Privacy Policy
Last updated: February 7, 2026
Summary: Noovra reads your emails only to generate response suggestions. We do not store your email content, never sell your data, and you can delete your account at any time.
1. Introduction
Noovra ("we", "our", "us") is an AI-powered customer support copilot. Our service consists of a Chrome extension (Manifest V3) that integrates into Gmail, and a web application (noovra.com).
The extension analyzes support emails you open in Gmail and suggests response drafts. No email is ever sent automatically — you always remain in control.
This privacy policy explains how we collect, use, share and protect your personal data, in compliance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679).
2. Data Controller
The data controller for your personal data is:
Noovra
Email: contact@noovra.com
Website: noovra.com
As a Noovra user, you are the data controller for your own customers' data. Noovra acts as a data processor for the processing of such data within the scope of the service.
3. Data Collected
3.1 Authentication Data
When you sign up via Google OAuth, we collect your email address and name. This information is necessary to create your account and identify you.
3.2 Email Content
When you open a support email in Gmail, our Chrome extension reads its content to generate response suggestions. This content is:
- Transmitted securely (HTTPS/TLS) to our API
- Sent to an AI model (GPT-4o via OpenRouter) to generate suggestions
- Not permanently stored — only anonymized metadata (subject, detected intent, confidence score) is retained
3.3 Policy Cards (Business Rules)
You can enter your support rules (refund policy, timeframes, FAQ). This text data is stored in your account and used to personalize suggestions.
3.4 Imported Orders
You can import customer order data via CSV file or Stripe/Gumroad integration. This data (order number, amount, status) is stored in your account to enrich suggestion context.
3.5 Usage Data
We collect anonymized data about your service usage:
- Number of suggestions generated and copied
- Average confidence scores
- Detected intents (request categories)
This data helps us improve our algorithms and does not personally identify you.
4. Legal Basis for Processing (Art. 6 GDPR)
Each data processing activity relies on a specific legal basis:
| Processing | Legal basis |
|---|---|
| AI suggestion generation | Performance of contract (Art. 6.1.b) |
| Suggestion storage | Performance of contract (Art. 6.1.b) |
| Policy Cards storage | Performance of contract (Art. 6.1.b) |
| Order import (CSV, Stripe) | Explicit consent (Art. 6.1.a) |
| Usage analytics | Legitimate interest (Art. 6.1.f) |
| Billing and payment | Legal obligation (Art. 6.1.c) |
| Authentication (Google OAuth) | Performance of contract (Art. 6.1.b) |
5. How We Use Your Data
- Provide the service: analyze your support emails and generate relevant response suggestions
- Personalize suggestions: apply your business rules (Policy Cards) and customer context (orders)
- Improve the service: analyze anonymized usage data to optimize our algorithms
- Customer support: assist you with technical issues
- Billing: manage your subscription and process payments via Stripe
6. Sub-processors and Data Sharing
We never sell your personal data. We share it only with the following sub-processors, necessary for the service to function:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| OpenRouter | AI request routing | United States |
| OpenAI (GPT-4o) | AI suggestion processing | United States |
| Stripe | Payments and billing | EU / United States |
| Vercel | Web application hosting | United States |
| Google | OAuth authentication | United States |
7. Data Transfers Outside the EU (Art. 44-49 GDPR)
Some of our sub-processors (OpenRouter, OpenAI, Vercel, Google) are located in the United States. These transfers are governed by:
- The European Commission's Standard Contractual Clauses (SCCs)
- The EU-US Data Privacy Framework where the sub-processor is certified
- Additional security measures (encryption in transit and at rest)
Your primary database is hosted in Europe (Supabase, Frankfurt region). Only email content is temporarily transmitted to AI APIs (US) to generate suggestions, with no permanent storage.
8. Security
We implement appropriate security measures to protect your data:
- Encryption in transit (HTTPS/TLS) for all communications
- Encryption at rest for sensitive data (Supabase)
- Automatic PII (personally identifiable information) masking before AI processing
- Secure authentication via Google OAuth (no passwords stored)
- Row Level Security (RLS) to isolate data between users
- Primary hosting on European infrastructure (Supabase EU, Frankfurt)
9. Your Rights (GDPR)
Under Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your account and all your data
- Right to data portability (Art. 20): receive your data in a structured, readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to restriction (Art. 18): request restriction of processing in certain cases
To exercise these rights, contact us at: contact@noovra.com. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g., CNIL in France).
10. Data Retention
| Data | Duration |
|---|---|
| User account | As long as the account is active |
| Email content | Not retained (processed then immediately deleted) |
| Generated suggestions | 90 days (caching and improvement) |
| Policy Cards | As long as the account is active |
| Imported orders | As long as the account is active |
| Technical logs | 30 days maximum |
After deleting your account, all your data is erased within 30 days.
11. Cookies
Our website and extension only use strictly necessary cookies:
- Authentication session cookie (Supabase Auth)
- Language preference (EN/FR)
We do not use any tracking, advertising, or behavioral analytics cookies.
12. Changes and Contact
We may update this privacy policy. In case of substantial changes, we will notify you by email at least 15 days before they take effect.
For any questions about this policy or your personal data:
Email: contact@noovra.com
Response time: 30 days maximum