Privacy Policy
What personal data I collect when you visit this website or work with me, why I collect it, who I share it with, and the rights you have over it.
- Last updated: 16 May 2026
- Version: 1.2
Contents
- 01 About this policy
- 02 Who I am
- 03 Personal data I collect
- 04 How I use your data and the legal bases for it
- 05 Subprocessors and where data is stored
- 06 Live meetings and call recordings
- 07 International data transfers
- 08 How long I keep your data
- 09 Cookies and similar technologies
- 10 Your rights
- 11 Security
- 12 Children’s data
- 13 Use of artificial intelligence
- 14 Changes to this policy
- 15 Contact
01 About this policy
This Privacy Policy explains how Nova Studios - operated by a single individual based in the Palestinian Territories - processes personal data in connection with this website (the “Site”), the quote form, the client portal, and the design and development services I provide (collectively, the “Services”).
It applies to website visitors, prospects who submit a quote, and clients I am actively engaged with. Where you provide me with personal data of third parties (for example employees or end users of the website I am building for you), this Policy applies to my processing of that data, but you remain primarily responsible for the lawful basis of that disclosure to me.
02 Who I am
Nova Studios is the trading name used by Gabi Kamel, an individual freelancer (sole proprietor; not a registered company) based in the Palestinian Territories. For privacy purposes, I am the data controller for the personal data described in this Policy.
For privacy enquiries, contact hello@nova-studios.dev. You may also reach me via WhatsApp using the link in the footer.
03 Personal data I collect
I collect personal data in the following categories. I collect only what I need to provide the Services and to comply with applicable legal obligations.
- Quote form data. When you submit the quote form I collect your name, business name, phone number (in international E.164 format), email address, the language you would like the project to be in, the service type you select (website, app, or both), your business type, your style preferences, the inspiration links and screenshots you provide, your free-text project description, and a honeypot field used for spam prevention. A recommended package and a price range are derived from your inputs using a large-language-model service (see Subprocessors).
- Account and authentication data. If you become a client, an account is created in the authentication provider using your email address. Authentication is by magic link; no passwords are collected or stored.
- Project workspace data. Through the client portal I process information related to the project I am building for you: milestones, deliverables (files), invoices, payment receipts you upload, and the messages exchanged through the portal or email. Where you give me access to third-party systems (for example a content management system or hosting dashboard), I may receive credentials or tokens which I hold only for as long as needed to perform the Services.
- Agreement and approval data. When you approve a quote, scope, or written agreement (for example by email or WhatsApp), I keep a record of what was agreed, together with the date and time and the relevant message or email. I retain this record to evidence what we agreed.
- Communications. I retain emails, WhatsApp messages, and portal messages exchanged with you for as long as they are useful for the engagement and any subsequent record-keeping obligations.
- Technical data. When you visit the Site, the hosting provider and the error-monitoring provider receive standard log information including IP address, browser user-agent, requested URL, referrer, and timestamp. Where you consent to my use of cookies (see Cookies), pageview and session data may also be processed and, in a small percentage of sessions, a session replay used to reproduce errors.
I do not knowingly collect special categories of personal data (for example, data concerning health, religious beliefs, or biometric identifiers) and I ask that you do not submit such data to me through the Site or the portal.
04 How I use your data and the legal bases for it
I process personal data only where I have a lawful basis to do so. The basis depends on the purpose:
- To respond to your enquiry and provide a quote. Steps taken at your request prior to entering into a contract.
- To deliver the Services and fulfil my contract with you. Performance of a contract to which you are a party.
- To send invoices and process payments. Performance of a contract and compliance with applicable record-keeping obligations.
- To secure the Site, prevent fraud and abuse, and maintain audit trails (including for agreements and approvals). My legitimate interest in protecting my work and my clients, balanced against your privacy interests.
- To improve the Site and the Services. My legitimate interest in operating effectively. Analytics and session replay are limited and aggregated where possible.
- To send service-related communications (such as project updates, magic-link sign-in emails, and invoice notifications). Performance of a contract.
- To comply with applicable law and respond to lawful requests from public authorities. Compliance with a legal obligation.
I do not use your personal data for automated decision-making with legal or similarly significant effects. The package and price-range recommendation generated on the quote form is non-binding, advisory in nature, and exists solely to give you an early indication before we speak; no commercial decision affecting you is taken automatically.
05 Subprocessors and where data is stored
I work with the following third-party service providers (“subprocessors”) to deliver the Services. Each is bound by its own data-processing terms.
| Provider | Purpose | Region of processing |
|---|---|---|
| Supabase | Authentication and primary database | Frankfurt, Germany (EU) |
| Cloudflare R2 | Storage of uploaded files (inspiration screenshots, deliverables, payment receipts) | Cloudflare global, with EU jurisdictional preference |
| Vercel | Hosting of the Site and edge runtime; first-party aggregated traffic analytics and Core Web Vitals (Speed Insights) - both cookieless | Global edge with EU/US data plane |
| Resend | Outbound transactional email and inbound email routing | United States |
| Groq | Large-language-model inference for the recommendation card and clarifying questions | United States |
| Sentry | Error monitoring, performance tracing, sampled session replay (10% of sessions; 100% of sessions in which an error occurs) | United States or EU (region selected at project setup) |
| WhatsApp / Meta | Messaging when you elect to contact me through the WhatsApp link | Global |
I update this table when the stack changes. The current version of the Policy is shown at the top of this page.
06 Live meetings and call recordings
Where we agree to a live consultation through your client portal, the call is a direct peer-to-peer connection between your browser and mine, established with WebRTC. The audio and video stream is encrypted end-to-end (DTLS-SRTP) and is not relayed through any Nova Studios server. Only the small signalling messages required to set up the call (session descriptions and ICE candidates) pass through Supabase Realtime channels, and they do not contain any audio or video content.
If the call is recorded, recording happens only on my browser and only after I press a “record” control. You will see a prominent red banner the entire time recording is active - there is no covert recording. The two video feeds are composited side-by-side and the two audio tracks are mixed into a single WebM file in my browser, then uploaded directly to my private Cloudflare R2 bucket via a presigned URL. The file is not sent to any third party.
Lawful basis. I rely on your explicit consent (shown by you remaining on the call after the banner appears) and my legitimate interest in keeping accurate records of our consultations. You can ask me to stop recording at any time, and you can ask me to delete an existing recording at any time by emailing the address in the “Who I am” section above. Recordings are deleted from R2 within 7 days of a deletion request.
Who can access. Recordings are visible only to me through the admin workspace and to you through the same meeting in your portal. Each playback request issues a fresh short-lived link (typically 10 minutes); the underlying file is not publicly addressable.
07 International data transfers
Some subprocessors are based in, or process data from, jurisdictions outside the Palestinian Territories - most notably the European Union and the United States. Where data is transferred to a country that has not been recognised by the European Commission as providing an adequate level of data protection, the relevant provider relies on standard contractual safeguards (such as the European Commission’s standard contractual clauses) and supplementary measures consistent with current European data-protection guidance.
You may request a copy of the safeguards in place for any specific transfer by writing to hello@nova-studios.dev.
08 How long I keep your data
I retain personal data only for as long as I need it for the purposes set out above, and then for the shortest additional period required by law:
- Quote form submissions that do not become engagements: up to 24 months from the date of submission, then deleted or irreversibly anonymised.
- Active client account and project workspace: for the duration of the engagement and for a further 12 months after the last contractual obligation is performed, unless specific records must be kept longer.
- Agreements, invoices, and payment records: retained for seven (7) years for accounting purposes.
- Authentication sessions: for as long as the session is valid, normally not exceeding 30 days from last activity.
- Error and replay data in Sentry: 90 days, following the provider’s default retention.
- Live-meeting recordings: retained until I manually delete them, or earlier on your request. I will normally delete a recording within 90 days of the consultation once the related notes have been captured, unless the recording is part of an active project record.
- Backups: rolling 30-day point-in-time recovery backups; data deleted from primary stores ages out of backups within that window.
10 Your rights
Subject to applicable law, you have the right to:
- Access the personal data I hold about you and receive a copy in a commonly used format;
- Rectify data that is inaccurate or incomplete;
- Erase your data where one of the recognised grounds applies (for example, the data is no longer needed for the purpose, or you withdraw consent that was the sole basis for processing);
- Restrict or object to certain processing, including processing based on legitimate interest;
- Port data you provided to me, in a structured, commonly used, machine-readable format, where the processing is based on your consent or on contract and is carried out by automated means; and
- Withdraw consent at any time, where consent is the basis for processing, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, write to hello@nova-studios.dev. I will respond within thirty (30) days. I may need to verify your identity before fulfilling your request; this is to protect you against impersonation.
11 Security
I implement reasonable technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- encryption in transit (TLS 1.2+) for all network traffic;
- encryption at rest in the database, object storage, and backup systems;
- row-level security (RLS) on every database table, enforced at the database engine, with role-based access via a centralised authorisation policy;
- short-lived presigned URLs for access to files in object storage (no public buckets);
- rate limiting and a honeypot field on public form endpoints to deter automated abuse;
- tightly scoped Content Security Policy, HSTS preload, X-Frame-Options DENY, and other recommended security headers; and
- audit logging of admin actions and key account events.
No system is perfectly secure. If I become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, I will notify you without undue delay.
12 Children’s data
The Site and the Services are directed at businesses and at adults acting on behalf of businesses. I do not knowingly collect personal data from children under the age of sixteen (16). If you believe that I have inadvertently collected such data, please contact me and I will delete it promptly.
13 Use of artificial intelligence
I use third-party large-language-model services (currently Groq running open-weight models, and Anthropic Claude in my internal development tooling) as part of how I operate. The most user-facing use is the recommendation card on the quote form, which sends your form inputs to Groq to generate a suggested package and price range.
In respect of these providers, and where the provider offers the option, I have opted out of the use of my prompts and outputs for training. I do not knowingly send special-category data, payment-card data, or anything I hold under a duty of confidence to AI providers.
The recommendation generated on the quote form is advisory only. No legal or similarly significant decision affecting you is taken on an automated basis.
14 Changes to this policy
I may update this Policy from time to time. The “Last updated” date at the top of this page reflects the most recent material change, and the version number changes whenever a substantive update is made. Where a change materially expands the categories of data I collect, the purposes for which I use it, or the recipients I share it with, I will give at least thirty (30) days’ prior notice through the Site or by email, and your continued use of the Site or the Services after that date constitutes acceptance of the updated Policy.
15 Contact
For questions, complaints, or requests under this Policy, contact me at hello@nova-studios.dev. For general queries, see the Terms of Service or message me via the WhatsApp link in the footer.
