Privacy Policy
Effective date: 01.07.2026
This Privacy Policy explains what personal data Novograde collects when you visit or use the platform at novograde.com, how that data is used, who it is shared with, how long it is kept, and the rights you have over it.
Novograde is owned and operated by ETI BOX FAMILY SRL ("Novograde", "we", "us"), a company registered in Romania (European Union) with the following identification details:
- Company name: ETI BOX FAMILY SRL
- Contact e-mail: office@novograde.com
ETI BOX FAMILY SRL is the data controller for personal data processed through novograde.com.
This Policy covers data processed in connection with the Novograde website and service. It does not apply to information collected offline or through channels other than this website. We may update this Policy from time to time; changes take effect when published here, so please check the date above periodically.
1. What information we collect
Depending on how you interact with Novograde, we may collect the following categories of personal data:
Account data. When you create an account, we collect your e-mail address and a password. Authentication is handled by our processor Clerk; your password is stored and hashed by Clerk, and Novograde never has access to it in plaintext. We may also store a display name and account identifiers.
Assessment data. When you take an assessment, we process the role/skill you select, the questions presented, the answers and free-text responses you submit during the interview, the scores generated, and your final scorecard. These responses may contain personal data that you choose to include (for example, your employer, projects, or other details you mention while answering).
Usage and credit data. We store information about your use of the service, including how many free and paid assessment credits you have used or have remaining, and basic technical data such as IP address, browser/device type, and timestamps of your visits.
Payment data. When you purchase credits, payment is processed by Stripe. Novograde does not receive or store your full card number; Stripe tokenizes card details. We retain order/transaction records (amount, date, status, invoice data) as required for accounting and tax purposes.
Communications data. If you contact us by e-mail, we process your e-mail address and the content of your message.
2. How we use your information and our legal bases
We process your personal data for the following purposes, on the following legal bases under the GDPR (Regulation (EU) 2016/679):
- To provide the service — creating and maintaining your account, running assessments, generating and storing your scorecard, and managing your credit balance. Legal basis: performance of a contract (Art. 6(1)(b)).
- To process payments and meet accounting/tax obligations — handling purchases of credits, issuing invoices, and retaining financial records. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)).
- To respond to your enquiries — handling support and contact requests. Legal basis: legitimate interests (Art. 6(1)(f)) or steps prior to a contract (Art. 6(1)(b)).
- To understand and improve the service — aggregated, non-identifying usage analytics. Legal basis: legitimate interests (Art. 6(1)(f)).
- To protect security and prevent fraud — securing accounts and transactions. Legal basis: legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)).
We do not send marketing communications unless you have separately and explicitly opted in, in which case the legal basis is your consent (Art. 6(1)(a)), withdrawable at any time.
3. Automated processing and scoring
Your assessment is scored using automated processing. To generate questions and evaluate your answers, the text you submit during an interview is transmitted to Anthropic (the provider of the Claude AI model) through its commercial API, which returns scoring and feedback that form your scorecard.
The score and scorecard are produced automatically. This processing is necessary to provide the service you request. You have the right to obtain human intervention, to express your point of view, and to contest a result — to do so, contact us at the e-mail above. The scorecard is intended as a skills-assessment tool and does not by itself produce legal effects concerning you.
Under Anthropic's commercial terms, the data sent to its API is not used to train Anthropic's models and is retained only for a limited period in line with those terms.
4. Who we share your information with
We share personal data only with service providers ("processors") that help us operate Novograde, and only to the extent necessary. Each is bound by a data processing agreement. Our main processors are:
- Clerk — authentication and account management (e-mail, password, session data).
- Supabase — database hosting for assessment data and scorecards.
- Anthropic — AI processing of interview answers for question generation and scoring.
- Stripe — payment processing. Stripe also acts as an independent controller for payment and fraud-prevention data under its own privacy policy.
- Vercel — website hosting and infrastructure, and privacy-friendly usage analytics.
We may also disclose data where required by law or competent authorities, to protect our rights, or in connection with a corporate transaction (e.g. merger or acquisition), in each case with appropriate safeguards.
We do not sell your personal data.
5. International data transfers
Some of our processors (including Clerk, Anthropic, Stripe, and Vercel) are based in or process data in the United States. Where personal data is transferred outside the European Economic Area, the transfer is protected by appropriate safeguards — typically the European Commission's Standard Contractual Clauses and the data processing agreements we have in place with each provider.
6. How we keep your information secure
We protect personal data through measures including: encrypted connections (HTTPS); authentication and password hashing handled by Clerk; access controls on our database; restricting internal access to those who need it; and relying on infrastructure providers that maintain their own security standards. No method of transmission or storage is completely secure, but we take reasonable steps to protect your data.
7. How long we keep your information
- Account and assessment data — kept while your account is active. You may delete your account or request deletion at any time; we delete or anonymize the associated data within 30 days of your request, except where we must retain it by law.
- Payment and invoice records — retained for 5 years as required by Romanian accounting legislation (Law no. 82/1991, as amended by Law no. 36/2023), calculated from 1 July of the year following the financial year concerned.
- Communications — kept only as long as necessary to handle your request, and no longer than 12 months unless needed for legal reasons.
- Usage/analytics data — kept in aggregated, non-identifying form.
8. Cookies
We use only the cookies necessary to operate the website and process payments. These are limited to session cookies set by our authentication provider (Clerk) and payment cookies set by Stripe during checkout. We do not use advertising or cross-site tracking cookies, and our usage analytics (Vercel Web Analytics) is cookieless and does not identify individual users.
Because these cookies are strictly necessary to provide the service and process payments, they do not require prior consent. You can block or delete cookies through your browser settings, but doing so may prevent you from logging in or completing a purchase.
9. Your rights
Under EU data protection law (GDPR) you have the right to:
- be informed about how and why your data is processed;
- access your data and obtain a copy;
- rectify inaccurate or incomplete data without undue delay;
- request erasure of your data;
- restrict processing in certain circumstances;
- be notified of any rectification, erasure, or restriction;
- object to processing based on legitimate interests, including any profiling;
- request data portability;
- not be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you (see Section 3);
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with the supervisory authority.
To exercise any of these rights or withdraw consent, contact us at office@novograde.com. We aim to respond within one month.
If you are not satisfied, you may lodge a complaint with the Romanian supervisory authority, the National Supervisory Authority for Personal Data Processing (ANSPDCP) — www.dataprotection.ro. We ask that you contact us first so we can try to resolve the matter directly.
10. Contact
If you have questions about this Privacy Policy or our handling of your data, contact:
ETI BOX FAMILY SRL Iași, Iași County, Romania E-mail: office@novograde.com