Privacy Policy
Privacy Policy
Effective 5 July 2026 · Version 2026-07-05
On this page
- Our approach to privacy
- Information you provide
- Information collected automatically
- How we use information
- Legal bases for processing
- AI processing of your content
- Sharing and subprocessors
- International data transfers
- Data retention
- Security
- Your privacy rights
- Children's privacy
- Changes to this policy
- How to contact us
1. Our approach to privacy
Senova is an AI web-app builder with integrated hosting and our "Checkride" site-verification service. We designed the product to respect your privacy by default. We collect the data we need to run the service reliably and to bill accurately, and not much more.
Product analytics are off by default. We do not load third-party advertising trackers, and we do not sell your personal information or share it for cross-context behavioral advertising. Where we would like to measure how features are used to improve them, we ask for your consent first and give you a clear way to opt out at any time.
This policy explains what we collect, why we collect it, how long we keep it, who we share it with, and the rights you have over your data.
2. Information you provide
You give us information directly when you sign up and use Senova. This includes:
- Account information — your name, email address, and password credentials (stored as a salted hash, never in plain text). If you sign in with a third-party identity provider, we receive a basic profile and a token rather than your password.
- Workspace and team information — the name of your workspace, the members you invite, their roles, and settings you configure.
- Billing information — your plan, billing address, and tax details. Card and payment-instrument data is handled directly by our third-party payment processor; we do not store full card numbers on our systems. We receive limited billing metadata such as the last four digits, card brand, and payment status.
- Content you create — the prompts you write, the projects, code, configuration, assets, and data you build or upload, and the sites you deploy and verify through Checkride.
- Support and communications — messages you send us, feedback, and survey responses.
3. Information collected automatically
When you use Senova, some information is collected automatically so the service can function, stay secure, and be debugged:
- Log and usage data — request timestamps, pages and features accessed, actions taken, and error and performance diagnostics.
- Device and connection data — IP address, browser type and version, operating system, and general (city/region-level) location inferred from IP.
- Cookies and similar technologies — we use a small set of strictly necessary cookies to keep you signed in and to secure the service, and optional cookies only with your consent. For the full list and your controls, see our Cookie Policy.
4. How we use information
We use the information described above to:
- Provide the service — create and manage your account, build and host your projects, run Checkride verifications, and deliver the features you request.
- Secure the service — authenticate you, detect and prevent fraud and abuse, and investigate security incidents.
- Support you — respond to your questions and troubleshoot problems.
- Improve the service — understand which features work well and fix what does not. Where this relies on optional analytics, we do it only with your consent.
- Communicate — send you service, security, and billing notices, and (where permitted) product updates you can opt out of.
- Meet legal obligations — comply with applicable law, enforce our terms, and establish, exercise, or defend legal claims.
5. Legal bases for processing
If you are in the European Economic Area, the United Kingdom, or a similar jurisdiction, we process your personal data under the following legal bases:
- Performance of a contract — to provide the service you have signed up for, including hosting, building, and billing.
- Legitimate interests — to keep the service secure, prevent abuse, maintain and debug our systems, and understand usage in a privacy-respecting way, balanced against your rights.
- Consent — for optional analytics, non-essential cookies, and certain marketing communications. You may withdraw consent at any time without affecting processing already carried out.
- Legal obligation — to comply with tax, accounting, and other legal requirements.
6. AI processing of your content
Senova is an AI builder, so the prompts and content you provide are processed by AI systems to generate output for you — code, layouts, copy, and configuration. To do this we send relevant prompts and context to AI model providers acting as our subprocessors.
We do not use your prompts or content to train third-party base models, and we contractually require our AI subprocessors not to use your content to train or improve their general-purpose models, unless you have given us explicit, separate consent. Content is processed to serve your request and to operate features you have enabled.
AI output can be inaccurate or incomplete. You are responsible for reviewing generated output before you rely on or deploy it. The AI providers we use are listed on our Subprocessors page.
On-device model. On capable devices, our First Officer assistant runs a small language model privately in your browser using WebGPU. When it does, your conversation with the assistant is processed locally on your own device and is not sent to us or to any AI provider. The model files download once from a public model host and are cached by your browser. This runs quietly in the background on supported devices; you can turn it off at any time from the assistant’s panel, in which case the assistant falls back to server-side processing (subject to the terms above) or is unavailable if no server model is configured.
7. Sharing and subprocessors
We do not sell your personal data. We share information only in the limited circumstances below:
- Subprocessors — vendors who process data on our behalf to run the service, such as cloud hosting, AI model providers, our payment processor, and email delivery. They act under contract and only on our instructions. The current list is on our Subprocessors page.
- Within your workspace — content and activity are visible to other members of your workspace according to the roles and permissions you set.
- Legal and safety — when required by law, valid legal process, or to protect the rights, safety, and security of Senova, our users, or the public.
- Business transfers — if Senova is involved in a merger, acquisition, or sale of assets, data may transfer as part of that transaction, subject to this policy.
8. International data transfers
Senova operates and uses subprocessors in multiple countries, so your data may be processed outside the country where you live, including in the United States. Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards.
[Placeholder pending attorney review] We intend to rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures where needed. Final transfer mechanisms and their details will be confirmed on completion of legal review.
9. Data retention
We keep personal data while your account is active and for a limited window afterward, then delete or anonymize it, unless a longer period is required by law (for example, tax and billing records) or to resolve disputes and enforce agreements.
When you delete a project or close your account, we begin removing the associated content from active systems and purge it from backups on our normal backup rotation. The table below summarizes the main data categories, why we hold them, and how long.
| Data category | Purpose | Retention |
|---|---|---|
| Account & profile | Authentication, workspace management | Life of account + up to 90 days after closure |
| Content you create (projects, prompts, deployed sites) | Provide the builder, hosting, and Checkride | Until you delete it or close your account; purged from backups on rotation (up to 35 days) |
| Billing & tax records | Payment, accounting, legal compliance | As required by law, typically up to 7 years |
| Log & security data | Security, abuse prevention, debugging | Typically 30–180 days, longer for active investigations |
| Support communications | Respond to and improve support | Up to 24 months after the ticket closes |
| Optional analytics (consent-based) | Product improvement | Until consent is withdrawn, then deleted or aggregated |
10. Security
We take reasonable and appropriate measures to protect your data, including encryption in transit (TLS), encryption of data at rest on our infrastructure, role-based access controls, least-privilege access for staff, audit logging, and routine patching.
To be honest with you: no system is perfectly secure, and we do not claim otherwise. We cannot guarantee absolute security, and you also play a part — use a strong, unique password, protect your credentials, and manage who you invite to your workspace. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
11. Your privacy rights
Depending on where you live, you may have some or all of the following rights over your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix data that is inaccurate or incomplete.
- Deletion — ask us to delete your personal data, subject to legal exceptions.
- Portability / export — receive your data in a portable format, and export your projects.
- Objection and restriction — object to or restrict certain processing, including processing based on legitimate interests.
- Withdraw consent — withdraw consent for optional analytics, cookies, or marketing at any time.
To exercise any of these rights, email [email protected]. We will verify your request and respond within the timeframe required by applicable law. Exercising your rights will not lead to discriminatory treatment.
We honor Global Privacy Control (GPC) signals as a valid opt-out for applicable sharing and optional analytics. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.
12. Children's privacy
Senova is not directed to children and is not intended for anyone under 16 (or under 18 where a higher age of digital consent applies in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
13. Changes to this policy
We may update this policy as the product, our subprocessors, or the law changes. When we make material changes, we will update the effective date and version at the top of this page and, where appropriate, notify you in the product or by email. Your continued use of Senova after an update means you accept the revised policy.
14. How to contact us
For any privacy question or to exercise your rights, contact us at [email protected]. We will route your request to the right team and respond as promptly as we can.