Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect your first name, last name, email address, and optionally your phone number. If you sign up through an organization, we also collect your organization name and role.

Project and Content Data

We store the content you create within Mova, including:

• Projects, tasks, comments, and file attachments
• AI conversations and chat history
• Workflow configurations and automations
• Notification preferences and settings

API Keys (BYOK)

If you provide your own API keys for Anthropic or OpenAI, we store them in encrypted form. We only use these keys to process your requests and never share them with any third party.

Usage Data

We automatically collect:

• Feature usage patterns (which features you use and how often)
• AI token consumption per conversation
• Login timestamps and IP addresses
• Device type and browser information
• Error logs and performance data

Billing Information

Payment processing is handled by Stripe. We do not store your full credit card number. Stripe provides us with a partial card number (last four digits), expiration date, and billing address for record-keeping purposes. See Stripe's Privacy Policy for details on how they handle payment data.

2. How We Use Your Information

We use your information for the following purposes:

• Providing the Service: Operating the platform, processing AI requests, delivering notifications, managing your projects and tasks
• Billing: Processing payments, tracking credit usage, issuing receipts
• Communication: Sending service-related notices, responding to support requests, delivering notifications you have configured
• Improvement: Analyzing aggregated usage patterns to improve features, fix bugs, and develop new capabilities
• Security: Detecting and preventing fraud, abuse, and unauthorized access
• Legal compliance: Meeting our legal obligations and responding to lawful requests

We do not sell your personal information. We do not use your project data, conversations, or content for advertising purposes.

3. AI Data Processing

When you use AI features in Mova:

• Your conversation messages and relevant project context are sent to the configured AI provider (Anthropic Claude or OpenAI) for processing.
• Mova does not train AI models on your data. We use the AI APIs strictly to generate responses for your requests.
• AI providers process your data according to their own privacy policies and data processing agreements:
  • Anthropic's Privacy Policy
  • OpenAI's Privacy Policy
• When using Mova-provided API access (not BYOK), API calls are made through Mova's accounts with these providers, and standard API data-handling terms apply (which generally do not include training on API inputs).
• We store AI conversation history on our servers so you can review past interactions. You can delete conversation history at any time.

4. Data Storage and Security

We take the security of your data seriously and implement the following measures:

• Encryption in transit: All connections use HTTPS/TLS encryption.
• Encryption at rest: Databases are encrypted. API keys (BYOK and integration keys) are encrypted using Laravel's application-level encryption before storage.
• Password security: Passwords are hashed using bcrypt. We never store plain-text passwords.
• Access controls: Multi-tenant data isolation ensures each organization's data is accessible only to its authorized members.
• Infrastructure: Our servers are hosted with reputable cloud infrastructure providers with industry-standard security certifications.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

5. Third-Party Services

We share data with the following third-party services as necessary to operate the platform:

Each third-party service processes data according to its own privacy policy and terms of service. We encourage you to review their policies. We only share the minimum data necessary for each integration to function.

6. Data Retention

• Active accounts: Your data is retained for as long as your account remains active.
• Deleted accounts: When you delete your account, your data is retained for 30 days (to allow recovery if the deletion was accidental) and then permanently purged from our primary systems.
• Backups: Data may persist in encrypted backup systems for up to 90 days after deletion, after which it is purged through normal backup rotation.
• Billing records: Transaction records and invoices may be retained longer as required by applicable tax and financial regulations.
• Anonymized data: Aggregated, anonymized usage statistics (which cannot identify you) may be retained indefinitely.

7. Cookies and Tracking

We use cookies and similar technologies minimally and only for essential functionality:

• Session cookies: Required to keep you logged in and maintain your session state. These are deleted when you close your browser or your session expires.
• Security cookies: Used for CSRF protection and fraud prevention.
• Preference cookies: Used to remember your settings (such as theme preference or notification settings).

We do not use third-party advertising cookies, social media tracking pixels, or cross-site analytics trackers. We do not participate in ad networks or sell tracking data.

8. Children's Privacy

Mova is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@usemova.app.

9. International Data Transfers

Mova is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

By using the Service, you acknowledge that your data may be transferred to countries that may have different data protection laws than your country of residence. We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it.

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we rely on standard contractual clauses and other lawful transfer mechanisms where applicable.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Export: Download your project data, tasks, and content in a portable format.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your account and associated data.
• Restriction: Request that we limit the processing of your data in certain circumstances.
• Objection: Object to our processing of your data for certain purposes.
• Portability: Request your data in a structured, commonly used, machine-readable format.

To exercise any of these rights, contact us at support@usemova.app. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

11. BYOK Privacy Practices

When you use the Bring Your Own Key (BYOK) feature:

• API calls are made using your key, and usage is billed directly to your account with the AI provider.
• Mova does not independently monitor or log the content of BYOK API calls beyond what is necessary to display responses to you in the interface and maintain conversation history.
• Your API key is encrypted at rest using application-level encryption and is never exposed in logs, error messages, or to other users.
• We do not transmit your API key to any party other than the intended AI provider (Anthropic or OpenAI).
• Your API key is permanently deleted when you remove it from your settings or when your account is deleted.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through an in-app notification at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.