Privacy Policy
Last updated: 27 May 2026
This Privacy Policy describes how novaverb ("we", "us", "our") collects, uses, and protects personal information when you use our SaaS platform at novaverb.com (the "Service"). By using the Service you agree to the practices described below.
1. Information We Collect
1.1 Account Information
When you create an account we collect: full name, email address, password (stored as a bcrypt/argon2 hash — never plaintext), preferred language, optional country and phone number. If you sign in via OAuth (Google, etc.), we receive your name and email from the provider; we do not receive your password.
1.2 Workspace & Project Data
You create workspaces (projects) under your account. For each workspace we store: project name, registered domain, verification proof (DNS / HTTP file token), and aggregated SEO data crawled or imported from your domain (page URLs, titles, headings, internal links, structured data).
1.3 Usage Data
We log feature usage (audit runs, crawls, AI generations, API calls) tied to your account, primarily to enforce quota limits and produce billing-relevant aggregates. Server logs may also include IP addresses, user-agent strings, and timestamps — retained no longer than 90 days for security analysis.
1.4 Google Integrations (Optional)
If you connect Google Search Console and/or Google Analytics 4 to a workspace, we receive an OAuth refresh token from Google scoped to read-only access on the specific property you select. We periodically pull aggregate metrics (clicks, impressions, sessions, page views) and store them in our database. We do not request write access; novaverb cannot modify your GSC or GA4 properties.
OAuth tokens are encrypted at rest using Laravel's Crypt facade (AES-256-CBC with a per-installation key). You can disconnect at any time from Project Settings → Google data sources; disconnection deletes the token immediately.
1.5 Payment Information
If you subscribe to a paid plan, payment is processed by third-party payment providers (Stripe, MoMo, PayPal — depending on selection). novaverb does not store full card numbers or full bank account numbers; we receive only a tokenized reference, the last 4 digits, and the brand for display purposes.
1.6 Cookies & Local Storage
We use first-party cookies for authentication (session cookie), CSRF protection, and remembering your UI preferences (theme, language). We do not use third-party advertising or behavioral-tracking cookies on the authenticated app surface. The public marketing site may set analytics cookies (Google Analytics or self-hosted Plausible) — disclosed in a cookie banner where applicable.
2. How We Use Your Information
We use the data above to:
- Provide the Service — render dashboards, run audits, sync metrics, generate content
- Enforce subscription quotas and bill your plan correctly
- Send transactional emails — verification, password reset, billing receipts, security alerts
- Improve the Service — aggregate, anonymized usage analytics for product decisions
- Detect abuse and respond to security incidents
- Comply with legal obligations (tax, court orders, regulator requests)
3. AI Processing
novaverb integrates with third-party large-language-model providers (currently OpenAI, Anthropic, Google) to power features like content briefs, rewrites, and citation analysis. When you invoke an AI feature, the following data may be transmitted to the chosen provider:
- Your prompt / instructions
- Page content you select for processing (titles, headings, body text)
- System-generated context (URLs, keywords)
Each provider is bound by its own privacy terms. novaverb uses provider APIs with "do not train on customer data" flags where available (OpenAI: X-OpenAI-No-Training; Anthropic: default API behavior; Google: enterprise-grade endpoints). We do not store provider response data beyond what is necessary to deliver the feature to you.
4. Information Sharing & Disclosure
We do not sell your personal information. We share data only when:
- You explicitly authorize it — e.g., connecting Google Search Console
- Service providers — hosting (Hostinger or equivalent), email delivery (Resend / SES / SMTP provider you configure), payment processors. Each provider operates under a data-processing agreement.
- Legal obligation — when required by law, court order, or to protect novaverb's legal rights
- Aggregated, anonymized data — published statistics with no individual identifiers
5. Data Retention
- Account data — retained for the lifetime of your account, then for 30 days after a deletion request (grace period)
- Crawled / audit data — retained for the lifetime of the workspace
- Server logs — 90 days maximum
- Billing records — retained as required by Vietnamese tax law (typically 5 years)
- Activity audit log — retained 2 years for security forensics
You can request deletion of your account at any time from Account → Settings → Delete account. Deletion is subject to a 30-day grace period during which you can cancel. After the grace period, your personal data is irreversibly removed.
6. Your Rights
Regardless of your jurisdiction, novaverb extends the following rights to all users:
- Access — request a copy of all data we hold about you
- Correction — update or correct inaccurate data
- Deletion — request erasure of your data (subject to legal retention requirements)
- Portability — receive your data in a machine-readable format (JSON export)
- Withdrawal of consent — for processing based on consent (marketing emails, optional integrations)
- Restriction — limit how we process certain categories of data
- Objection — object to processing on legitimate-interest grounds
To exercise any of these rights, email contact@novaverb.com. We will respond within 30 days.
7. Security
We protect your data with:
- TLS 1.2+ for all network traffic (HTTPS)
- Passwords hashed with bcrypt/argon2 — never stored in plaintext
- OAuth tokens encrypted at rest with AES-256-CBC
- Database backups encrypted with per-installation keys
- 2FA (TOTP) optional on user accounts; required for admin accounts
- Step-up authentication for sensitive admin actions
- Hash-chained audit log — tamper-evident record of admin actions
- File-integrity monitoring — daily SHA hash of application files
- Rate limiting and IP banning for known abuse patterns
No system is perfectly secure. In the event of a breach affecting your data, we will notify you within 72 hours via the email on your account.
8. International Data Transfers
novaverb operates primarily from Vietnam. If you are located outside Vietnam, your data may be transferred to and processed in Vietnam, or to data centers operated by our service providers in the European Union, the United States, or Singapore (depending on provider region). By using the Service you consent to such transfers.
9. Children's Privacy
novaverb is not intended for children under 13. We do not knowingly collect personal information from anyone under 13. If we discover such data, we delete it immediately. Parents who believe their child has provided us data may contact us at the email below.
10. Third-Party Links
Our Service may link to third-party websites (Google, Hostinger, payment providers, etc.). We are not responsible for the privacy practices of those sites; please review their policies directly.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via email to your account address and a banner on the Service for 30 days. The "Last updated" date above always reflects the most recent revision.
12. Contact
For privacy questions, data requests, or to report a concern:
- Email: contact@novaverb.com
- Website: novaverb.com
This Privacy Policy is a template provided in good faith. It does not constitute legal advice. Operators of novaverb deployments should review it with qualified legal counsel before relying on it for jurisdictional compliance (especially GDPR, CCPA, PDPA, Vietnamese Decree 13/2023).