novo SOLUTION - Privacy Policy

This Privacy Policy describes how novo SOLUTION ("novo SOLUTION", "we", "us") collects, uses, discloses, and protects information when you use our iOS app, associated websites, and related services (collectively, the "Services").

novo SOLUTION is developed and operated by Mohammad Reghabi, an individual located in Vancouver, British Columbia, Canada.

If you are using novo SOLUTION on behalf of a business, your business may be the "Customer" under a separate agreement (for example, an enterprise plan). In that case, we process information as described below and as required to provide the Services.

1. SCOPE

This Policy applies to:

  • The novo SOLUTION iOS app (including optional iCloud/CloudKit sync, if enabled on your device)
  • Your connected website and backend services (when you enable website integration/sync)
  • Optional integrations you connect (for example: Facebook/Instagram, TikTok, payment providers, email providers)

This Policy does not apply to third-party websites, platforms, or services that you connect to novo SOLUTION. Those third parties have their own policies.

    2. INFORMATION WE COLLECT

    The information we collect depends on which features you use and which integrations you connect.

    2A. Access to Your Data and Your Control

  • On-device / iCloud-only data: If your data is stored only on your device and/or synced via Apple iCloud/CloudKit, that data is managed by Apple under your iCloud account. We do not have routine access to the contents of your iCloud data.
  • Website/backend data (if enabled): If you enable website integration or backend services, some data is stored and processed on the connected backend to deliver those features (for example, website content, sync operations, integrations, security logs, and anonymous analytics). As the operator of that backend, we (or authorized personnel assisting with support/security) may be able to access limited server-side information as necessary to operate, secure, debug, and support the Services.
  • Practical impact: Many privacy requests (for example, changes to customer records you entered) should be directed to the business owner/admin using the Services. Where we do have control over server-side data (for example, stored OAuth tokens, anonymous analytics, and security logs), we can help process requests as described below.

    2.1 Account and Business Profile Information

    We may collect and process:

  • Account information: name, username, email, role/permissions, authentication and session data
  • Business information: company name, address, phone, country/region, business type, stores/locations and related settings
  • Administrative metadata: user roles, permissions, activity and configuration changes (for security and audit purposes)

    2.2 Business Data You Choose to Store in the Services

    You (and your team) may store business records such as:

  • Inventory and catalog: products, images, categories/collections, pricing, stock history
  • Sales and finance: invoices, estimates, receipts/records, taxes, store credit, vouchers/gift cards (as applicable)
  • Customers and appointments: customer contact details, appointment/reservation data, communications, notes, and related records
  • Website content: pages, media, documents, contact forms/subscribers (when using website features)

    Important: Some of this data may include personal information about your customers or contacts. You control what you upload and how you use it.

    2.3 Technical, Device, and Diagnostic Information

    We automatically collect technical information needed to operate and secure the Services, such as:

  • Device and app data: device model, iOS version, app version/build, language and timezone
  • Diagnostic logs: crash reports, performance metrics, error logs
  • Security signals: authentication events, suspicious activity indicators, integrity and security monitoring data
  • Resource usage metrics: bandwidth consumption (bytes transferred per request type), storage usage (total file sizes), and related quota data, collected per account and aggregated on a calendar-month basis for subscription plan enforcement. Bandwidth counters reset on the 1st of each calendar month (UTC)

    We minimize collection of directly identifiable personal data in diagnostic and security logs; we also use redaction/sanitization where feasible.

    2.4 Analytics and Usage Data (Privacy-First)

    If you enable analytics and provide required consent in the app, we may collect:

  • Anonymous/aggregated usage events (for example: feature usage counts, screen views, and a hashed device identifier) to understand usage without directly identifying you

    By default, analytics features are privacy-first and can be disabled in settings. Some minimal operational telemetry may still be necessary for security and reliability.

    2.5 Integration Data (OAuth Connections and Webhooks)

    If you connect third-party services (for example, Facebook/Instagram, TikTok, payment providers, email providers), we may collect:

  • OAuth tokens (access tokens, refresh tokens, and related metadata such as expiration)
  • Connected account identifiers (for example, a Facebook Page ID, Instagram Business Account ID)
  • Connection metadata (for example, page/account display name, token expiration timestamps)
  • Webhook events from third-party providers (for example, events delivered by Meta/Facebook webhooks)

    We do not collect or store your third-party account passwords. Connections are established using OAuth (secure authorization flows).

    2.6 Payment Data

    When you use payment features, payment processing is generally handled by third-party payment processors and/or terminal providers. Depending on the feature, we may process:

  • Transaction metadata needed for records and reconciliation (for example, invoice IDs, totals, timestamps, status)

    We aim to avoid storing full payment card numbers and other sensitive payment credentials on our systems; those are typically handled by the payment provider under their own terms.

    2.7 AI Features Data (Optional — User-Initiated)

    novo SOLUTION includes optional AI-powered features to help you with tasks such as generating product SEO titles and descriptions, creating image alt text, producing AI ad copy, and generating and enhancing product images. These features are entirely optional and only activated when you choose to use them with your own API keys.

    When you use AI features, your business data (such as product names, descriptions, images, prompts, and other content you provide) may be sent to one or more of the following third-party AI providers depending on which feature you use:

    TEXT GENERATION

  • OpenAI (GPT-4o): Product names, descriptions, prompts, and page content may be sent to OpenAI's servers to generate SEO text, ad copy, and other written content.
  • Privacy Policy: openai.com/privacy

  • Google Gemini: Similar text content and product images may be sent to Google's AI infrastructure for SEO text generation and image analysis (alt text).
  • Privacy Policy: policies.google.com/privacy

    IMAGE GENERATION

  • OpenAI DALL-E: Product descriptions and prompts may be sent to OpenAI to generate or reimagine product images.
  • Privacy Policy: openai.com/privacy

    Key facts about AI features:

  • Every AI feature requires you to provide your own API key for the specific provider. Without an API key configured, no data is sent to that provider.
  • Data is sent directly from the app to the AI provider using your personal API key — novo SOLUTION does not store or intercept the content of AI requests.
  • All AI features are fully opt-in. The app works completely without enabling any of them.
  • AI-generated content is a suggestion only — you are responsible for reviewing and approving all AI-generated content before it is used or published.
  • We do not use your business data to train AI models.
  • For more information on how each provider handles your data, please refer to their respective privacy policies linked above.

    2.8 Tax API Provider Data (Optional — User-Configured)

    novo SOLUTION includes optional integrations with third-party tax calculation services to assist with real-time tax calculations. These integrations are entirely optional and only active when you choose to configure them with your own credentials.

    When you enable a Tax API Provider, transaction data may be sent to that provider to perform tax calculations. This data may include:

  • Product details (descriptions, tax codes, quantities, and prices)
  • Shipping destination address (country, state/province, city, postal code)
  • Order totals and line-item amounts

    The Tax API Providers currently supported are:

    TAX CALCULATION

  • TaxJar (by TaxJar, Inc.): Transaction data is sent to TaxJar's servers to calculate real-time sales tax amounts and rates based on shipping destination.
  • Privacy Policy: taxjar.com/privacy

  • Avalara AvaTax (by Avalara, Inc.): Transaction data is sent to Avalara's servers for enterprise-grade tax compliance and real-time tax calculation.
  • Privacy Policy: avalara.com/us/en/legal/privacy-policy.html

  • Stripe Tax (by Stripe, Inc.): Transaction data is sent to Stripe's servers to calculate tax amounts as part of the payment flow.
  • Privacy Policy: stripe.com/privacy

    Key facts about Tax API Provider integrations:

  • Every Tax API Provider integration requires you to configure your own API credentials. Without credentials configured, no transaction data is sent to that provider.
  • Data is transmitted directly from our servers to the Tax API Provider using your credentials — we do not sell this data to third parties.
  • Tax API Provider integrations are fully opt-in for in-store (POS) sales, which always use your manually configured tax rates. For the online store, at least one Tax API Provider or a payment provider with built-in tax handling (such as Stripe with Stripe Tax, or Square with Square Tax) must be configured to enable checkout. Without this, the online store operates in Showcase Mode — products are displayed publicly but customers cannot complete a purchase. See Section 4.4.5 of the Terms of Service.
  • Enabling a Tax API Provider does not transfer your tax compliance responsibilities. You remain solely responsible for verifying that tax calculations are accurate for your jurisdiction. See Section 4.4 of the Terms of Service.
  • Each provider operates under its own terms of service, privacy policy, and data processing practices.

    2.9 Subscription Data

    If you purchase a subscription through Apple's App Store, Apple handles billing and payment processing. We receive limited subscription status information from Apple (such as subscription tier, expiration date, and renewal status) to provide you with the appropriate level of service. We do not receive or store your Apple ID password or full payment details.

    3. HOW WE USE INFORMATION

    We use information for purposes such as:

  • Provide and operate the Services: core business management features, syncing, website integration, and connected services
  • Security and fraud prevention: authentication, access control, audit logging, abuse prevention, integrity monitoring
  • Support and communications: responding to requests, service notices, product updates, account-related messages
  • Improve and develop: bug fixes, performance improvements, feature development, analytics (when enabled/consented)
  • Compliance and legal: meeting legal obligations, enforcing terms, and protecting rights and safety
  • Usage monitoring and enforcement: tracking bandwidth and storage consumption per account to enforce subscription plan limits, including automated actions such as blocking uploads when bandwidth limits are reached (100%), automatically unpublishing websites when bandwidth exceeds 120% of the plan limit, and automatically republishing websites when usage drops below limits (either through a plan upgrade or the start of a new calendar month). Usage data is displayed to all account users (including staff) through the iOS app with exact GB figures and visual indicators. See Terms of Service Section 4.5 for full details

    4. LEGAL BASES FOR PROCESSING

    Where applicable (for example, under GDPR), we process information under one or more legal bases, including:

  • Contract: to provide the Services you request
  • Legitimate interests: to secure, maintain, and improve the Services
  • Consent: for optional analytics and certain integrations where you choose to enable them
  • Legal obligations: compliance with applicable laws and lawful requests

    5. HOW WE SHARE INFORMATION

    We do not sell your personal information. We may share information:

  • With service providers that help us run the Services (hosting, security, analytics, customer support tooling, email delivery, etc.)
  • With integrated third parties you choose (for example, Meta/Facebook/Instagram, TikTok, payment processors, email providers) to perform the features you enable
  • With Apple iCloud/CloudKit if you enable iCloud sync on your device (Apple's terms and policies apply)
  • With AI providers (OpenAI, Google Gemini) when you configure an AI API key and use optional AI features — see Section 2.7 for details
  • With Tax API Providers (TaxJar, Avalara, Stripe Tax) when you configure a tax API integration and use optional real-time tax calculation features — see Section 2.8 for details
  • For legal and safety reasons: to comply with law, respond to lawful requests, protect users, prevent fraud and abuse, and enforce our terms
  • In connection with a merger, acquisition, or sale of assets, subject to applicable safeguards

    6. SECURITY

    We use administrative, technical, and physical safeguards designed to protect information, such as encryption in transit, access controls, and monitoring. No method of transmission or storage is 100% secure; however, we work to meet enterprise-grade security expectations appropriate for the Services.

    7. DATA RETENTION

    We retain information for as long as your account is active or as needed to provide the Services, and as needed for backups, synchronization, dispute resolution, and compliance with legal obligations. Specific retention periods include:

  • Business data: retained while your account is active and as long as your business uses the Services
  • Anonymous analytics events: if enabled/consented, anonymous analytics events (for example, event type, timestamp, session identifier, coarse device info, and an anonymized identifier) are retained for analytics purposes and periodically purged
  • Security and audit logs: retained as needed for security monitoring, incident investigation, and compliance
  • Integration tokens: retained while the integration is connected and deleted upon disconnection

    8. YOUR RIGHTS AND CHOICES

    Depending on your jurisdiction, you may have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of personal information (subject to legal exceptions)
  • Object to or restrict certain processing
  • Withdraw consent (for example, for optional analytics)
  • Data portability (export)

    You can also manage certain privacy settings directly in the app (for example, analytics toggles and integration connections).

    8A. Operational Telemetry (Security and Reliability)

    Even if you disable optional analytics, we may still process minimal operational telemetry strictly for security, abuse prevention, and service reliability. Examples may include:

  • Security logs: authentication attempts, session and token validation outcomes, CSRF and rate-limit events, suspicious activity signals, and audit logging of administrative actions
  • Technical metadata: request identifiers, timestamps, device/platform info, and network metadata such as IP address and user agent (used for security and fraud prevention)

    We use this information to protect the Services (for example, detect abuse, enforce access controls, investigate incidents, and prevent fraud). We do not use operational telemetry for behavioral advertising.

    8B. Cookies and Similar Technologies

    When you use our web properties (for example, the admin portal or your connected website), we may use cookies or similar technologies for:

  • Essential operation (for example, authentication/session management, CSRF protection, security controls)
  • Preferences (for example, tenant/company selection in multi-tenant setups)

    We do not intentionally use third-party advertising cookies by default. If we introduce optional analytics or advertising cookies on web properties in the future, we will provide appropriate notice and choice mechanisms where required by law.

    Do Not Track: Some browsers offer a "Do Not Track" setting. Because there is no consistent industry standard for DNT signals, our web properties may not respond to DNT signals.

    8C. International Transfers

    novo SOLUTION may process and store information in countries other than where you live (for example, where we or our service providers operate). Where required (for example, transfers from the EEA/UK), we use appropriate safeguards such as standard contractual clauses or other lawful transfer mechanisms.

    8D. Subprocessors and Service Providers

    We use vendors ("subprocessors") to help provide the Services (for example, cloud hosting, database infrastructure, security monitoring, email delivery, payment processors, and integration providers). A current list of subprocessors can be requested by contacting us.

    8E. Sensitive Data

    Unless expressly agreed in writing, you must not upload or store:

  • Government-issued identifiers (for example: Social Insurance Numbers, passport numbers)
  • Precise geolocation, biometric identifiers, or other sensitive categories regulated by law
  • Health/medical information, including Protected Health Information (PHI)

    The Services are not designed to support HIPAA compliance and should not be used to store Protected Health Information unless you have a separate written agreement with us that specifically covers such use.

    8F. Marketing Communications

    We may send service-related communications (for example, account, security, billing, and service notices). Where we send marketing communications, you can opt out using the unsubscribe mechanism provided in the message or by contacting us, subject to legal requirements.

    9. DATA DELETION (INCLUDING ACCOUNT DELETION)

    9.1 Account Deletion

    novo SOLUTION provides a complete account deletion feature directly within the app, in compliance with Apple App Store requirements.

    How to Delete Your Account:

  1. Open the novo SOLUTION app
  2. Navigate to Settings > Account
  3. Tap Delete Account
  4. Confirm your decision when prompted

    What Happens When You Delete Your Account:

  • Your user account and all data associated with your account (including companies, products, customers, invoices, appointments, and other records) will be permanently deleted
  • All connected integrations (social media, payment providers, etc.) will be disconnected and their OAuth tokens revoked with the third-party providers
  • All website content and backend data associated with your account will be permanently deleted from our servers
  • iCloud/CloudKit synced data associated with your account will be removed
  • All local and iCloud Drive backup files (.novo, .store) created by the app will be permanently deleted
  • All locally cached data, temporary files, and app preferences will be cleared
  • Any API keys associated with your account will be revoked and deleted

    Important Subscription Information:

  • Your Apple App Store subscription is managed by Apple and is NOT automatically cancelled when you delete your account
  • You must cancel your Apple subscription separately through your Apple ID subscription settings (Settings > Apple ID > Subscriptions) or at https://apps.apple.com/account/subscriptions
  • If you do not cancel your Apple subscription before deleting your account, Apple may continue to charge you
  • You will NOT receive a refund for any remaining time on your current billing period
  • We recommend cancelling your subscription first, then deleting your account when the paid period ends

    Important Notes:

  • Account deletion is permanent - this action cannot be undone
  • Temporary deactivation is not offered - we only provide full, permanent account deletion
  • No customer service required - you can complete account deletion entirely within the app without needing to call, email, or contact support
  • Data recovery is not possible - once deleted, your data cannot be recovered
  • Please export any data you wish to keep before initiating account deletion
  • If you create a new account using the same iCloud account after deletion, you will start with a completely fresh account - no previously deleted data will be restored (GDPR compliance)

    Timing:

  • Account deletion is processed immediately upon confirmation
  • All server data, local data, iCloud/CloudKit data, backup files, and associated records are deleted immediately
  • Apple App Store subscriptions are NOT automatically cancelled — you must cancel through Apple (see above)
  • If server deletion fails due to a temporary network issue, the deletion will be retried automatically the next time you open the app
  • Once deleted, your data cannot be recovered

    9.2 Deleting Social Media Connection Data

    You can disconnect social media integrations and delete associated connection data using the in-app "Delete All Social Media Data" option, which is designed to:

  • Disconnect connected social platforms
  • Remove stored tokens and connection metadata from our systems where supported
  • Clear local cached social media data on the device (for example, stored page/account IDs and last-post timestamps)

    Important notes:

  • Content you already posted to Facebook/Instagram/TikTok remains on those platforms unless you delete it from the platform directly.
  • Token revocation is attempted where supported, but revocation may not always succeed (for example, if a token is already expired or provider-side revocation is unavailable). If you want to fully remove access, you can also remove novo SOLUTION's access from within the provider's security settings.
  • Company deletion: removing a company from the app will also delete associated social media connection data.
  • Backend deletion: if you enabled website integration, deletion may involve deleting data stored on your connected backend as well.
  • Full account deletion: use the account deletion feature described in Section 9.1 for complete removal of all data.

    For deletion assistance beyond in-app controls, contact us (see "Contact").

    10. CHILDREN'S PRIVACY

    The Services are intended for business use and are not directed to children under 13. If you believe a child has provided personal information, contact us.

    11. CHANGES TO THIS POLICY

    We may update this Privacy Policy at any time, without prior notice, to the extent permitted by law. The updated version will be posted in the Services and will be effective when posted (or as otherwise stated). If notice is required by applicable law for certain changes, we will provide the required notice.

    12. CONTACT

    For privacy questions or requests: Email: support@novosolution.org

    For legal notices: Email: support@novosolution.org

    Submitting Privacy Requests:

    To submit a privacy request (access, deletion, correction, portability), email us with:

  • Your name and account/business identifier (if available)
  • The type of request
  • The email address associated with the account (if applicable)
  • Any relevant details needed to locate the data

    For security, we may need to verify your identity before processing your request. If you are acting on behalf of a business account, we may require proof of authority. We aim to respond within applicable legal timeframes (commonly 30-45 days, depending on your jurisdiction and the nature of the request).

    Last Updated: April 10, 2026

    Version 1.0.9 • Last updated: 4/9/2026