Privacy Policy

Last updated: May 12, 2026

This document is provided in English only. If a translated version is made available in the future, the English version will control in the event of any conflict.

This Privacy Policy describes how Novu (“Novu,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you access or use the Novu platform, website, applications, and related services (collectively, the “Service”). This policy applies to merchants, customers, and all other users of the Service. By using the Service, you agree to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, phone number, and password or authentication credentials when you create an account.
  • Business information (merchants): Business name, legal name, business address, city, state, postal code, and country.
  • Identity verification: Information required for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance when using off-ramp or withdrawal features, processed by our third-party verification provider.
  • Financial information: Bank account details for off-ramp withdrawals, subscription billing information processed by Stripe.
  • Communications: Information you provide when you contact our support team or respond to surveys.

1.2 Information Collected Automatically

  • Blockchain data: Wallet addresses, transaction hashes, block numbers, on-chain transfer amounts, and confirmation status associated with payments made through the Service.
  • Device and usage information: IP address, browser type, operating system, device identifiers, pages visited, features used, and interaction timestamps.
  • Location information: Approximate geographic location derived from your IP address. For check-in features, we may collect more precise location data (latitude and longitude) with your consent.
  • Check-in data: Timestamps, timezone, device information, and location signals associated with loyalty program check-ins and visit verification.

1.3 Information from Third Parties

  • Blockchain networks: On-chain transaction data from the Base network to detect and confirm payments.
  • Wallet providers: Public wallet address and connection status when you connect a wallet to the Service.
  • Payment and billing providers: Subscription status and billing events from Stripe.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process and facilitate cryptocurrency payment transactions
  • Administer merchant accounts, team management, and NFC chip configuration
  • Operate loyalty programs, including tracking enrollment, check-ins, reward eligibility, and redemption
  • Process off-ramp conversions and bank account withdrawals
  • Send transactional communications, including OTP codes, payment confirmations, transfer receipts, reward notifications, and loyalty program updates
  • Verify your identity and comply with KYC/AML legal obligations
  • Detect, investigate, and prevent fraud, abuse, and unauthorized access
  • Monitor and analyze usage patterns to improve the Service
  • Enforce our Terms of Service and protect the rights and safety of our users
  • Comply with applicable legal obligations and respond to lawful requests

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • With merchants:When you enroll in a merchant's loyalty program or make a payment, we share relevant information (such as your name, email, visit history, and reward status) with that merchant to administer the program and complete the transaction.
  • With service providers: We share information with third-party vendors that help us operate the Service, including:
    • Stripe — billing and subscription management
    • SendGrid — transactional email delivery
    • Twilio — SMS and phone verification
    • Bridge (by Stripe) — identity verification (KYC) and off-ramp services
    • Alchemy — blockchain transaction monitoring
    • Coinbase — smart account and wallet infrastructure
    • PostHog — product analytics and error tracking
  • On public blockchains: Cryptocurrency transactions are recorded on the Base blockchain, which is publicly accessible. Wallet addresses and transaction details are visible on-chain and cannot be deleted.
  • For legal purposes: We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction.

4. Cookies & Tracking Technologies

We use only essential and analytics-related technologies:

  • Essential cookies and local storage: Authentication tokens, session data, language preferences, and application state necessary for the Service to function.
  • Analytics: We use PostHog to collect anonymized usage data that helps us understand how the Service is used and identify errors. PostHog may set cookies or use similar technologies for this purpose.

We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. After account closure, we retain information as required by applicable law, including for tax, legal, accounting, and fraud prevention purposes. When retention is no longer required, we will securely delete or anonymize your personal information.

Blockchain transaction data (wallet addresses, transaction hashes, and transfer amounts) is recorded on a public blockchain and cannot be deleted or modified by Novu.

6. Data Security

We implement commercially reasonable technical and organizational safeguards to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit, secure credential storage, access controls, and regular security reviews. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

7. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (such as legal obligations or fraud prevention).
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at legal@novu.fast. We will verify your identity before processing your request and respond within 45 days, or notify you if we need additional time as permitted by law.

8. Do Not Sell or Share My Personal Information

Novu does not sell your personal information. Novu does not share your personal information for cross-context behavioral advertising purposes as defined by the CCPA/CPRA.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at legal@novu.fast.

10. International Users

The Service is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.

11. Third-Party Links & Services

The Service may contain links to third-party websites or services, including wallet providers and blockchain explorers. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through the Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time by posting a revised version on this page with an updated “Last updated” date. For material changes, we will provide reasonable notice (such as email notification or a prominent notice within the Service) before the changes take effect. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our data practices, please contact us at:

Novu
Email: legal@novu.fast

See also our Terms of Service.