Last updated: April 30, 2026

1. Who we are

Nuvi ("we", "us", "our") operates the platform at usenuvi.com and provides hosted e-commerce, content, and AI tooling to merchants ("operators") and their end-customers. This Privacy Policy explains what personal data we process, why, and on what legal basis.

Our role depends on the relationship: for visitors of usenuvi.com we act as data controller; for data processed on behalf of an operator's storefront we act as a data processor, and the operator is the controller. The Data Processing Addendum (DPA) governs the latter.

2. Data we collect

  • Account data: name, email, password hash, billing address, VAT/Tax ID, plan tier.
  • Usage data: IP address, user-agent, page views, error traces, AI assistant interactions.
  • Payment data: last-4 digits, card brand, country — the full PAN never reaches our servers; Stripe and Iyzico tokenize at point of capture.
  • Support data: emails, tickets, chat transcripts you send to us.
  • Storefront content: products, blog posts, customers, orders — processed on behalf of the operator.

3. Why we process it (legal bases under GDPR / KVKK)

Purpose | Legal basis
Provide the platform you signed up for | Contract (GDPR 6(1)(b))
Bill you / collect taxes | Legal obligation (GDPR 6(1)(c))
Detect fraud, abuse, security incidents | Legitimate interest (GDPR 6(1)(f))
Product analytics & improvement | Consent (cookie banner, opt-in)
Marketing emails | Consent — you can unsubscribe at any time

4. Sub-processors

We use the following sub-processors. Full list with regions: see the DPA at /dpa.

  • Hetzner Online GmbH — primary hosting (EU, Germany)
  • Stripe, Inc. — global payments (US, with SCCs)
  • Iyzico Ödeme Hizmetleri A.Ş. — Turkey payments (TR)
  • Resend, Inc. — transactional email (US, with SCCs)
  • OpenAI, L.L.C. — AI assistant inference (US; we set store=false)
  • Cloudflare, Inc. — CDN and DDoS protection (Global)

5. International transfers

When we transfer data outside the EEA / Türkiye, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or KVKK’s comparable transfer mechanisms. We never transfer data to jurisdictions without an adequate framework.

6. Retention

  • Account & billing records: 10 years (Turkish Commercial Code obligation).
  • Server logs: 30 days rolling.
  • AI prompt history: 30 days, or shorter if you turn off history in your account.
  • Marketing data: until you withdraw consent.

7. Your rights

Under GDPR and KVKK you have the right to: access, rectify, delete, restrict, port, and object to processing. To exercise any of these, email privacy@usenuvi.com from the email associated with your account. We respond within 30 days.

You also have the right to lodge a complaint with the supervisory authority of your member state (in Türkiye: KVKK Kurumu).

8. Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). We isolate per-tenant database schemas, rotate credentials regularly, and run a public bug-bounty program. Incident notifications follow GDPR Art. 33 and KVKK Art. 12 timelines.

9. Children

The platform is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@usenuvi.com for immediate deletion.

10. Changes to this policy

We will post material changes with a 30-day notice via email and an in-app banner. The version and "last updated" date at the top of this page always reflect the current text.

11. Contact

Data Protection Officer / Veri Sorumlusu: privacy@usenuvi.com
Postal: see Contact.