Privacy Policy — NovoVendi

1. Introduction

This Privacy Policy explains how NovoVendi (“we”, “us”, “our”) collects, uses, stores, and protects your personal information when you use our WooCommerce fleet management platform (“the Service”). We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant legislation.

2. Data Controller

NovoVendi is the data controller for the personal data collected through the Service (your account information, usage data, etc.). For data relating to your WooCommerce store customers (order data, customer names, etc.), you are the data controller and NovoVendi acts as a data processor on your behalf.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

Name and email address
Hashed password (we never store plaintext passwords)
Account creation timestamp
Consent timestamps (Terms of Service and Privacy Policy acceptance)

3.2 Store Connection Data

When you connect WooCommerce stores, we store:

Store URL and name
WooCommerce API credentials (consumer key/secret) — stored securely and never exposed in API responses
Bridge plugin tokens — unique authentication tokens for the WordPress bridge plugin
Store metadata: WooCommerce version, WordPress version, PHP version, active theme, plugin list, currency

3.3 Store Operational Data

Through store synchronization and bridge plugin heartbeats, we collect:

WooCommerce settings and configuration values
Product counts, order counts, and aggregate commerce metrics (revenue, AOV)
Plugin inventory and update availability
Theme data, shipping zones, tax rates, payment gateway configuration, coupon data, email settings
Site health information and feature flags

Note: We do not deliberately collect end-customer personal data (individual customer names, email addresses, or payment details). However, some operational data (e.g., order metadata) may incidentally include personal information of your customers.

3.4 Usage & Analytics Data

We may collect:

Browser type, device information, and IP address (via server logs)
Pages visited and features used within the Service
Google Analytics data (if you consent to analytics cookies) — see our cookie policy below

3.5 Audit & Activity Logs

All configuration changes, sync events, and administrative actions are recorded in audit logs with timestamps and user identification for security and accountability purposes.

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

Contract performance: Processing necessary to provide the Service you have signed up for (account data, store connections, configuration management)
Consent: Analytics cookies and optional data processing (you may withdraw consent at any time)
Legitimate interest: Security logging, fraud prevention, and service improvement
Legal obligation: Retaining records as required by applicable law

5. How We Use Your Information

Providing and operating the Service (store management, settings sync, alerts)
Authenticating your identity and securing your account
Sending transactional notifications (alerts, weekly reports) you have opted into
Improving the Service through aggregated, anonymized usage analytics
Detecting and preventing security threats and unauthorized access
Complying with legal obligations

6. Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with the following categories of service providers:

Sub-Processor	Purpose	Data
Google Cloud Platform (GCP)	Application hosting, networking, managed infrastructure	Service operational data
Brevo	Transactional email delivery (verification, product notifications)	Account email address and message metadata
Amazon Web Services (S3)	File storage (store icons, theme uploads)	Uploaded files only
Google Analytics (optional)	Usage analytics	Anonymized browsing data (only with consent)
Google Identity Services (optional)	Single Sign-On authentication	Email, name, profile picture

7. Cookies & Tracking

We use the following categories of cookies:

Essential cookies: Required for authentication and session management. These cannot be disabled.
Analytics cookies: Google Analytics cookies to understand how the Service is used. These are only activated with your explicit consent and can be managed at any time via the cookie consent banner.

You can change your cookie preferences at any time by clearing your browser's local storage for this site, which will re-display the consent banner on your next visit.

8. Data Retention

Account data: Retained for the lifetime of your account. Deleted upon account deletion.
Store data & settings: Retained while your account is active. Deleted upon account deletion or store removal.
Audit logs: Retained for the lifetime of your account for compliance and security purposes.
Bridge commands: Completed and failed commands may be cleared manually. All commands are deleted upon account deletion.
Analytics data: Subject to Google Analytics retention policies (currently 14 months).

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you (available via “Download My Data” in App Settings)
Rectification: Correct inaccurate personal information
Erasure (“Right to be Forgotten”): Delete your account and all associated data (available via “Delete My Account” in App Settings)
Data Portability: Receive your data in a structured, machine-readable format (JSON export via App Settings)
Restriction: Request limitation of processing in certain circumstances
Objection: Object to processing based on legitimate interest
Withdraw Consent: Withdraw previously given consent (e.g., analytics cookies) at any time

To exercise any of these rights, use the self-service tools in App Settings or contact us at privacy@novovendi.com. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

Encryption of passwords using bcrypt with a cost factor of 12
API credentials never exposed in responses (replaced with boolean indicators)
SSRF protection against server-side request forgery attacks
Rate limiting on authentication endpoints
Content Security Policy (CSP) headers to prevent XSS attacks
Secure session cookies in production (HTTPS-only, HttpOnly)
Role-based access control with 24 granular permissions
Comprehensive audit logging of all administrative actions

11. International Data Transfers

Your data is processed and stored in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and other appropriate safeguards for international data transfers as required by applicable law.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

13. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

Right to Know: Request what personal information we collect, use, and disclose
Right to Delete: Request deletion of your personal information
Right to Non-Discrimination: We will not discriminate against you for exercising your rights
No Sale of Data: We do not sell personal information to third parties

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via a prominent notice within the Service. The “Last updated” date at the top indicates when the most recent changes were made.

15. Contact Us

For privacy-related inquiries, data protection requests, or to request a Data Processing Agreement (DPA), contact us at:

privacy@novovendi.com