Norvo

Privacy Policy

Last updated: March 20, 2026

1. Data Controller

The data controller responsible for processing your personal data in connection with the Norvo service is:

  • Business name: Erik Kubica NetLime
  • ICO (Business ID): 48124125
  • Address: Pri starej poste 646/59, 94352 Muzla, Slovakia
  • Registration: Okresny urad Nove Zamky, Registration No. 440-33873
  • Contact: erik.kubica@gmail.com
  • Service URL: https://norvo.pro

2. Data We Collect

We collect only the data necessary to provide the service:

  • Account data: Your name, email address, and a hashed (non-reversible) password. We never store your password in plain text.
  • Project data: Project ideas, chat messages you submit during clarification, and the AI-generated documentation produced from your inputs.
  • Payment data: Payment processing is handled entirely by Stripe. We do not store credit card numbers or full payment details on our servers. We retain only transaction identifiers and subscription status returned by Stripe.
  • Technical data: IP address and basic browser information collected solely for security purposes (e.g. detecting unauthorized access and rate-limiting abuse). We do not use this data for analytics or profiling.

We do not use analytics trackers, advertising pixels, or any third-party tracking technologies. We use only essential session and authentication cookies required for the service to function.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing your account data and project data is necessary to provide you with the Norvo service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): We process technical data (IP address, browser information) to protect the security of the service, prevent fraud, and enforce our terms of service. We may also derive aggregated, anonymized statistics from usage patterns (e.g., trends in project types or technology preferences). Such statistics never contain personally identifiable information or content traceable to any individual user. This interest does not override your rights.
  • Consent (Art. 6(1)(a)): Where we send optional communications (e.g. product updates or announcements beyond transactional notices), we will ask for your explicit consent, which you may withdraw at any time.

4. Third-Party Processors

We share data with the following third-party processors solely to operate the service. We never sell, share, or disclose your individual project content to third parties. We may publish aggregated, anonymized statistics derived from usage patterns, but these will never be traceable to any individual user or project.

  • OpenRouter (AI generation): Your project ideas and chat messages are transmitted to OpenRouter for AI processing in order to generate documentation. OpenRouter routes requests to AI model providers (such as Google Gemini). Please review OpenRouter's privacy policy for details on their data handling.
  • Stripe (payments): Payment information is processed directly by Stripe, Inc. We share only the minimum necessary data (e.g. email for receipts) to facilitate billing. Stripe is a certified PCI DSS Level 1 service provider.
  • Hosting provider (infrastructure): Our servers and database are hosted by a third-party infrastructure provider. All data stored on our servers is subject to the provider's data processing agreement.

5. International Data Transfers

Some of our third-party processors (including OpenRouter and AI model providers) may process your data outside the European Economic Area (EEA). Where such transfers occur, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) to ensure your data receives an equivalent level of protection as required by GDPR Chapter V.

6. Data Retention

  • Account data: Retained for as long as your account is active. When you delete your account, your personal data (name, email, and any other identifying information) is anonymized in accordance with GDPR — we replace it with anonymized placeholders so that no data can be traced back to you.
  • Project data: Deleted together with your account upon account deletion.
  • Technical logs: Retained for a limited period for security purposes, then purged.
  • Payment records: Retained as required by applicable accounting and tax laws.

7. Security Measures

We apply the following technical and organizational measures to protect your personal data:

  • All data in transit is encrypted using TLS (HTTPS).
  • Passwords are stored as one-way cryptographic hashes — we cannot recover your password.
  • Access to production systems and personal data is restricted to authorized personnel only.
  • Authentication uses short-lived JWT tokens stored in HTTP-only cookies, mitigating XSS-based token theft.

8. Your GDPR Rights

As a data subject under GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your account and personal data. We will anonymize your PII upon account deletion.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Request a machine-readable export of personal data you provided to us.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including direct marketing.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Slovak supervisory authority: Urad na ochranu osobnych udajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic), Hranicna 12, 820 07 Bratislava, Slovakia — www.dataprotection.gov.sk.

To exercise any of these rights, contact us at erik.kubica@gmail.com. We will respond within 30 days.

9. Cookies

We use only essential cookies necessary for the service to function: a session authentication cookie (HTTP-only JWT token) that keeps you logged in. We do not use analytics cookies, advertising cookies, or any non-essential tracking. No cookie consent banner is required because we use only strictly necessary cookies.

10. Children

Norvo is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For any questions about this Privacy Policy or to submit a data subject request, please contact us at erik.kubica@gmail.com.