NOVAKU

Privacy Policy

Last updated: May 17, 2026

1. Introduction & Data Controller

Novaku ("we", "us", "our") operates a suite of mobile applications under the NOVAKU brand. We are the Data Controller of the personal data collected through our applications, as defined under the General Data Protection Regulation (GDPR) (EU) 2016/679.

This Privacy Policy applies to all NOVAKU applications. App-specific details are described in Section A (NOVAKU: History) and Section B (Fan Mosaic) below. The common sections (1–9) apply to all NOVAKU apps unless otherwise stated.

Data Controller: Novaku

Contact: novakuapp@gmail.com

2. Information We Collect

2.1 Account Information (Optional)

Creating an account is optional. If you choose to sign in, we collect:

If you do not create an account, no account data is collected. All app progress is stored locally on your device.

2.2 App Preferences (Local Storage)

We store your in-app preferences locally on your device using the Android DataStore API. These preferences are private to each app and are not transmitted to our servers unless you are signed in. Examples include language selection and display settings; app-specific preferences are detailed in the relevant section below.

2.3 Advertising Identifier (AdMob)

If you use a free-tier version of a NOVAKU app, Google AdMob may collect your Android Advertising ID to serve personalized advertisements. This identifier is only collected on free-tier accounts and is not collected from premium subscribers. You can opt out via your device settings: Settings → Google → Ads → Opt out of Ads Personalization. Upgrading to a premium subscription removes ads entirely.

3. Third-Party Services

3.1 Supabase

We use Supabase as our backend database and authentication provider. User data synced to the cloud is stored on Supabase servers located in Frankfurt, Germany (AWS eu-central-1), within the European Union. Supabase is GDPR-compliant and processes data under a Data Processing Agreement. Supabase Privacy Policy.

3.2 Google Sign-In

Google Sign-In is an optional authentication method. If you use it, Google processes your authentication credentials according to their own privacy policy. Google Privacy Policy.

3.3 RevenueCat

We use RevenueCat to manage in-app subscriptions (History Pro and NOVAKU Pro). RevenueCat processes subscription transaction data on our behalf. RevenueCat Privacy Policy.

3.4 Google AdMob

Free-tier users may see advertisements served by Google AdMob. AdMob may use the Android Advertising ID and usage data to serve relevant ads. Google Ads Policy | Google Privacy Policy.

4. How We Use Your Information

We do not sell your personal data to third parties under any circumstances.

5. Data Storage and Security

While we implement industry-standard security measures, no system is completely immune to unauthorised access. We cannot guarantee absolute security.

6. Your Rights

6.1 Access and Data Portability

You can view the data associated with your account directly within the relevant NOVAKU app. To request a copy in a portable format, contact us at novakuapp@gmail.com.

6.2 Deletion

You may request deletion of your personal data. Instructions specific to each app are provided in Section A and Section B. You may also refer to our account deletion guide.

6.3 Opt-Out of Personalised Advertising

You can opt out of personalised advertising via your device settings: Settings → Google → Ads → Opt out of Ads Personalization, or by upgrading to a premium subscription.

6.4 GDPR Rights (EU/EEA Residents)

If you are located in the EU or EEA, you have the right to access, rectify, erase, restrict, object to, and port your personal data, and to withdraw consent where processing is consent-based. To exercise these rights, contact novakuapp@gmail.com. We aim to respond within 30 days. You may also lodge a complaint with your national data protection authority.

7. Children's Privacy

NOVAKU apps are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact us immediately at novakuapp@gmail.com. Fan Mosaic has a higher minimum age of 16 for photo submission — see Section B.8.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with a revised "Last updated" date. For material changes, we will provide in-app notification prior to the change taking effect. Continued use of a NOVAKU app after changes constitutes acceptance of the revised policy.

9. Contact

Novaku

Email: novakuapp@gmail.com

We aim to respond to all privacy-related enquiries within 30 days of receipt.


NOVAKU: History App-Specific Privacy Details

Section A. NOVAKU: History

The following details apply specifically to NOVAKU: History, in addition to the common sections above.

A.1 Additional Data We Collect

  • Quiz scores, number of attempts, and incorrect answers per lesson.
  • XP (experience points) earned and study streak (consecutive days of activity).
  • Lessons completed, badges and achievements unlocked.

This data is stored locally on your device. If you are signed in, it is also synchronised to our Supabase backend for cross-device continuity.

A.2 Permissions

NOVAKU: History requests only the INTERNET permission — required for account synchronisation, subscription validation, and serving advertisements to free-tier users. No camera, location, contacts, or microphone access is requested.

A.3 Data Deletion

Local progress: Navigate to Profile → Reset all progress within the app to clear all locally stored scores, streaks, and achievements.

Cloud data: Sign out to remove data from the device. To delete data from our servers, contact novakuapp@gmail.com — we will process your request within 30 days. See our account deletion guide.


Fan Mosaic App-Specific Privacy Details

Section B. Fan Mosaic

The following details apply specifically to Fan Mosaic, in addition to the common sections above.

B.1 Why This App Has Additional Privacy Considerations

Fan Mosaic allows you to submit a personal photograph that becomes part of a publicly visible team mosaic displayed to all users of the app. A photograph is personal data under the GDPR, and making it publicly visible requires your explicit consent under GDPR Article 6.1.a, which you provide via the in-app consent screen before any photo is uploaded. You may withdraw this consent at any time by deleting your account.

B.2 Additional Data We Collect

  • Your photograph — the profile photo you submit for inclusion in your team's public mosaic.
  • Display name — the name shown on your fan profile within the app.
  • Approval status — whether your submitted photo is pending review, approved, or rejected.
  • Submission timestamp — the date and time your photo was submitted.

B.3 Public Visibility of Your Photo

Once your submitted photo is approved, it becomes part of your chosen team's mosaic image, which is publicly visible to all users of Fan Mosaic. By submitting your photo and providing consent via the in-app screen, you acknowledge that your photograph will be displayed publicly within the application.

B.4 Photo Moderation (Telegram)

Before your photo is included in the public mosaic, it is reviewed by a human moderator via a Telegram bot operated by Novaku. During moderation:

  • The moderator receives a time-limited signed URL linking to your photo. The URL expires automatically after 60 seconds.
  • The moderator sees no other personal data associated with your account.
  • The moderator does not retain a permanent copy of your photo.

Telegram (Telegram Messenger Inc.) processes messages as part of this moderation workflow. Telegram Privacy Policy.

B.5 Permissions

  • INTERNET — required for uploading your photo and loading the team mosaic.
  • CAMERA — required only when you explicitly tap "Take photo". Not accessed at any other time.
  • READ_MEDIA_IMAGES (Android 13+) or READ_EXTERNAL_STORAGE — required only when you explicitly tap "Choose from gallery". Not accessed at any other time.

B.6 Photo Retention and Deletion

Upon account deletion or a data deletion request:

  • Your photograph is removed from cloud storage immediately.
  • Your photo may continue to appear in previously generated composite mosaic images (pre-rendered JPEGs) until the next scheduled mosaic regeneration cycle, which runs daily at approximately 02:00 UTC. After that cycle, your photo will no longer appear in any mosaic.

For step-by-step deletion instructions, see our account deletion guide.

B.7 Legal Basis for Processing Your Photo (GDPR)

  • Primary legal basis: GDPR Article 6.1.a — Explicit consent, given via the in-app consent checkbox before any photo is uploaded.
  • You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of prior processing.
  • Your right to erasure under GDPR Article 17 applies; see Section B.6 for timelines regarding composite mosaic images.

B.8 Minimum Age

Fan Mosaic requires users to be at least 16 years old to submit a photograph for the public mosaic, in accordance with GDPR Article 8. If you believe a user under 16 has submitted a photo, please contact us immediately at novakuapp@gmail.com.