Privacy Policy
Effective date: March 9, 2026
1. Introduction
Sonautic Inc., doing business as Nouvel ("Nouvel," "Company," "we," "us," or "our"), operates the Nouvel platform, accessible at nouvel.ai (marketing site) and app.nouvel.ai (application) (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you visit our website or use our Service.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as the legal basis for processing, we will obtain your explicit consent at the point of data collection.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Identity data: Full name, email address
- Preferences: Timezone, notification preferences (email alerts for published posts, completed generations, weekly analytics, and failed posts)
- Authentication data: Credentials managed by our authentication provider (Supabase Auth); we do not store passwords in plaintext
- Organization data: If you create or join a team, we collect organization name and membership associations
2.2 Payment Information
If you subscribe to a paid plan, our payment processor Stripe collects and processes billing details (payment card numbers, billing address) on our behalf. We do not store full payment card numbers on our servers. We receive and store only: subscription tier, subscription status, and Stripe customer/subscription identifiers.
When you use metered features such as Asset Studio, we also collect and retain per-use generation records — including the AI model used, generation type, resolution, duration, cost, and timestamp — for billing, audit, and dispute-resolution purposes. These records are shared with Stripe as itemized line items on your subscription invoice.
2.3 Brand & Product Data
To generate content, you may provide:
- Business name, description, and website URL
- Target audience descriptions and ideal customer profiles
- Tone of voice, visual style, typography, and brand guidelines
- Color palette and content mode preferences
- Product descriptions, images, and pricing (provided directly or extracted from URLs you provide)
2.4 Connected Social Media Accounts
When you connect social media accounts (Instagram, Facebook, YouTube, TikTok, LinkedIn, Pinterest, Threads, Twitter/X, Reddit), we collect and store:
- Platform identifiers: Platform user ID, username, display name
- Profile data: Avatar URL, follower count
- OAuth tokens: Access tokens and refresh tokens, encrypted at rest using AES-256-GCM (see Section 7)
- Platform metadata: Page IDs, board IDs, channel IDs, and other platform-specific configuration
- Permissions/scopes: The OAuth scopes you granted during connection
OAuth token management and platform connections are facilitated through our integration partner, Late.dev, which handles OAuth flows, token refresh, and platform API interactions on our behalf.
2.5 Generated Content
Videos, scripts, voiceovers, captions, images, and other creative assets produced by the Service are stored in your account. This includes:
- Video generation prompts and visual directions
- Script text and voiceover audio
- Intermediate assets (raw video, lip-synced video, captioned video)
- Final output videos
Generated content is retained until you delete it or close your account.
2.6 Publishing & Analytics Data
When you publish content through the Service, we collect:
- Post data: Captions, scheduled/published timestamps, platform-specific post IDs and URLs
- Performance analytics: Views, likes, comments, shares, saves, clicks, impressions, reach, and engagement rates — fetched periodically from platform APIs using your connected accounts
2.7 Product URL Scraping
When you provide a product URL, we use an automated extraction service (Firecrawl) to retrieve publicly available information from that page, including product title, description, price, and images. This data is used solely to populate your brand profile and generate creative content.
2.8 Ad Intelligence Data
To improve the quality of generated ad creative, we may query third-party ad intelligence databases (Foreplay) using your brand's domain name to retrieve:
- Examples of your brand's existing advertisements
- Competitor ad creative examples, transcripts, and calls-to-action
This data is used in-session to inform AI-generated creative direction and is not permanently stored beyond the generation context.
2.9 Usage & Technical Data
We automatically collect:
- Device data: IP address, browser type, operating system
- Usage data: Pages viewed, referring URLs, timestamps, session information
- Service logs: API request logs, error logs, and generation performance metrics (duration, processing stages)
2.10 Cookies & Similar Technologies
We use a minimal set of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Essential | Authentication session (Supabase) | Session |
| 2FA pending cookie | Essential | Tracks two-factor authentication state | Short-lived |
We do not use analytics cookies, advertising cookies, or third-party tracking pixels. We do not engage in cross-site tracking or behavioral advertising.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
2.11 Webhook Data (Instagram/Meta)
If you connect an Instagram or Facebook account, we may receive real-time data via platform webhooks, including:
- Comments on your published posts (commenter ID, comment text, timestamp)
- Direct messages sent to your connected account (sender ID, message content, timestamp)
- Story and post performance metrics
Webhook payloads are verified using HMAC-SHA256 signatures to ensure authenticity.
3. How We Use Your Information
We process your information for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide, operate, and maintain the Service | Performance of contract |
| Generate creative content based on your inputs | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Connect and manage your social media accounts | Performance of contract (with your explicit consent to connect each account) |
| Publish content to your connected platforms | Performance of contract |
| Fetch and display post analytics | Performance of contract |
| Send transactional emails (published posts, completed generations, failed posts) | Performance of contract |
| Send weekly analytics summaries | Legitimate interest (you may opt out via notification preferences) |
| Improve and develop new Service features | Legitimate interest |
| Detect, prevent, and address security issues or abuse | Legitimate interest |
| Monitor service performance and debug errors | Legitimate interest |
| Comply with legal obligations | Legal obligation |
4. How We Share Your Information
We do not sell or share your personal information for cross-context behavioral advertising.
We share data only in the following circumstances:
4.1 Service Providers (Sub-Processors)
We engage the following categories of third-party service providers who access your data only as necessary to perform their functions and are contractually obligated to protect it:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | Account data, brand data, generated content, OAuth tokens (encrypted) | United States |
| Stripe | Payment processing, metered usage billing | Payment details, subscription data, per-use generation records (model, settings, cost) | United States |
| Anthropic (Claude) | AI creative generation via AWS Bedrock | Brand descriptions, product data, scraped website content, creative briefs | United States |
| fal.ai | Video generation (Kling O3), speech transcription (Whisper), lip sync | Visual prompts, actor images, product images, audio files | United States |
| ElevenLabs | Text-to-speech voiceover, background music generation | Script text, voice configuration | United States |
| Google Cloud (Vertex AI) | Video generation (Veo, fallback model) | Visual prompts, reference images | United States |
| Late.dev | Social media publishing, OAuth management, analytics retrieval | Post content, media files, platform credentials, analytics data | United States |
| Firecrawl | Product page extraction | URLs you provide, extracted page content | United States |
| Foreplay | Ad intelligence and competitor research | Brand domain names, returned ad examples | United States |
| Resend | Transactional email delivery | Email addresses, notification content | United States |
| Amazon Web Services (AWS) | Cloud infrastructure (Bedrock AI hosting) | Data in transit to AI models | United States |
| Vercel | Application hosting, serverless functions, cron jobs | Application data in transit | United States |
We maintain an up-to-date list of sub-processors. If we engage a new sub-processor that materially changes how your data is processed, we will provide notice via email or in-app notification at least 30 days before the new sub-processor begins processing your data.
4.2 Social Media Platforms
When you connect accounts and publish content, your data (captions, videos, images) is transmitted to the respective platforms (Instagram, Facebook, YouTube, TikTok, LinkedIn, Pinterest, Threads, Twitter/X, Reddit) via their APIs. Each platform's own privacy policy governs its handling of this data.
4.3 Legal Requirements
We may disclose information if required by law, regulation, legal process, subpoena, or governmental request.
4.4 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email or prominent notice before your information becomes subject to a different privacy policy.
4.5 With Your Consent
We may share information for any other purpose with your explicit consent.
5. AI-Generated Content & Model Training
5.1 How AI Processes Your Data
Your creative inputs (product descriptions, brand information, creative briefs, feedback) are processed by AI models (Anthropic Claude, fal.ai Kling O3, ElevenLabs, Google Vertex AI) to generate videos, scripts, voiceovers, and captions.
- Anthropic Claude: Generates creative concepts, scripts, brand extraction, and visual direction. Anthropic's commercial API terms state that API inputs and outputs are not used to train their models.
- fal.ai (Kling O3): Generates video from text/image prompts. Processes actor reference images and product images.
- ElevenLabs: Converts script text to spoken audio. Processes text and voice configuration only.
- Google Vertex AI (Veo): Alternative video generation model. Processes visual prompts and reference images.
5.2 Model Training
- We do not use your individual inputs to train our own AI models.
- We do not provide your individual inputs to third-party providers for the purpose of training their AI models. Our agreements with sub-processors prohibit the use of customer data for model training.
- We may use aggregated, de-identified usage patterns (e.g., which features are most used, average generation times) to improve the Service's performance and reliability.
5.3 AI-Generated Content Transparency
Content generated by Nouvel is produced using artificial intelligence. Under the EU AI Act (effective August 2026), AI-generated content must be clearly identifiable. We recommend that users disclose the AI-generated nature of content as required by applicable laws in their jurisdiction.
5.4 Human Oversight
AI-generated content is presented to you for review before publishing. You maintain full editorial control over whether to publish, edit, or discard any generated content.
6. Data Retention
We retain your data according to the following schedule:
| Data Category | Retention Period |
|---|---|
| Account information (name, email, preferences) | Duration of account + 30 days after deletion request |
| Brand & product data | Duration of account + 30 days after deletion request |
| Connected social account data (including encrypted tokens) | Until you disconnect the account or delete your Nouvel account |
| Generated content (videos, scripts, assets) | Until you delete the content or close your account |
| Publishing records & analytics | Duration of account + 30 days after deletion |
| Server logs and error logs | 90 days |
| Payment records | As required by tax and financial regulations (typically 7 years for transaction records) |
| Generation performance metrics | 12 months (aggregated) |
After account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax records, dispute resolution) or for legitimate business purposes as outlined above.
7. Data Security
We implement the following technical and organizational measures:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+
- Encryption at rest: OAuth access tokens and refresh tokens are encrypted using AES-256-GCM with unique initialization vectors
- Access controls: Role-based access, principle of least privilege for production systems
- Infrastructure security: Hosted on Vercel (SOC 2 compliant) and Supabase (SOC 2 Type II compliant) with automatic security patching
- Webhook verification: All incoming webhooks (Meta, Stripe) are verified using HMAC-SHA256 signatures
- Payment security: Payment processing handled by Stripe (PCI DSS Level 1 certified); we never receive or store full card numbers
- Secret management: API keys and credentials stored in encrypted environment variables, never in source code
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to security@nouvel.ai.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- We will notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Notification will include: the nature of the breach, categories of data affected, likely consequences, and measures taken to address and mitigate the breach
9. Your Rights
9.1 Rights Under GDPR (European Economic Area, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention requirements
- Restriction: Request that we limit processing of your data
- Data Portability: Receive your data in a structured, commonly used, machine-readable format
- Object: Object to processing based on legitimate interest, including profiling
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI generates creative content for your review — it does not make automated decisions about you.
To exercise these rights, contact us at privacy@nouvel.ai. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
You also have the right to lodge a complaint with your local data protection supervisory authority.
9.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Categories of Personal Information Collected:
| Category (per CCPA) | Examples from Our Service |
|---|---|
| A. Identifiers | Name, email, IP address, platform user IDs |
| B. Personal information (Cal. Civ. Code 1798.80) | Name, email address |
| D. Commercial information | Subscription tier, payment history |
| F. Internet or electronic network activity | Pages viewed, session data, browser type |
| K. Inferences | AI-generated creative concepts based on your brand data |
Your California Rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collected, the purposes, and the categories of third parties with whom we shared it
- Right to Delete: Request deletion of your personal information, subject to exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but you may contact us to confirm.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under CCPA/CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights
To exercise these rights, contact us at privacy@nouvel.ai or submit a request to our mailing address below. We will verify your identity before processing your request. We will respond within 45 days (extendable by an additional 45 days with notice).
Do Not Track Signals: Our Service does not currently respond to "Do Not Track" browser signals, as there is no industry-standard protocol for such signals. We do not engage in cross-site tracking.
9.3 Meta (Facebook/Instagram) Data Deletion
If you connected a Facebook or Instagram account, you may request deletion of your data through Meta's platform. We have implemented Meta's required Data Deletion Callback endpoint. Upon receiving a valid, signed deletion request from Meta, we will delete your connected account data from our systems and provide a confirmation code and status check URL.
10. International Data Transfers
Our Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
For transfers from the EEA, UK, or Switzerland to the United States:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers
- Our sub-processors maintain their own transfer mechanisms (e.g., Stripe, Supabase, and Anthropic participate in recognized data transfer frameworks)
- We ensure that transferred data receives a level of protection essentially equivalent to the protection it would receive in the EEA
By using the Service, you acknowledge that your data may be processed in jurisdictions with different data protection laws than your home jurisdiction.
11. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@nouvel.ai.
12. Third-Party Links & Services
The Service may contain links to third-party websites and services (e.g., social media platforms, product pages you provide). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your information.
13. Data Processing Agreement (DPA)
If you are a business customer subject to GDPR or other data protection regulations that require a Data Processing Agreement, please contact us at privacy@nouvel.ai to request one. Our DPA covers:
- Processing instructions and scope
- Sub-processor management and notification
- Security measures
- Data breach notification procedures
- Audit rights
- Data return and deletion upon termination
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a revised effective date
- Sending an email notification to your registered email address for material changes
- Displaying an in-app notice for significant updates
Your continued use of the Service after changes are posted constitutes acceptance of the revised policy. The previous version of this policy is available upon request.
15. Contact Us
If you have questions or concerns about this Privacy Policy, or wish to exercise your data protection rights, contact us at:
Sonautic Inc. (d/b/a Nouvel)
1111B S Governors Ave STE 37936
Dover, DE 19904
Email: privacy@nouvel.ai
Security Issues: security@nouvel.ai
For EEA residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
Appendix A: Sub-Processor List
Last updated: March 9, 2026
| Sub-Processor | Purpose | Data Categories | Location | DPA Status |
|---|---|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage | All account and content data | US | Available |
| Vercel (Vercel Inc.) | Application hosting, serverless compute | All data in transit | US | Available |
| Stripe (Stripe Inc.) | Payment processing, metered usage billing | Payment, subscription, and per-use generation billing data | US | Available (PCI DSS L1) |
| Anthropic (Anthropic PBC) | AI content generation (Claude) | Brand data, creative inputs | US | Available |
| Amazon Web Services (AWS) | Cloud infrastructure (Bedrock) | AI model data in transit | US | Available (SOC 2, ISO 27001) |
| fal.ai (Features & Labels Inc.) | Video generation, transcription, lip sync | Visual prompts, images, audio | US | Enterprise DPA available (contact sales@fal.ai) |
| ElevenLabs (ElevenLabs Inc.) | Text-to-speech, music generation | Script text, voice config | US | Available |
| Google Cloud (Alphabet Inc.) | Video generation (Vertex AI/Veo) | Visual prompts, reference images | US | Available (SOC 2, ISO 27001) |
| Late.dev (Arbichat S.L.) | Social publishing, OAuth management | Post content, platform tokens, analytics | Spain (EU) | GDPR-compliant; DPA available on request (contact via getlate.dev) |
| Firecrawl (SideGuide Technologies Inc.) | Web page extraction | User-provided URLs, extracted content | US | No formal DPA published; GDPR rights acknowledged; contact help@firecrawl.com |
| Foreplay (Foreplay Inc.) | Ad intelligence database | Brand domain names | US | No formal DPA published; GDPR rights acknowledged; contact hello@foreplay.co |
| Resend (Resend Inc.) | Transactional email delivery | Email addresses, notification content | US | Available |
| Meta Platforms (Meta Platforms Inc.) | Social media APIs (Instagram, Facebook) | Published content, analytics, webhooks | US | Platform terms |
| Google (Alphabet Inc.) | YouTube API | Published content, analytics | US | Platform terms |
| ByteDance (TikTok) | TikTok API | Published content, analytics | US/SG | Platform terms |
| LinkedIn (Microsoft Corp.) | LinkedIn API | Published content, analytics | US | Platform terms |
This list is updated when sub-processors change. Subscribe to updates by emailing privacy@nouvel.ai with subject "Sub-processor updates."