Privacy Policy
Last updated: February 6, 2026
1. Introduction
Nova Finance Inc. ("Nova Finance", "we", "our", or "us") is committed to protecting your privacy and ensuring the security of your personal and financial information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial management platform and services (collectively, the "Services").
By using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. This policy complies with applicable data protection regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Brazil's Lei Geral de Proteção de Dados (LGPD).
2. Information We Collect
2.1 Personal Information
When you register for an account, we collect:
- Full name
- Email address
- Password (hashed using bcrypt with salt rounds)
- Phone number (optional)
- Profile preferences and settings
2.2 Financial Information
Through our integration with Plaid Inc., a certified financial services provider, we access:
- Bank account information (account numbers, balances, institution names)
- Transaction history (descriptions, amounts, dates, categories)
- Account ownership verification data
- Routing numbers and account types
Important: We never store your bank login credentials. All authentication with financial institutions is handled securely by Plaid using OAuth 2.0 and bank-level encryption protocols.
2.3 Usage and Technical Data
- IP address and geolocation data
- Device information (type, operating system, browser)
- Session data and authentication tokens (JWT)
- Feature usage statistics and interaction patterns
- Error logs and diagnostic information
- Cookie identifiers (see our Cookie Policy for details)
2.4 Communication Data
- Customer support correspondence
- Feedback and survey responses
- Marketing communication preferences
3. How We Use Your Information
We use collected information for the following purposes:
3.1 Service Delivery
- Authenticate your identity and maintain your account security
- Display your financial data (accounts, transactions, balances)
- Generate financial insights, trends, and spending analytics
- Process subscription payments through Stripe
- Provide customer support and respond to inquiries
3.2 Security and Fraud Prevention
- Monitor and prevent fraudulent activities
- Detect and mitigate security vulnerabilities
- Enforce our Terms of Service
- Comply with legal obligations and regulatory requirements
3.3 Improvement and Development
- Analyze usage patterns to improve platform performance
- Develop new features and functionality
- Conduct research and statistical analysis (anonymized data)
3.4 Communication
- Send transactional emails (account verification, password reset, security alerts)
- Provide product updates and feature announcements
- Marketing communications (with your explicit consent, opt-out available)
4. Data Encryption and Security
4.1 Encryption Standards
We implement industry-leading encryption protocols:
- At Rest: All sensitive financial data (Plaid access tokens, account numbers, transaction details, account balances) are encrypted using AES-256-CBC (Advanced Encryption Standard with 256-bit keys in Cipher Block Chaining mode)
- In Transit: All data transmission uses TLS 1.2+ (Transport Layer Security) with perfect forward secrecy
- Passwords: Hashed using bcrypt with cryptographically secure salt rounds, never stored in plain text
- API Keys: Stored as environment variables, never committed to source code repositories
4.2 Infrastructure Security
- Hosting: Google Cloud Run (backend) and Vercel (frontend) with SOC 2 Type II compliance
- Database: Supabase PostgreSQL with Row Level Security (RLS) policies
- Access Control: Role-based access control (RBAC) with principle of least privilege
- Monitoring: Real-time intrusion detection and automated threat response
- Backups: Automated daily encrypted backups with 30-day retention
4.3 Third-Party Security
Plaid: Certified by industry-leading security frameworks including SOC 2 Type II, ISO 27001, and PCI DSS Service Provider Level 1. Plaid does not sell or rent your financial data.
Stripe: PCI DSS Level 1 compliant payment processor. We do not store credit card numbers directly; Stripe handles all card data processing.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
5.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Plaid Inc. | Banking data aggregation | Bank credentials (temporarily), account selection |
| Stripe Inc. | Payment processing | Email, name, payment method |
| Supabase Inc. | Database and authentication | Account data, encrypted financial data |
| Google Cloud | Backend hosting | Application data, logs |
5.2 Legal Requirements
We may disclose your information when required by law, such as:
- Valid court orders, subpoenas, or government requests
- Compliance with financial regulations (KYC, AML requirements)
- Protection of our legal rights or prevention of fraud
- Emergency situations involving danger to personal safety
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and prominent website notice 30 days before any such transfer.
6. Data Retention
We retain your information for the following periods:
- Active Account Data: Maintained while your account is active
- Transaction History: 12 months from the date of transaction
- Encrypted Financial Data: 12 months, then automatically purged
- Account After Deletion: 90-day grace period, then permanently deleted
- Legal/Compliance Records: 7 years (as required by financial regulations)
- Audit Logs: 13 months (security and compliance purposes)
You can request immediate account deletion at any time through Settings > Privacy > Delete Account. After deletion, we retain only anonymized analytics data and records required by law.
7. Your Privacy Rights
Depending on your jurisdiction (GDPR, CCPA, LGPD), you have the following rights:
7.1 Access and Portability
- Right to Access: Request a copy of all personal data we hold about you
- Data Portability: Download your data in JSON format (Settings > Privacy > Export Data)
- Response time: Within 30 days of verified request
7.2 Correction and Deletion
- Right to Rectification: Correct inaccurate personal information
- Right to Erasure: Delete your account and associated data (with legal exceptions)
- You can update most information directly in Settings
7.3 Consent and Objection
- Right to Withdraw Consent: Revoke consent for data processing (may limit service functionality)
- Right to Object: Opt-out of marketing communications anytime
- Restrict Processing: Limit how we use your data in certain circumstances
7.4 California Residents (CCPA)
If you are a California resident, you also have:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information (with certain exceptions)
- Right to opt-out of sale of personal information (Note: We do not sell your data)
- Right to non-discrimination for exercising your CCPA rights
To Exercise Your Rights: Email privacy@novafinance.tech with subject "Privacy Rights Request" or use the in-app Privacy Center (Settings > Privacy). We will verify your identity before processing requests.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For detailed information, see our Cookie Policy.
Cookie Categories:
- Essential: Required for authentication and security (cannot be disabled)
- Functional: Remember your preferences and settings
- Analytics: Understand how you use our Services (anonymized)
- Marketing: Track campaign effectiveness (requires consent)
Manage your cookie preferences in Settings > Privacy > Cookie Preferences.
9. International Data Transfers
Nova Finance operates globally. Your information may be transferred to and processed in countries outside your country of residence, including the United States, where data protection laws may differ from those of your jurisdiction.
GDPR Compliance: For EU/EEA users, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection during international transfers.
Data Localization: Financial data is primarily stored in data centers within your region when possible. Cloud providers: Google Cloud (multi-region), Supabase (US, EU regions available).
10. Children's Privacy
Nova Finance is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@novafinance.tech. We will promptly delete such information from our systems.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes:
- We will update the "Last updated" date at the top of this policy
- We will notify you via email at least 30 days before changes take effect
- We will display a prominent notice on our website and in the application
- For material changes requiring new consent, we will ask for your explicit agreement
Continued use of our Services after the effective date constitutes acceptance of the updated policy.
12. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Nova Finance Inc.
Privacy and Data Protection Office
Email: privacy@novafinance.tech
Support: support@novafinance.tech
Response time: Within 48 hours for privacy inquiries
Data Protection Officer (DPO)
For GDPR-related inquiries, you can contact our Data Protection Officer at dpo@novafinance.tech
Regulatory Authorities
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:
- EU/EEA: Contact your national Data Protection Authority (DPA)
- California: California Attorney General's Office (oag.ca.gov/privacy)
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) (gov.br/anpd)
13. Security Incident Response
In the unlikely event of a data breach affecting your personal information, we will:
- Notify you within 72 hours of breach discovery (as required by GDPR)
- Provide details about the nature and extent of the breach
- Describe the measures we are taking to address the breach
- Offer guidance on steps you can take to protect yourself
- Report the incident to relevant regulatory authorities
For security concerns or to report suspicious activity: security@novafinance.tech
14. Acknowledgment and Consent
By using Nova Finance, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. You can withdraw consent at any time by:
- Adjusting your privacy settings in Account Settings
- Contacting our Privacy team at privacy@novafinance.tech
- Deleting your account (Settings > Privacy > Delete Account)
Please note that withdrawing consent may limit your ability to use certain features of our Services.
Document Version: 2.0 (Effective Date: February 6, 2026)
Compliance: GDPR, CCPA, LGPD, SOC 2, ISO 27001
Languages: This policy is available in English (primary), Portuguese, Spanish