Privacy Notice
Last updated: 2025-11-16
1. Introduction
This Privacy Notice explains how DWEET LTD ("we," "us," or "our") processes personal data in connection with Nova, our AI-powered hiring platform. Nova is a software-as-a-service product owned and operated by DWEET LTD. This notice applies to all users of Nova and individuals whose data is processed through our platform.
Data Controller:
DWEET LTD
Company Number: 12281293
Registered Office: Aston House, Cornwall Avenue, London, England, N3 1LF
Email: nova@dweet.com
Data Protection Contact: andreas@dweet.com
2. Data Controller vs. Data Processor Roles
Nova operates in different capacities depending on the type of data:
2.1 When We Act as Data Processor
For Candidate Data (job applicant information), we act as a data processor on behalf of our customers (the data controllers). This includes:
- Resume/CV content and personal information
- Application data from ATS integrations
- AI-generated candidate assessments and scores
- Interview questions and evaluation data
2.2 When We Act as Data Controller
For Account and Platform Data, we act as the data controller:
- Customer account information and billing data
- Platform usage analytics and performance metrics
- Support communications and feedback
- Security logs and audit trails
3. Legal Basis for Processing
We process personal data under the following legal bases:
3.1 Contract Performance (Article 6(1)(b) GDPR)
- Providing Nova's AI-powered hiring services
- Processing candidate evaluations and scores
- Generating interview questions and assessments
- Managing customer accounts and billing
3.2 Legitimate Interests (Article 6(1)(f) GDPR)
- Platform improvement and analytics: Usage data (including logs and telemetry, which may include limited identifiers) to enhance Nova's functionality, using aggregation or pseudonymisation where feasible.
- Security and fraud prevention: Monitoring for unauthorized access and abuse
- Customer support: Resolving technical issues and providing assistance
- Legal compliance: Meeting audit and regulatory requirements
3.3 Legal Obligation (Article 6(1)(c) GDPR)
- Retaining audit logs for regulatory compliance
- Responding to lawful requests from competent authorities
- Meeting tax and financial record-keeping requirements
4. Categories of Personal Data
4.1 Candidate and Job Data (Processed on Behalf of Customers)
- Professional Information: Employment history, education, skills, qualifications
- Assessment Data: Nova-generated scores, interview questions, evaluation notes
- Application Content: Resumes, cover letters, portfolio materials
- Job Data: Job descriptions, requirements, and other job-related information
4.2 Customer Account Data (Processed as Controller)
- Account Information: Company name, user names, email addresses, roles
- Billing Information: Payment details, subscription plans, usage records
- Support Data: Communications, technical support requests, feedback
4.3 Platform Usage Data (Processed as Controller)
- Analytics Data: Feature usage, performance metrics, and error logs, which may include limited identifiers and, where reasonably necessary, portions of application content (for example ATS request and response payloads), and are aggregated or pseudonymised where feasible.
- Security Data: Authentication logs, access patterns, security events
- Audit Data: System logs, compliance records, operational metrics
5. Data Sources
We collect personal data from:
- Direct provision: Information you provide when using Nova
- ATS integrations: Data synchronized from your applicant tracking system
- Automated collection: Technical information about your use of Nova
- Third parties: Sub-processors and service providers (see Section 9)
6. How We Use Personal Data
6.1 Candidate Data Processing (As Processor)
- Analyzing resumes and application materials using AI
- Generating candidate scores and rankings
- Creating personalized interview questions and guidance
- Enabling talent rediscovery and candidate search
- Providing analytics on candidate quality and pipeline metrics
6.2 Account and Platform Data Processing (As Controller)
- Service Delivery: Account management, authentication, billing
- Platform Operation: Performance monitoring, error detection, optimization
- Customer Support: Responding to inquiries and resolving issues
- Security: Detecting and preventing unauthorized access
- Compliance: Meeting legal and regulatory obligations
7. Data Retention
7.1 Candidate Data
- Active processing: We process candidate data for as long as our customer has an active Nova subscription and uses the platform in line with the applicable agreement.
- Post termination: When a customer terminates their agreement, we provide a default 30-day window for data export, after which production copies of customer data are deleted within 60 days, unless longer retention is required by law or agreed in the customer settings. Backups are overwritten on their normal rotation schedule.
- Anonymised and aggregated data: We may retain de-identified or aggregated data created from candidate data for analytics, benchmarking and platform improvement, including after your account is closed, as described in our Data Processing Agreement and AI Terms. We do not attempt to re-identify this data.
7.2 Account Data
- Billing records: Retained for up to 10 years to meet tax, accounting and legal requirements.
- Account information: Retained for the duration of the customer relationship and up to 30 days after closure, unless longer retention is required by law or reasonably needed to resolve disputes or enforce our agreements.
8. International Transfers and Sub-Processors
We use third-party service providers ("sub-processors") to host and operate Nova, provide support, and deliver certain features, including AI-based functionality.
- Transfers outside the UK/EEA: Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or adequacy decisions.
- Sub-processors: Our current sub-processors and their roles, locations and transfer safeguards are listed on our Sub-Processors and International Data Transfers page.
- More detail: Our Data Processing Agreement describes our use of sub-processors and international transfer mechanisms in more detail.
9. Your Rights Under GDPR
9.1 Data Subject Rights
You have the following rights regarding your personal data:
- Access (Article 15): Request copies of your personal data
- Rectification (Article 16): Correct inaccurate or incomplete data
- Erasure (Article 17): Request deletion in certain circumstances
- Restriction (Article 18): Limit processing in certain situations
- Portability (Article 20): Receive your data in a structured format
- Objection (Article 21): Object to processing based on legitimate interests
9.2 How to Exercise Your Rights
To exercise your rights:
- Email: privacy@dweet.com (Data Protection Contact)
- Subject line: "Data Subject Request - [Type of Request]"
- Include: Full name, email address, specific request details
- Verification: We may request identity verification
9.3 Response Times
- Standard requests: 30 days maximum
- Complex requests: May be extended by 60 days with notification
- Urgent requests: Prioritized based on circumstances
9.4 Candidate Data Rights
For candidate data processed on behalf of our customers:
- Primary contact: The hiring organization (data controller)
- Our assistance: We will cooperate with customer responses
- Direct contact: Available if customer is unresponsive
10. Cookies and Analytics
10.1 Cookie Usage
Nova uses cookies and similar technologies for:
- Essential functionality: Authentication, session management, security
- Analytics: Platform usage analysis (PostHog - first-party only)
- Performance monitoring: Error tracking and system optimization (Datadog and Sentry)
10.2 Cookie Controls
- Consent banner: Displayed for non-essential cookies
- Opt-out options: Available through browser settings
- Cookie policy: Detailed information in our Cookie Policy
10.3 Analytics and Telemetry
We use first-party analytics and operational telemetry (including logs) to understand how Nova is used, improve performance and reliability, and support customers.
- No advertising cookies: We do not use third-party advertising or cross-site tracking cookies in Nova.
- Content and identifiers in telemetry: Analytics and telemetry may include limited identifiers (for example user IDs or business contact details) and, where reasonably necessary for support, security, or product improvement, portions of application content such as ATS request and response payloads.
- More detail: Our use of analytics and logs is described in more detail in our Data Processing Agreement and on our Sub-Processors and International Data Transfers page.
11. Security Measures
11.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS 1.2 or higher, targeting TLS 1.3) and at rest (AES-256)
- Access controls: Role-based access with multi-factor authentication
- Network security: Firewalls, intrusion detection, monitoring
- Secure development: Regular security testing and code reviews
11.2 Organizational Measures
- ISO 27001 alignment: Security management framework
- Staff training: Regular data protection and security training
- Confidentiality agreements: All personnel bound by confidentiality
- Incident response: Documented procedures for security breaches
11.3 Data Breach Response
If we become aware of a personal data breach affecting customer data, we will notify affected customers and, where required, relevant supervisory authorities in line with applicable law and our Data Processing Agreement. We will take appropriate steps to investigate, contain, and remediate the incident and will provide updates as more information becomes available.
12. Automated Decision Making and AI Features
Nova includes AI-based features that help analyse recruitment data, generate scores and summaries, and suggest interview questions or similar decision-support outputs.
- Decision support: AI features are designed to support human decision making, not to replace it. Customers remain responsible for reviewing AI outputs and deciding how to use them, especially where decisions may have legal or similarly significant effects for individuals.
- Data use and training: We do not use identifiable customer personal data itself to train general models. We may create and use de-identified or aggregated data to operate, secure and improve Nova, including to train and evaluate models, as described in our Data Processing Agreement and AI Terms.
- More detail: Our AI Terms explain how AI features work, how customer data is used with third-party AI providers, and the responsibilities that apply when you enable these features.
13. Children's Privacy
Nova is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data promptly.
14. Third-Party Links and Services
Nova may contain links to third-party websites or integrate with external services (such as ATS platforms). This Privacy Notice does not apply to third-party services. Please review their privacy policies separately.
15. Changes to This Privacy Notice
15.1 Update Process
We may update this Privacy Notice to reflect:
- Changes in applicable law
- New features or services
- Improvements to our privacy practices
15.2 Notification
Material changes will be communicated through:
- Email notification: To registered users
- Platform notification: Prominent notice in Nova dashboard
- Website posting: Updated notice with effective date
- 30-day notice period: For significant changes affecting your rights
16. Contact Information and Complaints
16.1 Data Protection Contact
Andreas Asprou
Email: andreas@dweet.com
16.2 General Inquiries
Email: privacy@dweet.com
Subject: Privacy Inquiry
16.3 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority:
UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
EU: Your local data protection authority
List available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en