Privacy Policy
Last updated: May 8, 2026
This Privacy Policy explains how Nortevo ("Nortevo", "we", "us") collects, uses, and protects personal data when you use our AI visibility tracking service (the "Service") available at nortevo.app.
1. Data Controller
Nortevo acts as the data controller for personal data of account holders. For questions about this policy or to exercise your rights, contact us at privacy@nortevo.app.
2. What we collect
- Account data: name, email address, hashed password (or OAuth identifier).
- Project data: brand name, domain, competitors, prompts you configure.
- Usage data: tracking runs, results, and analytics about how you use the Service.
- Billing data: processed by our payment provider (Stripe). We store only customer/subscription identifiers, never card numbers.
- Technical data: IP address, browser, device, and cookies necessary for the Service to function.
3. Why we use it (legal bases under GDPR)
- Contract (Art. 6(1)(b) GDPR): to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): to keep the Service secure, prevent abuse, and improve features.
- Legal obligation (Art. 6(1)(c)): to keep tax/billing records.
- Consent (Art. 6(1)(a)): for optional marketing emails — you can withdraw consent at any time in Settings.
4. Your GDPR rights (EU/EEA & UK)
If you are located in the EU, EEA, or UK, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate data.
- Request erasure ("right to be forgotten").
- Restrict or object to certain processing.
- Receive your data in a structured, machine-readable format (data portability).
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email privacy@nortevo.app. We respond within 30 days.
5. Sharing & sub-processors
We do not sell your personal data. We share data only with vetted sub-processors strictly to operate the Service:
- Supabase — database & authentication hosting (EU region).
- Stripe — payment processing.
- Resend — transactional email delivery.
- OpenAI, Anthropic, Google — AI model providers used to run tracking queries on your behalf.
6. International transfers
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and additional safeguards as required.
7. Retention
We retain account and project data for as long as your account is active. After deletion, backups are purged within 30 days. Billing records are retained for the period required by applicable tax law (typically up to 10 years).
8. Security
We use industry-standard encryption in transit (TLS) and at rest, role-based access controls, and least-privilege principles. No system is 100% secure; we will notify affected users and the relevant authority within 72 hours of confirming a personal data breach, as required by GDPR.
9. Cookies
We use strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
10. Children
The Service is not directed at children under 16. We do not knowingly collect their data.
11. Changes
We may update this policy. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.
12. Contact
Nortevo — privacy@nortevo.app.
See also our Terms of Service.
