1. Scope and controller
This policy applies to vunova.dev, user accounts, public content, contact requests, documentation, APIs, and other services that identify VuNova or NovaCore as their platform. A separate product notice may add product-specific details; if it conflicts with this policy, the more specific notice controls for that product.
For these services, “VuNova,” “we,” and “us” mean the service operator of vunova.dev. Depending on the feature, VuNova acts as the controller of account and service data. Where a customer uses NovaCore to process data on its own behalf, the customer may be the controller and VuNova may act as its processor.
2. Information we handle
Information you provide
- Account and profile: login, display name, email address, language, theme, notification preferences, and account-security settings.
- Authentication: password hashes, email-confirmation records, password-reset records, active sessions, API-key metadata, and two-factor authentication state. We do not store your plain-text password.
- Communications: name, email, project name, message, support history, complaints, and moderation appeals.
- Content: comments, reviews, documents, prompts, files, settings, or other material you submit to an enabled product.
- Billing: plan, currency, transaction identifiers, subscription status, invoices, and limited payment metadata. A payment provider processes full card or wallet credentials; VuNova is not designed to store full card numbers.
Information collected automatically
- IP address, approximate region derived from IP, browser and device information, request time, referring page, API route, response status, security events, and diagnostic logs.
- Cookie and session identifiers required to keep you signed in, protect forms, remember language/theme, and prevent abuse.
- Feature usage, quota consumption, job status, performance measurements, and aggregated product analytics.
Information from others
If enabled, we may receive identity details from an OAuth provider, payment status from a payment processor, email-delivery events from an email provider, or abuse reports from users, hosting providers, domain registries, and security services. We only use the fields needed for the relevant feature.
3. Why we use information
| Purpose | Typical data | Legal basis where GDPR applies |
|---|---|---|
| Create accounts, authenticate users, provide requested features, and maintain subscriptions. | Account, session, content, usage, billing. | Performance of a contract or steps requested before a contract. |
| Protect accounts, detect fraud, enforce rate limits, investigate phishing/malware, and keep audit records. | IP, device, session, API, security, moderation records. | Legitimate interests in service and network security; legal obligation where applicable. |
| Respond to contact, support, complaints, privacy requests, and product feedback. | Contact details, messages, related account activity. | Contract, legitimate interests, or legal obligation depending on the request. |
| Send transactional email and service notices. | Email, language, delivery event, account status. | Contract and legitimate interests. Marketing requires consent where required and can be stopped. |
| Improve reliability, accessibility, localization, and product design. | Diagnostics and aggregated or de-identified usage. | Legitimate interests, balanced against user rights. |
| Meet accounting, tax, sanctions, court, and regulatory duties. | Billing, identity, transaction and compliance records. | Legal obligation. |
We do not sell personal information. We do not use sensitive personal data for targeted advertising. We do not make decisions producing legal or similarly significant effects based solely on automated processing.
5. Retention
We keep personal information only for the period reasonably necessary for the purposes described above, including security, dispute resolution, and legal compliance. Retention depends on the record:
- Account and profile information is normally kept while the account is active and during a limited deletion and backup window afterward.
- Session, confirmation, and reset records expire according to their security lifetime and are then removed through maintenance processes.
- Contact and support records are normally kept for up to 24 months after the request closes, unless a longer period is needed for an ongoing relationship or dispute.
- Security and audit records are normally kept for up to 24 months, with shorter operational log windows where possible.
- Billing and tax records are kept for the statutory period required in the applicable jurisdiction.
- Aggregated or irreversibly de-identified statistics may be retained longer because they no longer identify an individual.
Deletion from encrypted backups may take additional time; backup data is isolated from ordinary use and expires on the backup rotation.
6. Your choices and rights
Account settings let you update profile details, language, theme, sessions, API keys, password, and notification preferences. You may also ask us to provide access, correct inaccurate information, delete information, restrict or object to processing, or provide portable data where the law grants those rights.
Where processing relies on consent, you may withdraw it without affecting earlier lawful processing. You may object to direct marketing at any time. You may lodge a complaint with the data-protection authority where you live, work, or believe a violation occurred.
Send a request through the contact form and select or enter “Privacy request” as the project. Include the account email and the right you wish to exercise, but do not send passwords, recovery codes, or identity documents unless we specifically request a secure verification method. We may need to verify your identity and will respond within the period required by applicable law.
Cookies and local storage
Strictly necessary cookies support sign-in and security. Local storage remembers language and theme. Optional analytics or advertising cookies will not be activated where consent is required until a consent control is available. Blocking necessary storage may prevent account features from working.
Children
The services are not directed to children under 16, and we do not knowingly collect their personal information. A parent or guardian who believes a child submitted information should contact us so it can be reviewed and deleted as appropriate.
7. Security and incident response
VuNova uses layered safeguards appropriate to the service risk, including TLS, password hashing, secure session cookies, least-privilege access, tenant isolation, rate limits, login lockout, audit trails, backups, firewall rules, automated blocking of repeated SSH attacks, and security review of sensitive changes.
No internet service can guarantee absolute security. Protect your password and recovery codes, enable two-factor authentication when offered, revoke unknown sessions or API keys, and report suspected compromise promptly. If an incident creates a legally reportable risk, affected users and authorities will be notified as required.
8. Contact and policy changes
Use the tracked VuNova contact form for privacy questions and requests. A dedicated privacy email and the operator’s formal business details will be added here before commercial processing begins.
We may update this policy as products, providers, or laws change. The updated version will show a new date. Material changes will be announced through the site, account, or email when appropriate. Earlier versions will be retained for accountability.
This policy describes our practices; it does not reduce any rights that cannot lawfully be waived.