Novra Privacy Policy

Effective date: May 19, 2026

Last updated: May 19, 2026

Novra, LLC ("Novra," "we," "us," or "our") operates the Novra marketing intelligence platform (the "Service"), accessible through our marketing site at getnovra.ai (https://getnovra.ai) and our web application (collectively, the "Site"). This Privacy Policy explains what information we collect when you visit the Site, sign up for an account, subscribe to the Service, and connect your marketing platforms — and what we do with that information.

If you have any questions, email us at noah@getnovra.ai.

1. Quick summary

If you only read one section, read this one.

Who we serve. Novra is a business-to-business product. Our customers are companies and the people who work at them.

What we collect. Account info you give us (email, name, billing address), product usage and error logs, conversations with our AI, and the marketing and commerce data you authorize us to pull from platforms like Google Ads, Meta, Shopify, Klaviyo, and Google Analytics.

What we don't do. We don't sell your personal information. We don't share it for cross-context behavioral advertising. We don't use Customer Data to train third-party large language models or any foundation model.

AI processing. When you chat with Novra, your messages and the relevant business context are sent to Anthropic, our AI inference provider, under a zero-retention arrangement.

You're in control. You can disconnect any integration, delete chat history, export your data, or close your account at any time.

Your legal rights. California residents and EU/UK residents have specific rights described in Sections 11 and 12.

2. Scope of this policy

This policy covers:

Visitors to getnovra.ai and any other Novra-operated marketing pages.

Users who create a Novra account and use the Service, including subscribers who complete checkout.

People whose data appears inside marketing platforms that Novra customers connect (for example, an ad account viewer your company has added in Google Ads). For those individuals, Novra acts as a processor on behalf of the connecting customer, who remains the controller of that data.

It does not cover third-party services you connect to Novra (Google Ads, Meta, Shopify, Klaviyo, etc.). Those services have their own privacy policies, which we encourage you to read.

3. Information we collect

3.1 Information you provide to us

Account information: Email address, name, password (hashed by our auth provider), profile avatar (optional), authentication identifiers from GitHub if you sign in with GitHub OAuth.

Billing information: Billing address and tax details collected at checkout. Card numbers are entered directly into Stripe and are never stored on Novra's servers; we retain only a Stripe customer reference.

Business and strategy context: Information you enter into Novra to describe your business, such as your ideal customer profile, positioning, brand voice, strategic priorities, and any custom rules you configure.

Chat content: The messages, questions, and instructions you send to the Novra AI assistant, along with any files or context you attach.

Communications: Information you provide when you contact us by email or through support.

3.2 Information we collect automatically

When you use the Site, we collect:

Device and log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps.

Cookies and similar technologies: see Section 8.

Product analytics: events describing how you use the Service (for example, which features you open or which integrations you connect). We use PostHog for this.

Error and performance telemetry: crash reports, stack traces, request traces, and infrastructure logs. We use Sentry and Vercel for this.

3.3 Information from platforms you connect

The core of the Service is letting you connect marketing, analytics, e-commerce, and email platforms so Novra can analyze your performance. We use Nango as our OAuth and data-sync provider. You authorize each integration individually, and you can revoke access at any time from your Novra account settings or from the third-party platform.

We currently support the following providers and pull the following categories of data, limited by the OAuth scopes you grant:

Shopify: Orders, products, inventory, locations, price rules, marketing events.

Meta Ads (Facebook / Instagram): Ad accounts, campaigns, ad sets, ads, creatives, custom conversions, daily insights, placement and breakdown insights.

Google Ads: Customers, campaigns, ad groups, ads, asset groups, conversion actions, budgets, criteria, insights, keyword and search-term views.

Google Analytics 4: Properties, daily traffic, conversions, audience, devices, geographies, landing pages, events, sessions.

Klaviyo: Accounts, campaigns, flows, lists, segments, metrics, events, daily campaign and flow values.

Mailchimp: Lists, campaigns, performance reports, daily campaign activity.

Pinterest Ads: Ad accounts, campaigns, ad groups, ads, daily insights.

Snapchat Ads: Ad accounts, campaigns, daily insights.

LinkedIn Ads: Ad accounts, campaigns, daily insights.

We may add additional providers (such as TikTok Ads) in the future. New providers will be reflected in this list before we make them available in the Service.

A note on end-customer data. Some connected platforms (notably Klaviyo, Mailchimp, and Shopify) can return data about your end customers — for example, email subscriber identifiers, order details, or engagement events — depending on the scopes you grant. Where this happens, you remain the controller of that personal data and Novra processes it on your instructions to provide the Service.

3.4 Information generated by the Service

As you use Novra, we generate derived data about your account, including AI-produced insights, recommendations, narratives, and aggregations over your performance data. This derived data is associated with your account and is subject to this policy.

4. How we use your information

We use information to:

Provide and operate the Service — authenticate you, render dashboards, run scheduled syncs against your connected platforms, and store your work.

Generate AI insights and recommendations — process your chat messages, strategy context, and connected-platform data through our AI agents so they can answer your questions and produce recommendations.

Process payments — bill you for your subscription through Stripe and maintain billing records.

Communicate with you — send transactional messages (sign-in links, password resets, billing notices, security alerts) and respond to support requests.

Improve the Service — analyze usage patterns and diagnose errors. Where we use information for product improvement, we rely on aggregated or de-identified data wherever possible.

Protect Novra and our users — detect, investigate, and prevent fraud, abuse, and security incidents, and enforce our terms.

Comply with legal obligations — meet tax, accounting, and regulatory requirements and respond to lawful requests.

What we do not do. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use Customer Data to train third-party large language models, and we do not use Customer Data to train any foundation model of our own.

5. AI and your data

The Novra assistant is powered by Anthropic's Claude models, accessed through Anthropic's API.

What is sent to Anthropic. When you interact with the assistant, the following may be sent to Anthropic to generate a response: the messages in your conversation, the business and strategy context you have configured in Novra, and the results of tool calls that retrieve data from your Novra account (for example, performance metrics aggregated from your connected platforms).

How Anthropic handles it. Novra accesses Anthropic's API under a commercial agreement that provides for zero data retention on prompts and outputs beyond what is needed to deliver the response. Anthropic does not use Novra customers' API traffic to train its models.

What we keep. Your conversations are persisted in your Novra account so you can return to them. You can delete individual conversations or your entire chat history from the Service at any time.

AI outputs are not advice. AI-generated insights, recommendations, and analyses are produced by statistical models and may be inaccurate or incomplete. They are intended to support your judgment, not replace it. You are responsible for the decisions you make based on Novra's outputs.

6. How we share information

We share information only as described below.

With service providers and sub-processors. We share information with vendors that help us run the Service. They are contractually bound to use it only to provide services to us. See Section 7 for the full list.

With platforms you connect. When you connect a third-party platform, we exchange the data necessary to authenticate and sync. We do not push data back into your connected platforms unless you explicitly direct us to.

For legal reasons. We may disclose information to comply with valid legal process, to enforce our terms, to investigate fraud or security incidents, or to protect the rights, property, or safety of Novra, our users, or others.

In a business transfer. If Novra is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

With your consent or at your direction. For any sharing not described above, we will ask you first.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

7. Sub-processors

The following service providers process personal information on Novra's behalf:

Supabase — Authentication, application database, file storage. United States. supabase.com/privacy (https://supabase.com/privacy)

Stripe — Payment processing and billing. United States. stripe.com/privacy (https://stripe.com/privacy)

Nango — OAuth connection management and platform data sync. United States. nango.dev/privacy-policy (https://www.nango.dev/privacy-policy)

Anthropic — AI model inference (Claude). United States. anthropic.com/privacy (https://www.anthropic.com/legal/privacy)

Vercel — Application hosting, CDN, runtime logs. United States. vercel.com/legal/privacy-policy (https://vercel.com/legal/privacy-policy)

Inngest — Background job orchestration. United States. inngest.com/privacy (https://www.inngest.com/privacy)

PostHog — Product analytics. United States. posthog.com/privacy (https://posthog.com/privacy)

Sentry — Error tracking and performance monitoring. United States. sentry.io/privacy (https://sentry.io/privacy/)

We will update this list when we add or change sub-processors. If you would like to receive advance notice of material sub-processor changes, email us at noah@getnovra.ai.

8. Cookies and similar technologies

We use a small number of cookies and similar storage:

Strictly necessary cookies. Used to keep you signed in (sb-*-auth-token and related cookies set by our auth provider) and to remember your preferred sign-in method. Without these, the Service cannot function.

Analytics. PostHog uses cookies and local storage to attribute product usage events to a session.

We do not use third-party advertising cookies and we do not participate in cross-context behavioral advertising.

You can clear cookies and local storage through your browser at any time. Doing so will sign you out of Novra and reset analytics identifiers.

9. Data retention

We retain information only as long as we need it:

Account information is retained for as long as your account is active. After you close your account, we retain it for up to 30 days to allow recovery, then delete it (except where we are required to keep it longer for legal or accounting reasons).

Data from connected platforms is retained while the integration is active. If you disconnect an integration or close your account, we delete the associated raw integration data within 30 days.

Chat history is retained until you delete individual conversations or close your account.

Billing and tax records are retained for at least seven (7) years, as required by applicable tax and accounting law.

Logs and telemetry (PostHog, Sentry, Vercel) are retained according to those providers' default retention windows.

Backups. Residual copies may persist in encrypted backups for a limited period after deletion before they are cycled out.

10. Your privacy choices and rights

Regardless of where you live, you can:

Access and export the personal information in your account.

Correct inaccurate information by editing it in the Service or contacting us.

Delete specific items (such as chat conversations) or your entire account.

Disconnect any integration from the Service or directly with the third-party platform.

Opt out of marketing email by clicking unsubscribe in any marketing message. We will still send you transactional messages required to operate your account.

To make a request, email noah@getnovra.ai. We may need to verify your identity before responding.

11. California residents (CCPA / CPRA)

This section applies if you are a California resident.

Categories of personal information we collect. In the past 12 months, we have collected the following categories of personal information defined under the CCPA:

Identifiers (e.g., name, email, IP address, account ID).

Customer records (e.g., billing address, payment-related identifiers from Stripe).

Commercial information (e.g., subscription details, billing history).

Internet or network activity (e.g., usage and event data).

Geolocation data (approximate, derived from IP).

Inferences drawn from the above to characterize your usage.

Professional or employment-related information (your role at your company, if provided).

Sources. Directly from you; automatically from your use of the Site; from platforms you connect; and from our service providers.

Business purposes. As described in Section 4 — operating, securing, and improving the Service; processing payments; communicating with you; and complying with law.

Categories disclosed to third parties. We disclose the categories above to the sub-processors listed in Section 7 for the business purposes described in this policy.

Sale or sharing. We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.

Sensitive personal information. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit under the CPRA.

Your California rights. You have the right to (i) know what personal information we have collected about you, (ii) request deletion of your personal information, (iii) request correction of inaccurate personal information, (iv) opt out of sale or sharing (not applicable, since we do neither), (v) limit the use of sensitive personal information (not applicable for the same reason), and (vi) be free from discrimination for exercising your rights. You may also designate an authorized agent to act on your behalf. To exercise these rights, email noah@getnovra.ai.

12. EU and UK residents (GDPR / UK GDPR)

This section applies if you are in the European Economic Area, the United Kingdom, or Switzerland.

Controller. Novra, LLC is the controller of personal information processed in connection with your Novra account, marketing site visits, and direct communications. When we process data inside platforms you have connected (e.g., your customer or subscriber data from Shopify or Klaviyo), we act as a processor on your behalf and you are the controller.

Legal bases for processing.

Performance of a contract — to deliver the Service you have subscribed to (account, payments, syncs, AI features, support).

Legitimate interests — to keep the Service secure, prevent abuse, debug issues, measure product usage in aggregate, and improve our offering. We balance these interests against your rights and would not rely on this basis where your interests override ours.

Consent — for any optional processing that requires it, such as certain analytics in jurisdictions where consent is required. You can withdraw consent at any time without affecting prior lawful processing.

Legal obligation — to meet tax, accounting, and other regulatory requirements.

Your rights. You have the right to access, rectify, erase, restrict, and port your personal information; to object to processing based on legitimate interests; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data protection authority.

International transfers. Novra is based in the United States and our infrastructure is hosted in the United States. When personal information is transferred from the EEA, UK, or Switzerland to the United States or any other country that has not been deemed adequate, we rely on the European Commission's Standard Contractual Clauses (and the UK addendum where applicable) with our sub-processors.

To exercise your rights or ask about our transfer mechanisms, email noah@getnovra.ai.

13. How we protect information

We use a layered set of safeguards, including:

Encryption in transit (TLS) for all traffic between you, Novra, and our sub-processors.

Encryption at rest for data stored in our application database.

Tenant isolation through Row Level Security policies in our database, so that one customer's data cannot be queried by another customer's session.

OAuth credential handling through Nango: access and refresh tokens for your connected platforms are stored with Nango under their security controls and are not held in plaintext on Novra's servers.

Access controls for Novra personnel, with access limited to what is necessary to operate and support the Service.

Monitoring and logging through Sentry and Vercel to detect anomalies and errors.

No system is perfectly secure. We cannot guarantee that information will never be accessed, disclosed, altered, or destroyed by a breach of our safeguards. If we become aware of a breach affecting your personal information, we will notify you as required by law.

14. Children's privacy

Novra is a business product and is not directed to anyone under 16. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, email noah@getnovra.ai and we will delete it.

15. Third-party services and links

The Service relies on and links to third-party platforms (including the integration providers listed in Section 3.3, our sub-processors in Section 7, and other websites we may reference). When you interact with those services, their own privacy policies and terms govern that interaction. We encourage you to read them.

16. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email and through an in-product notice at least 30 days before the changes take effect. Non-material changes (clarifications, corrections, sub-processor list updates) take effect when posted, with an updated "Last updated" date at the top. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

17. Contact us

Questions about this policy or your information?

Novra, LLC

Email: noah@getnovra.ai