# Privacy Policy
Last Updated: February 5, 2026
Effective Date: February 5, 2026
Version 1.0
## Quick Summary
- We collect only what we need to operate the Service (account info, payment metadata, session data).
- We do **not** use your data to train AI models, sell your data, or share it with advertisers.
- Generated images are delivered as publicly accessible URLs — do not generate private or sensitive content.
- You have rights under GDPR, CCPA, and other privacy laws. See "Your Rights" sections below.
*This summary is for convenience only and is not legally binding. Please read the full Policy below.*
## Table of Contents
1. [Introduction](#1-introduction)
2. [Information We Collect](#2-information-we-collect)
3. [How We Use Your Information](#3-how-we-use-your-information)
4. [Information We Do Not Collect or Use](#4-information-we-do-not-collect-or-use)
5. [Future Data Practices](#5-future-data-practices)
6. [Data Sharing and Disclosure](#6-data-sharing-and-disclosure)
7. [Sub-Processors and Third-Party Services](#7-sub-processors-and-third-party-services)
8. [Public Image URLs](#8-public-image-urls)
9. [Cookie Notice](#9-cookie-notice)
10. [Data Storage and Security](#10-data-storage-and-security)
11. [Data Retention](#11-data-retention)
12. [Your Rights Under GDPR (EEA/UK)](#12-your-rights-under-gdpr-eeauk)
13. [Your Rights Under CCPA/CPRA (California)](#13-your-rights-under-ccpacpra-california)
14. [Children's Privacy](#14-childrens-privacy)
15. [International Data Transfers](#15-international-data-transfers)
16. [Data Breach Notification](#16-data-breach-notification)
17. [Nover Community](#17-nover-community)
18. [Do Not Track Signals](#18-do-not-track-signals)
19. [Changes to This Privacy Policy](#19-changes-to-this-privacy-policy)
20. [Contact Information](#20-contact-information)
## 1. Introduction
This Privacy Policy describes how **Nover, Inc.** ("**Nover**," "**we**," "**us**," or "**our**") collects, uses, stores, and protects your personal information when you use our AI-powered image and video generation platform at nover.studio (the "**Service**").
We are committed to protecting your privacy. We designed our Service to minimize the personal data we collect and to be transparent about how we use it.
This Privacy Policy should be read together with our [Terms of Service](/legal/terms), [DMCA Policy](/legal/dmca), and [Security Policy](/legal/security).
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
**Data Controller:** Nover, Inc., a Delaware C-Corporation.
**Contact:** <legal@nover.studio>
## 2. Information We Collect
### 2.1 Information You Provide Directly
| Data Type | Details | Purpose |
|---|---|---|
| **Account Information** | Email address, display name, password (or OAuth credentials) | Account creation, authentication, communication |
| **Payment Information** | Billing details processed by Stripe (we do not store credit card numbers, CVVs, or full card details) | Subscription billing and payment processing |
| **Support Communications** | Emails or messages you send to our support team | Responding to inquiries, improving the Service |
| **LoRA Training Data** | Images or data you upload for custom model training | Providing custom model training functionality |
| **Community Content** | Content you voluntarily share to the Nover Community (when available) | Displaying shared content publicly |
### 2.2 Information We Collect Automatically
| Data Type | Details | Purpose |
|---|---|---|
| **Session and Authentication Data** | Authentication tokens, session identifiers | Maintaining your logged-in session securely |
| **Device and Browser Information** | Browser type and version, operating system, screen resolution, device type | Service optimization, security, and troubleshooting |
| **Log Data** | IP address, access timestamps, pages visited, referring URL | Security monitoring, fraud prevention, service reliability |
| **Cookie Data** | Essential and optional cookies (see Section 9) | Authentication, session management, preferences |
### 2.3 Information We Receive from Third Parties
| Source | Data | Purpose |
|---|---|---|
| **OAuth Providers** (via Supabase) | Email address, display name, profile picture (when you sign in with Google, GitHub, etc.) | Account creation and authentication |
| **Stripe** | Payment confirmation status, subscription status, billing metadata (not card numbers) | Billing and subscription management |
## 3. How We Use Your Information
We use your information for the following purposes and no others:
1. **Providing the Service** — processing your inputs, generating outputs, managing your account, and delivering content.
2. **Payment Processing** — managing subscriptions, processing payments through Stripe, maintaining billing records.
3. **Account Security** — authenticating your identity, preventing unauthorized access, detecting fraud.
4. **Communication** — sending essential service communications (billing confirmations, security alerts, policy updates, support responses). We do not send marketing emails unless you have opted in.
5. **Legal Compliance** — complying with applicable laws, regulations, legal processes, and enforceable governmental requests.
6. **Service Improvement** — understanding how users interact with the Service through aggregated, anonymized data (not individual tracking or profiling). We do not use analytics services.
7. **Protecting Rights** — enforcing our Terms of Service, investigating potential violations, and protecting the rights, property, and safety of Nover and our users.
### Legal Bases for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Payment processing | Performance of a contract (Art. 6(1)(b)) |
| Account security | Legitimate interests (Art. 6(1)(f)) |
| Communication | Performance of a contract / Legitimate interests |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Service improvement | Legitimate interests (Art. 6(1)(f)) |
| Protecting rights | Legitimate interests (Art. 6(1)(f)) |
## 4. Information We Do Not Collect or Use
We want to be clear about what we **do not** do with your data:
1. **We do not use your data to train AI models.** We do not use your prompts, inputs, generated content, or any other user data to train, fine-tune, or improve any AI model. This applies to both Nover's LoRA models and any third-party AI models accessed through the Service.
2. **We do not sell your personal data.** We have never sold personal data and have no plans to do so.
3. **We do not share your data with advertisers.** We do not serve ads and do not share data with advertising networks.
4. **We do not profile users.** We do not use analytics services, build behavioral profiles, or track individual users across the internet.
5. **We do not permanently store your prompts or generated content in our databases.** As of the effective date of this Policy, we do not retain your text prompts or generated images/videos after processing. Prompts are transmitted to Runware.ai for generation and then discarded. Generated content is delivered via publicly accessible URLs provided by Runware.ai. We may temporarily log generation requests for debugging and security purposes, but these logs are retained only briefly and do not contain full prompt text. See Section 5 for potential future changes to content storage.
## 5. Future Data Practices
We may, in the future, implement storage of user prompts and generated content to provide features such as generation history, favorites, or content management. If we implement such changes:
1. We will update this Privacy Policy at least **30 days** before the changes take effect.
2. We will notify you by email.
3. We will clearly describe what is being stored, how long it will be retained, and how you can delete it.
4. We will provide you with the ability to opt out of or delete stored data.
5. We reserve the right to add error tracking and monitoring services (such as Sentry, Datadog, or similar) to improve platform reliability and user experience. If these services process personal data, they will be disclosed as sub-processors in this Privacy Policy.
## 6. Data Sharing and Disclosure
### 6.1 We Do Not Share Individual Data
We do not share, sell, rent, trade, or disclose your personal data to third parties for their own purposes, with the following limited exceptions:
### 6.2 Service Providers (Sub-Processors)
We share data with third-party service providers solely to operate the Service. These providers process your data on our behalf and are bound by their own privacy policies and data protection obligations. See Section 7 for the full list.
### 6.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to:
- Comply with applicable law or a court order.
- Protect the rights, property, or safety of Nover, our users, or the public.
- Prevent fraud, abuse, or other illegal activity.
- Enforce our Terms of Service.
- Cooperate with law enforcement authorities in response to a valid legal request.
### 6.4 Business Transfers
If Nover is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal data becomes subject to a different privacy policy.
### 6.5 Aggregated Data
We may share **aggregated, anonymized** data that cannot reasonably identify any individual for business purposes, including reporting to investors during due diligence. This aggregated data includes general usage statistics such as total number of users, total generations, and revenue metrics — never individual user data.
## 7. Sub-Processors and Third-Party Services
The following third-party services process your data as part of the Service:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| **Runware.ai** | AI image and video generation | Text prompts, generation parameters, image/video outputs | Service provider's infrastructure |
| **Stripe** | Payment processing | Name, email, payment method, billing address, transaction history | United States (PCI DSS compliant) |
| **Supabase** | Authentication and database | Account data, authentication tokens, hashed passwords | **European Union** |
| **Vercel** | Web hosting and built-in logging | IP address, request logs, page views | Global CDN (US-based company) |
| **Netlify** | Web hosting | Static assets, IP address | Global CDN (US-based company) |
| **Zoho** | Email communications | Email address, email content | India / global |
| **Namecheap** | CDN and DNS services | Domain routing data | United States |
### Important Note About Runware.ai
Your text prompts and generation parameters are sent to **Runware.ai** for AI content generation. This is necessary to provide the Service. Runware.ai processes your prompts under their own terms of service and privacy policy. We do not currently have a formal Data Processing Agreement (DPA) with Runware.ai; they process data under their standard terms.
Generated images are hosted on Runware.ai's infrastructure as publicly accessible URLs. See Section 8 for important privacy implications.
We encourage you to review the privacy policies of our sub-processors, particularly [Stripe's Privacy Policy](https://stripe.com/privacy) and [Supabase's Privacy Policy](https://supabase.com/privacy).
For a comprehensive list of all sub-processors including DPA status and security certifications, see our [List of Sub-Processors](/legal/subprocessors).
## 8. Public Image URLs
**IMPORTANT PRIVACY NOTICE:** Generated images and certain video content are delivered as **publicly accessible URLs** hosted by our AI generation provider, Runware.ai.
**What this means for your privacy:**
1. **No access control.** Anyone who obtains the URL of a generated image can view it. There is no password protection or authentication required.
2. **Persistence.** Even if you delete content from your Nover account, the underlying URL hosted by Runware.ai may remain accessible.
3. **No expectation of privacy.** You should treat all generated content as publicly available. Do not include personal, confidential, medical, financial, or otherwise sensitive information in your prompts or expected outputs.
4. **Your responsibility.** You are solely responsible for how you share these URLs and for any consequences of the public accessibility of your generated content.
**We strongly advise against** using the Service to generate any content that contains or reveals:
- Personally identifiable information (PII)
- Private photographs or images of identifiable individuals
- Confidential business information
- Any content you wish to keep private
## 9. Cookie Notice
### 9.1 What Are Cookies
Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently and to provide information to site operators.
### 9.2 How We Use Cookies
We use a limited number of cookies for the following purposes:
| Cookie Type | Purpose | Required? |
|---|---|---|
| **Essential / Authentication Cookies** | Maintaining your logged-in session, authenticating your identity, and ensuring security of your account | **Yes** — the Service cannot function without these |
| **Session Cookies** | Preserving your settings and preferences during a browsing session | **Yes** — necessary for core functionality |
| **Analytics Cookies** | We may use analytics cookies in the future to understand how users interact with the Service in aggregate. These are not currently active. | **No** — optional, can be declined |
### 9.3 Essential Cookies
We use essential cookies that are strictly necessary for the operation of the Service. These cookies enable core functionality such as authentication, session management, and security. You cannot opt out of essential cookies and continue to use the Service.
### 9.4 Your Cookie Choices
- **Essential cookies** cannot be disabled as they are necessary for the Service to function.
- **Non-essential cookies** (such as analytics cookies, if and when implemented) can be declined or disabled through our cookie consent mechanism or through your browser settings.
- **Browser settings.** Most browsers allow you to manage cookie preferences. You can set your browser to refuse cookies or to alert you when a cookie is being set. Please note that disabling essential cookies will prevent you from using the Service.
### 9.5 Third-Party Cookies
Our third-party service providers (such as Stripe for payment processing and Supabase for authentication) may set their own cookies when you interact with their services through our platform. These cookies are governed by the respective provider's cookie policies.
## 10. Data Storage and Security
### 10.1 Where We Store Your Data
Your primary account data is stored on **Supabase**, a managed PostgreSQL database service hosted in the **European Union (EU)**. This means your core personal data (account information, authentication data) resides in EU data centers.
Other data may be processed in different locations based on our sub-processors (see Section 7). For example, payment data is processed by Stripe in the United States.
### 10.2 How We Protect Your Data
We implement commercially reasonable technical and organizational measures to protect your personal data, including:
- **Encryption in transit.** All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- **Encryption at rest.** Data stored in Supabase is encrypted at rest.
- **Password security.** User passwords are securely hashed and encrypted by Supabase. We do not store passwords in plain text.
- **Two-factor authentication.** We offer 2FA/MFA to add an additional layer of account security. We strongly recommend enabling this feature.
- **Access controls.** Administrative access to our systems is restricted and protected by multi-factor authentication.
- **Regular security audits.** We conduct regular security reviews of our infrastructure and practices.
- **Automated backups.** Supabase provides automated database backups as part of their managed service.
### 10.3 Security Limitations
While we implement commercially reasonable security measures, **we cannot guarantee that the Service is immune from security breaches, data loss, unauthorized access, or other security incidents.** No method of transmission over the internet or method of electronic storage is 100% secure.
For more details about our security practices, please see our [Security Policy](/legal/security).
## 11. Data Retention
We retain your personal data only as long as necessary for the purposes described in this Privacy Policy or as required by law.
| Scenario | Retention Period |
|---|---|
| **Active account** | Data retained for the lifetime of your account |
| **Account cancellation** (subscription only) | Account persists on free plan; data retained indefinitely |
| **Account deletion** (full deletion request) | Data retained for **30 days** to allow recovery, then permanently deleted |
| **Transaction and billing records** | Retained for **7 years** after the transaction date for tax and legal compliance |
| **Legal hold or investigation** | Data may be retained beyond standard periods if required for legal proceedings, investigations, or regulatory compliance |
| **Anonymized/aggregated data** | May be retained indefinitely (no longer constitutes personal data) |
### How to Delete Your Data
You may request deletion of your account and personal data by:
1. Using the account deletion option in your account settings, or
2. Contacting us at <legal@nover.studio>.
Upon deletion:
- Your account and associated personal data will be removed within 30 days.
- Transaction records will be retained for 7 years as required for tax compliance.
- Content hosted on Runware.ai's infrastructure (public image URLs) is outside of our control and may persist. See Section 8.
## 12. Your Rights Under GDPR (EEA/UK)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
1. **Right of Access** — You have the right to request a copy of the personal data we hold about you.
2. **Right to Rectification** — You have the right to request correction of inaccurate or incomplete personal data.
3. **Right to Erasure ("Right to be Forgotten")** — You have the right to request deletion of your personal data, subject to legal retention requirements.
4. **Right to Restriction of Processing** — You have the right to request that we limit the processing of your personal data in certain circumstances.
5. **Right to Data Portability** — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
6. **Right to Object** — You have the right to object to the processing of your personal data based on our legitimate interests.
7. **Right to Withdraw Consent** — Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
8. **Right to Lodge a Complaint** — You have the right to lodge a complaint with a supervisory authority in your member state.
### How to Exercise Your Rights
To exercise any of these rights, contact us at **<legal@nover.studio>**. We will respond to your request within **30 days**. We may ask you to verify your identity before processing your request.
We strive to comply with our obligations under GDPR. Note that we have not yet appointed a Data Protection Officer (DPO). For all data protection inquiries, please contact <legal@nover.studio>.
## 13. Your Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
1. **Right to Know** — You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
2. **Right to Delete** — You have the right to request that we delete the personal information we have collected from you, subject to legal retention requirements.
3. **Right to Correct** — You have the right to request that we correct inaccurate personal information.
4. **Right to Opt Out of Sale** — You have the right to opt out of the "sale" of personal information. **We do not sell your personal information**, so this right does not apply.
5. **Right to Non-Discrimination** — We will not discriminate against you for exercising any of your CCPA/CPRA rights.
### California-Specific Disclosures
| Category | Details |
|---|---|
| **Do we sell personal information?** | **No** — we have never sold personal information |
| **Do we share for cross-context behavioral advertising?** | **No** |
| **Sensitive personal information collected** | Account credentials (email, password) |
| **Financial incentives** | None |
### How to Exercise Your Rights
To exercise your CCPA/CPRA rights, contact us at **<legal@nover.studio>**. We will respond within **45 days** as required by law. You may also designate an authorized agent to make requests on your behalf.
## 14. Children's Privacy
The Service is not directed to children under the age of **18**. We do not knowingly collect personal information from children under 18. If you are under 18, you may not use the Service.
If we become aware that we have collected personal information from a person under 18, we will take prompt steps to delete that information. If you believe a person under 18 has provided us with personal information, please contact us immediately at <legal@nover.studio>.
## 15. International Data Transfers
### 15.1 Where Your Data Goes
While your primary account data is stored in the EU (via Supabase), some of your data may be transferred to and processed in countries outside your country of residence, including the United States, as part of normal service operation. For example:
- Payment data is processed by Stripe in the United States.
- Web hosting services (Vercel, Netlify) use global CDN infrastructure.
- AI generation requests are processed by Runware.ai on their infrastructure.
### 15.2 Safeguards
When transferring data outside the EEA/UK, we rely on:
- **Standard Contractual Clauses (SCCs)** where available from our sub-processors.
- **Adequacy decisions** by the European Commission where applicable.
- **Our sub-processors' compliance frameworks** (for example, Stripe's global data transfer practices and Supabase's EU hosting).
We use commercially reasonable efforts to ensure that your personal data receives an adequate level of protection consistent with applicable data protection laws.
## 16. Data Breach Notification
In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, we will:
1. **Regulators:** Notify the relevant supervisory authority within **72 hours** of becoming aware of the breach, as required by GDPR (where feasible; if notification is delayed, we will explain the reasons).
2. **Affected Users:** Notify affected individuals without undue delay if the breach is likely to result in a **high risk** to their rights and freedoms.
3. **California Residents:** Notify affected California residents as required by applicable California law.
4. **Stripe:** Notify Stripe promptly if the breach involves data related to Stripe services.
Our breach notification will include:
- A description of what happened (in plain language).
- The types of data involved.
- What we have done to contain and address the breach.
- What steps you should take to protect yourself (such as resetting your password or enabling 2FA).
- How to contact us for more information.
For more details about our security practices and incident response procedures, please see our [Security Policy](/legal/security).
## 17. Nover Community
We are developing a **Nover Community** feature that will allow users to optionally share their generated content publicly on the platform. This feature is not currently available.
When launched:
- **Opt-in only.** You must actively choose to share content to the Community. No content will be shared without your affirmative action.
- **Public visibility.** Content shared to the Community will be visible to all users of the platform and may be visible to the general public.
- **Marketing use.** By sharing content to the Community, you grant us the right to use that content for marketing and promotional purposes, with attribution to your username. See our [Terms of Service](/legal/terms) Section 9.2 for the full license terms.
- **Removal.** You may remove your content from the Community at any time.
## 18. Do Not Track Signals
Some browsers send "Do Not Track" (DNT) signals. There is no universally accepted standard for how websites should respond to DNT signals. We currently do not use tracking technologies beyond the essential cookies described in Section 9, so DNT signals do not materially affect our data practices.
## 19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
1. Update the "Last Updated" date at the top of this Policy.
2. Notify you via email at least **30 days** before the changes take effect.
3. For significant changes that materially affect your privacy rights, we may require re-acceptance during your next login.
Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the revised Policy. If you do not agree to the updated Policy, you must stop using the Service and may delete your account.
## 20. Contact Information
If you have questions about this Privacy Policy, your data, or your privacy rights, please contact us:
- **Privacy Inquiries:** <legal@nover.studio>
- **General Support:** <support@nover.studio>
- **Data Deletion Requests:** <legal@nover.studio>
**Nover, Inc.**
A Delaware C-Corporation
---
**Related Documents:**
- [Terms of Service](/legal/terms)
- [DMCA Policy](/legal/dmca)
- [Security Policy](/legal/security)
- [List of Sub-Processors](/legal/subprocessors)
---
**Previous Versions:** None — this is Version 1.0.