1. Introduction

This Privacy Policy explains how BackNova ("we," "us," or "our") collects, uses, discloses, and protects information when you use our services, website, and software (collectively, the "Service").

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email Address: Stored as SHA-256 hash only (never plain text)
• Password: Stored as bcrypt hash with salt
• Name: Your full name
• Company Name: For team accounts
• Plan Type: Solo or Team subscription

2.2 End-User Tracking Data

When your website visitors interact with BackNova's tracking SDK, we collect:

Data Type	What We Collect	How It's Stored
Email	Email from forms	SHA-256 hash + domain only (raw email goes directly to your PP)
Phone	Phone from forms	Not stored (goes directly to your PP)
Name	Name from forms	Not stored (goes directly to your PP)
IP Address	Visitor IP	SHA-256 hash only + GEO (country code)
Click ID	Tracker click ID from URL	Plain text (for postback matching)
Browser Fingerprint	User agent, screen, timezone, language	Composite SHA-256 hash
Session ID	Random session identifier	Plain text (non-PII)
Page Info	URL, referrer, title	Plain text (non-PII)
UTM Parameters	Source, medium, campaign, etc.	Plain text (non-PII)
Behavioral Data	Time on site, scroll, clicks, etc.	Plain text (non-PII)

2.3 Payment Information

We use Stripe for payment processing. We DO NOT store your credit card information. Stripe stores payment details securely according to PCI DSS standards. We receive only:

• Payment status (successful/failed)
• Last 4 digits of card (for display)
• Subscription ID
• Billing history

3. How We Use Your Information

3.1 To Provide the Service

• Create and manage your account
• Process subscriptions and payments
• Provide lead quality scoring
• Deliver customer support
• Send service notifications

3.2 To Improve the Service

• Analyze usage patterns
• Develop new features
• Fix bugs and improve performance
• Conduct research

3.3 To Communicate

• Send account updates
• Respond to inquiries
• Send marketing (with consent)
• Conduct surveys

4. Privacy-First Architecture

4.1 Data Flow Process

When a user submits a lead form:

4.2 Tracker Privacy

We only capture click_id from your tracker URL for postback matching. Your sub IDs, pub IDs and other tracking parameters stay in your tracker — we don't see or store them.

5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Service Providers

We share data with trusted service providers:

• Cloudflare: Hosting, CDN, security
• Stripe: Payment processing
• Make.com: Email notifications
• Netlify: Frontend hosting

5.3 Legal Requirements

We may disclose information if required by law, court orders, subpoenas, law enforcement requests, or to protect our rights.

6. Your Privacy Rights

6.1 GDPR Rights (EU Users)

• Right to Access: Request a copy of your data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: "Right to be forgotten"
• Right to Restrict Processing: Limit data use
• Right to Data Portability: Receive portable data
• Right to Object: Object to processing
• Right to Withdraw Consent: Withdraw consent

6.2 CCPA Rights (California Users)

• Right to Know: Request info about data collected
• Right to Delete: Request deletion
• Right to Opt-Out: Opt-out of sale (we don't sell data)
• Right to Non-Discrimination: Equal service

6.3 Exercising Your Rights

Contact us on Telegram with subject "Privacy Rights Request". We will respond within 30 days.

7. Data Retention

7.1 Active Accounts

We retain your data while your account is active and as necessary to provide the Service.

7.2 Deleted Accounts

When you delete your account, your personal data is deleted within 30 days, hashed identifiers are removed, and backup copies are overwritten within 90 days.

8. Data Security

8.1 Security Measures

• Encryption in Transit: TLS 1.3
• Encryption at Rest: All data encrypted
• Password Security: Bcrypt with salt
• PII Hashing: SHA-256
• Access Controls: Role-based
• DDoS Protection: Cloudflare

8.2 Data Breach Notification

In the event of a breach, we will notify affected users within 72 hours, notify authorities as required, provide details about the breach, and offer assistance.

9. Cookies and Tracking

9.1 Cookies We Use

• Essential Cookies: Session authentication (required)
• LocalStorage: Session ID (30-minute expiry)

9.2 No Third-Party Tracking

We do NOT use Google Analytics, Facebook Pixel, third-party advertising cookies, or marketing cookies.

9.3 Do Not Track

We respect browser "Do Not Track" signals.

10. International Data Transfers

BackNova uses Cloudflare's global network. All transfers comply with GDPR requirements through Standard Contractual Clauses (SCCs).

11. Children's Privacy

BackNova is a B2B service not intended for children. We do not knowingly collect information from individuals under 18 years of age.

12. Changes to This Policy

We may update this Privacy Policy. When we make material changes, we will update the date, notify you via email, post a notice in the Service, and request consent if required by law.

13. Your Responsibilities

When using BackNova, you must provide clear privacy notices to your users, obtain proper consent, comply with GDPR/CCPA, honor opt-out requests, and use data for legitimate purposes only.

14. Contact Us