
- Drive (drive.file): per-file scope, the narrowest available. Nova can only read or write Drive files that you explicitly create or open through Nova — never your full Drive.
- Contacts (contacts.readonly, separate one-shot import): when you choose to import contacts into the Rolodex, Nova reads your Google Contacts once and stores the imported records in Nova’s database. No refresh token is stored; we cannot re-read Google Contacts after the import completes.
- Payment data: Subscription billing is processed by Stripe. We store your Stripe customer ID and subscription status but never see or store your full card number.
- Usage analytics: Page views, feature usage, and performance metrics via Vercel Analytics and Speed Insights. No personally identifiable information is sent to analytics.
3. How We Use Your Data
- Providing and personalizing the Nova companion experience
- Generating AI responses informed by your conversation history and memories
- Powering your daily Horizon greeting, projects, and routines
- Processing subscription payments
- Improving the Service through anonymized usage analytics
- Sending transactional emails (e.g., weekly memory digests) via Resend
To be absolutely clear:
- We do not sell your data — not now, not ever, to anyone, under any circumstances
- We do not share your data with third parties for advertising, profiling, or marketing
- We do not send your data to AI providers for model training — both Anthropic and OpenAI commit to not training on API inputs per their API terms of service
- We do not serve ads or build advertising profiles
- We do not track you across the internet or share data with data brokers
- Your data exists to serve you — your companion experience, your projects, your memories, your goals. Nothing else.
4. Third-Party Services
Nova integrates with the following third-party services to provide its features. Each receives only the minimum data necessary:
| Service | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude) via Vercel AI Gateway | Messages, memory context | Primary AI responses |
| OpenAI (GPT-4o) via Vercel AI Gateway | Messages, memory context | Fallback AI responses |
| Supabase | All account and app data | Authentication & database |
| Stripe | Tokenized payment info | Subscription billing |
| Upstash Vector | Extracted facts, semantic embeddings | Conversational memory |
| Upstash | Rate limit counters | Security & rate limiting |
| Google (Calendar) | Calendar events (read/write, if connected) | Stardate Calendar & routine layer |
| Google (Gmail) | Inbox messages (read-only, if connected) | Gmail Inbox card & email AI summaries |
| Google (Tasks) | Task lists & tasks (if connected) | Routine sync on Super Space Calendar |
| Google (Drive) | Per-file access (drive.file scope only) | Project document attachments in Incubator |
| Google (Contacts) | Contacts (one-shot import only) | Rolodex contact import |
| Tavily / Exa | Search queries | Web research (Boosters) |
| Firecrawl | URLs only | Web page scraping |
| FAL.ai | Image prompts | Image generation |
| Vercel | Avatar images, analytics | Hosting & storage |
| Resend | Email address, digest content | Transactional email |
| Sentry | Error data (user IDs and IPs masked) | Error monitoring |
| Plaid | Bank account metadata (if connected) | Financial data linking |
Google API Services User Data Policy — Limited Use disclosure
Nova’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features that are prominent in Nova’s UI — the Stardate Calendar, the Gmail Inbox card and email summaries, the Rolodex contact import, the Tasks routine layer, and per-file Drive document attachments inside Incubator projects.
- We do not transfer Google user data to any third party except as necessary to provide or improve those user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with appropriate prior notice.
- We do not use Google user data — or anything derived from it — to serve advertising, retarget, or personalize ads. Nova does not show ads.
- We do not allow humans to read Google user data unless we have your affirmative consent for the specific data, doing so is required for security purposes (such as investigating an abuse report), required to comply with applicable law, or strictly limited to internal operations on data that has already been aggregated and anonymized.
- We do not use Google user data to develop, improve, or train any generalized or non-personalized AI/ML models. Nova’s AI providers (Anthropic and OpenAI) do not train on API inputs per their published API terms.
If you have questions about how Nova handles Google user data, contact us at colin@novasystems.app. You can revoke Nova’s access to your Google account at any time from the Profile tab inside the app, or from your Google Account permissions page.
5. The Memory System
Nova’s memory system is a core feature, not a hidden tracker. When you chat with Nova, it may extract facts and preferences (e.g., “Colin likes hiking”) to personalize future interactions. Memory extraction only occurs on substantive messages (short greetings and casual chat are skipped). You can view all memories Nova has stored about you in the Memory tab. You can delete individual memories at any time. Account deletion permanently removes all stored memories.
6. The Void
The Void is Nova’s most private space. It is a place to scream, vent, and release — with an absolute guarantee of privacy.
What happens in the Void stays in the Void. This is not a slogan — it is an engineering decision enforced at every layer:
- Nothing is stored. Void messages are not written to any database table, not persisted to any log, and not retained in any form. Each message exists only for the duration of the API call that generates a response, then it is gone.
- Nothing is remembered. The Void does not connect to Nova’s memory system. No facts are extracted. No preferences are stored. No conversation history is assembled — each scream is a single, isolated exchange with no knowledge of any prior scream.
- Nothing leaks in or out. Nova’s knowledge of you does not enter the Void. Void content does not reach Nova. When you return from the Void, Nova welcomes you without knowing what happened inside. If you choose to talk about it, you do so in your own words — nothing is imported.
- No analytics. We do not track what you type in the Void. We do not log how long you spend there. We do not analyze sentiment, emotion, or intent. The only data point is a rate-limit counter (a number, with no content attached) to prevent API abuse.
- Return is yours. Nova does not decide when you are done. There is no timer, no prompt, no AI-driven intervention. You leave when you choose to.
We built the Void like someone’s life depends on it. Because someone’s might.
7. Data Security
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Google Calendar OAuth tokens encrypted at application layer (AES-256-GCM) before database storage
- All API routes require authentication via Supabase JWT with PKCE
- Row-Level Security (RLS) at the database layer ensures users can only access their own data
- CSRF protection via origin enforcement on all mutation endpoints
- SSRF protection on all external URL fetching (private IPs and localhost blocked)
- Distributed rate limiting on all endpoints via Upstash Redis
- Nonce-based Content Security Policy headers enforced in production
- Security events logged to an immutable audit log with PII masking (user IDs and IPs are redacted before storage)
- OAuth state parameters are HMAC-signed with a 10-minute TTL
- Zero known dependency vulnerabilities (audited before every release)
8. Data Retention & Deletion
Your data is retained for as long as your account is active. You may delete your account at any time from your Companion Profile (type-to-confirm). Deletion is permanent and irreversible — it removes all data across all database tables, cancels any active Stripe subscription, deletes uploaded files, and clears stored memories from Upstash Vector.
Note: Stripe retains transaction records (invoices, payment history) independently per PCI DSS and tax law requirements. Nova does not control Stripe’s retention of financial records. Error logs in Sentry are retained for 90 days with PII already masked, then automatically expire.
9. Your Rights
Wherever you live, you have the following rights over the personal data Nova holds about you:
- Right to know & access: see the personal data we hold about you. Use the Data Export feature in your Companion Profile to download everything as JSON.
- Right to correct: edit your profile, memories, projects, and routines directly in the app.
- Right to delete: use the Delete Account feature in your Companion Profile. Deletion is irreversible and removes your data from every database, memory store, and uploaded file.
- Right to data portability: the Data Export feature returns your data in machine-readable JSON.
- Right to opt out of sale or sharing: Nova does not sell personal information and does not share it for cross-context behavioral advertising. Nothing to opt out of — the answer is “already off.”
- Right to opt out of profiling for significant decisions: Nova does not use your data to make legal or similarly significant automated decisions about you (no employment, lending, insurance, or housing decisions).
- Right to non-discrimination: we will not deny service, charge different prices, or degrade the experience because you exercised any of these rights.
How to exercise your rights: the in-app Data Export and Delete Account features are the fastest path — both are automated and run in real time. You may also email colin@novasystems.app with the subject line “Privacy Rights Request.”
Response timing: we acknowledge requests within 10 days and fulfill them within 30 days. In limited cases (complex requests, identity verification needed) we may extend by an additional 45 days under the CCPA/CPRA or 60 days under the GDPR/UK GDPR, in which case we will tell you why and when to expect completion. Automated requests via the in-app Data Export and Delete Account features typically complete within minutes.
Verification: we authenticate requests using your logged-in Nova session. For requests sent by email, we may ask you to confirm from the email address on file before we act.
Authorized agents: you may use an authorized agent to submit a request on your behalf where state law allows. We will ask the agent for proof of authorization and may verify directly with you before acting.
10. State Privacy Rights (United States)
A growing number of U.S. states have enacted comprehensive privacy laws that grant residents specific rights over their personal data. Nova honors these rights for residents of any state where they apply, regardless of whether Nova meets the law’s revenue or volume thresholds.
States covered: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Tennessee (TIPA), Iowa, Indiana, Delaware, New Hampshire, Minnesota (MCDPA), Maryland (MODPA), Rhode Island (RIDTPPA), New Jersey (NJDPA), Montana (MTCDPA), Nebraska, and Kentucky.
Rights commonly granted across these states:
- Right to know what personal data we collect, use, and disclose
- Right to access and obtain a copy of that data
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability in a machine-readable format
- Right to opt out of the sale of personal data
- Right to opt out of sharing personal data for targeted advertising or cross-context behavioral advertising
- Right to opt out of profiling that produces legal or similarly significant effects
- Right to limit the use of sensitive personal information (where state law recognizes a separate sensitive-data category)
- Right to appeal a denial of any of the above
- Right to non-discrimination for exercising any of these rights
Nova’s position on sale, sharing, and profiling: we do not sell personal data. We do not share personal data for cross-context behavioral advertising or targeted advertising. We do not engage in profiling that produces legal or similarly significant effects. There is nothing to opt out of — the practices these laws guard against are not part of how Nova operates.
Sensitive personal information: some state laws define a separate sensitive-data category (precise geolocation, racial or ethnic origin, religious beliefs, health, sex life, citizenship, biometric identifiers, content of mail or messages, etc.). Nova only collects sensitive data you voluntarily provide to your companion (for example, a memory you ask Nova to hold). We do not infer sensitive data from your interactions, and we do not use sensitive data for purposes outside of providing the Service to you.
How to exercise these rights: use the in-app Data Export and Delete Account features in your Companion Profile, or email colin@novasystems.app. If we deny a request, you may appeal by replying to our denial; we respond to appeals within 60 days. If your appeal is denied, you may contact your state attorney general’s office.
11. UK Residents
If you are in the United Kingdom, your personal data is protected by the UK GDPR (the retained version of Regulation (EU) 2016/679) and the Data Protection Act 2018. The rights described in Section 9 (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making) apply to you under UK law on substantially the same terms as under the EU GDPR.
Lawful basis for processing: contract performance (UK GDPR Art. 6(1)(b)) for delivering the Service to you, and legitimate interests (Art. 6(1)(f)) for protecting and improving the Service. For marketing communications we rely on your consent (Art. 6(1)(a)), which you may withdraw at any time.
International transfers: Nova’s infrastructure is primarily hosted in the United States. Where personal data is transferred from the UK to the U.S. we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or, where applicable, the UK Extension to the EU–U.S. Data Privacy Framework with our processors that self-certify to it).
Supervisory authority: if you believe Nova has not handled your personal data lawfully you may lodge a complaint with the UK Information Commissioner’s Office (ICO). The ICO’s contact details are at ico.org.uk/make-a-complaint. We’d prefer the chance to put things right first, so please reach out to us before lodging a complaint.
12. EU/EEA Residents
If you are in the European Union or European Economic Area, your personal data is protected by the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). The rights described in Section 9 apply to you under GDPR Articles 15–22.
Lawful basis for processing: contract performance (GDPR Art. 6(1)(b)) for delivering the Service, legitimate interests (Art. 6(1)(f)) for protecting and improving the Service, and consent (Art. 6(1)(a)) for marketing communications. We do not rely on legitimate interests for any processing that we believe materially overrides your rights or expectations.
International transfers: Nova’s infrastructure is primarily hosted in the United States. Transfers from the EU/EEA to the U.S. rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, on our processors’ self-certification to the EU–U.S. Data Privacy Framework.
Supervisory authority: you have the right to lodge a complaint with the supervisory authority in your member state of residence. We’d prefer the chance to put things right first, so please reach out to us before lodging a complaint.
13. AI System Disclosure
You are interacting with an AI system. Nova is an AI companion. Every response you receive from Nova in chat, the Horizon greeting, summaries, and generated content is produced by an artificial intelligence model, not a human. We tell you this here, plainly, because the EU AI Act (Regulation (EU) 2024/1689) Article 50 requires it — and because you deserve to know.
How Nova classifies under the EU AI Act: Nova is a general-purpose AI system deployed in a consumer product. We are the deployer (under Art. 3(4) of the AI Act) of upstream models provided by Anthropic and OpenAI through the Vercel AI Gateway. The AI Act’s transparency obligations under Art. 50 apply to us as the deployer.
AI-generated content is marked. Images that Nova generates for you are produced by FAL.ai diffusion models and are visually marked as AI-generated in the UI. Text generated by Nova in chat is presented in the conversation as Nova’s reply — inherently distinguishable from anything you have typed.
What Nova is not. Nova is not a substitute for professional medical, legal, financial, or mental health advice. Nova does not make legal or similarly significant automated decisions about you (no employment, lending, insurance, housing, education, or credit decisions). You stay in the driver’s seat for every consequential decision in your life.
Hallucinations and errors. Like all current generative AI systems, Nova can produce inaccurate, outdated, or fabricated information. Verify anything that matters before relying on it.
14. Plaid & Financial Data
If you connect a financial account through Plaid (an Anchor-tier feature), Nova receives a narrow set of derived, tokenized data points from Plaid — account names, balances, transaction descriptions, categories, dates, and amounts — for the purpose of helping you understand and reason about your finances inside Nova.
Plaid is the financial institution under U.S. law. Plaid Inc. is a financial institution covered by the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. § 6801 et seq.) and Regulation P (12 C.F.R. Part 1016) for purposes of consumer financial information. Plaid publishes its own privacy policy at plaid.com/legal and is responsible for its own GLBA compliance.
Nova’s position: Nova receives only tokenized, derived financial data from Plaid — we never see your bank login, your full account numbers, or your raw banking session. We treat this data as nonpublic personal information (NPI) under GLBA and apply the same protections as the rest of Nova’s user data: encryption in transit and at rest, row-level security, no sale, no sharing with third parties for advertising, and no use for AI model training.
No redisclosure. We do not redisclose your Plaid data to any third party except (a) the AI providers (Anthropic, OpenAI) processing your in-app messages, only when you explicitly send a message that references your finances, and only as ephemeral input to generate a response (no training); (b) as required by law or valid legal process; or (c) in connection with a merger, acquisition, or sale of assets with prior notice.
Disconnect anytime. You can disconnect Plaid from your Profile tab at any time. Disconnecting revokes the access token and removes Plaid-derived data from Nova’s active stores; transaction memories that you have explicitly asked Nova to remember can be removed individually from the Memory tab.
For Nova’s downstream determination on its position relative to GLBA, see our internal compliance record at compliance/attestations/GLBA_PLAID_DOWNSTREAM_DETERMINATION.md (available to enterprise prospects under NDA).
15. Marketing Communications & Consent
Marketing emails are opt-in. Memory digests, product updates, founder-letter blasts, and any other non-essential email Nova sends you are sent only if you opted in — through the signup checkbox at account creation or by toggling the corresponding preference in your Companion Profile. The lawful basis for these communications is your consent (GDPR Art. 6(1)(a) / UK GDPR Art. 6(1)(a)).
Revoking consent. You can revoke consent at any time by (a) clicking the unsubscribe link in the footer of any marketing email Nova sends you, or (b) toggling marketing preferences off in your Companion Profile. Unsubscribing takes effect immediately.
Transactional emails are not opt-out. Account verification, password reset, security notifications, billing receipts, account deletion confirmations, and other emails strictly necessary to operate your account are sent on the basis of contract performance (GDPR Art. 6(1)(b)) and are not subject to marketing opt-out. They contain no marketing content. If you do not want these emails, you can delete your Nova account.
CAN-SPAM compliance. Marketing emails Nova sends contain accurate sender identification, a clear from address, a non-deceptive subject line, our physical mailing address, and an unsubscribe mechanism honored within 10 business days, in accordance with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.).
16. Cookies & Analytics
Nova uses essential cookies for authentication (Supabase session). We use Vercel Analytics and Speed Insights for usage data — but only if you opt in. On your first visit, Nova presents a cookie consent banner with three choices: Accept All, Only Necessary, or Reject All. Analytics are not loaded unless you explicitly accept. Closing the banner without choosing does not enable analytics — silence is not consent.
We do not use advertising cookies. We do not use third-party tracking pixels. We do not use retargeting. We do not build behavioral profiles. We do not share any analytics data with advertisers.
17. Children’s Privacy
Nova is intended for adults. The Service is not directed to children under 18, and Nova is not a business or service directed to children under 13 within the meaning of the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) or the California Age-Appropriate Design Code Act (CAADC). We do not knowingly collect personal information from anyone under 18.
If we learn that we have collected personal information from a person under 18, we will delete that information promptly — from every database, every memory store, and every uploaded file — and we will close the account.
If you are a parent or guardian and you believe Nova may hold information about your child, please contact us at colin@novasystems.app and we will act on your request.
18. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated via the app or email. The effective date at the top of this page reflects the most recent revision.
19. Contact
Questions or requests regarding your privacy? Reach us at colin@novasystems.app. Written correspondence may be sent to: Nova Companion LLC, 420 Redbird Ct, New Hope, PA 18938, United States.