Privacy Notice

Privacy Notice and Data Protection information for Nova

1. Introduction

This Privacy Notice explains how DWEET LTD ("we," "us," or "our") processes personal data in connection with Nova, our AI-powered hiring platform. This notice applies to all users of Nova and individuals whose data is processed through our platform.

Data Controller:
DWEET LTD
Company Number: 12281293
Registered Office: Aston House, Cornwall Avenue, London, England, N3 1LF
Email: nova@dweet.com
Data Protection Officer: andreas@dweet.com

2. Data Controller vs. Data Processor Roles

Nova operates in different capacities depending on the type of data:

2.1 When We Act as Data Processor

For Candidate Data (job applicant information), we act as a data processor on behalf of our customers (the data controllers). This includes:

  • Resume/CV content and personal information
  • Application data from ATS integrations
  • AI-generated candidate assessments and scores
  • Interview questions and evaluation data

2.2 When We Act as Data Controller

For Account and Platform Data, we act as the data controller:

  • Customer account information and billing data
  • Platform usage analytics and performance metrics
  • Support communications and feedback
  • Security logs and audit trails

We process personal data under the following legal bases:

3.1 Contract Performance (Article 6(1)(b) GDPR)

  • Providing Nova's AI-powered hiring services
  • Processing candidate evaluations and scores
  • Generating interview questions and assessments
  • Managing customer accounts and billing

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

  • Platform improvement and analytics: Anonymized usage data to enhance Nova's functionality
  • Security and fraud prevention: Monitoring for unauthorized access and abuse
  • Customer support: Resolving technical issues and providing assistance
  • Legal compliance: Meeting audit and regulatory requirements

3.3 Legal Obligation (Article 6(1)(c) GDPR)

  • Retaining audit logs for regulatory compliance
  • Responding to lawful requests from competent authorities
  • Meeting tax and financial record-keeping requirements

4. Categories of Personal Data

4.1 Candidate and Job Data (Processed on Behalf of Customers)

  • Professional Information: Employment history, education, skills, qualifications
  • Assessment Data: Nova-generated scores, interview questions, evaluation notes
  • Application Content: Resumes, cover letters, portfolio materials
  • Job Data: Job descriptions, requirements, and other job-related information

4.2 Customer Account Data (Processed as Controller)

  • Account Information: Company name, user names, email addresses, roles
  • Billing Information: Payment details, subscription plans, usage records
  • Support Data: Communications, technical support requests, feedback

4.3 Platform Usage Data (Processed as Controller)

  • Analytics Data: Feature usage, performance metrics, error logs (anonymized)
  • Security Data: Authentication logs, access patterns, security events
  • Audit Data: System logs, compliance records, operational metrics

5. Data Sources

We collect personal data from:

  • Direct provision: Information you provide when using Nova
  • ATS integrations: Data synchronized from your applicant tracking system
  • Automated collection: Technical information about your use of Nova
  • Third parties: Sub-processors and service providers (see Section 9)

6. How We Use Personal Data

6.1 Candidate Data Processing (As Processor)

  • Analyzing resumes and application materials using AI
  • Generating candidate scores and rankings
  • Creating personalized interview questions and guidance
  • Enabling talent rediscovery and candidate search
  • Providing analytics on candidate quality and pipeline metrics

6.2 Account and Platform Data Processing (As Controller)

  • Service Delivery: Account management, authentication, billing
  • Platform Operation: Performance monitoring, error detection, optimization
  • Customer Support: Responding to inquiries and resolving issues
  • Security: Detecting and preventing unauthorized access
  • Compliance: Meeting legal and regulatory obligations

7. Data Retention

7.1 Candidate Data

  • Active processing: Duration of customer contract
  • Post-termination: 30 days for data export, then deletion
  • Exception: Anonymized data may be retained for platform improvement

7.2 Account Data

  • Billing records: 10 years (tax and accounting requirements)
  • Account information: Duration of relationship plus 30 days

8. International Data Transfers

8.1 Data Hosting and Processing

  • Primary hosting: AWS eu-west-2 (London, UK)
  • AI processing: May involve transfers to OpenAI and Google Gemini (see Sub-Processors), which do not retain any data under our zero-data retention policy
  • Support services: Various global sub-processors with appropriate safeguards

8.2 Transfer Safeguards

For transfers outside the UK/EEA, we implement:

  • Standard Contractual Clauses (SCCs) for EEA transfers
  • UK International Data Transfer Addendum (IDTA) for UK transfers
  • Adequacy decisions where available
  • Additional safeguards including encryption and access controls

8.3 Sub-Processor Details

See our Sub-Processors page for a complete list of third parties that may process personal data, including transfer mechanisms and locations.

9. Your Rights Under GDPR

9.1 Data Subject Rights

You have the following rights regarding your personal data:

  • Access (Article 15): Request copies of your personal data
  • Rectification (Article 16): Correct inaccurate or incomplete data
  • Erasure (Article 17): Request deletion in certain circumstances
  • Restriction (Article 18): Limit processing in certain situations
  • Portability (Article 20): Receive your data in a structured format
  • Objection (Article 21): Object to processing based on legitimate interests

9.2 How to Exercise Your Rights

To exercise your rights:

  1. Email: andreas@dweet.com (Data Protection Officer)
  2. Subject line: "Data Subject Request - [Type of Request]"
  3. Include: Full name, email address, specific request details
  4. Verification: We may request identity verification

9.3 Response Times

  • Standard requests: 30 days maximum
  • Complex requests: May be extended by 60 days with notification
  • Urgent requests: Prioritized based on circumstances

9.4 Candidate Data Rights

For candidate data processed on behalf of our customers:

  • Primary contact: The hiring organization (data controller)
  • Our assistance: We will cooperate with customer responses
  • Direct contact: Available if customer is unresponsive

10. Cookies and Analytics

Nova uses cookies and similar technologies for:

  • Essential functionality: Authentication, session management, security
  • Analytics: Platform usage analysis (PostHog - first-party only)
  • Performance monitoring: Error tracking and system optimization (Datadog and Sentry)
  • Consent banner: Displayed for non-essential cookies
  • Opt-out options: Available through browser settings
  • Cookie policy: Detailed information in our Cookie Policy

10.3 Analytics Data

  • First-party analytics only: No third-party advertising or tracking
  • Anonymization: Personal identifiers removed from analytics data
  • Purpose limitation: Used solely for platform improvement

11. Security Measures

11.1 Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Role-based access with multi-factor authentication
  • Network security: Firewalls, intrusion detection, monitoring
  • Secure development: Regular security testing and code reviews

11.2 Organizational Measures

  • ISO 27001 alignment: Security management framework
  • Staff training: Regular data protection and security training
  • Confidentiality agreements: All personnel bound by confidentiality
  • Incident response: Documented procedures for security breaches

11.3 Data Breach Response

In case of a data breach:

  • Customer notification: Within 48 hours of discovery
  • Supervisory authority notification: Within 72 hours (where required)
  • Data subject notification: If high risk to rights and freedoms
  • Investigation and remediation: Immediate containment and mitigation

12. Automated Decision Making

12.1 AI-Powered Processing

Nova uses automated processing to:

  • Generate candidate scores and rankings
  • Create personalized interview questions
  • Identify relevant past candidates for new roles

12.2 Human Oversight

  • No fully automated decisions: All AI outputs require human review
  • Override capabilities: Users can modify or reject AI recommendations
  • Transparency: Clear explanations provided for all AI assessments
  • Human final authority: Hiring decisions always made by humans

12.3 Bias Mitigation

  • Regular audits: Quarterly bias testing across demographic groups
  • Transparent methodology: Resume citations and reasoning provided
  • Feedback systems: Continuous monitoring and improvement
  • Public reporting: Bias evaluation results available at https://nova.dweet.com/bias-evaluation

13. Children's Privacy

Nova is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data promptly.

Nova may contain links to third-party websites or integrate with external services (such as ATS platforms). This Privacy Notice does not apply to third-party services. Please review their privacy policies separately.

15. Changes to This Privacy Notice

15.1 Update Process

We may update this Privacy Notice to reflect:

  • Changes in applicable law
  • New features or services
  • Improvements to our privacy practices

15.2 Notification

Material changes will be communicated through:

  • Email notification: To registered users
  • Platform notification: Prominent notice in Nova dashboard
  • Website posting: Updated notice with effective date
  • 30-day notice period: For significant changes affecting your rights

16. Contact Information and Complaints

16.1 Data Protection Officer

Andreas Asprou
Email: andreas@dweet.com

16.2 General Inquiries

Email: nova@dweet.com
Subject: Privacy Inquiry

16.3 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority:

UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113

EU: Your local data protection authority
List available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en


This Privacy Notice is available in multiple languages. In case of conflicts between translations, the English version shall prevail.

© 2025 DWEET LTD. All rights reserved.