Privacy Policy
This Privacy Policy explains how Apex AI Labs, doing business as Nova8 (“Nova8,” “we,” “us,” or “our”) collects, uses, and shares information about you when you use the Nova8 website at https://nova8.dev, the Nova8 web application, and any related services we offer (together, the “Services”).
This policy covers data we collect about you, the Nova8 customer. It does not cover data collected by the apps you build using Nova8 — those apps are owned and operated by the developers who built them, and each one publishes its own privacy policy at /privacy/<projectId>.
1. Information we collect
1.1 Information you provide directly
- Account information. When you create an account, we collect your email address, your chosen display name, and a password (which we store only as a one-way bcrypt hash, never in plain text). If you sign in with Google or Apple, we receive your email address and name from those providers in lieu of a password.
- Payment information. If you subscribe to a paid plan or buy a credit top-up, we use Stripe to process your payment. We never receive or store your full card number, CVV, or bank credentials. Stripe returns a customer ID and a subscription ID to us, which we store on your account row so we can manage your billing. Your billing address (if entered) is held by Stripe.
- Project content. When you build an app on Nova8, we store the prompts you send, the chat history with the build agent, the code files generated for your project, screenshots produced during preview, and any images, attachments, or assets you upload. Chat history may contain unstructured text you typed casually — we store it for up to 12 months after the project’s last edit so you can scroll back through your build, and you can delete an individual chat thread at any time from the project workspace.
- Third-party credentials you choose to add. If you connect API keys, OAuth tokens, or service accounts (for example, your Apple Developer credentials, an OpenAI API key for your generated app, a Stripe key, a Supabase key, or a RevenueCat key), we encrypt those secrets at rest using envelope encryption with Google Cloud KMS before persisting them. They are decrypted only inside an isolated build sandbox at the moment they are needed and are never exposed to the front-end JavaScript bundle.
- Support communications. If you email us at [email protected], we keep a record of the conversation so we can answer follow-ups.
1.2 Information we collect automatically
- Usage and telemetry. We log API requests, build events, error traces, and timestamps for product analytics, abuse prevention, and debugging. This includes your IP address, browser user-agent string, the URL path you requested, and approximate response time.
- Signup attribution (one time only). At the moment you create your account, we record your country (derived from your IP via standard geo-IP lookup), your IANA timezone (sent by your browser), the truncated user-agent string, your document.referrer, any UTM query parameters in the URL (utm_source, utm_medium, utm_campaign), and the path you first landed on. We capture these once and never update them, so we can understand where new customers come from. They are not used to track you across the web.
- Last active timestamp. Each authenticated request bumps a last_active_at field on your account so we can compute aggregate daily/weekly/monthly active-user counts.
- Cookies and local storage. See our Cookie Policy for the full list. In short, we use a single auth-token cookie, no advertising cookies, and no third-party analytics tags that fire before you sign in.
1.3 Sensitive Personal Information (California & comparable laws)
California’s CPRA and several other US state laws define a category called “Sensitive Personal Information.” The only category in this definition that Nova8 processes is the contents of your messages (i.e. your prompts and chat history with the build agent), and we process them solely to provide the Services you asked for — we do not infer characteristics about you from those messages, do not use them to build a profile, and do not share them outside the strict vendor list in Section 4. As a result, no separate “Limit the Use of My Sensitive Personal Information” right applies in practice; if you nonetheless want us to stop processing them, you can delete the project (or your account) at any time.
1.4 Information we do not collect
- We do not collect biometric identifiers, precise GPS location, contacts lists, photo libraries, or microphone/camera input from your device.
- We do not run third-party advertising trackers, social-media pixels, or session-replay tools.
- We do not sell, rent, or trade personal information to data brokers, ever.
2. How we use your information
We use the information described above for the following purposes only:
- Provide the Services. Authenticate you, run your build jobs, render your previews, deliver your generated code, host your support and privacy pages, and back up your projects.
- Process payments. Manage subscriptions, top-ups, refunds, and tax compliance through Stripe.
- Improve the product. Aggregate usage metrics to understand which features work, fix crashes, and prioritise the roadmap. Aggregate metrics never identify individual users to humans inside Nova8 unless we are diagnosing a specific support ticket you opened.
- Improve our AI (only if you consent). If you have training-data sharing turned on in Settings › Privacy, we may store anonymised prompts, the code we generated, and the outcome (build pass, build fail, your thumbs-up / thumbs-down) so we can fine-tune our own AI agent over time. We strip emails, phone numbers, API keys, OAuth tokens, credit-card numbers, SSNs, and URLs containing secrets before the data is stored, and we replace your account ID with an irreversible cryptographic hash before any export. You can turn this off any time, and you can wipe any data we’ve already collected by deleting your account from Settings (the cascade includes training events) or by emailing [email protected] if you want to keep the account. See section 3.1 below for full details.
- Communicate with you. Send transactional emails (verification, receipts, security alerts, deletion confirmations). We will only send you product or marketing announcements if you opt in, and every such email contains a one-click unsubscribe link.
- Prevent abuse. Detect and block fraud, spam, brute-force authentication attempts, prompt-injection attacks, and any use of the platform that violates our Acceptable Use Policy.
- Comply with the law. Respond to subpoenas, court orders, and lawful requests from authorities with jurisdiction over us; defend our legal rights; and meet tax, accounting, and regulatory obligations.
3. How your data flows through the build pipeline
When you ask Nova8 to build, edit, or preview an app, your prompt and the relevant project files are passed to a sandboxed build environment for the duration of that single build. Your prompt is also sent to one or more AI providers we contract with for code generation. We send only what is necessary for the request — not your email, billing details, or other unrelated account information — and we do not allow these providers to use your prompts or project content to train their public models. Build sandboxes are ephemeral: they are destroyed after each session and their contents are not retained beyond the scope of the build.
3.1 Nova8’s own use of your prompts and code for training
Effective May 16, 2026, Nova8 may use a consent-gated, privacy-scrubbed subset of your activity to fine-tune Nova8-owned AI models. The full mechanics are below so you can decide for yourself.
- What we collect (only with your consent). For each build, edit, or generation request: the prompt text you sent, the code or files we generated in response, the model that produced it, approximate token counts, and the outcome — build pass, build fail, your thumbs-up or thumbs-down, or a successful TestFlight ship. We do not collect your chat history outside generation events, your account profile, your billing data, or any third-party credentials you connect to your projects.
- What we strip before storing. Email addresses, phone numbers, API keys, OAuth and bearer tokens, credit-card numbers, U.S. social-security numbers, and URLs containing query-string secrets are removed from both the prompt text and the generated code before the row is written. Individual fields are capped at 200 KB to prevent runaway content. PII scrubbing happens server-side at the moment of capture, not at export time.
- How exports work. Before any training row leaves Nova8 (for internal fine-tuning, a research partner, or an acquirer in a due-diligence process), your account ID is replaced with an irreversible SHA-256 hash. The exported rows cannot be linked back to your account, your email, or your projects.
- Default state. For accounts created on or after May 16, 2026, this setting is on by default; for accounts that existed before that date, the setting is off by default and we will not capture anything for your account until you turn it on yourself. Either way, you can change the setting any time in Settings › Privacy, and the change takes effect immediately.
- Deletion. Turn the toggle off and we stop logging new training events for your account immediately. To wipe rows we’ve already collected, you have two self-serve options — both take effect immediately, not on a 30-day timer: (a) delete your entire Nova8 account, which cascades through every table including training events, projects, builds, and analytics linkage, or (b) email [email protected] with the subject line “Delete my training data” (mention the account email you signed up with) if you want to keep your account but remove only the training-data rows. Either path satisfies your GDPR Article 17 / CCPA §1798.105 right to erasure.
- Retention. Even if you take no action, training events are kept for a maximum of three years from the date they were captured, after which they are irreversibly deleted by an automated nightly process. This is a hard cap satisfying GDPR Article 5(1)(e) storage-limitation; we may shorten it but we will not extend it without first asking for your consent.
- What we still do not do. We do not sell training data. We do not let third-party AI providers train their own public models on your prompts or generated code — that contractual prohibition (described in section 3, paragraph 1) is unchanged. Aggregate, fully de-identified usage statistics (for example, “the average build takes 47 seconds”) are not part of the training-data programme and are not affected by your consent setting.
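The capture, scrubbing, capping and export steps described in this section, as an added worked example in Python. It is not Nova8's code: the regex patterns, the field names, the HASH_PEPPER secret and the sample prompt are all constructed for illustration, and a real scrubber would use tested detectors rather than these short patterns. One design choice is deliberate: the account ID is hashed with a server-side secret (HMAC-SHA256) rather than an unkeyed SHA-256, because account IDs are short and enumerable, and the key is what makes the mapping one-way in practice.

```python
import hashlib
import hmac
import re
from dataclasses import asdict, dataclass

# Constructed, hypothetical server-side secret that keys the account-ID hash.
# A real deployment loads it from a secret manager; it never ships in source.
HASH_PEPPER = b"example-pepper-for-illustration-only"

# Per-field cap stated in the policy: 200 KB.
FIELD_CAP_BYTES = 200 * 1024

# Illustrative patterns for the categories the policy names. They are not the
# platform's actual rules. Order matters: specific tokens run before generic
# digit runs so a card number is not half-eaten by the phone pattern.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{16,}=*")
API_KEY_RE = re.compile(r"\b(?:sk|pk|rk)[-_][A-Za-z0-9_-]{16,}")  # sk_live_..., sk-proj-...
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")                 # 13-19 digits, Luhn-checked
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\+\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
URL_RE = re.compile(r'https?://[^\s<>"\']+')
SECRET_PARAM_RE = re.compile(
    r"(?i)\b(token|key|api_key|apikey|secret|password|access_token|sig|signature)=[^&\s]*")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a long order number is not mistaken for a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _scrub_card(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return "[CARD]" if _luhn_ok(digits) else m.group(0)


def _scrub_url(m: re.Match) -> str:
    """Keep the URL; redact only the values of secret-looking query params."""
    base, sep, query = m.group(0).partition("?")
    return base + sep + SECRET_PARAM_RE.sub(r"\1=[REDACTED]", query) if sep else m.group(0)


SCRUBBERS = [
    (URL_RE, _scrub_url),
    (EMAIL_RE, "[EMAIL]"),
    (BEARER_RE, "[BEARER]"),
    (API_KEY_RE, "[API_KEY]"),
    (CARD_RE, _scrub_card),
    (SSN_RE, "[SSN]"),
    (PHONE_RE, "[PHONE]"),
]


def scrub_pii(text: str) -> str:
    """Runs at capture time on both the prompt and the generated code."""
    for pattern, replacement in SCRUBBERS:
        text = pattern.sub(replacement, text)
    return text


def cap_field(text: str, limit: int = FIELD_CAP_BYTES) -> str:
    """Truncate on the UTF-8 byte budget without splitting a multi-byte char."""
    encoded = text.encode("utf-8")
    if len(encoded) <= limit:
        return text
    return encoded[:limit].decode("utf-8", errors="ignore") + "\n[TRUNCATED]"


def pseudonymise_account_id(account_id: str, pepper: bytes = HASH_PEPPER) -> str:
    """Keyed SHA-256 (HMAC) of the account ID; without the key the digest
    cannot be recomputed from a guessed ID."""
    return hmac.new(pepper, account_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class TrainingEvent:
    account_id: str
    prompt: str
    generated_code: str
    model: str
    token_count: int
    outcome: str  # build_pass | build_fail | thumbs_up | thumbs_down | shipped


def capture_training_event(consent_enabled: bool, account_id: str, prompt: str,
                           generated_code: str, model: str, token_count: int, outcome: str):
    """Returns None (nothing is written) unless the account has consented;
    otherwise a scrubbed, capped row ready to persist."""
    if not consent_enabled:
        return None
    return TrainingEvent(account_id, cap_field(scrub_pii(prompt)),
                         cap_field(scrub_pii(generated_code)), model, token_count, outcome)


def export_row(event: TrainingEvent, pepper: bytes = HASH_PEPPER) -> dict:
    """Export view: the raw account ID never leaves; only the keyed hash does."""
    row = asdict(event)
    row["account_hash"] = pseudonymise_account_id(row.pop("account_id"), pepper)
    return row


# Constructed sample input; every secret in it is made up.
SAMPLE_PROMPT = ("Add a login form. Use my test key sk_test_abcdefghijklmnop and email "
                 "dev@example.com; the fallback card is 4111 1111 1111 1111 and support "
                 "line +1 415-555-0199. Fetch https://api.example.com/v1/items?page=2&api_key=SECRET123 "
                 "with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnop")
SAMPLE_CODE = 'const client = new OpenAI({ apiKey: "sk-proj-ABCDEFGHIJKLMNOPQRSTUV" });\n'

if __name__ == "__main__":
    event = capture_training_event(True, "acct_42", SAMPLE_PROMPT, SAMPLE_CODE,
                                   "model-x", 123, "build_pass")
    print(export_row(event))
```

Run as a script it prints the export view of one scrubbed event: the card, phone, email, key and bearer token are replaced by labels, the URL keeps its path and harmless parameters but loses the api_key value, and the account_id field is gone in favour of account_hash.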
3.2 Automated decision-making
The build agent is an automated system: it reads your prompt and writes code without a human in the loop. We do not consider this “automated decision-making producing legal or similarly significant effects” under GDPR Article 22, because the output is editable code that you review before shipping — you are always the human in the loop on what reaches your users. If you disagree, you have the right to ask for a human review of any specific build by emailing [email protected].
4. Sharing of information
Nova8 does not sell your personal information. We share information only with the limited set of vendors that help us run the Services, and only to the extent each vendor needs to do its job:
| Vendor | What we share | Why |
|---|---|---|
| Stripe, Inc. | Email, name, billing token | Process subscription payments and one-time top-ups. |
| Cloud hosting and infrastructure providers | Encrypted database contents, encrypted file storage, request logs | Run the application servers, store project files, and host the dashboard. |
| AI model providers (under contract) | Build prompts and project file context relevant to the current request | Generate the code your app is built from. These providers are contractually prohibited from training on your data. |
| Email delivery provider | Email address and message body | Send verification emails, password resets, billing receipts, and support replies. |
| Google Cloud KMS | Encrypted data-encryption keys (never the underlying secrets in plaintext) | Envelope-encrypt the API keys and credentials you connect to your projects. |
| Third-party services you connect yourself (e.g. RevenueCat, Apple, your own OpenAI or Stripe keys for your generated app) | Whatever the service requires — controlled by you | You explicitly opted in by connecting them. Each is governed by that vendor’s own privacy policy. |
We may also disclose information when required by law, when responding to a valid legal process, when defending our legal rights, or in connection with a merger, acquisition, or sale of assets — in which case we will require any successor entity to honour this Privacy Policy or notify you of any material change.
5. Data retention
- Account data is retained for as long as your account is active.
- Project content (code, prompts, chat history, uploads) is retained for as long as the project exists in your account.
- Backups may persist deleted data for up to 35 days before being permanently overwritten.
- Billing and tax records are retained for at least 7 years to comply with US tax law.
- Server logs with IP addresses and request paths are retained for up to 90 days.
- When you delete your account, we delete or irreversibly anonymise all of the above other than billing and tax records, which we are legally required to keep.
6. Your rights
Regardless of where you live, you have the following rights with respect to your personal information held by Nova8:
- Access. You can request a copy of the personal data we hold about you.
- Correction. You can update your name, email, and other profile details directly from your account settings, or ask us to correct anything you cannot edit yourself.
- Deletion. You can delete your account from your account settings at any time. You can also email us at [email protected] and we will action the deletion within 30 days.
- Export. You can download every project you have built (code, assets, chat history) at any time from the project workspace.
- Object / restrict. You can ask us to stop processing your data for any non-essential purpose (such as product analytics) by emailing us.
- Withdraw consent. Where we rely on your consent (for example, to send you product newsletters), you can withdraw it at any time without affecting any processing already done.
- Lodge a complaint. If you are in the European Economic Area, the United Kingdom, or another jurisdiction with a data-protection authority, you have the right to complain to that authority. We would prefer the chance to fix things first — please email us before filing.
To exercise any of these rights, email [email protected]. We will verify your identity by sending a confirmation email to the address on file before acting on the request.
7. Rights for residents of California (CCPA / CPRA)
If you live in California, you have all the rights described in Section 6, plus the right to know the specific categories of personal information we collect, the right to know whether we sell or share your information (we do not sell, and we do not “share” for cross-context behavioural advertising), and the right to non-discrimination for exercising these rights. We will never charge you a different price or give you a degraded service because you exercised a privacy right.
8. Rights for residents of the EEA, the UK, and Switzerland (GDPR / UK GDPR)
If you live in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing your data are: (a) contract — we need to process your data to deliver the Services you signed up for; (b) legitimate interests — for product analytics, security, and abuse prevention, balanced against your privacy rights; (c) consent — for optional marketing emails or non-essential cookies, where you have explicitly opted in; and (d) legal obligation — for tax records, KYC, and lawful requests. Where we transfer personal data out of the EEA/UK to the United States, we rely on the European Commission’s Standard Contractual Clauses with our sub-processors and we apply additional safeguards (encryption in transit and at rest, access controls, and minimum-necessary disclosure).
9. Children’s privacy
Nova8 is not directed to children, and we do not knowingly collect personal information from anyone under the age of 13. If you believe we have inadvertently collected information from a child under 13, please contact us at [email protected] and we will delete it promptly.
10. Security
We protect your data with industry-standard practices: TLS 1.2+ for all data in transit, AES-256 for data at rest, bcrypt for password storage, envelope encryption with Google Cloud KMS for sensitive secrets, principle-of-least-privilege access controls for our staff, audit logs on every privileged action, and rate-limiting plus input validation on every endpoint. No system is perfectly secure, but we treat your data as if it were our own.
10.1 If something goes wrong: data-breach notification
If we ever discover a personal-data breach that creates a meaningful risk to your rights, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware (as GDPR Article 33 requires for users in the EEA/UK), and
- Notify you directly by email within 72 hours if your information was meaningfully affected and the law of your jurisdiction requires individual notice (or sooner if applicable state breach laws — e.g. California Civil Code § 1798.82 — impose a shorter window).
The notice will describe, as best we know it at the time, what happened, what data was involved, what we are doing to contain it, and what (if anything) you should do. We will follow up with a more detailed post-mortem once we have one.
11. International users
Nova8 is operated from the United States of America. If you access the Services from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States.
12. Changes to this Policy
We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email (sent to the address on file) and by posting a prominent notice on this page at least 14 days before the change takes effect. Continuing to use the Services after the change takes effect means you accept the updated policy. The “Effective” and “Last updated” dates at the top of this page always reflect the current version.
13. Data Processing Agreements (B2B users)
If you use Nova8 to build apps that handle personal data on behalf of your own customers (for example, you are an agency building an app for a client, or a company building an internal app for your employees), you may be a “controller” under GDPR/UK GDPR or a “business” under CPRA, and Nova8 acts as your “processor” or “service provider” with respect to that data. We make a standard Data Processing Agreement (DPA) available on request — email [email protected] with the subject line DPA Request and we will send you our current DPA, including the EU Standard Contractual Clauses where applicable, to countersign.
14. Contact us
For any privacy question, request, or complaint, email [email protected]. We respond within 7 business days, usually much sooner. If you would prefer to address a request to a named privacy contact, write to “Privacy Team, Apex AI Labs, doing business as Nova8” in the subject line and your message will reach the same inbox.