Privacy Policy

Last updated: February 4, 2026

Novu Oy ("Novu," "we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI-powered coaching service delivered via WhatsApp (the "Service"), our website at withnovu.com (the "Site"), and any related features or communications.

By accessing or using our Service, you agree to this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use of the Service.

1. Data Controller

Novu Oy

Business ID: 3508523-5

Address: Otakaari 5, 02015 Espoo, Finland

Email: support@withnovu.com

2. Information We Collect

We collect both personal data and non-personal data when you interact with our Service.

2.1 Personal Data
  • Contact Information: Name and phone number provided during registration
  • Account Data:Information you share and user preferences
  • Usage Data: WhatsApp message history (coaching conversations), goals, tasks, and progress data
  • Payment Data: Billing information processed through Stripe (we do not store your payment card details)
2.2 Special Categories of Personal Data (Sensitive Data)

To provide the coaching service, we may process health and wellbeing data you choose to share:

  • Lifestyle data (sleep, exercise, nutrition)
  • Wellbeing goals and challenges
  • Stress management and mental wellbeing information

Processing this data requires your explicit consent, which you provide when registering for the service.

2.3 Technical Data

When you visit our website, we may collect:

  • IP address and approximate location
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent
  • Referring website or source
2.4 Cookies and Similar Technologies

Our website uses cookies and similar technologies to:

  • Enable essential website functionality
  • Remember your preferences (such as language settings)
  • Analyze website usage to improve user experience

You can control cookies through your browser settings. Disabling cookies may limit some website functionality.

3. How We Use Your Information

We process your information for the following purposes:

  • To provide, operate, and maintain our coaching Service
  • To personalize your coaching experience and deliver insights
  • To process payments and manage subscriptions
  • To communicate with you about updates, support, and service information
  • To analyze and improve our Service performance and security
  • To comply with legal obligations
3.1 Legal Bases for Processing (GDPR)
  • Contract (GDPR Article 6(1)(b)): Processing necessary to provide the Service you requested
  • Explicit Consent (GDPR Article 9(2)(a)): Processing special categories of personal data related to health and wellbeing
  • Legitimate Interests (GDPR Article 6(1)(f)): To improve and secure our Service
  • Legal Obligation (GDPR Article 6(1)(c)): Compliance with accounting and tax legislation

4. Use of AI in the Service

The Novu service uses artificial intelligence (Google Gemini) in coaching conversations. Important information about AI usage:

  • Anonymization: Your personal data is anonymized before being sent to the AI system. The AI does not process your identifiable personal data.
  • Human Supervision: AI-generated content is supervised by humans who ensure the quality and safety of the advice.
  • Not Used for Model Training: Your conversations are not used to train or develop the AI model.
  • EU AI Act Compliance: The service complies with the transparency requirements of the EU AI Regulation.

5. How We Share Information

We do not sell or rent your personal data. We may share it only with:

  • Meta (WhatsApp Business API): For message delivery. Data is processed in the EU.
  • Stripe: For payment processing. Stripe acts as an independent data controller for payment data.
  • Alphabet (Finland): AI service provider.
  • Infrastructure Providers: Railway (Netherlands), AWS (Sweden), and Supabase (Germany) for hosting and database services.

All third parties are bound by data processing agreements that ensure GDPR compliance.

6. International Data Transfers

All data is stored and processed within the EU/EEA area. We do not transfer personal data outside the EU.

If this changes in the future, we will ensure such transfers comply with applicable law using Standard Contractual Clauses (SCCs) or other approved safeguards, and we will update this policy accordingly.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Customer data: During the customer relationship and 3 years after its end
  • Message history: During the customer relationship and 1 year after its end
  • Billing data: 6 years from the end of the financial year as required by Finnish accounting law
  • Consents: As long as processing continues, and 3 years after

When no longer needed, data is securely deleted or anonymized.

8. Data Security

We use appropriate technical and organizational measures to protect your data:

  • Data traffic is encrypted with TLS/SSL protocol
  • Databases are encrypted at rest and in transit
  • Access to data is restricted to authorized personnel only
  • We use secure EU-area data centers
  • Regular security assessments and monitoring

However, no method of transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk. If you suspect unauthorized access to your account, contact us immediately.

9. Automated Decision-Making

Our AI-powered coaching service does not make automated decisions that have legal or similarly significant effects on you. The AI assists in generating coaching content, but all advice is for informational purposes only. You retain full control over any decisions you make based on the coaching provided.

10. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data and information about how it's processed
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing under certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent
  • Right to Lodge a Complaint: Lodge a complaint with the supervisory authority

To exercise any of these rights, contact us at support@withnovu.com. We will respond to your request within 30 days.

11. Your Choices

You have control over your data and can:

  • Update your information: Contact us to correct or update your personal data
  • Opt out of marketing: Unsubscribe from marketing emails using the link in each email, or contact us directly
  • Manage cookies: Control cookie preferences through your browser settings
  • Delete your account: Request account deletion at any time by emailing support@withnovu.com. Upon deletion, we will remove your personal data in accordance with our retention policy
  • Export your data: Request a copy of your data in a portable format

12. Children's Privacy

Our Service is not directed to children under 18 years of age. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@withnovu.com.

If we learn that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information as soon as possible.

13. Third-Party Links

Our Service and website may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party sites you visit. This Privacy Policy applies only to our Service and does not cover third-party practices.

14. Supervisory Authority

If you believe that the processing of your personal data violates data protection legislation, you have the right to lodge a complaint with the supervisory authority:

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki
Phone: 029 566 6700
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect.

Continued use of the Service after the changes take effect constitutes acceptance of the updated policy. We recommend checking this policy regularly.

16. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Novu Oy
Otakaari 5, 02015 Espoo, Finland
Email: support@withnovu.com

We generally respond to inquiries within 2 business days.

Privacy Policy | Novu