Last updated: February 2026
This Privacy Policy describes how Nova ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Nova app and related services (the "Service").
We are committed to protecting your privacy in accordance with:
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, password (encrypted) | Create and manage your account |
| Profile Information | Profile photo, bio, municipality, gender | Personalize service and trainer matching |
| Training Goals | Goals (strength, weight loss, etc.), experience level | Recommend suitable trainers and programs |
| Communications | Messages, images, audio files in chat | Enable communication with trainer |
| Category | Examples | Legal Basis |
|---|---|---|
| Training Data | Exercises, weight, repetitions, duration | Consent (GDPR Art. 9(2)(a)) |
| Body Measurements | Weight, height, body measurements | Consent (GDPR Art. 9(2)(a)) |
| Progress Photos | Photos to track physical changes | Consent (GDPR Art. 9(2)(a)) |
We do NOT collect: GPS location, contact lists, call logs, or other data from your device without explicit consent.
We process your personal data based on the following legal grounds (GDPR Article 6):
| Basis | Application |
|---|---|
| Contract (Art. 6(1)(b)) | Deliver the service you registered for |
| Consent (Art. 6(1)(a)) | Health data, marketing, progress photos |
| Legitimate Interest (Art. 6(1)(f)) | Improve service, prevent fraud, security |
| Legal Obligation (Art. 6(1)(c)) | Retention per accounting and tax laws |
When you connect with a personal trainer, the following is shared:
Progress photos are NOT shared with trainers unless you explicitly choose this.
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase | Authentication, database, storage | EU (eur3) |
| Google Cloud Platform | Hosting and infrastructure | EU |
| Stripe/RevenueCat | Payment processing | EU/USA (SCC) |
All data processors are bound by Data Processing Agreements (DPA) per GDPR Article 28.
Nova does not sell, rent, or trade your personal data to third parties for marketing purposes.
All personal data is stored on servers within the EU/EEA (Google Cloud, region eur3). For transfers outside EU/EEA, we use EU Commission Standard Contractual Clauses (SCC).
| Data Type | Retention Period |
|---|---|
| Account Information | Until account deletion + 30 days |
| Training History | Until account deletion |
| Chat Messages | Until you or the other party deletes the chat |
| Progress Photos | Until you delete them |
| Payment Information | 5 years after last transaction (accounting law) |
Under GDPR, you have the following rights:
You have the right to obtain confirmation of whether we process your personal data, and if so, access to the data.
You can request correction of inaccurate information about you.
You can request deletion of your personal data ("right to be forgotten").
You can request restriction of processing of your data.
You can request your data in a structured, machine-readable format.
You can object to processing based on legitimate interest.
You can withdraw consent at any time.
We respond to all requests within 30 days.
Nova is not intended for persons under 13 years of age. We do not knowingly collect personal data from children under 13. If you are between 13 and 16 years old, you need parental consent to use the Service.
The Nova app does not use cookies. Our web application only uses necessary technical cookies for authentication and security.
We may update this Privacy Policy from time to time. For material changes, we will notify you via email or in the app at least 30 days before the changes take effect.
If you believe we are processing your personal data in violation of regulations, you can file a complaint with the Norwegian Data Protection Authority:
For questions about this Privacy Policy or our processing of your personal data:
© 2026 Nova Fitness. All rights reserved.