Data Protection
Effective Date: 19-01-2026
1. Introduction
Welcome! You have clicked on the Data Protection Policy of Nova Finance AI BV, a private limited liability company (besloten vennootschap) incorporated under the laws of the Netherlands ("{Company's Name}", "we", "us", "our").
We take data protection seriously and this document outlines how we safeguard personal data, financial data, and confidential business information processed within our AI platform. We are committed to protecting customer data in accordance with the GDPR (EU 2016/679) and applicable Dutch law.
Primary data processing takes place within the European Economic Area (EEA).
2. Subject and Scope
This policy applies to the processing of personal data by our Company as Data Processor in the course of providing its services under a customer agreement. In the event of discrepancies between provisions of this policy and provisions of the customer agreement, the provisions of this policy shall prevail.
Customers act as Data Controllers. A Data Processing Agreement (DPA) between the Data Controller and the Data Processor is formalized upon entering into a customer agreement.
3. Categories of Data Processed
Processing operations may include, without limitation: collection, recording, organisation and structuring; storage and hosting; analysis, classification and enrichment using AI models; reconciliation, validation and anomaly detection; reporting and audit support; and deletion or anonymisation.
Processing is necessary to provide our Services, as described in our Terms & Conditions. The categories of data subjects comprise the employees (internal and external) of the Data Controller, the customers and suppliers of the Data Controller, and the authorized users of the Data Controller's platform.
The types of personal data include identification data (e.g. name, email address, function or role); financial data (e.g. invoice data, bank transaction references); business contact details; and usage and log data. Processing of special categories of personal data is not intended. If such data is processed incidentally, it shall be subject to appropriate safeguards.
3.1 Data Storage Clarification
Customer source data primarily remains within customer systems. Operational data required for service delivery, processing results, logs, and configuration data may be securely stored within our Supabase-hosted infrastructure.
4. Security Measures
The Data Processor shall not be permitted to use the personal data for its own purposes. The Data Processor has implemented the following technical and organizational security measures.
4.1 Access Control
Our access control measures ensure that only authorized individuals can access our systems and data. Through authentication and authorization measures such as Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA) and regular access reviews, access is restricted to authorized individuals. Access is always granted according to the least-privilege principle. Access is revoked within 24 hours upon termination or role change of previously authorized individuals.
4.2 Encryption
Our security controls ensure that data is protected, remains confidential, retains its integrity and remains available when required. Data in transit across networks and between application services and databases is encrypted using TLS. Data at rest is encrypted using platform-managed encryption provided by Supabase infrastructure controls.
4.3 Infrastructure Security
Test and production environments are isolated from each other. Test data consists of dummy data, not actual customer data. Customer data remains on the servers and applications of our customers and is not stored on the Data Processor's infrastructure. Our infrastructure is hosted on Supabase-managed cloud services. We rely on built-in security controls, including database isolation, row-level security (RLS), access policies, managed encryption and platform security controls.
Network protection and monitoring are supported through Supabase monitoring, database audit logs, query auditing, and automated security advisor tooling. Suspicious access patterns and anomalies are reviewed.
4.4 Change Management
The development of our platform and features is logged daily and monitored periodically. Code review and testing procedures are in place prior to deploying new features into production. Continuous deployment pipelines include controlled releases and rollback capability. We use AI-assisted and automated code quality and security reviews through GitHub Copilot and pull request workflows.
4.5 Monitoring and Logging
All administrative access to our test and production environments is logged. We actively monitor and log any issues arising from the applications and systems used to provide our services. We also actively monitor key infrastructure metrics to ensure our services remain stable for ongoing use.
4.6 Business Continuity
Back-up & recovery measures are in place for business continuity through Supabase managed back-up features. Back-up integrity is periodically verified to ensure that data can be restored if needed. Incident reports and documented alerts for unusual or unauthorized access attempts and system failures are reviewed continuously. Follow-up actions (detection, containment, investigation, remediation and post-incident review) are planned to mitigate incidents.
In the event of a personal data breach, customers are notified within 48 hours and provided with relevant information to meet regulatory obligations.
4.7 Secure Development Practices
We apply secure development lifecycle practices including peer review, automated checks, and AI-assisted code quality and security recommendations. Production changes require review before release.
5. AI & Automated Processing
Our platform uses AI to support bookkeeping automation, reconciliation, and anomaly detection. AI outputs function as decision-support tools only. No legally binding decisions are made solely through automated processing. Results are reviewable by users and supported by audit trails where applicable. Customer data is not used to train general-purpose AI models unless explicitly agreed in writing. AI-assisted development tools are used only for code quality and security recommendations.
6. Data Subject Rights
We assist customers in responding to data subject requests in accordance with GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
7. Subprocessors
Subprocessors are carefully selected and bound by written agreements aligned with Article 28 GDPR. International data transfers, where applicable, are safeguarded in accordance with Chapter V GDPR. An up-to-date subprocessor list is available upon request.
8. Data Retention & Deletion
Customer data is retained for the duration of the customer agreement and deleted or returned upon termination, unless legal retention obligations apply.
9. Compliance & Continuous Improvement
Our security framework aligns with GDPR requirements and industry best practices inspired by ISO 27001 and SOC 2 principles. We continuously review and improve our security controls.
10. Contact Information
Please send data protection or security inquiries to privacy@nova-finance.ai.