Introduction
Last updated: 5 July 2026
This Privacy Policy explains how NUVI SOFTWARE LIMITED ("Nuvi", "we", "us"), the operator of the Nuvi e-commerce platform available at usenuvi.com, collects, uses, shares and protects personal data.
Nuvi is a multi-tenant e-commerce platform: merchants ("Merchants") create and operate online stores on Nuvi (on a *.usenuvi.com subdomain or on their own custom domain), and their customers ("Store Customers") shop on those stores. This policy covers both relationships, but our role is different in each — see Section 2.
If you have any questions, contact us at [email protected] or by post at the registered office address in Section 1.
---
1. Who we are
• Platform operator: NUVI SOFTWARE LIMITED, a company registered in England and Wales under company number 16475792.
• Registered office: 124-128 City Road, London, England, EC1V 2NX, United Kingdom.
• Contact: [email protected]
• Applicable law: Nuvi is established in the United Kingdom and processes personal data primarily under the UK GDPR and the Data Protection Act 2018. Where we offer services to, or monitor, individuals in the European Union / European Economic Area, the EU GDPR also applies. Because the platform serves Merchants in Türkiye and their customers, we additionally honour the Turkish Personal Data Protection Law No. 6698 ("KVKK") for users in Türkiye — see Section 12.3.
2. Our two data roles: controller and processor
Understanding this policy requires understanding two distinct roles:
2.1 Nuvi as data controller (Merchant platform accounts)
For the personal data of Merchants — the people who sign up for Nuvi, run stores, connect integrations and pay subscription fees — Nuvi is the data controller. We decide why and how this data is processed, and this Privacy Policy applies to it directly.
2.2 Nuvi as data processor (Store Customer data)
For the personal data of Store Customers — the shoppers who place orders, create accounts or subscribe to newsletters on a Merchant's store — the Merchant is the data controller and Nuvi acts only as a data processor on the Merchant's behalf and instructions. This includes order data, Store Customer names, delivery addresses, email addresses, phone numbers and purchase history held in the Merchant's store.
If you are a Store Customer and wish to exercise your privacy rights over data held in a Nuvi-powered store, please contact the Merchant operating that store first. Each Merchant is required by our Terms of Service to publish their own privacy policy. We will assist Merchants in responding to such requests, and if you contact us directly we will forward your request to the relevant Merchant where we are able to identify them.
3.1 Merchant account data (Nuvi as controller)
• Identity and contact data: name, email address, password (stored hashed), store name, subdomain, custom domain(s), billing details.
• Billing and subscription data: plan, invoices, payment status. Card payments for Nuvi subscriptions are handled by our payment processors (Section 7); full card numbers never touch Nuvi's servers.
• Usage and technical data: admin panel activity logs, IP-derived security signals for login protection, support correspondence.
• Connected-service data: data received from third-party services the Merchant chooses to connect (Sections 5 and 6).
3.2 Store Customer data (Nuvi as processor, on the Merchant's behalf)
• Order and cart contents, prices, delivery and billing addresses.
• Store account credentials (hashed), email addresses, phone numbers.
• Transactional email content and delivery status.
• Newsletter/marketing consents captured by the Merchant's store.
We process this data solely to provide the platform service to the Merchant and never use it for our own marketing or sell it to anyone.
3.3 Storefront analytics (privacy-preserving, first-party)
Nuvi storefronts include a first-party analytics system operated by Nuvi for the Merchant. It is designed to be privacy-preserving:
• No raw IP addresses are stored. Visitors are counted using a short-lived, salted hash so that no persistent cross-site identifier exists.
• No analytics data is shared with advertising networks by default.
Third-party marketing tools (Meta Pixel, GA4) run on a storefront only if the Merchant enables them, and only fire after the visitor gives marketing consent through the storefront cookie banner (Section 6 and the Cookie Policy).
4. Purposes and legal bases
We process Merchant personal data for the following purposes, on the following legal bases (Art. 6(1) UK GDPR / EU GDPR; the corresponding KVKK Art. 5 bases apply for users in Türkiye):
Purpose — Legal basis (UK/EU GDPR) — KVKK basis (users in Türkiye)
Creating and operating your Nuvi account and stores — Art. 6(1)(b) — contract — Art. 5(2)(c) — necessary for the performance of a contract
Billing, invoicing, tax and accounting records — Art. 6(1)(c) — legal obligation — Art. 5(2)(a)/(ç) — required by law / legal obligation
Operating integrations you connect (Google, Meta, payment providers) — Art. 6(1)(b) — contract — Art. 5(2)(c) — contract
Platform security, fraud and abuse prevention, service diagnostics — Art. 6(1)(f) — legitimate interests — Art. 5(2)(f) — legitimate interests, provided your fundamental rights are not harmed
Product announcements and service communications — Art. 6(1)(b)/(f) — Art. 5(2)(c)/(f)
Marketing communications (where required) — Art. 6(1)(a) — consent — Art. 5(1) — explicit consent
Store Customer data is processed on the Merchant's instructions under a data processing relationship (Art. 28 UK/EU GDPR; KVKK data-processor obligations); the Merchant is responsible for establishing the legal basis toward their customers.
5. Google API Services — Limited Use
Merchants may connect their own Google account to Nuvi to power marketing and SEO dashboards. When you do, Nuvi requests access via Google OAuth to some or all of the following, depending on the features you enable:
• Google Analytics 4 (read-only): traffic and conversion reports for your store dashboards.
• Google Search Console (read-only): search performance and indexing status.
• YouTube (read-only): channel and video statistics.
• Google Ads (read and manage): campaign metrics and, where you use the feature, campaign management actions you initiate.
• Google Indexing API: submitting your store's URLs for indexing when you request it.
• Google Merchant Center (content): managing your product feed on your behalf.
How we handle Google user data:
• You authorize access through Google's own consent screen; Nuvi never sees your Google password.
• Nuvi stores the resulting OAuth refresh tokens encrypted at rest on our servers.
• Data retrieved from Google APIs is used only to display dashboards, reports and features to you (the connecting Merchant) and to perform the actions you explicitly request (e.g. submitting a URL for indexing, publishing a product feed).
• Retrieved data is cached for a maximum of 30 days for dashboard performance, then deleted or refreshed.
• We do not use Google user data for advertising purposes of our own, do not sell it, and do not allow humans to read it except with your consent, where necessary for security/abuse investigation, or where required by law.
• You can disconnect Google at any time in your Nuvi admin (Marketing → Accounts); disconnection revokes and deletes the stored tokens and purges cached data. You can also revoke Nuvi's access from your Google Account at https://myaccount.google.com/permissions.
Limited Use disclosure: Nuvi's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.
6.1 Connected Meta accounts
Merchants may connect their own Facebook account to Nuvi via Meta's OAuth flow to:
• publish content to their Facebook Pages (posts the Merchant composes in Nuvi);
• read and manage their ad account data (campaign metrics, spend, performance shown in Nuvi dashboards);
• Instagram publishing is planned and, when released, will operate under the same rules.
How we handle Meta data:
• Nuvi stores long-lived Meta access tokens encrypted server-side (Fernet symmetric encryption); tokens are never exposed to the browser or to other tenants.
• Data received from Meta (page metadata, ad metrics) is used only to display the Merchant's own dashboards and to publish content the Merchant explicitly composes and schedules. We do not use it for any other purpose and do not share it with third parties.
• You can disconnect at any time in Nuvi admin (Marketing → Accounts), which revokes and deletes the stored tokens, and/or remove the Nuvi app from your Facebook settings (see our Data Deletion Instructions (./data-deletion-en.md)).
6.2 Meta Pixel and Conversions API (storefront)
A Merchant may enable a Meta Pixel on their own storefront. When enabled:
• Browser events (page views, add-to-cart, purchases) are sent from the visitor's browser to Meta.
• Server-side events may additionally be sent through the Meta Conversions API on the Merchant's behalf. Before sending, direct identifiers (email address, phone number) are hashed with SHA-256; events carry a deduplication ID so Meta does not double-count browser and server events.
• All pixel and Conversions API activity is gated by the storefront cookie-consent banner: no marketing events fire until the visitor grants marketing consent, and withdrawal of consent stops them.
For this processing the Merchant is the data controller (jointly with Meta, per Meta's terms); Nuvi acts as the Merchant's processor transmitting the events. Meta's own processing is described in the Meta Privacy Policy (https://www.facebook.com/privacy/policy/).
7. Payment processing
Nuvi supports the following payment methods, for both platform subscriptions and Merchant storefront checkouts (as configured by the Merchant):
• Stripe (Stripe, Inc. / Stripe Payments Europe Ltd.)
• PayTR (PayTR Ödeme ve Elektronik Para Kuruluşu A.Ş., Türkiye)
• Iyzico (iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş., Türkiye)
• Bank transfer / cash on delivery (COD) — handled directly between the Merchant and the Store Customer.
Card data never touches Nuvi's servers. Card numbers are entered into and processed by the payment provider's own secure, PCI-DSS-certified systems. Nuvi receives only transaction outcomes and references (amount, status, masked card metadata) needed to fulfil orders and reconcile payments. Each provider processes payment data under its own privacy policy.
8. Email services
• Transactional email (order confirmations, password resets, notifications) is delivered through Resend (Resend, Inc.). Resend processes recipient addresses and message content as our sub-processor.
• Mail hosting (optional add-on): Merchants may purchase mailboxes on their own domain, provisioned through OpenProvider (Hosting Concepts B.V., Netherlands). Mailbox contents are hosted by OpenProvider's mail infrastructure under its own terms; Nuvi manages provisioning only.
9. Hosting and security
• Hosting location: Nuvi's platform infrastructure is hosted with Hetzner Online GmbH in Germany (EU). Merchant and Store Customer data is stored on these EU-located servers.
• Encryption in transit: all traffic to Nuvi services and storefronts is encrypted with TLS.
• Encryption at rest for credentials: third-party OAuth tokens (Google refresh tokens, Meta long-lived tokens) are stored encrypted at rest; passwords are stored using strong one-way hashing.
• Tenant isolation: each Merchant's store runs in an isolated environment with its own database.
• Access control: production access is restricted, logged and limited to what is necessary to operate the service.
• No system is perfectly secure; if we become aware of a personal data breach we will notify affected parties and regulators as required by Arts. 33–34 UK/EU GDPR and, for users in Türkiye, KVKK Art. 12.
10. International data transfers
Our primary hosting is in Germany (EU); we are a UK-established company. Some sub-processors process data outside your country:
• UK ↔ EU: transfers between the UK and the EEA rely on the European Commission's adequacy decision for the UK and the UK's recognition of EEA adequacy.
• To the US: transfers of UK/EU personal data to providers in the United States (e.g. Google, Meta, Stripe, Resend) rely on the EU–US Data Privacy Framework and its UK Extension where the provider is certified, or otherwise on Standard Contractual Clauses / the UK International Data Transfer Addendum.
• Türkiye: data of Merchants and Store Customers in Türkiye is transferred to servers in the UK/EU and, for specific integrations, to the US. Such transfers are carried out in accordance with KVKK Art. 9 (explicit consent, adequacy decisions of the Turkish Personal Data Protection Board, or appropriate safeguards such as standard contracts/undertakings, as applicable).
11. Retention
Data — Retention
Merchant account data — For the life of the account; deleted or anonymized within 30 days of account deletion, except records we must keep by law
Billing/tax records — As required by applicable tax and company law (typically 6 years in the UK)
Store Customer data (processor role) — For as long as the Merchant's store exists and per the Merchant's instructions; deleted with the store
Google API data cached for dashboards — Maximum 30 days
Meta/Google OAuth tokens — Until you disconnect the integration or delete your account; then revoked and deleted
First-party analytics — Aggregated; no raw IPs stored at any time
Security logs — Up to 12 months
12.1 Under UK GDPR and EU GDPR
You have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time (without affecting prior processing).
12.2 Complaints
You may lodge a complaint with:
• the Information Commissioner's Office (ICO) in the United Kingdom — https://ico.org.uk;
• your local EU/EEA supervisory authority, if you are in the EU/EEA;
• the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu), if you are in Türkiye.
12.3 Additional rights for users in Türkiye (KVKK Art. 11)
If you are in Türkiye, you additionally have the right to ask us:
a) whether your personal data is processed; b) for information about such processing; c) the purpose of processing and whether data is used in line with that purpose; d) the third parties, in Türkiye or abroad, to whom data is transferred; e) to correct incomplete or inaccurate data; f) to have data erased or destroyed where the conditions in KVKK Art. 7 are met; g) to have corrections/erasures notified to third-party recipients; h) to object to a result produced exclusively by automated analysis that is against you; i) to claim compensation for damage caused by unlawful processing.
You may apply to the Turkish Personal Data Protection Authority if your application to us is refused or not answered within the statutory period.
12.4 How to exercise your rights
• Email [email protected] from the address associated with your account, or write to NUVI SOFTWARE LIMITED, 124-128 City Road, London, England, EC1V 2NX.
• We respond within one month (Art. 12 UK/EU GDPR); for KVKK applications, within 30 days (KVKK Art. 13).
• Store Customers: please contact the Merchant that operates the store first (Section 2.2).
Self-service options: you can disconnect any integration (which revokes and deletes tokens) and delete your stores/account from the Nuvi admin at any time — see our Data Deletion Instructions (./data-deletion-en.md).
13. Sub-processors and third-party recipients
Provider — Service — Location — Data involved
Hetzner Online GmbH — Cloud hosting of the entire platform — Germany (EU) — All platform data
Google LLC — Analytics, Search Console, YouTube, Ads, Indexing, Merchant Center APIs (Merchant-connected) — USA/EU — Merchant's own Google account data; OAuth tokens
Meta Platforms, Inc. / Meta Platforms Ireland Ltd. — Page publishing, ads dashboards, Pixel/Conversions API (Merchant-enabled) — USA/EU — Merchant's Meta account data; consent-gated storefront events (SHA-256-hashed identifiers)
Stripe, Inc. / Stripe Payments Europe Ltd. — Card payments — USA/EU — Payment transaction data (card data held by Stripe only)
PayTR Ödeme ve Elektronik Para Kuruluşu A.Ş. — Card payments (Türkiye) — Türkiye — Payment transaction data
iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. (Iyzico) — Card payments (Türkiye) — Türkiye — Payment transaction data
Resend, Inc. — Transactional email delivery — USA — Recipient addresses, message content
Hosting Concepts B.V. (OpenProvider) — Domain registration; optional mailbox hosting — Netherlands (EU) — Domain registrant data; mailbox data for the optional add-on
We do not sell personal data. We disclose data to authorities only where legally required.
14. Children
Nuvi is a business tool and is not directed at children under 16. We do not knowingly collect children's data for our own purposes. Merchants are responsible for the audience of their own stores.
15. Changes to this policy
We may update this policy from time to time. Material changes will be announced in the Nuvi admin panel or by email before they take effect. The "Last updated" date at the top reflects the current version.
16. Contact
NUVI SOFTWARE LIMITED Company number 16475792 (England and Wales) 124-128 City Road, London, England, EC1V 2NX, United Kingdom Email: [email protected]