Privacy Policy

Last updated: April 23, 2026

Novu Oy (“Novu,” “we,” “our,” or “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI-powered productivity app for iOS (the “Service”), our website at withnovu.com (the “Site”), and any related features or communications.

By accessing or using our Service, you agree to this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use of the Service.

1. Data Controller

Novu Oy
Business ID: 3508523-5
Address: Otakaari 5, 02015 Espoo, Finland
Email: support@withnovu.com

2. Information We Collect

We collect both personal data and non-personal data when you interact with our Service.

2.1 Personal Data

  • Profile Information: Name, bio, birthday, occupation, and profile photo provided during setup
  • Account Data: Your account is created implicitly through your iCloud account. We use your CloudKit user record ID as your identifier.
  • Usage Data: Voice recordings, voice transcripts, tasks, goals, daily schedule, and feature requests
  • Payment Data: Subscriptions are handled entirely by Apple through the App Store. We do not collect or store any payment information.

2.2 Special Categories of Personal Data (Sensitive Data)

With your permission, we may access the following health data:

  • Sleep analysis data from Apple HealthKit (read-only, used to personalize your experience)

HealthKit data stays on your device and is not sent to our servers or any third party. Access requires your explicit consent through iOS system permissions.

2.3 Technical Data

When you use our app, we may automatically collect:

  • Device model and iOS version
  • App version
  • Timezone and language/locale
  • Permission statuses (notifications, calendar, reminders, health, location)
  • App lifecycle events and usage analytics

2.4 Location Data

With your permission, the app may access your precise location to trigger geofenced task reminders (for example, reminding you of a task when you arrive at or leave a specific place). Location data is processed entirely on your device. We do not transmit, store, or share your location with our servers or any third party. Access requires your explicit consent through the iOS system permission prompt and can be revoked at any time in iOS Settings > Privacy & Security > Location Services.

2.5 Calendar and Reminders

With your permission, the app may access your iOS Calendar events and Reminders (via Apple’s EventKit) so that Novu can present a unified daily schedule and coordinate tasks with your existing calendar/reminder workflow. Access requires your explicit consent through the iOS system permission prompts and can be revoked at any time in iOS Settings > Privacy & Security > Calendars / Reminders. Calendar and Reminders content accessed by the Service is handled as personal data under this Privacy Policy and is subject to the retention, security, and sharing terms described in Sections 6–8.

2.6 Cookies and Similar Technologies

Our website uses cookies and similar technologies to:

  • Enable essential website functionality
  • Remember your preferences (such as language settings)
  • Analyze website usage to improve user experience

You can control cookies through your browser settings. Disabling cookies may limit some website functionality.

3. How We Use Your Information

We process your information for the following purposes:

  • To provide, operate, and maintain our coaching Service
  • To personalize your coaching experience and deliver insights
  • To process payments and manage subscriptions
  • To communicate with you about updates, support, and service information
  • To analyze and improve our Service performance and security
  • To comply with legal obligations

3.1 Legal Bases for Processing (GDPR)

  • Contract (GDPR Article 6(1)(b)): Processing necessary to provide the Service you requested
  • Explicit Consent (GDPR Article 9(2)(a)): Processing special categories of personal data related to health and wellbeing
  • Legitimate Interests (GDPR Article 6(1)(f)): To improve and secure our Service
  • Legal Obligation (GDPR Article 6(1)(c)): Compliance with accounting and tax legislation

3.2 Purpose Limitation

We use your personal data only for the purposes described in this Privacy Policy. Data collected for one purpose will not be repurposed for an unrelated new purpose without first obtaining your consent or otherwise having a lawful basis for doing so.

4. Use of AI in the Service

The Novu service uses two AI sub-processors to turn your voice into actionable coaching content:

  • ElevenLabs (Scribe v2): speech-to-text transcription of your voice recordings.
  • Google Gemini: understanding of the transcript to extract tasks, goals, and schedule items.

Important information about AI usage:

  • Anonymization: Your personal data is anonymized before being sent to the AI systems. The AI providers do not process your identifiable personal data.
  • Not Used for Model Training: Your data is not used by ElevenLabs or Google to train or develop their AI models. The providers may temporarily retain inputs for operational purposes such as abuse detection and service reliability, subject to their own policies and our data processing agreements with them.
  • EU AI Act Compliance: The service complies with the transparency requirements of the EU AI Regulation.

5. Health and HealthKit Data

Novu integrates with Apple HealthKit to read a limited set of health data that helps personalize your coaching experience. This section describes how we handle health data and applies in addition to the rest of this Privacy Policy. Where this section conflicts with any other section, this section governs health data.

5.1 What Health Data We Access

  • Sleep analysis from Apple HealthKit (read-only)

We only request read access. We do not write data back to HealthKit. Access requires your explicit consent through the iOS system permission prompt, and you may revoke access at any time in iOS Settings > Privacy & Security > Health.

5.2 How We Use Health Data

Health data obtained through HealthKit is used solely to provide and personalize the coaching features of the Service — for example, to tailor daily schedules, recovery suggestions, and goals to your sleep patterns.

5.3 Restrictions on Use of Health Data

In accordance with Apple’s App Store Review Guidelines and our own commitments to you:

  • We do not use health data for advertising, marketing, remarketing, or other use-based data mining purposes beyond improving your health, fitness, or wellness experience within the Service.
  • We do not sell, rent, trade, or otherwise disclose health data to data brokers, advertising networks, insurance providers, employers, or any other third parties.
  • We do not share health data with third parties for their own purposes.
  • We do not use health data for any advertising or similar services.

5.4 Where Health Data Is Stored

Health data read from HealthKit is processed on your device and stored locally. It is not transmitted to Novu’s servers and is not synced to iCloud by Novu. HealthKit data is not sent to any third-party service provider, including our AI, analytics, or infrastructure providers.

5.5 Legal Basis (GDPR)

Health data constitutes a special category of personal data under GDPR Article 9. We process it only on the basis of your explicit consent (GDPR Article 9(2)(a)), which you grant via the iOS system permission prompt. You may withdraw consent at any time by revoking HealthKit access in iOS Settings, which stops all further processing of your health data by the Service.

5.6 Your Control Over Health Data

  • You can revoke HealthKit access at any time in iOS Settings > Privacy & Security > Health > Novu.
  • Because health data is stored on-device, deleting the app or clearing its data removes Novu’s access to it.
  • Revoking access does not retroactively remove personalizations already derived from earlier sleep data; to remove those, delete the relevant content within the app or delete your account.

5.7 Medical Disclaimer

Novu is not a medical device and does not provide medical advice, diagnosis, or treatment. Health data is used only to personalize coaching content. Always consult a qualified healthcare provider for medical questions.

5.8 Other Sensitive Apple APIs

The same restrictions described in Section 5.3 — no advertising, marketing, use-based data mining, sale, or sharing with unrelated third parties — also apply to any data we obtain via other sensitive Apple platform APIs, including the Photos and Camera APIs (for example, when you select a profile photo). Data obtained via these APIs is used only to deliver the feature for which you provided it.

6. How We Share Information

We do not sell or rent your personal data. We may share it only with:

  • Apple: For iCloud data sync, push notifications, and subscription payments via the App Store.
  • RevenueCat: For subscription management and entitlement verification.
  • ElevenLabs: Speech-to-text transcription (Scribe v2). Audio and transcripts are not used to train ElevenLabs’ models.
  • Alphabet (Google Gemini): AI service provider for understanding transcripts and extracting tasks. Inputs are not used to train Google’s models.
  • PostHog: For anonymized product analytics within the iOS app.
  • Google Analytics: For anonymized website analytics.
  • Infrastructure Providers: Railway and Supabase for hosting and database services.

All third parties with whom we share personal data — including analytics tools, advertising networks (we currently use none), third-party SDKs, AI service providers, and any parent, subsidiary, or related entities — are contractually required, under data processing agreements, to provide the same or equivalent protection of your personal data as stated in this Privacy Policy and as required by applicable law (including the GDPR) and by the Apple Developer Program License Agreement.

7. International Data Transfers

Our primary backend (Railway, Supabase) and your iCloud data are stored within the EU/EEA.

Some of our AI sub-processors — specifically ElevenLabs and Google (Gemini) — may process data on infrastructure located outside the EU/EEA (typically the United States) when transcribing your voice or extracting tasks from transcripts. As described in Section 4, these inputs are anonymized before transmission and are not used to train the providers’ AI models.

Any such transfers outside the EU/EEA are carried out under appropriate safeguards required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework. You can request a copy of the relevant safeguards by contacting us at support@withnovu.com.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

  • On-device data: Persists until you delete it in app settings or remove the app
  • iCloud data: Synced with on-device data and follows the same lifecycle
  • Voice recordings (raw audio): Deleted from your device immediately after transcription. We (Novu) do not retain copies of your audio on our servers. Our transcription sub-processor (ElevenLabs) may temporarily retain audio for operational purposes such as abuse detection and service reliability, per their policies and our data processing agreement. Only the resulting text transcript is retained as part of your on-device and iCloud data.
  • Backend data: Notification preferences and feature requests are retained during the customer relationship and 3 years after its end
  • Billing data: 6 years from the end of the financial year as required by Finnish accounting law

When no longer needed, data is securely deleted or anonymized.

9. Data Security

We use appropriate technical and organizational measures to protect your data:

  • Data traffic is encrypted with TLS/SSL protocol
  • Databases are encrypted at rest and in transit
  • Access to data is restricted to authorized personnel only
  • We use secure EU-area data centers
  • Regular security assessments and monitoring

However, no method of transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk. If you suspect unauthorized access to your account, contact us immediately.

10. Automated Decision-Making

Our AI-powered coaching service does not make automated decisions that have legal or similarly significant effects on you. The AI assists in generating coaching content, but all advice is for informational purposes only. You retain full control over any decisions you make based on the coaching provided.

11. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data and information about how it’s processed
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (“right to be forgotten”)
  • Right to Restriction: Request limitation of processing under certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent
  • Right to Lodge a Complaint: Lodge a complaint with the supervisory authority

To exercise any of these rights, contact us at support@withnovu.com. We will respond to your request within 30 days.

12. Your Choices

You have control over your data and can:

  • Update your information: Contact us to correct or update your personal data
  • Manage cookies: Control cookie preferences through your browser settings
  • Delete your account: You can delete your account and all associated personal data at any time directly from within the app at Settings > Delete Account. You may also request deletion by emailing support@withnovu.com. Upon deletion, we will remove your personal data in accordance with our retention policy.
  • Export your data: Request a copy of your data in a portable format

13. Children’s Privacy

Our Service is rated 9+ on the App Store and is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@withnovu.com.

If we learn that we have inadvertently collected personal data from a child under 13, we will take steps to delete that information as soon as possible. In EU/EEA jurisdictions that set a higher digital consent age under GDPR Article 8, parental consent requirements of that jurisdiction apply.

14. Third-Party Links

Our Service and website may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party sites you visit. This Privacy Policy applies only to our Service and does not cover third-party practices.

15. Supervisory Authority

If you believe that the processing of your personal data violates data protection legislation, you have the right to lodge a complaint with the supervisory authority:

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki
Phone: 029 566 6700
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect.

Continued use of the Service after the changes take effect constitutes acceptance of the updated policy. We recommend checking this policy regularly.

17. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Novu Oy
Otakaari 5, 02015 Espoo, Finland
Email: support@withnovu.com

We generally respond to inquiries within 2 business days.
