Privacy Policy

NovaFlow is a product of Brand Evolution. We provide AI-powered business tools to service businesses worldwide. In this policy, "we", "us" and "our" refer to Brand Evolution. "You" refers to the business (workspace) using NovaFlow and its authorised users.

For the purposes of the UK GDPR and EU GDPR, Brand Evolution is the data controller for the account and workspace data we hold about you. You remain the data controller for any personal data belonging to your own clients (leads) that you store in NovaFlow.

We collect the following categories of data:

• Account data — name, email address and password (hashed) of workspace users.
• Workspace data — business name, industry, brand voice, colours, language preference and notification settings.
• Lead data — contact details, enquiry information and pipeline notes that you or your clients submit through NovaFlow forms or enter manually.
• AI-generated content — outputs produced by the AI tools (emails, captions, proposals, follow-up sequences, etc.).
• Usage data — which tools are used and how often, for billing and platform improvement purposes.
• Technical data — session tokens and server logs. We do not use third-party tracking cookies or advertising cookies.

• To provide and operate the NovaFlow platform.
• To generate AI outputs in response to your inputs using the Claude API (Anthropic).
• To send transactional emails (invite links, reminders) where you have provided an email address.
• To monitor usage for fair-use enforcement and billing.
• To improve the platform based on aggregated, anonymised usage patterns.

We do not sell your data to third parties. We do not use your data or your clients' data for advertising.

NovaFlow uses the Claude API, provided by Anthropic, PBC, to power its AI tools. When you use an AI tool, the relevant input data (which may include lead details, business context or conversation history) is sent to Anthropic's API to generate a response.

Anthropic does not use API inputs and outputs to train its models by default. Anthropic is GDPR-compliant and processes data under a Data Processing Agreement with us. For more information, see anthropic.com/legal/privacy.

Your data is stored in a PostgreSQL database hosted by Neon on AWS eu-west-2 (London, United Kingdom). This means your data never leaves the UK/EU region.

The NovaFlow application is hosted on Vercel, which uses a global edge network. Application code runs on Vercel's infrastructure; no personal data is permanently stored outside the Neon database.

Our sub-processors and their locations:

SCCs = Standard Contractual Clauses, the legal mechanism that allows lawful data transfer from the EU/UK to the US under GDPR.

We process your data under the following legal bases:

• Contract — processing necessary to provide the NovaFlow service you have subscribed to.
• Legitimate interests — usage monitoring, security, fraud prevention and platform improvement.
• Legal obligation — where we are required to retain records by law.

If you are based in the EU or UK, you have the right to:

• Access — request a copy of the data we hold about you.
• Rectification — correct inaccurate data (most data can be updated directly in Settings).
• Erasure — request deletion of your account and all associated data.
• Restriction — ask us to limit how we use your data.
• Portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interests.

To exercise any of these rights, email us at pedro@brandevolutionhub.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA in the EU).

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information. To exercise your rights, contact us at pedro@brandevolutionhub.com.

We retain your data for as long as your workspace subscription is active. If you close your account, we will delete your workspace and all associated data within 30 days, unless we are required to retain it by law. Lead data and AI-generated content are deleted as part of workspace deletion.

We implement appropriate technical and organisational measures to protect your data, including:

• All data encrypted in transit (TLS) and at rest (AES-256 via Neon).
• Passwords hashed using bcrypt — we never store plaintext passwords.
• Access to workspaces is isolated — each workspace can only access its own data.
• Workspace users require authentication and can be deactivated by the workspace owner.

NovaFlow uses a single session cookie to keep you logged in. We do not use advertising cookies, analytics cookies or any third-party tracking scripts. No cookie consent banner is required for this type of cookie under GDPR (it is strictly necessary).

We may update this policy from time to time. We will notify workspace owners by email when we make material changes. Continued use of NovaFlow after changes take effect constitutes acceptance of the updated policy.

For any privacy-related questions, requests or complaints, contact us at:

Brand Evolution
Calle Palmito 7, Manilva, Málaga, 29692, Spain
Email: pedro@brandevolutionhub.com