Privacy Policy

NovaSpark ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our social media management platform and services. By using NovaSpark, you agree to the collection and use of information in accordance with this policy.

NovaSpark is a product of NovaMind Technologies FZE, located in Ajman, United Arab Emirates. We comply with GDPR, CCPA, and all applicable data protection laws.

2.1 Information You Provide

• Account Information: Name, email address, phone number, company name, and billing information
• Profile Information: Profile pictures, bio, and other optional profile details
• Content: Posts, images, videos, captions, comments, and other content you create or schedule
• Communication Data: Messages, support tickets, and feedback you send us

2.2 Social Media Data

When you connect your social media accounts (Instagram, Facebook, LinkedIn, TikTok, Snapchat, Threads, Reddit, WhatsApp, YouTube, or X/Twitter), we collect:

• Account credentials and access tokens (encrypted)
• Profile information from connected platforms
• Analytics data (engagement metrics, follower counts, post performance)
• Comments, messages, and interactions from your audience
• Media files from your connected accounts

2.3 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent, clicks, and interactions
• Device Information: Browser type, operating system, IP address, device identifiers
• Cookies and Tracking: See our Cookie Policy below
• Log Data: Server logs, error reports, and system activity

We use collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve our social media management services
• Account Management: To create and manage your account, authenticate users, and provide customer support
• Social Media Operations: To publish posts, analyze performance, engage with your audience, and manage automations
• Analytics: To generate insights, reports, and recommendations about your social media performance
• Communication: To send service updates, security alerts, support messages, and marketing communications (with your consent)
• Compliance: To comply with legal obligations and enforce our Terms of Service
• Security: To detect, prevent, and address fraud, abuse, and security issues
• Improvement: To analyze usage patterns and improve our platform features and user experience

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

• Consent: When you connect your social media accounts or opt-in to marketing communications, we process data based on your explicit consent. You may withdraw consent at any time.
• Contract Performance: Processing is necessary to fulfill our service agreement with you, including account management, content publishing, and analytics delivery.
• Legitimate Interests: We process data for legitimate business purposes such as security monitoring, fraud prevention, service improvement, and analytics, ensuring these interests do not override your rights.
• Legal Obligations: We process data to comply with applicable laws, including tax regulations, accounting requirements, and legal proceedings.

Your data security is our top priority. We implement SOC 2-aligned security controls and use bank-level protection:

4.1 Encryption and Data Protection

• Military-Grade Encryption: All sensitive data is encrypted using AES-256 encryption with agency-specific data encryption keys (DEKs)
• Envelope Encryption: We use HashiCorp Vault for secure encryption key management and rotation
• Secure Credential Storage: Social media tokens are encrypted at rest and in transit
• TLS 1.3 Encryption: All data transmission uses the latest TLS 1.3 protocol

4.2 Access Controls and Authentication

• Role-Based Access Control: Team permissions ensure users only access authorized resources
• Two-Factor Authentication: Optional 2FA for enhanced account security
• Session Management: Automatic session expiration and secure token handling
• Principle of Least Privilege: Staff access limited to necessary systems only

4.3 Security Monitoring and Incident Response

• 24/7 Security Monitoring: Real-time monitoring and logging of security events
• Encryption Audit Logs: Comprehensive audit trail of all encryption/decryption operations
• Incident Response Plan: Documented procedures for security incidents with 72-hour breach notification to authorities
• Security Awareness Training: Regular training for all team members on security best practices

4.4 Infrastructure and Operational Security

• Secure Hosting: Professional hosting infrastructure with physical security controls
• Regular Security Testing: Vulnerability scanning and penetration testing by independent security experts
• Change Management: Version control and peer review for all code changes
• Disaster Recovery: Regular backups and business continuity procedures
• Rate Limiting: Protection against brute force attacks and API abuse
• Circuit Breakers: Fault isolation to prevent cascading failures

4.5 Compliance and Standards

• SOC 2 Aligned: We implement security controls aligned with SOC 2 Type II standards
• GDPR Compliant: Full compliance with EU data protection regulations
• Regular Audits: Internal and external security assessments

5.1 Infrastructure Services (Self-Hosted)

We utilize the following infrastructure services:

• FreakHosting (Server Hosting): Hosts our application infrastructure. All data is encrypted at rest and in transit.
• PostgreSQL Database (Self-Hosted): Stores user accounts, encrypted social media tokens, posts, and analytics data.
• Redis Cache (Self-Hosted): Temporarily caches session data and improves performance. Data expires automatically.
• HashiCorp Vault (Self-Hosted): Manages encryption keys securely with automatic key rotation capabilities.

5.2 Payment Processing

• Stripe (United States, EU-compliant): Processes payment information, billing details, and subscription management. Stripe maintains PCI DSS Level 1 certification. Data shared: payment card information, billing address, transaction history. Privacy Policy: stripe.com/privacy

5.3 Email Services

• Self-Managed SMTP Service: Sends transactional emails and notifications. Data shared: email addresses, notification content. We do not use third-party email tracking.

5.4 Social Media Platform APIs

We share data with social media platforms as necessary to provide our services. Each platform acts as an independent data controller for data processed through their APIs:

• Meta Platforms - Instagram, Facebook, Threads, WhatsApp (United States, EU): Data shared: OAuth access tokens, post content (images, videos, captions), comments, messages, engagement data, analytics requests. We use Facebook Graph API and Instagram Graph API. Privacy: Meta Privacy Policy
• TikTok (United States, Singapore): Data shared: OAuth tokens, video content, captions, user interactions, analytics requests. Privacy: TikTok Privacy Policy
• LinkedIn - Microsoft (United States, EU): Data shared: OAuth tokens, post content, profile information, analytics requests. Privacy: LinkedIn Privacy Policy
• Reddit (United States): Data shared: OAuth tokens, post content, comments, user interactions. Privacy: Reddit Privacy Policy
• Snapchat - Snap Inc. (United States): Data shared: OAuth tokens, creative content (snaps), engagement data. Privacy: Snapchat Privacy Policy
• YouTube - Google (United States, Global): Data shared: OAuth tokens, video content, channel information, analytics requests. Privacy: Google Privacy Policy
• X/Twitter (United States): Data shared: OAuth tokens, tweet content, user interactions. Privacy: X Privacy Policy

5.5 Frontend Dependencies

• unpkg.com CDN (Cloudflare, Global): Delivers FFmpeg.wasm library for client-side video processing. No personal data is shared; only browser requests for public JavaScript libraries.

5.6 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, safety, and the safety of others.

5.7 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We never have and never will.

We comply with each social media platform's specific requirements for data handling, privacy, and API usage:

Meta Platforms (Instagram, Facebook, Threads, WhatsApp)

• Full compliance with Meta Platform Terms and Developer Policies
• Adherence to Instagram and Facebook Community Guidelines
• Data deletion requests honored within 90 days as required by Meta
• Platform data used only for authorized service provision - never for independent analytics or advertising
• Respect for user consent and platform-granted permissions
• Implementation of data deletion callbacks for user-initiated deletions on Meta platforms
• WhatsApp Business API compliance for business messaging
• No use of Meta data to build competing services or features

TikTok

• Compliance with TikTok Developer Terms
• Data used only for authorized purposes within TikTok API scope
• Respect for content authenticity and copyright requirements
• No cross-platform data merging without explicit user consent
• Compliance with regional data localization requirements where applicable
• Adherence to minor safety and COPPA requirements

Snapchat

• Compliance with Snap Kit Terms
• Respect for Snapchat's ephemeral content philosophy with appropriate data retention
• No use of Snap data for advertising targeting outside the platform
• Protection of user privacy and creative content

LinkedIn

• Full compliance with LinkedIn API Terms
• Professional data handling standards appropriate for business networking
• No scraping or unauthorized data collection
• Respect for member privacy controls and professional boundaries

Reddit

• Compliance with Reddit API Terms and User Agreement
• Respect for subreddit-specific rules and community guidelines
• No vote manipulation or content manipulation
• Protection of user anonymity and privacy preferences

YouTube (Google)

• Strict compliance with YouTube API Services Terms
• Google Privacy Policy incorporated by reference
• COPPA compliance for children's content (users under 13 prohibited from directed content)
• Respect for Content ID and copyright protection systems
• No separation of YouTube video player from other content
• Clear disclosure of our use of YouTube API Services to users

X/Twitter

• Full compliance with X Developer Agreement
• Respect for user delete actions and content removal
• No separate display of tweets from surrounding context
• Compliance with automation rules and rate limits
• No API abuse or circumvention of platform limitations

6.1 GDPR Rights (EU Users)

If you are in the European Union, you have the following rights under GDPR:

• Access (Article 15): Request a copy of your personal data in a commonly used format
• Rectification (Article 16): Correct inaccurate or incomplete data
• Erasure (Article 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
• Restriction (Article 18): Request limited processing of your data in certain circumstances
• Portability (Article 20): Receive your data in JSON, CSV, or PDF format for transfer to another service
• Objection (Article 21): Object to processing based on legitimate interests or for direct marketing
• Withdraw Consent: Withdraw consent for data processing at any time without affecting prior processing
• Lodge a Complaint: Right to lodge a complaint with your local data protection supervisory authority

6.2 CCPA Rights (California Users)

If you are a California resident, you have the right to:

• Know: Request disclosure of what personal information we collect, use, disclose, and sell
• Access: Request a copy of the specific pieces of personal information we have collected
• Delete: Request deletion of your personal information, subject to legal exceptions
• Opt-Out: Opt-out of the sale of personal information (note: we do not and will not sell your data)
• Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment

6.3 How to Exercise Your Rights

To exercise any of these rights, you can:

• Email: privacy@novamind.ae (preferred method)
• Phone: +971 55 540 9172
• Account Settings: Access many privacy controls directly in your account dashboard

6.4 Request Processing

• Identity Verification: We will verify your identity before processing requests to prevent unauthorized access
• Response Timeline: We respond within 30 days for standard requests, up to 60 days for complex requests (we will notify you if an extension is needed)
• Free of Charge: The first reasonable request each year is free; excessive or repetitive requests may incur a reasonable administrative fee
• Data Portability Formats: JSON, CSV, or PDF format as you prefer

6.5 Supervisory Authority

If you are in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

We use cookies and similar technologies to enhance your experience and improve our service. Under GDPR and ePrivacy regulations, we obtain your consent for non-essential cookies.

7.1 Types of Cookies

• Essential Cookies (No Consent Required): Strictly necessary for authentication, security, and core platform functionality. These cannot be disabled.
• Functional Cookies (Consent Required): Remember your settings, preferences, and language choices to provide a personalized experience.
• Analytics Cookies (Consent Required): Help us understand usage patterns, measure performance, and improve our service. These are anonymized where possible.
• Performance Cookies (Consent Required): Monitor application performance and detect errors to maintain service quality.

7.2 Cookie Management

• Cookie Banner: You will see a cookie consent banner on your first visit, allowing you to accept or customize cookie preferences
• Granular Control: You can accept all cookies, reject non-essential cookies, or customize your preferences by category
• Browser Settings: You can also control cookies through your browser settings (note: this may affect functionality)
• Withdraw Consent: Change your cookie preferences anytime through your account settings

7.3 Cookie Retention

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Stored for up to 12 months (authentication tokens, preferences)
• Analytics Cookies: Stored for up to 24 months

7.4 Third-Party Cookies

We do not use third-party advertising cookies. The only third-party cookies are from:

• Stripe: For secure payment processing (essential)
• Social Media Platforms: When you use social media login or connect accounts (required for functionality)

We retain your data only as long as necessary for the purposes outlined in this policy. Retention periods are based on legal requirements, operational needs, and data protection principles.

8.1 Data Retention Schedule

• Account Data: Retained for the duration of your active account plus 90 days after deletion (to allow account recovery)
• Payment and Billing Data: 7 years from the date of transaction (tax and accounting compliance requirements)
• Social Media Tokens: Until account disconnection plus 30 days (or until token expiration/revocation, whichever is sooner)
• Published Content and Posts: Until you delete them or your account is terminated
• Analytics Data: Aggregated for up to 2 years; individual post analytics retained while post exists
• Support Tickets and Communications: 3 years from case closure for quality assurance and legal purposes
• Security and Audit Logs: 1 year for security monitoring and incident investigation
• Encryption Audit Logs: 1 year for compliance and security auditing
• Marketing Consent Records: Duration of consent plus 3 years (to demonstrate compliance)

8.2 Legal and Legitimate Retention

After account deletion, we retain certain data for:

• Legal Compliance: Tax records, financial transactions, and records required by law
• Dispute Resolution: Information necessary to resolve pending disputes or legal claims
• Fraud Prevention: Data needed to prevent and detect fraudulent activity
• Enforcing Agreements: Records necessary to enforce our Terms of Service
• Platform Requirements: Compliance with social media platform data retention policies (e.g., Meta's 90-day requirement)

8.3 Data Deletion

You can request complete data deletion by contacting us at privacy@novamind.ae. We will delete all personal data except what we are legally required to retain. Deletion is typically completed within 30 days.

Note: Data stored in backups will be deleted during the next backup rotation cycle (maximum 90 days).

In accordance with GDPR Article 5(1)(c), we practice data minimization and only collect data that is adequate, relevant, and limited to what is necessary:

• Minimal Collection: We only request information necessary to provide our social media management services
• Purpose Limitation: Data is only used for the specific purposes disclosed at collection time
• Regular Audits: We periodically review stored data and delete information no longer needed
• Automatic Purging: Expired sessions, old logs, and unnecessary cache data are automatically deleted
• Storage Limitation: We don't retain data longer than necessary (see Data Retention Schedule)
• No Excessive Data: We don't collect "nice to have" information - only essential data

We use limited automated processing to improve our service. Under GDPR Article 22, you have rights regarding automated decision-making:

Automated Systems We Use:

• Content Scheduling Algorithm: Determines optimal posting times based on your historical engagement data. You can override automated suggestions.
• Analytics and Insights: Generates performance reports and recommendations using aggregated data. These are advisory only.
• Fraud Detection: Automated security systems flag suspicious activities for human review. No automated decisions affect your account without human intervention.
• Rate Limiting: Automated throttling to prevent API abuse and protect service stability.

Your Rights:

• No Automated-Only Decisions: We do not make decisions that significantly affect you based solely on automated processing
• Human Review: You can request human review of any automated recommendation or decision
• Explanation: You can request an explanation of how any automated system arrived at a recommendation
• Contest Decisions: You can challenge and appeal any automated decision

Your data may be transferred to and processed in countries other than your country of residence. We ensure adequate protection for international data transfers as required by GDPR Chapter V:

9.1 Countries Where Data is Processed

• United Arab Emirates: Primary hosting location (FreakHosting servers)
• United States: Social media platform APIs (Meta, TikTok, Reddit, Snapchat, X, YouTube), Stripe payment processing
• European Union: Meta and LinkedIn maintain EU data centers for EU users
• Singapore: TikTok regional data processing

9.2 Transfer Mechanisms

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to countries without adequacy decisions
• UK International Data Transfer Agreement (IDTA): For transfers involving UK personal data
• Adequacy Decisions: Where available, we rely on European Commission adequacy decisions
• Supplementary Measures: Additional technical safeguards including end-to-end encryption, encryption at rest, and access controls

9.3 Platform-Specific Transfers

When you connect social media accounts, data is transferred to those platforms according to their privacy policies and data transfer mechanisms. Each platform is an independent data controller.

NovaSpark is not intended for users under 13 years old (or 16 in the EU). We do not knowingly collect information from children. If we discover we have collected data from a child, we will delete it immediately.

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our platform. Continued use of NovaSpark after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy or our data practices, contact us through the appropriate channel:

• Data Protection & Privacy Inquiries: privacy@novamind.ae
• Security Incidents & Vulnerabilities: security@novamind.ae
• General Support: support@novamind.ae
• Phone: +971 55 540 9172
• Address: NovaMind Technologies FZE, Ajman, United Arab Emirates

Response Times: We aim to respond to privacy inquiries within 48 hours and complete data subject access requests within 30 days (or 60 days for complex requests with notification).