NUOVABOT
Privacy Policy
Last updated: April 2026
Applies to: nuovabot.com
This Privacy Policy explains how MediaNuova, operated by Marco Nuova ("we", "us", "our"), collects, uses, stores, and protects personal data in connection with the Nuovabot platform (nuovabot.com). It applies to two categories of people: Customers (businesses that subscribe to Nuovabot) and End Users (members of the public who interact with chatbots deployed by our Customers).
We are committed to complying with the EU General Data Protection Regulation (GDPR). If you have any questions, contact us at hello@nuovabot.com.
1. Who We Are (Data Controller)
| Controller | MediaNuova (owned by Marco Nuova) |
|---|---|
| Registered address | Jan Tooropstraat 15, 7606JR Almelo, Netherlands |
| KVK number | 88224341 |
| Website | nuovabot.com |
| Contact | hello@nuovabot.com |
| Infrastructure | EU West - Ireland (primary) |
For data processed on behalf of our Customers (i.e., End User conversation data), the Customer is the data controller and Nuovabot acts as the data processor. Our Data Processing Agreement (DPA) governs that relationship.
2. Who This Policy Applies To
Customers
Businesses and individuals who create a Nuovabot account, upload documents, configure chatbots, and subscribe to a paid plan.
End Users
Members of the public who interact with chatbots that Customers have deployed - for example, on a Customer's website or via a hosted Nuovabot URL. End Users do not have a direct account with Nuovabot.
3. Data We Collect
3.1 Data Collected from Customers
When you register and use Nuovabot, we collect:
- Account data: Full name, email address, and password (stored as a secure hash).
- Organisation data: Organisation name.
- Payment data: We use Stripe for billing. We store only the Stripe customer ID and subscription ID - never card numbers or banking details.
- Uploaded documents: PDF and text files you upload to build your chatbot's knowledge base, stored in Cloudflare R2.
- Document text content: Text chunks extracted from your documents, stored in our database for AI retrieval.
- Chatbot configuration: Persona, instructions, behaviour settings, and branding choices.
- Usage data: Message counts, token counts, and document upload counts per billing period.
3.2 Data Collected from End Users (via deployed chatbots)
When an End User chats with a Nuovabot-powered chatbot, we collect:
- Conversation data: The messages sent by the End User and the AI responses, stored against a conversation ID and a server-generated session identifier.
- Support ticket data (optional): If an End User submits a support ticket through the chatbot, we collect their name and email address - only when they voluntarily provide it.
- IP addresses: IP addresses are processed transiently for rate limiting purposes only (stored in a short-lived cache, not in the database) and are not retained or associated with End User profiles.
3.3 Operational Data
We also collect operational data to run and improve the platform:
- Tool invocation audit logs (ticket creation, meeting booking, live handoff actions).
- Latency metrics per message (time to first response).
- Token counts per message (for cost tracking and billing).
4. How and Why We Use Your Data (Legal Basis)
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing and operating the Nuovabot service | Customer account and document data | Art. 6(1)(b) - Contract performance |
| Authenticating your account | Email, password hash | Art. 6(1)(b) - Contract performance |
| Billing and payment processing | Stripe customer ID, subscription ID | Art. 6(1)(b) - Contract performance |
| Generating AI chatbot responses | End User messages + document chunks | Art. 6(1)(f) - Legitimate interests of Customer (controller) |
| Creating support tickets at End User request | End User name and email | Art. 6(1)(f) - Legitimate interests |
| Service monitoring and reliability | Latency metrics, token counts, audit logs | Art. 6(1)(f) - Legitimate interests |
| Preventing fraud and abuse | Usage data, account data | Art. 6(1)(f) - Legitimate interests |
| Complying with legal obligations | Any relevant data | Art. 6(1)(c) - Legal obligation |
5. Data Sharing and Sub-Processors
We do not sell personal data. We share data only with the sub-processors listed below, who process data on our behalf under contractual obligations. By accepting our Terms of Service, Customers also accept these sub-processors.
| Processor | Country | Role | Data received |
|---|---|---|---|
| Anthropic | USA | AI inference (Claude models) | End User chat messages + system prompt (includes document excerpts and chatbot config) |
| OpenAI | USA | Embedding generation | Document text chunks (at upload time only) |
| Supabase | Ireland (EU) | Authentication + PostgreSQL database | All persistent application data |
| Cloudflare R2 | USA / EU | File storage | Uploaded document files |
| Upstash | EU West | Redis cache + background job queue | Rate-limit counters, session data, job metadata |
| Fly.io | USA | API server hosting | All API request/response traffic |
| Vercel | USA | Frontend (Next.js) hosting | Web page requests; no persistent data stored |
| Stripe | USA | Payment processing | Customer billing information |
6. International Data Transfers
Several of our sub-processors are based in the United States, which is outside the European Economic Area (EEA). These include Anthropic, OpenAI, Cloudflare, Fly.io, Vercel, and Stripe.
For these transfers, we rely on appropriate safeguards as required by GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and
- Where applicable, adequacy decisions or supplementary measures to ensure an equivalent level of data protection.
You can request more information about our transfer mechanisms by contacting hello@nuovabot.com.
7. Data Retention
7.1 Conversation Data (End User messages)
Conversation records are retained for the period corresponding to the Customer's plan:
| Plan | Conversation retention |
|---|---|
| Free | 7 days |
| Starter | 30 days |
| Pro | 90 days |
| Business | 365 days |
| Enterprise | Indefinite (or as agreed in contract) |
After the retention period expires, conversation and message records are automatically deleted.
7.2 Customer Account Data
Customer account data, uploaded documents, and chatbot configuration are retained for as long as the account is active. Upon account termination, data is deleted within 30 days (see Section 12 - Termination).
7.3 Billing Data
Stripe transaction records may be retained for up to 7 years to comply with applicable tax and financial regulations.
8. Cookies
Nuovabot uses only functional (strictly necessary) cookies:
- Supabase Auth session cookie: Required to keep you logged in to the Nuovabot dashboard. This cookie cannot be disabled without losing access to the dashboard.
We do not use advertising cookies, third-party analytics cookies, or tracking pixels on nuovabot.com.
Widget on Customer websites: The chatbot widget embedded on a Customer's website does not set cookies on End Users' browsers by default.
9. Automated Decision-Making and Profiling
Nuovabot does not engage in automated decision-making or profiling of End Users that produces legal or similarly significant effects, within the meaning of GDPR Article 22. Chatbot responses are AI-generated replies to conversational queries and do not constitute decisions about individuals.
10. AI-Generated Content Disclaimer
Chatbot responses are generated by Anthropic's Claude AI models based on the Customer's uploaded documents and configuration. While we strive to provide accurate and helpful responses, AI-generated content may contain errors or inaccuracies. Nuovabot does not guarantee the accuracy, completeness, or suitability of any AI-generated response.
Nuovabot does not use Customer documents or End User conversations to train AI models.
11. Security Measures
We implement appropriate technical and organisational security measures, including:
- Encryption in transit via TLS for all data connections.
- Encryption at rest for stored data.
- Access controls and role-based permissions.
- API keys stored as SHA-256 hashes - never in plaintext.
- No plaintext secrets in source code or version control.
While we take data security seriously, no system is completely secure. We encourage Customers to use strong passwords and to keep their API keys confidential.
12. Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18): Ask us to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
To exercise any of these rights, contact us at hello@nuovabot.com. We will respond within 30 days. In complex cases, we may extend this period by a further two months, notifying you accordingly.
End Users wishing to exercise GDPR rights in relation to data processed through a deployed chatbot should, in the first instance, contact the Customer (the business that deployed the chatbot), as the Customer is the data controller for that data. Nuovabot will assist Customers in fulfilling such requests as required under our DPA.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have processed your personal data in breach of the GDPR. In the Netherlands, the supervisory authority is the Autoriteit Persoonsgegevens (AP): autoriteitpersoonsgegevens.nl. You may also contact the supervisory authority in your EU country of residence.
14. Account Termination and Data Deletion
When a Customer cancels their account or the account is terminated:
- A 30-day grace period begins during which the Customer may request an export of their data.
- After 30 days, all Customer data - including account information, uploaded documents, chatbot configuration, and associated End User conversation data - is permanently deleted.
Stripe may retain transaction records as required by financial regulations.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes via email at least 30 days before the updated policy takes effect. Continued use of Nuovabot after the effective date constitutes acceptance of the updated policy.
We encourage you to review this policy periodically. The date at the top of this document indicates when it was last updated.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
| General enquiries | hello@nuovabot.com |
|---|---|
| Business / Sales | sales@nuovabot.com |
| Website | nuovabot.com |
| Operated by | MediaNuova, owned by Marco Nuova |
| Registered address | Jan Tooropstraat 15, 7606JR Almelo, Netherlands |
| KVK number | 88224341 |