Privacy Policy

Last updated: April 9, 2026

Novu Oy ("Novu," "we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI-powered productivity app for iOS (the "Service"), our website at withnovu.com (the "Site"), and any related features or communications.

By accessing or using our Service, you agree to this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use of the Service.

1. Data Controller

Novu Oy

Business ID: 3508523-5

Address: Otakaari 5, 02015 Espoo, Finland

Email: support@withnovu.com

2. Information We Collect

We collect both personal data and non-personal data when you interact with our Service.

2.1 Personal Data

  • Profile Information: Name, bio, birthday, occupation, and profile photo provided during setup
  • Account Data: Your account is created implicitly through your iCloud account. We use your CloudKit user record ID as your identifier.
  • Usage Data: Voice recordings, voice transcripts, tasks, goals, daily schedule, and feature requests
  • Payment Data: Subscriptions are handled entirely by Apple through the App Store. We do not collect or store any payment information.

2.2 Special Categories of Personal Data (Sensitive Data)

With your permission, we may access the following health data:

  • Sleep analysis data from Apple HealthKit (read-only, used to personalize your experience)

HealthKit data stays on your device and is not sent to our servers or any third party. Access requires your explicit consent through iOS system permissions.

2.3 Technical Data

When you use our app, we may automatically collect:

  • Device model and iOS version
  • App version
  • Timezone and language/locale
  • Permission statuses (notifications, calendar, health)
  • App lifecycle events and usage analytics

2.4 Cookies and Similar Technologies

Our website uses cookies and similar technologies to:

  • Enable essential website functionality
  • Remember your preferences (such as language settings)
  • Analyze website usage to improve user experience

You can control cookies through your browser settings. Disabling cookies may limit some website functionality.

3. How We Use Your Information

We process your information for the following purposes:

  • To provide, operate, and maintain our coaching Service
  • To personalize your coaching experience and deliver insights
  • To process payments and manage subscriptions
  • To communicate with you about updates, support, and service information
  • To analyze and improve our Service performance and security
  • To comply with legal obligations

3.1 Legal Bases for Processing (GDPR)

  • Contract (GDPR Article 6(1)(b)): Processing necessary to provide the Service you requested
  • Explicit Consent (GDPR Article 9(2)(a)): Processing special categories of personal data related to health and wellbeing
  • Legitimate Interests (GDPR Article 6(1)(f)): To improve and secure our Service
  • Legal Obligation (GDPR Article 6(1)(c)): Compliance with accounting and tax legislation

4. Use of AI in the Service

The Novu service uses artificial intelligence (Google Gemini) for voice transcription and task extraction. Important information about AI usage:

  • Anonymization: Your personal data is anonymized before being sent to the AI system. The AI does not process your identifiable personal data.
  • Not Used for Model Training: Your data is not used to train or develop the AI model.
  • EU AI Act Compliance: The service complies with the transparency requirements of the EU AI Regulation.

5. How We Share Information

We do not sell or rent your personal data. We may share it only with:

  • Apple: For iCloud data sync, push notifications, and subscription payments via the App Store.
  • RevenueCat: For subscription management and entitlement verification.
  • Alphabet (Google Gemini): AI service provider for voice transcription and task extraction.
  • PostHog: For anonymized product analytics.
  • Infrastructure Providers: Railway and Supabase for hosting and database services.

All third parties are bound by data processing agreements that ensure GDPR compliance.

6. International Data Transfers

All data is stored and processed within the EU/EEA area. We do not transfer personal data outside the EU.

If this changes in the future, we will ensure such transfers comply with applicable law using Standard Contractual Clauses (SCCs) or other approved safeguards, and we will update this policy accordingly.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

  • On-device data: Persists until you delete it in app settings or remove the app
  • iCloud data: Synced with on-device data and follows the same lifecycle
  • Voice recordings: Temporary files are deleted after processing on your device
  • Backend data: Notification preferences and feature requests are retained during the customer relationship and for 3 years after its end
  • Billing data: 6 years from the end of the financial year as required by Finnish accounting law

When no longer needed, data is securely deleted or anonymized.

8. Data Security

We use appropriate technical and organizational measures to protect your data:

  • Data traffic is encrypted using the TLS/SSL protocol
  • Databases are encrypted at rest and in transit
  • Access to data is restricted to authorized personnel only
  • We use secure EU-area data centers
  • Regular security assessments and monitoring

However, no method of transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk. If you suspect unauthorized access to your account, contact us immediately.

9. Automated Decision-Making

Our AI-powered coaching service does not make automated decisions that have legal or similarly significant effects on you. The AI assists in generating coaching content, but all advice is for informational purposes only. You retain full control over any decisions you make based on the coaching provided.

10. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data and information about how it's processed
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing under certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent
  • Right to Lodge a Complaint: Lodge a complaint with the supervisory authority

To exercise any of these rights, contact us at support@withnovu.com. We will respond to your request within 30 days.

11. Your Choices

You have control over your data and can:

  • Update your information: Contact us to correct or update your personal data
  • Opt out of marketing: Unsubscribe from marketing emails using the link in each email, or contact us directly
  • Manage cookies: Control cookie preferences through your browser settings
  • Delete your account: Request account deletion at any time by emailing support@withnovu.com. Upon deletion, we will remove your personal data in accordance with our retention policy
  • Export your data: Request a copy of your data in a portable format

12. Children's Privacy

Our Service is not directed to children under 18 years of age. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@withnovu.com.

If we learn that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information as soon as possible.

13. Third-Party Links

Our Service and website may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party sites you visit. This Privacy Policy applies only to our Service and does not cover third-party practices.

14. Supervisory Authority

If you believe that the processing of your personal data violates data protection legislation, you have the right to lodge a complaint with the supervisory authority:

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki
Phone: 029 566 6700
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect.

Continued use of the Service after the changes take effect constitutes acceptance of the updated policy. We recommend checking this policy regularly.

16. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Novu Oy
Otakaari 5, 02015 Espoo, Finland
Email: support@withnovu.com

We generally respond to inquiries within 2 business days.
