← Back to Home

RoverView Privacy Policy

Last updated: May 20, 2026 GDPR

Information provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and the applicable national legislation on the protection of personal data (Italian Legislative Decree 196/2003 as amended by Italian Legislative Decree 101/2018 — the "Italian Data Protection Code") to those who interact with the RoverView service.

1. Data Controller and privacy roles

Nova42 S.r.l.

VAT: 16709281006

Registered office: Rome, Italy

Email: info@nova42.it

For the processing relating to the management of the contractual relationship, the creation and administration of accounts, platform security, and the use of the website and applications, the Data Controller of personal data is Nova42 S.r.l. (hereinafter the "Controller" or "Nova42").

For the data that the Agency imports, uploads, generates, or connects to the Service on behalf of its own clients — including performance metrics, editorial content, documents, brand memory, creative assets, and data originating from third-party platforms — Nova42 acts as a data processor pursuant to Article 28 of the GDPR on behalf of the Agency, which remains the data controller of such data. In any event, the processing carried out for legal obligations, platform security, abuse prevention, and the protection of its own rights remains the responsibility of Nova42 as an independent Controller.

An Agency wishing to formally designate Nova42 as a data processor may request the execution of a specific agreement under Article 28 of the GDPR (Data Processing Agreement) by writing to info@nova42.it.

2. Data collected

The Controller collects and processes the following categories of personal data:

2.1. Permissions and features of the Meta integration (Facebook and Instagram)

RoverView processes data originating from Facebook and Instagram exclusively through the permissions and features listed below. All access is read-only: RoverView does not publish, modify, or delete content on the connected accounts.

Permissions granted by the User upon connecting a Facebook Page or an Instagram Business account, through Meta's OAuth consent screen:

App-level features for accessing exclusively public data, used for the competitive benchmarking dashboard:

The User may revoke access at any time from Facebook's settings ("Settings → Apps and Websites"). Data deletion requests submitted through Meta are handled automatically: the connected accounts, the related credentials, and the synchronized data are removed immediately from the Service and permanently deleted within 90 days of the request. See also the Terms and Conditions of Use, Article 8.

2.2. Permissions and features of the TikTok integration

RoverView processes data originating from TikTok exclusively through the permissions (scopes) listed below, granted by the User through the official TikTok Login Kit authorization flow (OAuth 2.0 with PKCE). All access is read-only: RoverView does not publish, modify, delete, or comment on content on the connected TikTok accounts, and does not use any publishing endpoint (Content Posting).

Scopes granted by the User upon connecting a TikTok account:

TikTok access tokens are encrypted at rest, automatically renewed, and revoked upon disconnection of the account. The User may revoke access at any time from the settings of their TikTok account ("Settings and privacy → Manage app permissions"). Upon disconnection, the connected accounts, the related credentials, and the synchronized data are removed immediately from the Service and permanently deleted within 90 days. The processing of TikTok data takes place in compliance with the TikTok Developer Terms of Service and the related Platform Policies. See also the Terms and Conditions of Use, Article 8.

3. Purposes of the processing

Personal data is processed for the following purposes:

4. Legal basis of the processing

Each processing purpose is based on a specific legal basis pursuant to Article 6 of the GDPR:

5. Recipients and disclosure of data

Personal data may be disclosed to the following categories of recipients, each within the limits of what is strictly necessary:

Personal data is in no case transferred, sold, licensed, or otherwise shared with third parties for marketing, commercial profiling, or advertising purposes.

6. Transfer of data outside the EEA

Some of the providers indicated in point 5 — in particular the artificial intelligence and cloud infrastructure providers — may be located in or process data outside the European Economic Area, including the United States of America. In such cases, the transfer takes place on the basis of one or more of the following instruments provided for in Chapter V of the GDPR:

The data subject may obtain a copy of the safeguards adopted by contacting the Controller at the address info@nova42.it.

7. Data retention

Personal data is retained for the time strictly necessary to pursue the indicated purposes, in compliance with the principle of data minimization. The RoverView platform distinguishes three categories of data with different retention rules:

8. Nature of the provision and consequences of refusal

The provision of the data necessary for registration, authentication, and the management of the contractual relationship is mandatory. Failure to provide it makes it impossible to create an account and access the Service.

The provision of additional data — such as documents, brand memory content, creative assets, or the connection to third-party platform accounts — is optional. However, failure to provide such data may prevent the use of specific features of the Service or limit their effectiveness.

9. Rights of the data subject

Pursuant to Articles 15 to 22 of the GDPR, the data subject may exercise the following rights at any time:

Access (Article 15)

To obtain confirmation of the existence of processing and to access their personal data and the information relating to the processing.

Rectification (Article 16)

To obtain without delay the correction of inaccurate personal data or the completion of incomplete data.

Erasure (Article 17)

To obtain the erasure of their personal data where one of the grounds provided for by the GDPR applies.

Restriction (Article 18)

To obtain the restriction of processing in the cases provided for in Article 18 of the GDPR.

Portability (Article 20)

To receive the data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

Objection (Article 21)

To object at any time to processing based on legitimate interest, on grounds relating to their particular situation.

To exercise the rights indicated above, the data subject may contact the Controller by writing to info@nova42.it. The Controller will respond without undue delay and, in any event, within 30 days of receipt of the request, save for a justified extension of a further 60 days in cases of particular complexity.

The data subject also has the right to lodge a complaint with the competent supervisory authority: the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it.

10. Cookies, local storage, and tracking technologies

RoverView does not use profiling cookies, advertising cookies, or tracking technologies intended to monitor the User's behavior for commercial purposes.

The cookies and equivalent technologies possibly used by the website and the web app are limited to technical purposes strictly necessary for the operation of the Service (authentication, session management, storage of interface preferences) and, as such, are exempt from the obligation of prior consent pursuant to Article 122(1) of Italian Legislative Decree 196/2003 and the Italian Data Protection Authority's Guidelines on cookies of June 10, 2021.

In the client applications, authentication tokens and local preferences may be stored on the User's device through local storage mechanisms functionally equivalent to technical cookies.

11. Automated decision-making and artificial intelligence

The Controller does not carry out solely automated decision-making that produces legal effects or similarly significantly affects the data subject within the meaning of Article 22 of the GDPR.

The artificial intelligence features integrated into the Service — including performance analysis, insight generation, editorial suggestions, and semantic search within documents — are exclusively of an informational and operational support nature. The outputs generated by the AI do not replace the User's professional judgment, who in any event remains solely responsible for the decisions taken on the basis of such outputs.

The data submitted for AI processing is not used by the third-party providers to train their own models, within the limits of what is provided for by their respective contractual agreements and the related data processing policies.

12. Security measures

The Controller adopts technical and organizational measures adequate to ensure a level of security appropriate to the risk, pursuant to Article 32 of the GDPR. Such measures include, by way of example and not exhaustively: encryption of data in transit (TLS) and at rest, role-based access control, hashing of credentials, audit logs, periodic backups, and incident response procedures.

13. Changes to this policy

The Controller reserves the right to modify or update this policy at any time, in order to adapt it to the applicable legislation or to changes in the processing methods. Changes will be published on this page with an indication of the date of the last update. In the event of substantial changes, the Controller will inform registered Users via email communication or a notice on the platform.

Users are invited to consult this policy periodically.