Privacy Policy
Nolvira AI
Version: 2.0-2026-05-06
Drafted on: May 6, 2026
Effective from: Date of publication at https://nolvira.app
Controller: Nolvira Tecnología Fiscal, S.A.S.
This document gathers the English-language privacy materials of Nolvira AI: the bilingual privacy policy (English part) and the international-transfer consent text.
Privacy Policy — Nolvira AI
1. Introduction
This Privacy Policy describes how Nolvira AI (hereinafter, "Nolvira," "we," or "the Controller"), operated by Nolvira Tecnología Fiscal, S.A.S., a Sociedad por Acciones Simplificada under Mexican law, represented by its sole Administrator Luis Felipe Franzoni Mathieu, with fiscal address at Tecoyotitla 320-2, Colonia Florida, Alcaldía Álvaro Obregón, Ciudad de México, 01030, México, collects, uses, stores, protects, and shares the personal information of users of its SaaS platform (web application and iOS mobile app) designed for tax assistance to Mexican freelancers (RESICO and PFAE regimes) and U.S. LLC owners.
This Privacy Policy applies to all Nolvira AI users and complies with the requirements of the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP 2025), the Apple App Store Review Guidelines, the Stripe Services Agreement, and, where applicable, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) for California residents.
2. Information We Collect
2.1 Information You Provide Directly
- Registration information: full name, email address, password (hashed via Firebase Auth using bcrypt/Argon2; we never store your password in plain text), optional profile photo.
- Tax information: Mexican RFC, tax regime, TIN/EIN (when applicable for U.S. LLC users).
- Tax documents: XML CFDIs, images of receipts and invoices (JPG, PNG, PDF), bank transactions imported via CSV files. We do not collect banking credentials. Nolvira has no access to users' bank accounts, only to transaction data voluntarily imported by the user.
- Accounting data: accounting accounts, tax categories, classifications, and notes created by you.
Important clarifications:
- Nolvira does not have access to the user's e-signature (FIEL) and cannot perform procedures before the SAT on their behalf.
- Nolvira does not store banking credentials or credentials of any government system.
2.2 Information We Collect Automatically
- Technical data: IP address, user agent, activity timestamps, session tokens (Firebase), error logs.
- Device data: mobile device identifier (when using the iOS app), operating system, app version.
- Cookies: session and authentication cookies (necessary), preference cookies (language, UI). We do not use third-party analytics or advertising cookies.
2.3 Information from Third Parties
- When you use Sign in with Apple or Google Sign In, we receive from those services your name, email address, and a unique user identifier. If you choose to hide your email address using Sign in with Apple, we will receive a private relay email from Apple and will not have access to your real email address unless you provide it to us later.
- Stripe provides us with your Stripe Customer ID, subscription plan, and invoice history. Nolvira AI never has access to card numbers, CVV codes, or expiration dates.
3. How We Use Your Information
We use personal information to:
- Create, authenticate, and manage your user account.
- Process, store, and organize your tax documents and bank transactions.
- Calculate your tax obligations (ISR, VAT, provisional payments, deductions).
- Process subscription payments and manage your plan through Stripe.
- Send essential operational notifications (tax reminders, security alerts, subscription changes).
- Provide technical support and resolve incidents.
- Comply with legal obligations and authority requests.
- Prevent fraud, abuse, and unauthorized use of the platform.
For secondary purposes (aggregated and anonymized internal analysis, communications about new features), we request your additional consent, which you may revoke at any time.
4. How We Share Your Information
Nolvira AI does not sell, rent, or trade your personal information.
4.1 Data Processors (Lawful Communication Under Contract)
We share information only with the following service processors, who act strictly on our behalf and in accordance with data processing agreements. This communication does NOT require additional consent from the data subject:
| Processor | Purpose | Jurisdiction |
|---|---|---|
| Stripe, Inc. | Subscription payments | USA |
| OpenAI, L.L.C. | Data extraction from receipts/invoices via Vision API | USA |
| Vercel Inc. | Web hosting | USA |
| Supabase Inc. | Database hosting | USA |
| Google LLC (Firebase) | Authentication, sessions, push notifications | USA |
4.2 Co-Controllers and Third Parties with Independent Purposes
These third parties receive data for their own or additional purposes:
| Third Party | Purpose | Jurisdiction |
|---|---|---|
| Servicio de Administración Tributaria (SAT) | CFDI validation (only with your express authorization) | Mexico |
| Apple Inc. | iOS distribution, Apple Sign In, App Store subscriptions | USA |
| Google LLC (Play Store) | Future distribution of the Android app, when applicable | USA |
Third-party responsibility: Each processor's liability is limited to its contractual and legal obligations. Stripe is solely responsible for PCI DSS compliance; OpenAI is responsible for the security of its own servers under the DPA entered into with Nolvira; Vercel, Supabase, Firebase, and Apple maintain liability limited to their service agreements. Nolvira does not guarantee the absolute security of third-party systems, but selects providers with internationally recognized standards.
5. Use of OpenAI Vision API
Nolvira AI uses the OpenAI, L.L.C. Vision API to analyze images and PDF files of receipts and invoices that you upload, in order to automatically extract relevant data (amounts, concepts, dates, RFCs).
- OpenAI does not use data processed through our API to train, fine-tune, or improve its artificial intelligence models, in accordance with the API Data Processing Agreement entered into between Nolvira AI and OpenAI, unless you explicitly opt in to share data for model improvement.
- Technical configuration: store=false, no retention, Vision API endpoints. OpenAI offers Zero Data Retention (ZDR) or Modified Abuse Monitoring under approval. Under standard configuration, OpenAI retains abuse monitoring logs for up to 30 days for security purposes, but does not retain image or document content for commercial or research purposes.
- You may opt out of using the smart capture feature and enter your data manually.
6. Payment Processing with Stripe
Subscription payments are processed directly by Stripe, Inc. through its secure infrastructure. Nolvira AI:
- Does not store credit or debit card numbers.
- Does not have access to CVV codes, expiration dates, or PCI data.
- Receives only your Stripe Customer ID, subscription status, and invoices.
Stripe is solely responsible for compliance with the PCI DSS (Payment Card Industry Data Security Standard). For more information on how Stripe protects your data, visit: https://stripe.com/privacy.
7. Sign in with Apple
If you use Sign in with Apple to register or log in:
- Apple may share with Nolvira AI your name, email address (or a private relay email if you choose to hide your real address), and a unique Apple user identifier.
- Nolvira AI does not have access to your Apple ID password.
- You may, at any time, stop using Sign in with Apple to access Nolvira AI from your Apple ID settings.
8. International Data Transfer
Nolvira AI is a SaaS service with technological infrastructure and payment providers located primarily in the United States. By using our services, you acknowledge and agree that your personal data may be transferred, stored, and processed in the United States, a country that has not been declared by the competent Mexican authority as a jurisdiction with a level of data protection equivalent to that of Mexico.
Such transfer is carried out with your express consent, granted when you accept this Privacy Policy and the Integral Privacy Notice, and based on the data processing agreements entered into with our providers, who implement security measures in accordance with international standards.
You expressly declare that:
- You understand and accept that the international transfer of data to the United States involves inherent risks to data protection, including possible access by U.S. authorities under local legislation.
- You accept that Nolvira has implemented reasonable security measures but cannot guarantee absolute protection against unauthorized access.
9. Your Rights
As a Nolvira AI user, you have the right to:
- Access your personal data and obtain a copy thereof.
- Rectify your inaccurate or outdated personal data (most fields are editable directly from the app).
- Cancel your account and request the deletion of your personal data.
- Object to the processing of your data for secondary purposes.
- Revoke your consent for purposes that are not indispensable to the service.
To exercise any of these rights, contact us at arco@nolvira.app. Response timeframes are 20 business days (extendable by an additional 20 business days in justified cases).
10. Account Deletion
In accordance with the Apple App Store Review Guidelines (Guideline 5.1.1(v)), Nolvira AI provides a simple mechanism for account deletion:
- From the iOS app: Settings > Privacy and Security > Delete My Account.
- By email to arco@nolvira.app with the subject "DELETE MY ACCOUNT".
Upon receipt of a deletion request, your account will be deactivated within 15 business days. Your personal data will be deleted or anonymized within 30 to 90 calendar days, except for data that must be retained due to legal obligation (CFDIs and invoices for 5 years, audit logs for 3 years).
11. Information Security
We implement technical, administrative, and physical measures designed to protect your data:
- Encryption in transit: TLS 1.2+ on all communications.
- Encryption at rest: AES-256 in the Supabase PostgreSQL database; encrypted and geo-redundant backups.
- Passwords: Robust hashing via bcrypt/Argon2 through Firebase Auth.
- Authentication: Firebase Authentication (Google) with MFA available and revocable tokens.
- Access control: Least privilege principle; no employee has direct access to fiscal data in production without express, documented, and justified authorization.
- Row Level Security (RLS): PostgreSQL database with row-level security policies.
- Rate limiting: Prevention of brute-force attacks on APIs.
- Continuous monitoring: Audit logs, anomaly detection, and automatic security alerts.
- Incident response plan: Documented and tested quarterly.
No security system is infallible. If we detect a security breach affecting your personal data, we will notify you promptly in accordance with applicable law.
12. Limitation of Liability Regarding Data
To the maximum extent permitted by applicable law:
- Nolvira will not be liable for damages arising from: (a) unauthorized access not attributable to Nolvira's gross negligence; (b) third-party provider vulnerabilities; (c) user acts or omissions regarding security (weak passwords, sharing credentials, access from compromised devices); (d) force majeure or sophisticated cyberattacks exceeding the reasonably expected state of the art for a business of Nolvira's size and nature.
- The data controller will not be sanctioned for infringements it demonstrates are not attributable to it, in accordance with the principle of culpability and the LFPDPPP 2025.
- You acknowledge that you have been informed of the security measures implemented and accept that they constitute reasonable diligence, without implying an absolute guarantee of protection.
13. Reasonable Diligence and Force Majeure
Nolvira AI declares that it performs:
- Quarterly risk assessments on the processing of personal data.
- Staff training on data protection and information security.
- Periodic review of contracts with data processors.
- Maintenance of documented security policies.
- Response to known vulnerabilities in a reasonable time after responsible disclosure.
Nolvira will not be liable for breaches arising from events outside its reasonable control: natural disasters, third-party infrastructure failures, cyberattacks of sophistication not reasonably preventable by the SaaS industry state of the art, pandemics, emergency regulatory changes, or other force majeure events.
14. Defensive ARCO Measures
To prevent impersonation and fraud, Nolvira AI:
- Requires strict identity verification for ARCO requests.
- Reserves the right to deny requests that do not meet formal requirements or show signs of impersonation.
- Maintains photographic/documentary records of attended requests for 3 years.
- Will not be sanctioned for delays when the request is ambiguous, requires additional verification, or when legal restrictions prevent execution.
15. Children
Nolvira AI is not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child under 18 has provided us with personal information, please contact us immediately at privacy@nolvira.app so we can proceed with deletion.
16. Tracking and Advertising
Nolvira AI does not track users across third-party applications or websites. We do not share data with advertising networks for targeted advertising purposes. We do not sell personal information. Our iOS app does not use App Tracking Transparency because we do not track activity outside of our own application.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will post any changes at https://nolvira.app/privacy (English) and https://nolvira.app/privacidad (Spanish). If changes are material, we will notify you by email with at least 7 (seven) calendar days' notice. The date of the last update is indicated at the end of this document.
18. Contact Us
For questions about this Privacy Policy, exercise of rights, or privacy requests, contact us at:
- Privacy email: privacy@nolvira.app
- ARCO rights email: arco@nolvira.app
- Website: https://nolvira.app
- Address: Tecoyotitla 320-2, Colonia Florida, Alcaldía Álvaro Obregón, Ciudad de México, 01030, México.
Last updated: May 6, 2026.
International Data Transfer Consent
Consent Text (Registration)
[ ] I expressly consent to the international transfer of my personal data
I understand and agree that Nolvira AI (Controller: Nolvira Tecnología Fiscal, S.A.S., a Mexican S.A.S.) will transfer my personal data to the following processors and third parties located in the United States of America, for the purposes indicated below:
A) Data Processors (Lawful Communication Under DPA; international transfer requires express consent under Art. 36 LFPDPPP 2025)
| Recipient | Purpose of the transfer |
|---|---|
| Stripe, Inc. | Processing of subscription payments, management of my customer identifier (Stripe Customer ID), generation of invoices, and administration of my subscription plan. Stripe is solely responsible for PCI DSS compliance. |
| OpenAI, L.L.C. | Temporary processing of images and PDF files of receipts and invoices that I upload, via the Vision API, to extract relevant data (amounts, concepts, dates, RFCs). OpenAI will not use my data to train AI models (unless I explicitly opt in). Configuration: store=false, no retention, Vision API. OpenAI is responsible for the security of its own servers under the DPA entered into with Nolvira. |
| Vercel Inc. | Hosting and deployment of the web platform (frontend and API), including temporary storage of logs and static content necessary for the operation of the service. Liability limited to its service agreement. |
| Supabase Inc. | Hosting of the PostgreSQL database containing my fiscal and account data, with encryption at rest (AES-256). RLS enabled. Liability limited to its service agreement. |
| Google LLC (Firebase) | Authentication of my account, session token management, push notifications, and identity operations. MFA available. Liability limited to its service agreement. |
B) Co-Controllers / Third Parties with Independent Purposes
| Recipient | Purpose of the transfer |
|---|---|
| Apple Inc. | Distribution of the iOS application, authentication via Sign in with Apple, and management of subscriptions through the App Store. |
| Google LLC (Play Store) | Future distribution of the Android application, when applicable. |
C) National Transfer to Third Party with Independent Purposes (requires express authorization)
| Recipient | Purpose of the transfer |
|---|---|
| Servicio de Administración Tributaria (SAT) | Validation of my CFDIs only when I expressly authorize such functionality on the platform. |
I declare that I understand the following:
- The United States has not been declared by the competent Mexican authority (Secretaría Anticorrupción y Buen Gobierno) as a country with a level of personal data protection equivalent to that of Mexico, pursuant to Article 36 of the LFPDPPP 2025.
- This international transfer is necessary for the provision of the Nolvira AI SaaS service, as the identified processors are indispensable for the technical, payment, and authentication operation of the platform.
- Nolvira AI has entered into Data Processing Agreements with said processors, by which they undertake to maintain confidentiality, implement security measures, and process my data only for authorized purposes.
- I have the right to revoke this consent at any time by sending an email to arco@nolvira.app with the subject "REVOCATION OF TRANSFER CONSENT". I understand that the revocation of this consent will result in the technical impossibility of continuing to use the service, and my account will be canceled in accordance with the procedure established in the Integral Privacy Notice.
- The exercise of my ARCO rights (access, rectification, cancellation, opposition) is not affected by this consent and may be exercised at any time by contacting arco@nolvira.app. Nolvira reserves the right to deny ARCO requests that do not meet formal requirements or show signs of impersonation.
- I understand and accept that the international transfer of data to the United States involves inherent risks to data protection, including possible access by U.S. authorities under local legislation.
- I accept that Nolvira has implemented reasonable security measures but cannot guarantee absolute protection against unauthorized access.
- Nolvira will not be liable for damages arising from: (a) unauthorized access not attributable to Nolvira's gross negligence; (b) third-party provider vulnerabilities; (c) user acts or omissions regarding security (weak passwords, sharing credentials); (d) force majeure or sophisticated cyberattacks exceeding the state-of-the-art protection.