PRIVACY POLICY - Novaria, LLC

This Privacy Policy explains how Novaria, LLC ("Cosmera", "we", "our", or "us") collects, uses, discloses, and safeguards personal data when individuals ("you", "your", "Users") use our AI-powered diagnostic tools, chatbot, APIs, plugins, and related services (collectively, the "Services").

Cosmera provides an AI assistant and diagnostic engine that can be integrated into e-commerce websites, including Shopify stores, WordPress websites, and other partner platforms. This Policy applies to all Users interacting with the diagnostic tool or affiliated communication channels, regardless of geographic location.

Cosmera is operated by:

We are committed to protecting your privacy and handling your data with transparency, security, and respect.

1. Data Controller & Data Processor Roles

Depending on the context:

• When processing personal data on behalf of a brand or merchant using the Cosmera widget, the merchant is the Data Controller and Novaria, LLC acts as the Data Processor.
• When Cosmera collects data directly through its own channels (e.g., our website), Novaria, LLC is the Data Controller.

This Policy applies to both roles and explains our practices in both contexts.

2. Personal Data We Collect

We collect the following categories of personal information. The exact types of data depend on how the user interacts with Cosmera:

A. Interaction & Chat Data

• Chat messages with the Cosmera assistant
• Answers to diagnostic questions
• Descriptions of skin, hair, body, concerns, routines, or preferences
• Any information voluntarily provided during the conversation

B. Demographic and Personal Profile Information

• Age
• Sex, gender identity, gender expression
• Demographic details, including ethnicity (only when relevant for diagnostic accuracy)
• Language preferences

C. Purchase & Behavioral Data

• Products viewed, tried, recommended, added to cart, or purchased
• Products or services considered
• Personal routines and consumption behaviors
• Loyalty program activity and redemption (if applicable)

D. Customer Service & User-Generated Content

• Customer service interactions
• Ratings, reviews, testimonials
• Records of diagnostic outputs

E. Photos and Images

• Photos or selfies the user uploads for analysis
• Images submitted through any supported interface

F. Biometric-Derived Data

(Non-identifying, processed only for analysis, not identity verification)

• Facial landmarks
• Skin attributes (wrinkles, pores, pigmentation, acne markers, etc.)
• Physical characteristics (skin tone, undertone, facial shape, hair color)
• Inferences about age or ethnicity solely to enhance diagnostic accuracy

We do not use biometric data for identity confirmation or authentication.

G. Technical & Device Information

• Device identifiers
• Browser type, OS, and device model

H. Call Center / Voice Data

• Any recordings from user support calls or voice-enabled diagnostic features (where applicable)

3. How We Use Personal Data

We use the categories of personal information listed above for purposes including, but not limited to:

A. Provide and Improve the Diagnostic Service

• Perform personalized analysis
• Generate personalized product recommendations
• Tailor routines and explanations

B. User Support

• Provide customer service
• Assist with troubleshooting
• Handle inquiries or user requests

C. Personalization

• Adapt recommendations to user profile
• Localize language
• Improve relevance of answers

D. Analytics & Performance

• Evaluate effectiveness of the diagnostic
• Improve AI accuracy
• Monitor usage patterns and aggregated statistics

E. Security

• Detect misuse
• Monitor unauthorized access
• Protect against fraud or abuse

F. Compliance

• Manage data deletion, access requests, and GDPR/CCPA/other privacy-law obligations
• Comply with Shopify's mandatory privacy webhooks (shop redact, customers/data_request, customers/redact)

4. Legal Basis for Processing (GDPR)

Where GDPR applies, we process personal data under the following legal bases:

• Performance of a contract: To provide diagnostic services requested by you.
• Legitimate interest: To improve the Service, ensure security, prevent fraud, and offer relevant products.
• Consent: For optional features such as photo uploads or marketing communication.
• Compliance with legal obligations: For handling access, deletion, or data portability requests.

5. Data Retention

We retain data only as long as necessary for:

• Providing the Service
• Improving diagnostic accuracy
• Complying with legal obligations
• Supporting the ecommerce brand's operational needs

Photos used for real-time diagnostic may be deleted shortly after analysis, unless the user expressly agrees to keep them longer.

6. Data Sharing and Sub-Processing

We do not sell personal data.

We may share data with:

• Hosting providers
• Technical infrastructure vendors
• Analytics or monitoring services
• Customer support tools
• Ecommerce platforms (Shopify, WooCommerce, etc.)
• Partner brands with whom the user has expressly chosen to interact
• Affiliates, successors, or acquirers in the context of mergers or acquisitions
• Authorities or courts, where legally required

All processors operate under strict contractual and security obligations.

7. International Transfers

Data is stored in: OVH – Region OpenStack: os-de2 Frankfurt (Germany)

If data is transferred outside the EEA or UK, we rely on Adequacy decisions, Standard Contractual Clauses (SCCs), and supplemental security measures.

8. Data Security

Cosmera applies reasonable and appropriate technical and organizational measures to protect personal data. We implement safeguards that are proportionate to the sensitivity of the information we process. However, You acknowledge that no method of electronic storage or transmission can be guaranteed to be 100% secure.

9. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access your data
• Correct inaccurate data
• Request deletion (right to be forgotten)
• Object to processing
• Restrict processing
• Data portability
• Withdraw consent

Requests can be made to: contact@novaria.com

10. Children's Privacy

Our Services are not intended for users under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Policy and will indicate the "Last Updated" date above.

12. Contact Information