Privacy Policy

The data controller responsible for the processing of personal data on this website and within the NuvoraSync application is:

This Privacy Policy explains how NuvoraSync ("we", "us", "our") collects, uses, stores and shares your personal data when you visit nuvora-app.com or use the NuvoraSync application. It applies to personal data processed in the context of providing the service. Third-party websites linked from NuvoraSync have their own privacy policies; we are not responsible for their content.

The categories of personal data we process include:

• Account data. Email address, password (stored as a salted hash by our authentication provider), profile information you provide voluntarily (name, time zone, bio, trading experience), and any optional second-factor authentication credentials (TOTP factors).
• Trading data. Information about the trading accounts you connect: broker name, account number, trading-server hostname, base currency, balance and equity, individual trades, open positions, account transactions, daily metrics and synchronisation events. We do not receive or store the login credentials of your broker account.
• User-generated content. Custom dashboards, EA strategy groups and rules, notification templates, and any suggestions, attachments or messages you submit through the feedback feature.
• Communication preferences. Notification settings and, if you choose to enable Telegram notifications, your Telegram chat identifier and the metadata required to deliver messages to that chat.
• API tokens. A unique token that the NuvoraSync MT5 Expert Advisor uses to push trade data into your account. Tokens are stored hashed where the implementation allows.
• Technical data. IP address, user-agent string, request timestamps and other technical metadata generated when you access our services, primarily for security, abuse prevention and operational logging by our hosting and authentication providers.
• Cookies. A small number of strictly necessary cookies: session cookies set by our authentication provider (Supabase) to keep you signed in, your saved preferences (e.g. the "Keep me signed in" marker) and the cookie that records your cookie-consent choice. Optional analytics cookies are used only if you accept them; we do not use advertising cookies.

We process the data above for the following purposes. Where applicable, the legal basis under Article 6(1) of the EU General Data Protection Regulation (GDPR) is indicated.

• Service provision (Art. 6(1)(b) GDPR). To create and maintain your account, sync and display your trading data, run analytics, allow you to manage strategies and dashboards, and respond to support requests.
• Security and abuse prevention (Art. 6(1)(f) GDPR). To protect accounts (e.g. via password hashing, optional two-factor authentication, rate-limiting at the infrastructure layer) and to detect or prevent fraudulent use of the service. Our legitimate interest is the integrity and security of the service for all users.
• Communication (Art. 6(1)(b) and 6(1)(a) GDPR). Transactional messages such as password resets are sent on the basis of contract performance. Telegram notifications are sent only after you actively connect a Telegram account, which constitutes consent that you can withdraw at any time from your settings.
• Compliance with legal obligations (Art. 6(1)(c) GDPR). Where applicable for tax, accounting or other regulatory obligations under German law.
• Service improvement (Art. 6(1)(f) GDPR). Aggregated, non-identifying operational metrics to understand load and reliability. We do not currently operate user-behaviour analytics on the application.

We rely on the following processors and infrastructure providers. They process personal data on our behalf under written data-processing agreements and are bound by their own privacy policies and security standards.

• Supabase (database, auth, storage). Stores account data, authentication and session data, your trading data (accounts, trades, positions, transactions, metrics), user preferences and any files you upload. Hosts the PostgreSQL database, authentication system and file storage behind the application.
• Vercel (hosting). Hosts the NuvoraSync web application and its edge functions and receives standard request metadata — IP address, user agent and request timestamps — together with operational and runtime logs.
• Vercel Speed Insights. Receives anonymous performance telemetry (Core Web Vitals and route timing) used to monitor and improve page performance. It does not receive your trading data, account identifiers or report contents.
• Paddle (Merchant of Record). Acts as Merchant of Record for paid subscriptions: Paddle is the seller of record and processes your billing and customer details, subscription and payment metadata, invoices and the tax/VAT data required to bill you. Card and payment data are handled by Paddle and are not stored by NuvoraSync.
• Resend (email). Delivers transactional emails (e.g. password-reset links and account notifications) and receives the recipient address and the content and metadata of each transactional message.
• Telegram (Telegram Messenger Inc.). Used only if you connect Telegram notifications. Telegram receives the chat identifier you connected, the contents of the notifications we send and the related delivery metadata.
• Google Analytics / Google Tag (only with your consent). Loaded only after you accept analytics cookies. Receives page views, sanitised route paths and device/browser metadata to measure product usage. It never receives your trading data, raw account identifiers or report contents.
• Your broker / MT5 terminal. When you connect AutoSync, the NuvoraSync MT5 Expert Advisor reads trade data from your terminal and sends it to NuvoraSync over an authenticated API. We do not connect to your broker directly and do not receive your broker login credentials.

A current list of sub-processors (e.g. those used by Supabase or Vercel) is maintained by the respective providers. We do not sell personal data and do not share it beyond what is described here. Any future marketing or advertising pixels (e.g. ad networks) would load only after your consent and only once configured.

Some of our processors may transfer or process personal data outside of the European Economic Area, in particular in the United States. Where such transfers occur we rely on appropriate safeguards under Articles 44 to 49 GDPR, including the European Commission's Standard Contractual Clauses or — where applicable — the EU–US Data Privacy Framework certification of the relevant processor.

We retain personal data only for as long as we have a legitimate purpose to do so. In particular:

• Account and trading data. Retained for the lifetime of your account. When you delete your account from Settings → Danger Zone, the underlying records are removed from our application database in the same request. See section 9 for details.
• Operational and security logs. Retained by our hosting providers for short rolling periods (typically days to weeks) for security and troubleshooting purposes.
• Backup snapshots. Database backups may continue to contain previously deleted data until the backup is rotated out, normally within a few weeks.
• Legal obligations. Where retention is required by applicable law (for example tax or accounting law in Germany) we retain only the minimum data necessary to comply for the period required.

Subject to the conditions set out in the GDPR, you have the following rights with respect to your personal data:

• Right of access (Art. 15). You may ask us to confirm whether we process personal data about you and, if so, to provide a copy.
• Right to rectification (Art. 16). You may ask us to correct inaccurate personal data.
• Right to erasure (Art. 17). You may ask us to delete your personal data. For most data you can do this directly from Settings → Danger Zone in the application.
• Right to restriction of processing (Art. 18). You may ask us to restrict processing in specific circumstances.
• Right to data portability (Art. 20). You may ask us to provide your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
• Right to object (Art. 21). Where processing is based on our legitimate interests, you may object to it on grounds relating to your particular situation.
• Right to withdraw consent (Art. 7). Where processing is based on your consent (e.g. Telegram notifications), you may withdraw consent at any time without affecting the lawfulness of processing carried out beforehand.
• Right to lodge a complaint. You may lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement.

To exercise any of the above rights, please contact us at support@nuvora-app.com. We may need to verify your identity before responding to ensure that data is not disclosed to the wrong person.

You can delete your account at any time from Settings → Danger Zone in the application. Deletion removes all of the following in a single transaction: your trading accounts and their connections, all trades, open positions, transactions, daily metrics and synchronisation events; EA strategies, custom dashboards and analytics state; notification settings, Telegram link, notification templates and delivery log; suggestions, attachments and conversation history; API tokens; and saved preferences. After application data has been removed, the underlying authentication record is also deleted and you will be signed out.

Backup snapshots may continue to contain previously deleted data until the backup is rotated out, normally within a few weeks. After that period, no live copy of your account data remains.

NuvoraSync uses cookies and similar device storage in three categories. Necessary cookies are always active; optional categories are only used with your consent.

• Necessary. Required for authentication (Supabase session cookies), security, session management, your saved preferences (e.g. the "Keep me signed in" marker), and core app functionality. The cookie that records your consent choice itself also falls into this category.
• Analytics. Optional. Help us understand product usage and improve NuvoraSync. We currently do not load analytics scripts; this category is reserved for future use and is only activated with your consent.
• Marketing. Optional. Help measure campaigns and improve ad relevance. We currently do not load marketing scripts; this category is reserved for future use and is only activated with your consent.

You can change your preferences at any time on our Cookie Preferences page. Withdrawing consent does not affect the lawfulness of processing carried out beforehand.

We apply technical and organisational measures appropriate to the risk of processing, including transport encryption (TLS) for all traffic, password hashing, optional two-factor authentication, row-level access controls in our database, and the use of established hosting providers with their own certifications. No system can guarantee absolute security; please contact us at support@nuvora-app.com if you suspect any security issue.

The NuvoraSync service is not directed to children under the age of 18 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so that we can delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices, technical setup or applicable law. The "Last updated" date at the top of the page indicates when the most recent change was made. Material changes will be communicated through the application or by email where appropriate.

For any questions about this Privacy Policy or the processing of your personal data, please contact us at support@nuvora-app.com.