Privacy Policy
How Novaly collects, uses, and protects your personal data.
Effective date: April 25, 2026
Novaly ("we", "us", "our") is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, and your rights under applicable law, including the General Data Protection Regulation (GDPR).
1. Who We Are
Novaly is a personalized newsletter and private podcast service. For any privacy-related questions, contact us at privacy@novaly.app.
2. Data We Collect
Account data
When you create an account, we collect:
- Your email address
- Your name (optional, used for newsletter personalization)
- Authentication credentials (hashed password or OAuth token — we never store plain-text passwords)
Subscription & billing data
When you subscribe to a paid plan:
- Billing information is collected and processed directly by Stripe. We receive only a payment confirmation and subscription status — we never see or store your full card number.
- Your chosen plan (Starter, Pro, or Premium) and billing history.
Newsletter preferences
- Topics and prompt text you configure for each newsletter
- Preferred language (French or English)
- Delivery frequency per newsletter
- Newsletter format preference (text, audio, or both)
Usage & engagement data
- Editions delivered to you and whether they were opened (via an invisible tracking pixel in emails — you can disable this by blocking remote images in your email client)
- Timestamps of logins and key actions (newsletter created, prompt edited, plan changed)
- Aggregated usage stats shown on your Value Dashboard (edition count, estimated reading time saved, streak)
Technical data
- IP address (used for rate limiting and abuse prevention only — not stored long-term)
- Browser and device type (standard server logs, retained for 30 days)
All data is stored on servers located within the European Union.
Gift subscriptions
If you purchase a gift subscription, we collect the recipient's email address solely to deliver the activation invitation. This data is not used for any other purpose.
3. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Delivering your newsletters and audio editions | Contract performance |
| Processing payments and managing your subscription | Contract performance |
| Sending transactional emails (delivery, billing, account) | Contract performance |
| Personalizing newsletter content based on your prompts | Contract performance |
| Detecting and preventing abuse | Legitimate interest |
| Improving the service through aggregated analytics | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not use your data for advertising, profiling for third parties, or any purpose not listed above.
4. Data Sharing
We share data only with the third-party services strictly necessary to operate Novaly:
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Billing info (directly, not via us) |
| Email delivery provider | Transactional email delivery | Your email address, newsletter content |
| Cloud infrastructure provider | Application hosting and file storage | Application data, audio files |
| Content generation service | Newsletter content production | Your topic and prompt |
All processors are bound by data processing agreements and operate under GDPR-compliant terms. We do not sell your data to any third party.
5. Data Retention
- Account data: retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Billing records: retained for 7 years to comply with French accounting regulations (even after account deletion).
- Newsletter content & editions: retained for the duration of your subscription + 90 days after cancellation, then deleted.
- Server logs: retained for 30 days, then automatically purged.
6. Your Rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten") — subject to legal retention obligations
- Restrict or object to certain processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, email us at privacy@novaly.app. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority (in France: CNIL).
7. Cookies
Novaly uses only strictly necessary cookies for session management and authentication. We do not use advertising or analytics cookies. No cookie consent banner is required.
8. Security
We apply industry-standard security measures including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Passwords are hashed and never stored in plain text
- Private RSS feed URLs are unique, unguessable tokens — treat them like passwords
- Access to production systems is restricted to authorized personnel only
9. Children's Privacy
Novaly is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
10. Changes to This Policy
If we make material changes to this policy, we will notify you by email and update the effective date above. Continued use of the service after notice constitutes acceptance.
11. Contact
For any privacy questions or to exercise your rights: privacy@novaly.app