1. Who We Are
2. Data We Collect
2.1 Data You Provide Directly
When you create an account, we collect your name, email address, and profile image from your OAuth provider for authentication purposes. As you use the platform, we collect the data you enter — including accomplishment descriptions, self-assessment responses, skill and trait ratings, goals, and values — to power growth tracking and AI-generated insights. If you participate in collaborative features such as Growth Syncs or 1:1 Syncs, we collect the peer feedback ratings, conversation signals, and commitments you contribute for perception calibration and coaching.
2.2 Data We Collect From Authentication Providers
When you sign in through a supported OAuth provider, we receive your name, email address, and profile image. We do not request or receive access to any other data from the provider (e.g., contacts, calendars, repositories, or files). The list of supported authentication providers is displayed on the login page and may change over time.
2.3 Data Generated by the Platform
As you use UpNova, the platform generates derived data to power your growth insights. This includes AI-generated content (such as accomplishment drafts, growth narratives, and coaching insights), deterministic calculations (such as perception gaps and readiness snapshots), and profiling outputs (such as AI fluency assessments). All generated data is derived from your inputs and activity on the platform — we do not incorporate external data sources. The specific features that generate data will evolve over time as the platform grows.
2.4 Technical Data
We collect standard technical data necessary for operating the service: IP address, browser type, device type, access timestamps, and error logs. We do not use this data for profiling or advertising.
3. How We Use Your Data
We process your data for the following purposes, each with its legal basis under the DPDPA:
Providing the UpNova service (legal basis: performance of contract) — this includes storing your growth data, generating your capability portrait, producing reports, and enabling all core platform features.
AI-powered insight generation (legal basis: performance of contract) — when you use an AI-powered feature, we process the relevant data through our AI provider to generate the requested output. AI is used only at inference time, scoped to the specific action you triggered, and your data is not retained by the AI provider.
Peer feedback and calibration (legal basis: explicit consent at the point of participation) — when you participate in collaborative features such as Growth Syncs or 1:1 Syncs, your contributions are processed as described in the feature's consent flow.
Team-level analytics (legal basis: legitimate use for organizational development) — we aggregate individual data into team-level insights for team leads and organization administrators. Team leads can see coaching context for their direct reports (such as peer feedback and perception gaps) but cannot see personal growth data (such as self-reads, accomplishments, or goals). Organization administrators can see team-level aggregates only.
Service improvement and debugging (legal basis: legitimate use) — we use technical data and anonymized usage patterns to maintain and improve the platform.
Email communications (legal basis: performance of contract) — we use your email address and name to send invitations, reports, and service notifications.
The specific features and data processing activities will evolve as the platform grows. The purposes and legal bases above are durable — new features will fall under one of these categories.
3.1 What We Do NOT Do With Your Data
We do not sell your data to any third party.
We do not use your data for advertising or ad targeting.
We do not use your identifiable personal data to train AI/ML models. AI processing occurs at inference time on your data only when you use a feature that requires it. If we introduce model training in the future, it will only use anonymized, aggregated data, and we will update this policy with at least 30 days' notice before any such change.
We do not share your personal growth data (self-reads, accomplishments, goals, values, journal entries) with your organization administrator or team lead.
4. Data Sharing
4.1 Within Your Organization
Your personal growth data (Tier 1) is never shared with organizational roles. Shared growth data (Tier 2) — such as peer feedback and team snapshots — is accessible to team leads and administrators as described in Section 3 above.
4.2 Third-Party Service Providers
We use third-party providers for AI processing, cloud hosting, and email delivery. These providers receive only the data necessary for their specific function, and all are bound by data processing agreements. The specific providers we use may change over time; our privacy commitments apply regardless of which providers are used.
4.3 Legal Requirements
We may disclose your data if required by law, court order, or governmental authority. We will notify you of such requests where legally permitted.
5. Data Retention
We retain your data for as long as your account is active. When you request account deletion, we permanently remove your personal data from production systems within 30 days and from backups within 90 days. Technical logs are retained only as long as needed for service operation and debugging, and are periodically purged.
6. Your Rights (Data Principal Rights under DPDPA)
As a Data Principal under the DPDPA, you have the right to access, correct, and erase your personal data, to inquire about who has processed it, to withdraw consent for specific processing activities, and to nominate a person to exercise these rights on your behalf. You can correct most data directly within the platform. For all other requests — including data access, erasure (see ToS §8), consent withdrawal, nominations, or grievances — contact admin@upnova.ai. We will respond within 30 days. If we cannot fulfill a request, we will explain why and inform you of your right to escalate to the Data Protection Board of India.
7. Data Security
We implement security measures appropriate to the sensitivity of the data we process, including encryption of data in transit and at rest, role-based access controls, OAuth-only authentication (no passwords stored), and automated backups. In the event of a data breach affecting your personal data, we will notify you and the Data Protection Board of India as required by the DPDPA.
8. Cookies & Tracking
UpNova uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that track you across websites.
9. Children
UpNova is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has created an account, contact admin@upnova.ai.
10. International Data Transfers
Your data is stored on cloud infrastructure hosted in data centers operated by established providers. If you access UpNova from outside India, your data is transferred to and processed in the region where our infrastructure operates. We ensure that any international transfer of personal data complies with applicable data protection laws, including the DPDPA's provisions on cross-border data transfer.
11. Changes to This Policy
We may update this policy from time to time. The "Last Updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically. Your continued use of UpNova after any changes constitutes acceptance of the updated policy.
12. Contact & Grievance Officer
Data Protection / Privacy queries: admin@upnova.ai
Grievance Officer: Praveen Selvam
Email: admin@upnova.ai
Response time: Within 30 days of receipt