Privacy Policy
Last updated: March 4, 2026
[Company name to be determined], a company in the process of incorporation, with its registered office to be located at [Registered office address], Abidjan, Republic of Côte d'Ivoire (hereinafter "NovaFlow Consulting", "we", "our" or "us"), is committed to protecting the privacy and personal data of all visitors to its website accessible at https://novaflow-consulting.com (hereinafter the "Website").
This Privacy Policy is intended to inform you in a transparent manner about the conditions under which your personal data is collected, processed, and protected when you use our Website.
By accessing the Website and using our services, you acknowledge that you have read this policy. We invite you to read it carefully.
1. Applicable legal framework
This policy is established in compliance with:
- Ivorian Law No. 2013-450 of June 19, 2013 on the protection of personal data
- ECOWAS Supplementary Act A/SA.1/01/10 on the protection of personal data
- The General Data Protection Regulation (EU) 2016/679 ("GDPR"), applicable insofar as our Website is accessible from the European Union
- Any other applicable data protection regulations
The competent regulatory authority in Côte d'Ivoire is the Telecommunications/ICT Regulatory Authority of Côte d'Ivoire (ARTCI), located in Abidjan, Côte d'Ivoire — https://www.artci.ci
2. Data controller
The data controller for your personal data is:
[Company name to be determined]
[Registered office address], Abidjan, Côte d'Ivoire
For any questions regarding the protection of your personal data or to exercise your rights, you may contact us at the email address above.
3. Personal data collected
In the course of operating the Website, we may collect the following categories of data:
3.1 Contact form
When you fill in our contact form, the following data is collected:
- First and last name
- Email address
- Phone number
- Company name
- Nature of your inquiry (type of service requested)
- Free-text message
This data is transmitted by email to our team at contact@novaflow-consulting.com and is not stored in any automated database.
3.2 Conversational assistant (chatbot)
Our Website integrates an AI-powered conversational assistant. When you interact with this assistant:
- The content of your messages is transmitted to the Google Gemini API (Google LLC) to generate a response
- Your conversation history (limited to the last 7 exchanges) is temporarily stored in your browser's memory (sessionStorage) and automatically deleted when you close the tab
- No conversations are recorded, stored, or retained on our servers
3.3 Newsletter subscription
If you subscribe to our newsletter, we collect your email address and, where applicable, your professional role. This data is processed by our email service provider, Brevo (Sendinblue), for the sole purpose of sending our communications.
You may unsubscribe at any time via the unsubscribe link included in each email.
3.4 Technical data
When you browse the Website, the following technical data may be automatically collected:
- IP address (used transiently for abuse prevention, held in server memory for a maximum of 60 seconds, never written to disk)
- Standard connection data (browser type, operating system, screen resolution) via standard HTTP headers transmitted by your browser
We do not use any audience analytics tools, tracking pixels, or fingerprinting technologies.
4. Purposes and legal bases for processing
Your personal data is processed for the following purposes:
| Purpose | Legal basis | Data concerned |
|---|---|---|
| Responding to your inquiries via the contact form | Performance of pre-contractual measures (Art. 6.1.b GDPR) | Name, email, phone, company, message |
| Providing assistance via the conversational assistant | Legitimate interest (Art. 6.1.f GDPR) | Conversation messages |
| Sending newsletters and communications | Consent (Art. 6.1.a GDPR) | Email address, role |
| Abuse prevention and Website security | Legitimate interest (Art. 6.1.f GDPR) | IP address (transient) |
| Technical operation of the Website | Legitimate interest (Art. 6.1.f GDPR) | Technical browsing data |
5. Artificial intelligence processing
In line with our commitment to transparency, we inform you that our conversational assistant uses Google Gemini artificial intelligence technology, provided by Google LLC.
Nature of processing
Your messages are transmitted to the Google Gemini API to generate contextual responses related to NovaFlow Consulting's services.
No automated decision-making
The conversational assistant provides general information. It does not make any automated decisions producing legal effects or significantly affecting you within the meaning of Article 22 of the GDPR.
No profiling
No profiling is carried out. Your exchanges with the assistant are not used to categorize you, analyze your behavior, or personalize advertising content.
Optional use
Use of the conversational assistant is entirely optional. You may contact us directly at any time by email at contact@novaflow-consulting.com.
6. Recipients and processors
Your personal data may be disclosed to the following recipients, exclusively to the extent necessary for the purposes described above:
| Processor | Country | Purpose | Safeguards |
|---|---|---|---|
| Google LLC (Gemini AI) | United States | Processing chatbot messages | Standard Contractual Clauses (SCCs) |
| Vercel Inc. | United States / Global | Website hosting | Standard Contractual Clauses (SCCs), SOC 2 certifications |
| Brevo (Sendinblue) | France | Newsletter delivery | EU hosting, GDPR compliant |
We do not sell, rent, or transfer your personal data to any third parties for commercial or advertising purposes under any circumstances.
7. Data transfers outside Côte d'Ivoire
Some of our processors are located outside Côte d'Ivoire and the European Union (notably in the United States), and your data may be subject to international transfers. In such cases, we ensure that appropriate safeguards are in place, including:
- The execution of Standard Contractual Clauses (SCCs) approved by the European Commission
- The use of processors holding recognized certifications (SOC 2, ISO 27001)
- The implementation of supplementary technical and organizational measures (encryption, pseudonymization)
8. Data retention periods
We retain your personal data only for the period necessary to fulfill the purposes for which it was collected:
| Data | Retention period |
|---|---|
| Contact form data | 12 months after the last exchange |
| Chatbot messages (server-side) | Not retained (transient processing) |
| Chatbot history (browser) | Duration of the browsing session |
| IP addresses (rate limiting) | 60 seconds maximum |
| Newsletter data | Until withdrawal of consent (unsubscription) |
Upon expiry of these periods, your data is deleted or irreversibly anonymized.
9. Cookies and similar technologies
Our Website uses a very limited number of local storage technologies:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| novaflow_admin_auth | HTTP cookie (strictly necessary) | Administration panel authentication | 24 hours |
| novaflow_chat_history | sessionStorage | Storing conversation history in the browser | Browsing session |
| novaflow_chat_opened | sessionStorage | Remembering chatbot open state | Browsing session |
| novaflow_initial_load | sessionStorage | Managing initial loading animation | Browsing session |
Our Website does not use any advertising cookies, analytics cookies, or third-party cookies. As the authentication cookie is strictly necessary for the operation of the administration panel (not accessible to the public), no cookie consent banner is required.
Data stored in your browser's sessionStorage is never transmitted to our servers and is automatically deleted when you close your browser tab.
10. Data security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of all communications via the HTTPS/TLS protocol
- Cookies configured with httpOnly, secure, and sameSite: strict attributes
- Administration area authentication via signed JWT tokens (HS256 algorithm)
- Timing-safe credential verification (protection against timing analysis attacks)
- Request rate limiting to prevent abuse
- Hosting on Vercel infrastructure, holding SOC 2 Type II and ISO 27001 certifications
11. Your rights
In accordance with applicable legislation, you have the following rights regarding your personal data:
Right of access
Obtain confirmation of whether your data is being processed and receive a copy thereof (Art. 15 GDPR)
Right to rectification
Have inaccurate data corrected or incomplete data supplemented (Art. 16 GDPR)
Right to erasure
Obtain the deletion of your data under the conditions provided by law (Art. 17 GDPR)
Right to restriction of processing
Request the suspension of the processing of your data under certain circumstances (Art. 18 GDPR)
Right to data portability
Receive your data in a structured, commonly used, and machine-readable format (Art. 20 GDPR)
Right to object
Object to the processing of your data based on legitimate interest (Art. 21 GDPR)
Withdrawal of consent
Withdraw your consent at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, send your request to contact@novaflow-consulting.com, specifying your identity and the right you wish to exercise. We undertake to respond within thirty (30) days of receiving your request.
If you believe that the processing of your data constitutes a violation of your rights, you may file a complaint with ARTCI (Telecommunications/ICT Regulatory Authority of Côte d'Ivoire) or, if you reside in the European Union, with the supervisory authority of your country of residence (for example, the CNIL in France).
12. Protection of minors
Our Website and services are intended exclusively for professionals and are not directed at persons under the age of sixteen (16). We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will promptly delete such data.
13. Changes to this policy
We reserve the right to modify this Privacy Policy at any time. Any material changes will be indicated by a visible notice on the Website. The last updated date shown at the top of this document shall prevail.
We encourage you to review this page regularly to stay informed of any changes.
14. Contact
For any questions regarding this Privacy Policy or the processing of your personal data, you may contact us:
Postal address: [Registered office address], Abidjan, Côte d'Ivoire
Competent supervisory authorities:
ARTCI — Telecommunications/ICT Regulatory Authority of Côte d'Ivoire — https://www.artci.ci
CNIL — French Data Protection Authority (for EU residents) — https://www.cnil.fr
© 2026 NovaFlow Consulting. Last updated: March 4, 2026
