Privacy Policy

Last updated: March 2026

1. Who We Are

NovuRoy is an AI-powered personal college counseling service operated by NovuRoy ("we", "us", "our"). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Swiss data protection law.

For privacy-related questions or requests, contact us at privacy@novuroy.com.

2. What Data We Collect

When you use NovuRoy, we collect the following personal data:

  • Identity data: your first name, as provided during onboarding
  • Contact data: your email address, obtained from your Google account when you sign in
  • Academic profile: grade level, country of residence, current GPA, academic direction (e.g. university, trade school), dream career, and extracurricular activities
  • Conversation data: all messages you send to and receive from NovuRoy, stored to maintain context across sessions
  • Usage data: session metadata and basic technical information (e.g. browser type) collected automatically when you use the service

We do not collect sensitive personal data such as racial or ethnic origin, political opinions, health data, or financial information.

3. Why We Collect Your Data

We collect and process your data for the following purposes:

  • To provide the service: your profile data is used to personalize every piece of guidance NovuRoy gives you — your college timeline, essay advice, test score context, and recommendations are all built around your specific situation
  • To send you personalized guidance: your email address is used to deliver proactive insights and updates from NovuRoy's overnight agent
  • To maintain conversation continuity: your chat messages are stored so NovuRoy can reference prior context in future sessions
  • To improve the service: aggregated, anonymized usage data may be used to identify issues and improve NovuRoy's guidance quality

The legal bases for processing your data are your consent (Article 6(1)(a) GDPR), provided when you create an account, and the performance of a contract (Article 6(1)(b) GDPR) for delivering the core service you signed up for.

4. How and Where Your Data Is Stored

Your data is stored in Supabase, a PostgreSQL database service. Supabase stores data on servers located in Frankfurt, Germany (EU), within the European Economic Area.

All data is encrypted at rest, and is encrypted in transit using industry-standard TLS encryption. Access to the database is restricted to authenticated service processes only — no human at NovuRoy can browse your personal data without a specific, documented reason.

AI processing (generating responses to your messages) is performed via the Anthropic Claude API. Messages sent to Claude are subject to Anthropic's data processing terms. Anthropic does not use your conversation data to train its models by default. Web search functionality, when used, is performed via Anthropic's built-in web search tool.

Transactional emails are delivered via Resend, a US-based email delivery service. Data transferred to Resend is limited to your email address and the email content and is governed by their data processing agreement.

5. Data Sharing and Third Parties

We do not sell, rent, or share your personal data with any third parties for marketing, advertising, or commercial purposes — ever.

Your data is shared only with the sub-processors listed above (Supabase, Anthropic, Resend) strictly to operate the service you signed up for. Each sub-processor is bound by data processing agreements and GDPR-compliant data handling obligations.

We may disclose personal data if required to do so by law, court order, or regulation, but we will notify you where legally permitted to do so.

6. Data Retention

We retain your personal data for as long as your account is active. Specifically:

  • Profile data (name, grade, country, GPA, career, extracurriculars) is retained until you request deletion
  • Conversation messages are retained to provide continuity across sessions; you may request deletion at any time
  • Email logs are retained for up to 90 days for deliverability troubleshooting

When you request account deletion, all your personal data is permanently removed from our systems within 30 days.

7. Your Rights Under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

  • Right of access: you may request a copy of all personal data we hold about you
  • Right to rectification: you may request that we correct inaccurate or incomplete data
  • Right to erasure: you may request that we delete all your personal data ("right to be forgotten")
  • Right to restriction: you may request that we restrict processing of your data while a complaint is resolved
  • Right to data portability: you may request your data in a structured, machine-readable format
  • Right to object: you may object to processing based on legitimate interests
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing

8. How to Exercise Your Rights

To exercise any of the rights above, email us at privacy@novuroy.com with the subject line "Data Request — [your right]". We will respond within 30 days.

To request full account and data deletion, email privacy@novuroy.com with the subject line "Delete My Account". We will permanently delete all your data within 30 days and send you a confirmation.

You also have the right to lodge a complaint with your national data protection authority. In the EU, you can find your authority at edpb.europa.eu.

9. Cookies

NovuRoy uses cookies and browser local storage to maintain your authenticated session and remember your preferences (such as cookie consent). We do not use third-party advertising or tracking cookies.

You can clear cookies and local storage at any time through your browser settings. Doing so will sign you out of your account.

10. Children's Privacy

NovuRoy is designed for students aged 13 and above. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us at privacy@novuroy.com and we will delete the account immediately.

Users under 18 should have a parent or guardian review this Privacy Policy before using the service.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of the service after changes constitutes acceptance of the updated policy.

Questions about this policy? Email us at privacy@novuroy.com. We're here to help.