Privacy Policy – Ovio Public App

Last updated: October 2025

Novalia Solutions (“we,” “our,” or “us”) operates the mobile application Ovio Public App (hereinafter referred to as “the App”). The App enables students and social media users to connect with local businesses, claim promotional offers, and share social media content in exchange for discounts or rewards.

We take your privacy seriously and are committed to processing your personal data in a lawful, fair, and transparent manner, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable French data-protection laws.

This Privacy Policy explains how and why we collect, use, store, and share your personal information when you use the App, and what rights you have in relation to that information.

1. Data Controller

The entity responsible for determining the purposes and means of the processing of your personal data is:

Novalia Solutions

31 Rue Alsace Lorraine

31000 Toulouse, France

Email: contact@novalia-solutions.com

If you have any questions about this Privacy Policy or our data-protection practices, you may contact us at the address or email above.

2. Scope of Application

This Privacy Policy applies exclusively to the Ovio Public App and governs all personal data collected or processed through the App. It does not apply to the Ovio Merchant App (intended for business users) or to the Ovio Admin Dashboard (used internally by administrators). Those platforms are covered by separate privacy policies.

3. Information We Collect

We collect and process only the information that is strictly necessary for the proper operation of the App and the fulfillment of its features. The categories of personal data collected are as follows:

Account Information.

When you create an account, we collect your email address and password, which are managed and stored through Supabase Auth, our authentication provider. Each user is also assigned an internal unique identifier.

Profile Information.

To verify your eligibility for offers and confirm your authenticity as a social-media user, we collect your Instagram handle, follower count, and a screenshot of your Instagram profile or follower data. This information is used solely for verification purposes and to prevent fraudulent activity. The verification status (pending, verified, or rejected) is recorded in our database.

Offer and Redemption Data.

When you claim or redeem offers through the App, we record the offer details, the unique QR codes generated, the time and date of redemptions, and the screenshots you upload as proof of social-media activity (for example, a published story). These screenshots may contain metadata, such as device time and visual timestamps, which are used only to confirm the authenticity and timing of your post.

Technical and Diagnostic Data.

Certain technical data are collected automatically to ensure the security and stability of the App, including device model, operating system, IP address, and error or crash logs generated by Supabase. This information may also be used to troubleshoot technical issues and maintain service reliability.

Optional Information.

You may voluntarily provide additional information—for instance, through feedback forms, customer-support requests, or survey participation. Any such data will be processed solely for the purpose for which they were submitted.

We do not collect or process any sensitive personal data (such as racial or ethnic origin, religious beliefs, political opinions, or biometric data). The App does not track or collect precise geolocation data.

4. Purposes of Processing

Your personal data are used exclusively for purposes that are directly related to the operation and improvement of the App. Specifically, we process your information in order to:

• Create, manage, and authenticate your user account;

• Verify your eligibility to access and redeem promotional offers;

• Process and track offer claims, QR-code redemptions, and proof uploads;

• Maintain the integrity and security of the App, including the prevention and detection of fraud or misuse;

• Generate aggregated and anonymized statistics on usage trends to improve service performance; and

• Comply with our legal and regulatory obligations, including those related to record-keeping and dispute resolution.

We do not use your data for marketing, behavioral advertising, or profiling purposes. Your personal data will never be sold, rented, or otherwise made available to third parties for commercial gain.

5. Legal Basis for Processing

The processing of your personal data is carried out on one or more of the following legal bases, as provided for under Articles 6(1)(a)–(f) of the GDPR:

• Performance of a Contract: The processing is necessary to provide you with the App’s core functionalities, including account management, offer participation, and reward verification.

• Consent: Certain features, such as uploading screenshots for verification or receiving optional notifications, are based on your explicit consent, which you may withdraw at any time without affecting the lawfulness of processing based on consent before its withdrawal.

• Legitimate Interest: We have a legitimate interest in ensuring the security, proper functioning, and continuous improvement of our platform and in preventing fraud or abuse.

• Legal Obligation: In limited circumstances, we may process data to comply with applicable legal requirements, such as responding to lawful requests by public authorities or retaining certain records for accounting and compliance purposes.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which they were collected or to comply with our legal obligations. Specifically:

• Account information is retained for as long as your account remains active.

• Verification screenshots are retained for no longer than 30 days following validation or rejection, after which they are automatically and permanently deleted.

• Offer and redemption records are retained for a period of up to one (1) year for internal reporting, security monitoring, and fraud prevention.

• Technical logs are retained for a maximum of twelve (12) months to ensure operational security and compliance auditing.

When data are no longer required for any of these purposes, they will be securely erased or anonymized in accordance with industry best practices.

7. Disclosure of Personal Data

We do not sell or lease your personal data to third parties. Access to your information is strictly limited to service providers and partners who perform services on our behalf under contractual terms ensuring compliance with data-protection laws. These include:

• Supabase, which provides database hosting, storage, and authentication services. Data are primarily hosted within the European Union.

• OpenAI API, which may process uploaded screenshots to assist in automated verification analysis.

• Internal automation, which facilitates secure internal workflows related to verification and notification processes.

• Public authorities or courts, where disclosure is required by law or necessary to protect our rights, property, or safety, or that of our users.

All such third parties act as processors and are bound by confidentiality and security obligations consistent with this Privacy Policy and the GDPR.

8. Data Security

We implement appropriate technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit and at rest, access control based on user roles, and secure authentication mechanisms. The App’s infrastructure and database are operated within secure environments managed by reputable providers.

While we strive to use commercially reasonable means to protect your personal data, no electronic storage or transmission system can be guaranteed to be completely secure. You acknowledge that you use the App and transmit your data at your own risk, subject to these limitations.

9. International Data Transfers

Your personal data are primarily stored and processed within the European Union. Certain services used in connection with the App, such as the OpenAI API, may involve data transfers to countries outside the EU, including the United States. In such cases, we ensure that appropriate safeguards are in place, such as the Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent legal mechanisms, to guarantee an adequate level of protection for your personal data.

10. Your Rights under the GDPR

As a data subject within the European Economic Area, you have the following rights with respect to your personal data:

• Right of Access: to obtain confirmation as to whether we process your data and, if so, to receive a copy of it.

• Right to Rectification: to have inaccurate or incomplete data corrected.

• Right to Erasure: to request the deletion of your data where permitted by law (“right to be forgotten”).

• Right to Restriction of Processing: to request the limitation of processing under certain circumstances.

• Right to Data Portability: to receive your data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

• Right to Object: to object, on grounds relating to your particular situation, to processing carried out on the basis of legitimate interest.

• Right to Withdraw Consent: to withdraw your consent at any time, without affecting the lawfulness of processing carried out before such withdrawal.

To exercise any of these rights, please contact us at contact@novalia-solutions.com. We may need to verify your identity before responding to your request.

If you believe that your rights have been infringed, you also have the right to lodge a complaint with your national data-protection authority, such as the Commission Nationale de l’Informatique et des Libertés (CNIL) in France.

11. Children’s Privacy

The App is intended for users who are at least sixteen (16) years of age. If you are under the age of 16, you must obtain verifiable parental consent before creating an account or submitting any personal data. We do not knowingly collect personal data from minors under this age threshold without such consent. If we become aware that personal data have been collected from a child under 16 without appropriate authorization, we will take immediate steps to delete that information.

12. Cookies and Analytics

The Ovio Public App does not employ cookies or tracking technologies for advertising or behavioral profiling purposes. Certain anonymous analytical or diagnostic information may be collected automatically to monitor app performance, identify bugs, and improve user experience. Such information does not identify you personally and is processed solely for operational purposes.

13. Push Notifications

With your consent, we may send push notifications to your device for operational reasons, such as updates about offer status, verification requests, or account notifications. You may disable push notifications at any time through your device settings without affecting your access to the App’s core features.

14. Updates to this Privacy Policy

We may modify or update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal obligations. The updated version will be indicated by a revised “Last Updated” date at the top of this page. In the event of material changes, we will notify you directly within the App or by email before such changes take effect.

We encourage you to review this Policy periodically to stay informed about how we protect your data.

15. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy or the way we handle your personal data, please contact us using the details below:

Novalia Solutions

Email: contact@novalia-solutions.com