Novafy AI
Legal

Privacy Policy

Last updated: 2 June 2026

Novafy AI (“we”, “us”, or “our”) is committed to protecting your privacy. This policy explains what data we collect, how we use it, who we share it with, and what rights you have — in compliance with the Protection of Personal Information Act (POPIA) of South Africa, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

1. Overview

Novafy AI provides an AI-powered customer support chatbot platform. When you use our services — whether as a business operator (subscriber) or as an end-user interacting with a chatbot deployed by one of our customers — we process certain personal data.

Data Controller: Novafy AI, novafy.co.za, South Africa.
Contact: thandoxsndlovu@gmail.com

By using our platform, you agree to the collection and use of information described in this policy. If you do not agree, please discontinue use of our services.

2. Data We Collect

2.1 Account & Operator Data

When you create a Novafy AI account or organisation, we collect:

  • Name and email address
  • Organisation name
  • Billing information (processed by PayPal — we do not store card numbers)
  • Subscription plan and payment history
  • Authentication credentials (managed by Clerk — we do not store raw passwords)

2.2 Widget Configuration Data

When you configure your chatbot widget, we store:

  • Greeting messages and default suggestions you set
  • Brand settings and customisation preferences
  • API keys for third-party integrations (e.g. Vapi) — stored encrypted

2.3 Knowledge Base Data

Documents, text, URLs, and other content you upload to train your chatbot. This content is stored securely and used solely to power your chatbot's responses. It is processed using embeddings (Voyage AI) and retrieved using RAG technology.

2.4 Conversation Data (End-User Data)

When a visitor interacts with a chatbot you have deployed, we collect:

  • Name and email address provided by the visitor during contact intake
  • The full text of the conversation between the visitor and the AI
  • Session metadata: browser type, operating system, screen resolution, timezone, referrer URL, and the URL of the page where the chatbot was accessed
  • Session ID and expiry timestamp

As a Novafy AI customer deploying a chatbot on your website, you are the data controller for conversation data collected from your website visitors, and we act as your data processor. You are responsible for informing your own users that a chatbot is present and may collect their data.

2.5 Usage and Analytics Data

  • Dashboard activity and feature usage
  • Conversation volume and resolution metrics
  • Error logs and performance data

3. How We Use Your Data

We use the data collected for the following purposes:

PurposeLawful Basis (GDPR)POPIA Condition
Provide and operate the Novafy AI platformContract performanceContractual necessity
Process subscription payments via PayPalContract performanceContractual necessity
Authenticate users via ClerkContract performanceContractual necessity
Generate AI responses using your knowledge baseContract performanceContractual necessity
Send transactional emails (billing receipts, alerts)Contract performance / Legitimate interestsContractual necessity
Improve and develop our services (aggregated, anonymised)Legitimate interestsLegitimate interest
Comply with legal obligationsLegal obligationLegal obligation
Prevent fraud and ensure securityLegitimate interestsLegitimate interest

We do not sell your personal data to third parties. We do not use conversation data to train AI models beyond what is necessary to fulfil your specific service requests.

4. Third-Party Services

We use trusted third-party providers to operate our platform. Each processes data as necessary to deliver their service:

4.1 Clerk (Authentication)

Purpose: User authentication, session management, and organisation management.
Data shared: Email address, name, and authentication tokens.
Location: United States. Clerk complies with GDPR via Standard Contractual Clauses.
Privacy policy: clerk.com/legal/privacy

4.2 Convex (Database & Backend)

Purpose: Storing conversation data, widget settings, subscriptions, contact sessions, and knowledge base embeddings.
Data shared: All platform data (operator accounts, widget configurations, conversation logs, contact session data).
Location: United States (AWS). Convex complies with GDPR via Standard Contractual Clauses.
Privacy policy: convex.dev/legal/privacy

4.3 PayPal (Payments)

Purpose: Processing subscription payments and billing.
Data shared: Name, email, billing amount, subscription plan. PayPal manages all payment card data — we never receive or store card numbers.
Location: United States / Luxembourg.
Privacy policy: paypal.com privacy policy

4.4 Groq (AI Inference)

Purpose: Processing conversation prompts and generating AI responses using large language models.
Data shared: The text of user queries and relevant knowledge base excerpts. Data is transmitted securely and not used to train Groq's models.
Location: United States.
Privacy policy: groq.com/privacy-policy

4.5 Voyage AI (Embeddings)

Purpose: Converting knowledge base documents into vector embeddings for semantic search (RAG).
Data shared: Text content from your uploaded knowledge base documents.
Location: United States.
Privacy policy: voyageai.com

4.6 Vapi (Voice AI — optional)

Purpose: Providing voice agent capabilities when enabled by the operator.
Data shared: Voice assistant configuration and API credentials stored encrypted.
Privacy policy: vapi.ai/privacy

5. Data Storage & Security

All data is stored in Convex, hosted on Amazon Web Services (AWS) infrastructure in the United States. We implement the following security measures:

  • All data transmitted over HTTPS / TLS 1.2+
  • API keys and secrets stored with encryption at rest
  • Authentication managed by Clerk with industry-standard session security
  • Role-based access controls — operators can only access data within their own organisation
  • Contact session data isolated per organisation with automatic expiry
  • No raw passwords stored — Clerk manages credential security

While we implement strong security measures, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you in accordance with POPIA and GDPR requirements (within 72 hours for GDPR-covered incidents).

6. Data Retention

Data TypeRetention Period
Account and operator dataDuration of subscription + 90 days after cancellation
Conversation dataDuration of subscription + 90 days after cancellation
Contact session data24 hours (sessions auto-expire); conversation logs persist with operator account
Knowledge base documentsUntil deleted by operator or account closure
Billing records7 years (legal and tax compliance requirement)
Error and audit logs90 days

On account closure, we will delete or anonymise your data within 90 days, except where retention is required by law (e.g. billing records for tax purposes).

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under GDPR:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — Request deletion of your personal data where we have no legal grounds to retain it.
  • Right to data portability — Receive your data in a structured, machine-readable format.
  • Right to restriction — Request that we restrict processing of your data in certain circumstances.
  • Right to object — Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at thandoxsndlovu@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Your Rights Under POPIA (South Africa)

As a South African business, we comply with the Protection of Personal Information Act 4 of 2013 (POPIA). South African data subjects have the following rights:

  • Right to access — Request confirmation of whether we hold your personal information and receive a copy.
  • Right to correction or deletion — Request that inaccurate, irrelevant, or outdated information be corrected or deleted.
  • Right to object — Object to the processing of your personal information on reasonable grounds.
  • Right to complain — Lodge a complaint with the Information Regulator of South Africa if you believe we have violated POPIA.

Information Officer: The responsible party for POPIA compliance is the operator of Novafy AI. Contact: thandoxsndlovu@gmail.com

Information Regulator of South Africa: justice.gov.za/inforeg

9. Cookies & Tracking

We use a minimal set of cookies and local storage:

  • Authentication cookies (Clerk) — Required to maintain your login session. These are strictly necessary and cannot be disabled.
  • Session tokens (Novafy widget) — The embedded chatbot widget stores a contact session ID in localStorage to persist conversations across page loads within the same domain. This expires after 24 hours.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

10. Children's Privacy

Our services are not directed at children under the age of 13 (or 16 in certain jurisdictions under GDPR). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us immediately at thandoxsndlovu@gmail.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active subscribers of material changes by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after a change constitutes acceptance of the updated policy.

12. Contact Us

For any privacy-related questions, data subject requests, or complaints:

Terms of Service →Contact Us →Pricing →