Nuvio Lab Privacy Policy

Last updated: March 19, 2025

Privacy Policy Summary

This privacy policy explains how Nuvio Lab collects, uses, and protects your personal information when you use our AI-based workflow automation services. Below is a summary of the key points:

  • Data collected: Contact information, technical data, usage information, and integration metadata.
  • Purpose: Service provision, product improvement, commercial communication, and legal compliance.
  • Legal basis: Contractual execution, legitimate interests, and consent.
  • Transfers: We do not perform international data transfers.
  • Security: Encryption, access control, continuous monitoring, and backups.
  • Rights: Access, rectification, deletion, opposition, limitation, and portability.
  • Contact: info@nuviolab.com - Dubai, Meydan Free Zone (MFZ).

Please read the complete policy below for detailed information on each of these aspects.

1. Introduction

Welcome to Nuvio Lab's Privacy Policy. At Nuvio Lab, we respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we care for your personal data when you visit our website, use our AI-based workflow automation services, or interact with our integrations, and it will inform you about your privacy rights and how the law protects you.

Our mission is to provide innovative AI automation solutions that enhance your business efficiency while maintaining the highest standards of privacy and data security. By using our services, we trust that you understand the importance we place on protecting your personal and business information.

2. Important Information and Who We Are

2.1 Data Controller

Nuvio Lab is the controller of your personal data (collectively referred to as "Nuvio Lab," "we," "us," or "our" in this privacy policy).

Contact details:

  • Address: Dubai, Meydan Free Zone (MFZ)
  • Email: info@nuviolab.com

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us using the details provided above.

2.2 Commitment to Transparency

At Nuvio Lab, we believe that transparency is fundamental to establishing trust relationships with our clients. This privacy policy is designed to provide clear and comprehensive information about how we handle your personal data. We are committed to keeping it updated and accessible at all times.

3. Personal Data We Collect

We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped as follows:

  • Identity Data: Includes first name, last name, username or similar identifier, position, company you represent, and, if necessary, identification documents for identity verification in compliance with KYC (Know Your Customer) processes.
  • Contact Data: Includes email address, telephone numbers, postal address, country of residence, and preferred time zone for communications.
  • Financial Data: Limited information necessary for billing and payment processing, such as credit card details (processed through secure payment providers) or bank details for transfers.
  • Technical Data: Includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website or services.
  • Profile Data: Includes your username and password (stored in encrypted form), preferences, feedback, and survey responses.
  • Usage Data: Includes information about how you use our website, products, and services, usage patterns, and performance metrics of implemented automations.
  • Marketing and Communications Data: Includes your preferences for receiving marketing and other communications from us.

3.1 Data Processed During Integration with n8n

During integration with the n8n platform, we may process data that third-party tool APIs enable us to access, which may include:

  • Document and file metadata for workflow management
  • Calendar information for schedule automation
  • CRM data for sales process optimization
  • System and application performance metrics
  • Activity logs for monitoring and debugging
  • Structured data from forms and surveys
  • Support ticket or incident information
  • System configuration parameters

The exact scope of processed data depends on the specific configuration of each project and the particular needs of each client. In all cases, we apply the data minimization principle, processing only the information strictly necessary to meet the automation objectives.

3.2 Data Processed in Integrations with Slack, Gmail, and WhatsApp Business

We do not use user or client data during these integrations beyond what is strictly necessary to provide the requested services. Specifically:

  • Slack: We process message metadata, channel and team names, and limited user data including user ID and display name. We do not access the content of private conversations.
  • Gmail: We process email header information, labels, and metadata related to email organization. Access to email content only occurs when explicitly necessary for requested functionalities and with the client's explicit consent.
  • WhatsApp Business: We process information related to phone numbers, contact names, and metadata necessary for automated message management. We do not store or analyze conversation content unless explicitly requested and authorized by the client for specific functionalities.

All information processed through these integrations is handled in accordance with the terms of service and privacy policies of the respective platforms.

3.3 Information Stored in Supabase and Pinecone

We primarily store reports and non-sensitive company information in our databases. This includes:

Supabase:

  • Workflow activity logs
  • Performance and usage metrics of automations
  • System configurations and preferences
  • Audit logs for security purposes
  • Structured data related to business processes
  • Resource information and system availability

Pinecone:

  • Embedding vectors for natural language processing
  • Semantic indexes for advanced search
  • Knowledge models related to specific business domains
  • Vector representations for recommendation systems
  • Structured data for predictive analysis

We do not store sensitive personal data in these platforms, unless strictly necessary and with corresponding additional security measures.

3.4 Special Categories of Personal Data

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also do not collect information about criminal convictions and offenses.

4. How We Collect Your Personal Data

We use different methods to collect data from and about you, including:

4.1 Direct Interactions

You may provide us with your identity, contact, and financial data by:

  • Filling out forms on our website
  • Creating an account on our client portal
  • Subscribing to our services or publications
  • Requesting marketing information to be sent to you
  • Participating in satisfaction surveys or market research
  • Providing feedback or contacting us
  • During consulting meetings or project implementation
  • Through contracts and service level agreements

4.2 Automated Technologies

As you interact with our website and systems, we may automatically collect technical data about your equipment, browsing actions, and patterns. We collect this data using cookies, server logs, web beacons, tracking pixels, and other similar technologies.

4.3 Third-Party Sources

We may receive personal data about you from various third parties, such as:

  • Technical service providers (such as payment processors)
  • Analytics providers (such as Google Analytics)
  • Professional social networks (such as LinkedIn)
  • Business partners or authorized distributors

5. Purposes of Data Processing

We use your personal data only when the law allows us to. The data is used primarily for commercial purposes, including:

5.1 Main Purposes

  • Business relationship management: To establish, maintain, and develop our business relationships, including the creation and management of customer accounts.
  • Service provision: To set up, implement, maintain, and optimize our n8n-based workflow automation solutions.
  • Technical assistance: To provide technical support, troubleshoot issues, and respond to queries related to our services.
  • Product and service improvement: To analyze the use of our services, identify trends, and develop new functionalities.
  • Commercial communication: To keep you informed about service updates, new features, and relevant offers.
  • Billing management: To process payments, issue invoices, and manage accounting related to our services.
  • Legal and regulatory compliance: To comply with our legal and regulatory obligations, including tax record retention and responding to legal requests.
  • Information security: To protect our systems, networks, and services against security threats and ensure data integrity.

5.2 Data Retention Duration

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including to satisfy any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider:

  • The amount, nature, and sensitivity of the personal data
  • The potential risk of harm from unauthorized use or disclosure
  • The purposes for which we process your personal data
  • Whether we can achieve those purposes through other means
  • The applicable legal requirements

We apply the following retention policies:

  • Active customer data: While you maintain an active business relationship with us, plus an additional period of 5 years after the end of the relationship.
  • Commercial prospecting data: Up to 2 years from the last significant interaction.
  • Billing and transaction data: 10 years, in accordance with the tax and accounting requirements of the United Arab Emirates.
  • Technical support records: 3 years from case resolution.
  • Activity and audit logs: 2 years for security and compliance purposes.
  • Marketing data: Until you request to stop receiving communications or 2 years from the last interaction, whichever comes first.

At the end of the retention period, data will be securely deleted or anonymized in such a way that it can no longer be associated with you.

6. Legal Basis for Processing

We process your personal data based on the following legal grounds:

6.1 Main Legal Bases

  • Contractual execution: Processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract. This includes:
    • Configuration and provision of our automation services
    • Management of your customer account
    • Processing transactions and payments
    • Providing technical support
  • Legitimate interests: Processing is necessary for our legitimate interests or those of a third party, provided that your interests and fundamental rights do not override those interests. Our legitimate interests include:
    • Improving and developing our products and services
    • Protecting our systems and networks against security threats
    • Efficient management of our business operations
    • Promoting our services to existing and potential customers
  • Consent: You have given consent to the processing of your personal data for one or more specific purposes, such as:
    • Sending marketing communications
    • Using non-essential cookies on our website
    • Detailed analysis of the use of our services
  • Legal obligation: Processing is necessary to comply with a legal obligation to which we are subject, such as:
    • Retention of financial and tax records
    • Responding to requests from regulatory authorities
    • Compliance with data protection laws

6.2 Consent Process

Clients accept the privacy policy when they provide us with their data. Consent is obtained through:

  • Clear and visible checkboxes on our contact forms and during the registration process
  • Double opt-in processes for newsletter subscriptions and marketing communications
  • Cookie banners that allow selecting granular preferences
  • Specific consent clauses in contracts and service agreements
  • Privacy configuration options in the client portal

All consent mechanisms are designed to be:

  • Specific: Related to a concrete purpose
  • Informed: With clear information about what the consent entails
  • Unambiguous: Requiring a clear affirmative action
  • Freely given: Without conditioning the provision of unrelated services
  • Revocable: With simple mechanisms to withdraw consent at any time

We maintain records of all consents obtained, including when and how they were obtained, for audit and regulatory compliance purposes.

7. Data Transfers

We do not transfer personal data outside the territory of the United Arab Emirates. All our servers and data processing systems are located within the country or in regions that provide an adequate level of data protection.

7.1 Security Measures for Transfers

In case international transfers become necessary in the future, we will implement the following security measures:

  • Advanced encryption: We use AES-256 encryption for data in transit and at rest, ensuring that transmitted information is protected against unauthorized access.
  • Standard contractual clauses: We implement contractual clauses approved by data protection authorities to ensure that third-party data recipients comply with equivalent protection standards.
  • Impact assessments: We conduct data transfer impact assessments to identify and mitigate potential risks.
  • Data minimization: We transfer only the data strictly necessary to fulfill the specific purpose.
  • Pseudonymization: When possible, we pseudonymize data before transfer to reduce risks to data subjects.
  • Strict access controls: We implement technical and organizational controls to ensure that only authorized personnel can access transferred data.

Any change in our data transfer policy will be communicated through an update to this privacy policy.

8. User Rights

According to applicable data protection laws, you have the following rights:

8.1 ARCO Rights (Access, Rectification, Cancellation, and Opposition)

  • Right of access: You have the right to request a copy of your personal data. We will provide you with a complete report of all personal data we hold about you, including:
    • Categories of data collected
    • Sources of the data
    • Purposes of processing
    • Recipients or categories of recipients
    • Planned retention period
    • Information about international transfers, if any
  • Right of rectification: You have the right to request that we correct any information you believe is inaccurate or incomplete. We will promptly update our records once your request is verified.
  • Right of deletion (or right to be forgotten): You have the right to request that we delete your personal data in certain circumstances, such as:
    • When the data is no longer necessary for the purposes for which it was collected
    • When you withdraw your consent and there is no other legal basis for processing
    • When you object to processing and there are no overriding legitimate interests
    • When the data has been unlawfully processed
  • Right of opposition: You have the right to object to the processing of your personal data in certain circumstances, such as:
    • Direct marketing (including related profiling)
    • Processing based on legitimate interests or public interest
    • Processing for scientific or historical research or statistical purposes

8.2 Additional Rights

  • Right to restriction of processing: You can request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect you.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the applicable regulations.

8.3 Procedure for Exercising Your ARCO Rights

To exercise any of your rights, please send a written request to our email address info@nuviolab.com with the subject "Exercise of ARCO Rights." In your request, please include:

  • Your full name
  • Contact information (email, phone)
  • Customer number or identifier (if applicable)
  • Clear description of the right you wish to exercise
  • Specific details of the request (e.g., what data you want to rectify)
  • Any relevant information to identify your data in our systems

To protect your privacy and ensure the security of your data, we implement a two-step identity verification process:

  1. Initial verification: We will confirm that the email address used for the request matches the one registered in our systems.
  2. Secondary verification: Depending on the nature of the request, we may request additional documentation:
    • Copy of an official identity document (passport, ID card, driver's license)
    • Confirmation through a secure link sent to your registered email address
    • Verification code sent to your registered phone number

This process is designed to ensure that only you, or a person authorized by you, can access or modify your personal data.

8.4 Response Time to Requests

We strive to respond to all legitimate requests within a maximum period of 30 calendar days from receipt of your request. This timeframe includes:

  • 5 days for initial acknowledgment
  • 15 days for identity verification and request assessment
  • 10 days for implementation and final response

Occasionally, it may take us longer if your request is particularly complex or if you have made several simultaneous requests. In this case, we will notify you within the initial 30-day period and keep you informed of progress, indicating:

  • The reason for the delay
  • The estimated timeframe for resolution
  • Alternative channels available if urgency requires it

We do not charge any fee for processing standard ARCO rights requests. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive, or we may refuse to comply with your request in these circumstances. In such cases, we will inform you of our decision and the reasons behind it.

9. Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. These measures include:

9.1 Technical Measures

  • Encryption: We use AES-256 encryption for data at rest and TLS 1.3 for data in transit.
  • Layered security architecture: We implement multiple security levels, including firewalls, intrusion detection systems, and malware protection.
  • Access control: We use multi-factor authentication systems, identity management, and role-based access controls (RBAC).
  • Continuous monitoring: We maintain 24/7 monitoring systems to detect and respond quickly to security incidents.
  • Regular backups: We perform encrypted and verified backups daily, with storage in physically separate locations.
  • Patch management: We apply critical security updates within 24 hours of their release.
  • Vulnerability scanning: We conduct automated weekly scans and quarterly penetration tests by certified external companies.

9.2 Organizational Measures

  • Clean desk policy: We require all employees to keep their workspaces free of confidential information when not in use.
  • Security training: We offer mandatory information security training quarterly to all staff.
  • Confidentiality agreements: All employees and contractors sign strict confidentiality agreements.
  • Segregation of duties: We implement separation of responsibilities to prevent conflicts of interest and reduce the risk of misuse.
  • Incident management procedures: We maintain clear protocols for managing, reporting, and recovering from security incidents.
  • Regular audits: We conduct quarterly internal audits and annual external security compliance audits.
  • Onboarding and offboarding procedures: We apply strict controls during employee onboarding and departure to protect data access.

9.3 Specific Protocols in Google Cloud and Docker

We use standard security protocols provided by Google Cloud and Docker, which include:

Google Cloud:

  • Default encryption for all data at rest and in transit
  • Virtual Private Cloud (VPC) with restrictive firewall rules
  • Identity and Access Management (IAM) with minimal privilege
  • Cloud Key Management Service (KMS) for secure key management
  • Cloud Security Command Center for centralized monitoring
  • Cloud Audit Logs for immutable activity logs
  • Secure Boot and Shielded VMs for protection against rootkits and bootkits
  • Cloud Armor for protection against DDoS attacks and web threats

Docker:

  • Minimal base images that are regularly scanned
  • Container configuration following the principle of least privilege
  • Network isolation between containers using dedicated virtual networks
  • Secure secret management using Docker Secrets
  • Image integrity verification using Docker Content Trust
  • Automated vulnerability scanning in images
  • Runtime behavior monitoring
  • Automatic security updates

9.4 Security Incident Management

We have established a comprehensive procedure for managing security incidents that includes:

  • Detection and classification: Automated systems and human supervision to identify potential incidents
  • Containment and mitigation: Rapid procedures to limit impact
  • Investigation and forensic analysis: Determination of root cause and scope
  • Notification: Timely communication to affected parties according to legal requirements
  • Recovery: Secure restoration of systems and data
  • Post-incident review: Analysis to prevent future recurrences

In case of a data breach that may affect your rights and freedoms, we will notify you without undue delay, generally within 72 hours after becoming aware of the breach.

10. Use of Cookies and Similar Technologies

10.1 Types of Cookies Used on the Website

We use cookies and similar technologies to distinguish you from other users of our website and to provide enhanced functionalities. The cookies we use are classified as:

  • Strictly necessary cookies: Essential for you to browse our website and use its functionalities. These include:
    • Session cookies to maintain state during your visit
    • Authentication cookies to keep you logged in
    • Security cookies to prevent CSRF and similar attacks
    • Load balancing cookies to direct traffic efficiently
  • Analytical/performance cookies: Allow us to recognize and count the number of visitors and see how visitors move around our website. This helps us improve the way our website works, for example, by ensuring that users can find what they are looking for easily. We use:
    • Google Analytics with IP anonymization
    • Heatmapping to understand browsing patterns
    • Error tracking cookies to identify technical issues
    • Performance cookies to optimize loading speed
  • Functionality cookies: Used to recognize you when you return to our website. This enables us to personalize our content for you, greet you by name, and remember your preferences. These include:
    • Language preference cookies
    • Design or style cookies (dark/light mode)
    • Location cookies for regional content
    • Notification preference cookies
  • Targeting/advertising cookies: Record your visit to our website, the pages you have visited, and the links you have followed. We use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose. These include:
    • Remarketing cookies
    • Conversion tracking cookies
    • Social network cookies
    • Content personalization cookies

10.2 Cookie Management

You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

Our Cookie Preferences Panel is available at all times through the "Cookie Settings" link in the footer of our website, allowing you to adjust your preferences at any time.

10.3 Other Tracking Technologies

In addition to cookies, we may use:

  • Web beacons: Small transparent images that let us know if you have visited a page or opened an email.
  • Pixel tags: Similar to web beacons, they allow tracking of specific actions on our site.
  • Local storage: We use localStorage and sessionStorage to improve performance and user experience.
  • Fingerprinting: Techniques that collect information about your device for security and fraud prevention purposes.

All these technologies are subject to the same options and controls as cookies, and you can manage your preferences through our Preferences Panel.

11. Applicable Jurisdiction

11.1 Country of Primary Operation

Nuvio Lab operates primarily from Dubai, United Arab Emirates. Our operations are subject to the laws and regulations of the United Arab Emirates, including Federal Law No. 45 of 2021 on Personal Data Protection.

11.2 Specific Legislation We Comply With

We are committed to complying with the following data protection legislation:

United Arab Emirates data protection laws:

  • Federal Law No. 45 of 2021 on Personal Data Protection
  • Dubai International Financial Centre (DIFC) Regulations
  • Abu Dhabi Financial Services Regulatory Authority (FSRA) Regulations

GDPR (General Data Protection Regulation): For clients and users from the European Union, we comply with all aspects of the GDPR, including:

  • Processing principles (lawfulness, fairness, transparency, purpose limitation, minimization)
  • Consent requirements
  • Data subject rights
  • Appropriate technical and organizational measures
  • Data breach notification
  • Impact assessments when necessary

CCPA (California Consumer Privacy Act) and CPRA: For clients and users from California, United States, we comply with specific requirements, including:

  • Disclosure of categories of personal information collected
  • Rights of access, deletion, and opt-out
  • Non-discrimination for exercising rights
  • Disclosure of data selling practices (although we do not sell personal data)

Other relevant regulations:

  • LGPD (Brazil's General Data Protection Law)
  • PIPEDA (Personal Information Protection and Electronic Documents Act of Canada)
  • POPI (Protection of Personal Information Act of South Africa)
  • Other regional and national laws as applicable to specific operations

Our regulatory compliance approach is proactive and regularly updated to adapt to legal changes. We conduct periodic compliance audits and maintain a comprehensive data governance program.

12. Changes to the Privacy Policy

We may update our privacy policy from time to time to reflect changes in our practices, respond to legislative modifications, or adapt to new technologies. We are committed to maintaining transparency about any significant changes in how we handle your personal data.

12.1 Process for Notifying Changes

When we make changes to this privacy policy, we will follow this process:

  • Policy update: We will update the "last updated" date at the beginning of this privacy policy and post the revised version on our website.
  • Notification period: For substantial changes, we will post a visible notice on our website for at least 30 days before the changes take effect. This notice will include a summary of the main changes and a link to the complete revised version.
  • Direct notification:
    • For significant changes affecting users' fundamental rights, we will send an email notification to all registered users.
    • For minor changes or clarifications, we will post notifications on the user dashboard.
  • Consent when necessary: In cases where applicable law requires explicit consent for new uses of personal data, we will implement:
    • Interactive consent forms
    • Double confirmation processes
    • Granular controls that allow accepting or rejecting specific changes
  • Version archive: We will maintain an accessible archive of previous versions of the privacy policy, allowing users to consult changes over time.
  • Grace period: We will provide a reasonable period between notification and implementation of changes to allow users to review, ask questions, or exercise their rights before the changes take effect.

12.2 Changes Requiring Special Notification

We consider changes related to the following to be especially important and subject to direct notification:

  • Purposes of data processing
  • Categories of personal data collected
  • Disclosure of data to new categories of third parties
  • International data transfers
  • Data retention periods
  • Significant security measures
  • Process for exercising privacy rights

12.3 User Responsibility

While we strive to notify all significant changes, we recommend that you review this privacy policy periodically to stay informed about how we protect your information. Continued use of our services after the posting of changes will constitute your acknowledgment and, when required by law, your consent to such changes.

13. Specific AI Processing

As an agency specializing in developing and automating workflows using AI, we place special importance on transparency about how we use artificial intelligence in our operations and services.

13.1 Use of Data for AI Systems

Our AI development is proprietary and based on the following fundamental principles:

  • Specific data for training: Our AI systems are primarily fed by:
    • Synthetic data generated specifically for training
    • Properly licensed and anonymized public datasets
    • Domain-specific knowledge provided by experts
    • Technical configuration indications and parameters
  • Customer data consent: We do not use personal or business data from customers to train our AI systems without:
    • Explicit and specific consent
    • Complete and irreversible anonymization
    • Clearly defined and limited purpose
    • Direct benefit to the customer in question
  • Training data lifecycle:
    • We have a specific retention policy for training data
    • We implement periodic review processes to eliminate biases
    • We establish quality controls for training data
    • We maintain detailed records of the data sources used
  • Responsible continuous improvement:
    • We conduct ethical assessments before implementing new capabilities
    • We monitor performance to detect unexpected results
    • We implement feedback mechanisms for users
    • We document methodologies and known limitations

13.2 Automated Profiling and Automated Decision-Making

We perform automated profiling to improve our services and provide personalized recommendations. This may include:

  • Types of profiling implemented:
    • Usage pattern analysis for workflow optimization
    • Data categorization for efficient processing
    • Segmentation for service personalization
    • Anomaly detection for security and preventive maintenance
  • Limits and safeguards:
    • We do not make significant decisions based solely on automated processing without human intervention
    • We implement a "human-in-the-loop" principle for all important decisions
    • We provide clear explanations about the logic used in profiling
    • We offer options to request human review of automated decisions
  • Technical and organizational measures:
    • Periodic algorithmic audits to detect and correct biases
    • Cross-validation tests to ensure accuracy and fairness
    • Specific quality controls for profiling systems
    • Complete documentation of models and parameters used
  • Transparency and control:
    • We inform users when they are subject to automated profiling
    • We provide opt-out options when technically feasible
    • We offer intuitive interfaces to manage personalization preferences
    • We facilitate understanding of how profiling affects the user experience

13.3 Ethics in AI and Automation

We are committed to the highest ethical standards in the development and use of AI technologies:

  • Fundamental principles:
    • Transparency in all AI applications
    • Responsibility for the results of automated systems
    • Fairness and non-discrimination in implementation
    • Privacy by design in all solutions
  • AI governance:
    • Internal ethics committee that reviews new developments
    • Impact assessments for critical applications
    • Specific policies for high-risk use cases
    • Independent review of systems in production
  • Training and awareness:
    • Continuous training for developers in AI ethics
    • Educational resources for clients on system limitations
    • Clear guidelines on appropriate use cases
    • Feedback mechanisms to report ethical issues

As technology evolves, we continuously review and update our practices to maintain a responsible and human-centered approach to AI and automation.

14. Data Processors

14.1 Policy on Data Processors

Currently, we do not use data processors that can access your personal data. We prefer to keep all data processing operations under our direct control to ensure maximum protection and compliance.

However, we recognize that in the future we might need to rely on specialized providers for certain aspects of data processing. In such a case, we commit to:

  • Rigorous selection: We will implement a thorough evaluation and selection process, considering:
    • Technical and organizational measures implemented by the processor
    • Compliance history and incident response
    • Relevant security and privacy certifications
    • Ability to comply with our standards and legal requirements
  • Robust contractual agreements: We will establish binding agreements that include:
    • Specific data protection clauses
    • Strict limitations on use, retention, and disclosure
    • Confidentiality obligations for the processor's personnel
    • Right to audit and verify compliance
  • Total transparency: If we incorporate processors:
    • We will update this privacy policy with a complete list
    • We will notify affected customers at least 30 days in advance
    • We will provide information about the nature of the delegated processing
    • We will offer options to object when legally possible
  • Continuous supervision:
    • We will conduct periodic assessments of processors
    • We will require regular reports on security measures
    • We will implement alert mechanisms for potential incidents
    • We will conduct random audits to verify compliance

14.2 Auxiliary Service Providers

Although we do not use processors for primary data processing, we work with various auxiliary service providers that may have limited or incidental access to certain data in the course of their functions:

  • Infrastructure providers:
    • Google Cloud Platform (cloud infrastructure)
    • Docker (container technology)
    • DNS and CDN services
  • Operational tools:
    • Monitoring and logging services
    • Technical support platforms
    • Security and antivirus solutions

These providers do not process personal data as part of their primary function, but rather provide the technical infrastructure necessary for our operations. In all cases, we implement the necessary measures to minimize access to personal data and ensure that these providers comply with our security and privacy standards.

15. Contact and Data Protection Officer

15.1 General Contact Information

If you have any questions about this privacy policy or our privacy practices, please contact us at:

  • Email: info@nuviolab.com
  • Postal address: Dubai, Meydan Free Zone (MFZ)
  • Web form: Available in the "Contact" section of our website

15.2 Data Protection Officer

For specific queries related to data protection or to exercise your privacy rights, you can contact our Data Protection Officer directly:

  • Email: privacy@nuviolab.com
  • Postal address: Dubai, Meydan Free Zone (MFZ) (Attn: Data Protection Officer)
  • Availability: Monday to Friday, 9:00 AM - 5:00 PM (GMT+4)

The Data Protection Officer is responsible for overseeing compliance with data protection regulations, providing advice on data protection obligations, and serving as a point of contact for queries related to the processing of personal data.

16. Complaints and Dispute Resolution

16.1 Internal Complaint Process

If you have any concerns or complaints about how we handle your personal data, we are committed to addressing them in a timely and fair manner:

  • Initial submission: Send your complaint in writing to privacy@nuviolab.com, including:
    • Detailed description of the complaint
    • Relevant information about when and how the issue occurred
    • Your contact details
    • Your preferred outcome
  • Acknowledgment: We will acknowledge receipt of your complaint within 3 business days.
  • Internal investigation: We will thoroughly and impartially investigate your complaint.
  • Resolution: We will strive to resolve your complaint within 15 business days, providing you with:
    • A clear explanation of our position
    • The actions we will take to rectify any issues
    • Compensation, if applicable
  • Internal escalation: If you are not satisfied with the initial response, you can request that your complaint be reviewed by our Privacy and Compliance Committee, which will provide a final response within an additional 10 business days.

16.2 Supervisory Authorities

If you are not satisfied with our response to a privacy complaint or believe that our processing of your personal data does not comply with data protection laws, you have the right to lodge a complaint with the relevant data protection authority, which may include:

In the United Arab Emirates:

  • UAE Data Protection Commissioner's Office
  • Dubai Data Regulatory Authority

In the European Union:

  • The supervisory authority of the EU member state where you habitually reside, work, or where the alleged infringement occurred.

In the United States:

  • California Attorney General (for California residents)
  • Federal Trade Commission (FTC)

16.3 Alternative Dispute Resolution Methods

In addition to formal complaint procedures, we offer alternative dispute resolution options:

  • Voluntary mediation: We collaborate with independent mediation services to resolve disputes amicably when both parties agree.
  • Arbitration: In some circumstances, and when permitted by applicable law, we may offer an arbitration process to resolve disputes that have not been resolved by other means.

We are committed to the fair and transparent resolution of all complaints related to data privacy, and we value these mechanisms as opportunities to improve our data protection practices.