Nuave ("we") is committed to protecting your privacy in accordance with Law Number 27 of 2022 on Personal Data Protection (PDP Law) of the Republic of Indonesia. This policy explains how we collect, use, store, and protect your personal data when you use the Nuave service at https://nuave.ai.
By using our service, you agree to the practices described in this Privacy Policy.
1. Personal Data We Collect
We collect the following categories of data:
1.1 Identity & Account Data
| Full name | Provided via Google OAuth during registration |
| Email address | Provided via Google OAuth during registration |
| User ID | Automatically generated by our system (Supabase Auth) |
1.2 Business Data (User Input)
| Brand name | Entered by the user for AEO audit purposes |
| Website URL | Entered by the user; used for public content scraping |
| Business profile information | Company overview, product differentiation, competitors — AI-generated from public website content |
1.3 Service Usage Data
| Audit results | AI responses from GPT-4o, visibility scores, competitor analysis |
| Credit transaction history | Credit purchases, credit usage, balance |
| Activity logs | Audit timestamps, types of actions performed |
1.4 Technical Data
| Session data | Authentication tokens (stored in httpOnly cookies) |
| IP address | For rate limiting and system security purposes |
Note: We do not collect sensitive data such as national ID numbers, health data, biometric data, sexual orientation, political views, or financial data (credit cards are processed directly by Stripe and never touch our servers).
2. Legal Basis for Data Processing
In accordance with Article 20 of the PDP Law, we process your personal data based on:
Consent (Article 20 letter a): You provide explicit consent when registering and using our service.
Contract Performance (Article 20 letter b): Processing is necessary to provide the AEO audit service you requested.
Legitimate Interest (Article 20 letter f): For system security, fraud prevention, and service quality improvement.
3. Purpose of Data Use
We use your data to:
Provide and operate the AEO audit service (sending prompts to GPT-4o, analyzing AI responses, calculating Visibility Score)
Authenticate your identity and manage your account
Manage credit balances and process payment transactions
Generate content recommendations and blog articles using Claude AI
Improve the accuracy and quality of our service
Fulfill legal obligations and prevent service abuse
Send service-related notifications (not marketing without consent)
4. Third Parties & Cross-Border Data Transfer
In accordance with Article 56 of the PDP Law, we inform you that your data is processed by the following third-party service providers:
| Provider | Purpose | Server Location | Data Sent |
|---|---|---|---|
| Supabase | Database & authentication | Singapore (AWS ap-southeast-1) | Email, name, audit data, credit history |
| OpenAI (GPT-4o) | AI prompt simulation | United States | Generated prompt text (no PII) |
| Anthropic (Claude) | Website scraping, analysis, recommendations | United States | Public website URLs, public content text |
| Stripe | Payment processing | United States | Email, transaction history (card data never touches our servers) |
| Vercel | Web application hosting | United States / Global Edge | HTTP requests, access logs |
5. Data Retention & Deletion
| User account data | While account is active + 30 days after account deletion |
| Audit results (with account) | While account is active |
| Anonymous audits (no account) | 48 hours — automatically deleted |
| Credit transaction history | 5 years (Indonesian tax law obligation) |
| Security / access logs | 90 days |
6. Your Rights as a Data Subject
In accordance with Articles 5-16 of the PDP Law, you have the following rights:
Right to Access
Request a copy of your personal data that we store.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ('right to be forgotten').
Right to Restrict
Request restriction of the processing of your data under certain conditions.
Right to Portability
Receive your data in a machine-readable format.
Right to Object
Object to data processing for specific purposes including marketing.
Right to Withdraw Consent
Withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint
Lodge a complaint with us or with the Personal Data Protection Authority.
To exercise any of the above rights, send a request to hello@nuave.ai. We will respond within 14 business days.
7. Data Security
We implement appropriate technical and organizational security measures, including:
Data encryption in transit using TLS/HTTPS
Authentication tokens stored in httpOnly cookies (not accessible by JavaScript)
Row Level Security (RLS) in Supabase — each user can only access their own data
AI API keys (OpenAI, Anthropic) stored server-side only, never exposed to the browser
Rate limiting on critical endpoints to prevent abuse
Stripe keys verified via webhook signature for every transaction
8. Cookies & Local Storage
We use cookies necessary for authentication functionality:
| Supabase session cookie | httpOnly, Secure — maintains your login status — until logout |
| Browser sessionStorage | Client-side only — temporarily stores brand & URL before login — deleted when tab closes |
We do not use third-party analytics cookies or cross-site trackers on authenticated pages.
9. Protection of Minors
Nuave's Service is intended for users aged 18 years and older. We do not knowingly collect personal data from minors. If you become aware that someone under 18 has registered, please contact us at hello@nuave.ai.
10. Changes to Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect.
11. Contact Us
For questions, data subject rights requests, or privacy-related complaints: