Privacy policy

Last updated: 5 May 2026. DRAFT — pending lawyer review per §12.

What we collect

When you submit a website for a Nova Insight audit, we record:

• The URL you submitted and your email address (kept until you delete the audit; see retention).
• A salted hash of your IP address (per §11.1 / §12.1 — we never persist plain IPs).
• Your browser's user-agent string.
• The audit results themselves: pillar scores, screenshots of your homepage, and structured findings.

We do not collect cookies for analytics. We do not sell or share your data with advertisers. The crawler that fetches your site identifies itself as NovaInsightAudit/2.0 and respects a polite 1-second delay between requests.

How we use it

Your audit data is used to produce the report at /a/<slug> that we email you. Aggregated, de-identified metrics may be used internally to improve the scoring rubric and recommendation library; never published with your URL or email attached.

PII redaction in screenshots

Per §12.3, every screenshot the audit captures runs through an automated PII-redaction pass before storage: email addresses, phone numbers, national IDs, credit card numbers, and authentication-looking strings get blacked out. Authentication-bearing requests (Cookie, Authorization headers, query-string tokens) are stripped from network traces before anything is persisted.

What we won't crawl

Per §12.7, the audit will not capture:

• Anything inside /admin, /wp-admin, /portal, /account, /dashboard, or /my-account paths (unless your consultant has explicitly provided test credentials for a paid audit).
• Anything served with Cache-Control: private.
• Anything behind a payment-form URL (/checkout, /cart/checkout, /pay).
• Anything inside iframes whose origin is a known third-party PII vendor (Stripe, PayPal).

Retention

Per §12.4, three retention classes apply:

• Free-tool audits: 90 days for the audit row + report, 30 days for screenshots. Hard-deleted nightly thereafter.
• Paid audits (Bronze, Silver, Gold, Platinum): 24 months for everything by default.
• Active monitoring (Pulse, Sentinel) or rebuild engagements: duration of contract + 24 months.

You can request earlier deletion through the data-subject-rights form below.

Cross-border transfer

Nova Insight uses Anthropic, OpenAI, Google, and (for paid tiers) Cloudflare APIs that run in the United States. Per §12.6, we minimise personal data in those API payloads:

• LLM prompts include audit evidence but never your email address, name, or other intake-form fields.
• Screenshots are sent to multimodal LLMs only after the redaction pass.
• Network traces are summarised to counts; raw bodies never reach an LLM.

Standard Contractual Clauses (SCCs) for cross-border transfer are on file with each of those providers.

Your rights

Under the Kenya Data Protection Act 2019 and the GDPR (which applies when our service touches data subjects in the EU/UK), you can request:

• Access: a copy of all data we hold referencing you or your email.
• Deletion: immediate hard-delete of all rows referencing you, ahead of the standard retention schedule.
• Rectification: correction of inaccurate data.

Submit a data-subject-rights request via /privacy/request. We acknowledge within 7 days and respond fully within 30 days (statutory under both regimes).

Contact

Questions about this policy: privacy@novainsight.ke.

Records of every data-subject-rights request are retained for 6 years, per the statutory record-keeping requirement under both KDPA and GDPR.