NEW The NOVA engine now understands Saudi dialects with higher accuracy
Legal · PDPL

Privacy Policy

At NOVA, privacy is a design decision, not a contract clause. This page explains what we collect, how we use it, where it is processed, and the rights you hold over it: in plain language.

1

What we collect

Last updated: June 2026

We collect the minimum needed to run the platform, in three clear categories:

Account data

Name, work email, company name, and your account and team settings.

Usage data

Flow run logs, technical events about performance and errors, and the device and browser information needed for security and operation.

Flow content you connect

The data that passes through the integrations you enable: messages, invoices, system records. You decide what gets connected; we process it only to execute your flows.

2

How we use it

  • Running the service: executing your flows and operating agents within the permissions you set.
  • Security: detecting abuse and unauthorized access, and protecting your account.
  • Improving the platform: through aggregated, non-identifying metrics: and we do not use your flow content to train general-purpose models.
  • Communication: service notices and material updates; marketing messages only with your consent, and you can opt out at any time.
3

Where your data is processed

On NOVA's cloud, your data resides in Saudi Arabia by default: in Saudi data centers, encrypted in transit and at rest. In private-cloud (VPC) or on-prem deployments, your data stays inside your own infrastructure and never passes through our systems.

Details of the three deployment paths are in the deployment & sovereignty section.

4

Your rights under PDPL

Our controls are designed to comply with the Saudi Personal Data Protection Law (PDPL), and we provide a data processing agreement to customers. Under the law you have the right to:

  • Know: how and why we process your data: this page is part of that.
  • Access: request a copy of the personal data we hold about you.
  • Correct: have inaccurate or outdated data corrected.
  • Delete: request destruction of your data when there is no longer a legal need for it.
  • Withdraw consent: at any time, where consent is the basis of processing.

To exercise any of these rights, write to us: we verify your identity and respond within the statutory periods.

5

Retention & deletion

  • We keep data only as long as it is needed to provide the service, or as the law requires.
  • Flow run logs have operational retention periods you can adjust to your plan and requirements.
  • When you close your account, we let you export your data, then delete it within a reasonable period: except what the law obliges us to keep.
6

Data sharing

We do not sell your data. Not today, not ever: and we do not trade it for advertising.

  • We use infrastructure providers contractually bound to our own standard of protection, and only to the extent needed to run the service.
  • We may disclose data when a competent authority lawfully requires it: and only the minimum necessary.
  • In VPC and on-prem deployments, your flow content never reaches any provider outside your infrastructure.
7

Contact

For any question about this policy, or to exercise your rights, write to our privacy team at [email protected], or contact us. Our address: Riyadh, Kingdom of Saudi Arabia.

If we make a material change to this policy, we will notify you before it takes effect, by email or an in-platform notice.