Last updated: March 2025 · Effective: March 2025
1. Data Controller
NovaPulse AI
— address on file —
Email: legal@novapulse.ai
As data controller under the EU General Data Protection Regulation (GDPR — Regulation 2016/679), we determine the means and purposes of processing your personal data.
2. Data We Collect
2.1 Account Data
- Username — chosen at registration
- Password — stored as a bcrypt hash; we never store plaintext passwords
- TOTP secret — only if you enable two-factor authentication
- API token — if generated by you for automation purposes
- Role and credits — to manage your subscription and access level
2.2 Transaction Data
- PayPal order ID and payer ID (no payment card data is processed or stored by us)
- Amount paid and credits purchased
- Transaction timestamps and status
2.3 Usage Data
- Credit consumption logs (number of videos processed, timestamps)
- Job IDs and processing status (retained for 24 hours, then deleted)
2.4 Technical Data
- IP address — used for rate limiting and security logging; not stored persistently
- Session tokens — stored in encrypted server-side sessions; expire after 8 hours
- Server access logs — retained for up to 30 days for security purposes
2.5 Media Files
Video files, watermark images, and processed output files are stored temporarily on the server and deleted automatically after 24 hours. We do not analyse, share, or retain these files beyond processing your request.
3. Legal Basis for Processing
| Data |
Legal Basis (GDPR Art. 6) |
| Account data | Art. 6(1)(b) — Contract performance |
| Transaction data | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (accounting) |
| Usage logs | Art. 6(1)(f) — Legitimate interest (service improvement, fraud prevention) |
| Security logs | Art. 6(1)(f) — Legitimate interest (security) |
4. How We Use Your Data
- Provide and maintain your account and the Service
- Process credit purchases and deliver purchased credits
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations (e.g., accounting, tax records)
- Respond to your support requests
We do not use your data for advertising, profiling, or sell it to third parties.
5. Data Sharing
We share personal data only with:
- PayPal — payment processing. Subject to PayPal's own privacy policy.
- Hosting provider — server infrastructure. Bound by a Data Processing Agreement.
- Legal authorities — only when required by law or court order.
6. Data Retention
- Account data: retained until you delete your account.
- Transaction records: 10 years (French accounting law obligation).
- Credit usage logs: 12 months.
- Media files: 24 hours maximum, then automatically deleted.
- Server access logs: 30 days.
7. Your Rights (GDPR)
Under GDPR you have the right to:
- Access — obtain a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion ("right to be forgotten", Art. 17)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Objection — object to processing based on legitimate interest (Art. 21)
- Restriction — limit how we process your data (Art. 18)
To exercise any of these rights, email legal@novapulse.ai. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority (CNIL).
8. Security Measures
We implement the following technical and organisational measures to protect your data:
- Passwords stored using bcrypt with a minimum cost factor of 12
- HTTPS/TLS encryption in transit
- Session tokens with 8-hour expiry and CSRF protection
- Rate limiting on authentication endpoints
- Non-root Docker containers with restricted filesystem access
- Regular security reviews aligned with NIS2 and ISO 27001 principles
9. International Transfers
Data is processed and stored within the European Union. If any transfer outside the EEA is necessary, it will be protected by appropriate safeguards (Standard Contractual Clauses or adequacy decision).
10. Contact & DPO
For any privacy-related question or to exercise your rights:
NovaPulse AI
— address on file —
legal@novapulse.ai