Privacy Policy

Last updated: May 20, 2026

1. Introduction

Norvius (“the Service”) is operated by Christian Pastor d/b/a Norvius (“we,” “us,” “our”). This Privacy Policy explains what data we collect, how we store and protect it, who we share it with, and what rights you have over it.

By using the Service, you agree to the practices described in this policy. If you do not agree, do not use the Service.

2. Data We Collect

We collect only what is necessary to provide and improve the Service:

  • Account information. Your name, email address, and password when you create an account. If you join a team, your role within that team.
  • Connected data source content. When you connect a business tool (such as Shopify, QuickBooks, or Google Sheets), we access and store data from that tool as needed to run your queries and automations. You choose which tools to connect and can disconnect them at any time.
  • Chat queries and automation configuration. The natural language questions you ask and the automations you create, including their schedules and settings.
  • Payment information. Billing details are collected and processed by Stripe. We do not store your credit card number, CVV, or full payment credentials on our servers.
  • Usage analytics. We use Plausible Analytics, a privacy-focused, cookieless analytics service. Plausible does not use cookies, does not collect personal data, and does not track you across sites. We see aggregate page views and referral sources only.

We do not use tracking cookies, fingerprinting, or any cross-site tracking technology.

3. How We Store and Protect Your Data

Your data is stored in Supabase (built on PostgreSQL) with multiple layers of protection:

  • Encryption at rest and in transit. All data is encrypted at rest using AES-256 encryption. All connections use TLS encryption in transit.
  • Tenant isolation. Every database query is enforced through Row-Level Security (RLS) policies that isolate your data from other customers. Your data is never accessible to other accounts.
  • Credential encryption. OAuth tokens and API keys for your connected tools are encrypted with AES-256 via pgcrypto and are decrypted only at the moment they are needed to execute a query. They are never exposed to the AI processing layer.

4. Third-Party Services

We share data with the following third-party services only as necessary to operate the Service:

  • Anthropic (Claude API).Your chat queries and relevant data context are sent to Anthropic's Claude API for AI processing. Anthropic does not use your data to train their models when accessed via their API. Credentials and secrets are never sent to the AI layer.
  • Stripe.Handles payment processing and subscription management. Stripe's privacy policy governs their handling of your payment data.
  • Resend. Sends transactional emails (notifications, alerts, password resets) from notifications@norvius.com. Resend receives your email address and the content of the notification.
  • Plausible Analytics. Collects anonymous, aggregate website usage data. No personal data is collected or stored by Plausible. No cookies are used.
  • Sentry. Collects error reports and performance data to help us identify and fix issues. Error reports may include technical context but never include your business data or credentials.

We do not sell, rent, or trade your data to any third party. We do not use your data for advertising.

5. AI-Generated Content and Your Data

When you ask questions or create automations, relevant portions of your connected data are processed by AI to generate responses. All AI-generated outputs are observational descriptions of what the data shows and do not constitute business, financial, or legal advice.

We may extract anonymized, structural patterns from automations (such as “monitor inventory levels weekly”) to improve our template library. These patterns never contain your actual data values, account information, or anything that could identify you or your business.

6. Data Retention

We retain your data for as long as your account is active and as needed to provide the Service. Specifically:

  • Account data is retained while your account is active.
  • Connected data source content is retained while the data source is connected and your account is active.
  • Chat history and automation logs are retained while your account is active.
  • On account closure, all your data is permanently deleted within 30 days. This includes account information, connected data, chat history, automations, and all associated records.

7. Your Rights

Regardless of where you are located, you have the following rights over your data:

  • Access. You can view all data associated with your account at any time through the Service.
  • Export. You can export your data at any time from Settings → Data Export.
  • Deletion. You can request deletion of your account and all associated data by contacting us. Deletion is completed within 30 days.
  • Correction. You can update your account information at any time through your profile settings.
  • Disconnect. You can disconnect any connected data source at any time. When disconnected, stored data from that source is deleted.

8. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know what personal information we collect and how it is used (described in this policy).
  • Right to delete your personal information (see Section 7).
  • Right to opt out of sale. We do not sell your personal information to third parties. There is nothing to opt out of.
  • Right to non-discrimination. We will not treat you differently for exercising your privacy rights.

9. European Users (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides additional protections:

  • Legal basis. We process your data based on your consent (when you create an account and connect data sources) and our legitimate interest in providing and improving the Service.
  • Data portability. You can export your data in a machine-readable format at any time (see Section 7).
  • Right to object. You can object to certain processing by contacting us.
  • Data transfers. Your data is stored on servers in the United States. By using the Service, you consent to this transfer.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

Questions about this policy or your data? Contact us at notifications@norvius.com or visit our contact page.