Information provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and the applicable national legislation on the protection of personal data (Italian Legislative Decree 196/2003 as amended by Italian Legislative Decree 101/2018 — the "Italian Data Protection Code") to those who interact with the RoverView service.
1. Data Controller and privacy roles
For the processing relating to the management of the contractual relationship, the creation and administration of accounts, platform security, and the use of the website and applications, the Data Controller of personal data is Nova42 S.r.l. (hereinafter the "Controller" or "Nova42").
For the data that the Agency imports, uploads, generates, or connects to the Service on behalf of its own clients — including performance metrics, editorial content, documents, brand memory, creative assets, and data originating from third-party platforms — Nova42 acts as a data processor pursuant to Article 28 of the GDPR on behalf of the Agency, which remains the data controller of such data. In any event, the processing carried out for legal obligations, platform security, abuse prevention, and the protection of its own rights remains the responsibility of Nova42 as an independent Controller.
An Agency wishing to formally designate Nova42 as a data processor may request the execution of a specific agreement under Article 28 of the GDPR (Data Processing Agreement) by writing to info@nova42.it.
2. Data collected
The Controller collects and processes the following categories of personal data:
- Registration data: first name, last name, email address, password (stored exclusively in the form of a cryptographic hash), agency name, and company role provided by the User when creating the account.
- Authentication and session data: access and refresh tokens, session identifiers, information about the device used, IP address, and user-agent string, necessary for secure authentication and session management.
- Browsing and diagnostic data: IP address, browser type and version, operating system, pages visited within the Service, HTTP request timestamps, and technical logs automatically collected by the Service infrastructure.
- Statistical data from connected accounts ("Statistical Data"): when the User connects accounts from supported platforms, RoverView accesses — through OAuth tokens and the relevant APIs — performance metrics, audience data, content statistics, and campaign performance information, within the limits of the permissions granted during the authorization flow. The integrations currently available include Instagram/Meta, TikTok, Google Analytics, and LinkedIn; additional platforms may be added or removed over time. Statistical Data is stored on the platform independently of the Agency and the Client: it is associated with the originating third-party platform account and not with the Agency that established the connection. This allows the continuity of the analytical history even in the event of a change in the Agency managing the Client or of disconnection of the account.
- Agency documentary data and content ("Agency Content"): the Service allows the Agency and its Users to upload, create, and store within the platform documents, URLs, operational notes, creative briefs, editorial guidelines, brand memory, graphic assets, generated reports, and any other content entered on behalf of their Clients. Such data is owned by the Agency that entered it, is stored in the Provider's systems for the entire duration of the contractual relationship, and remains accessible to the Agency and the Users authorized by it.
- Data processed through artificial intelligence: the texts, documents, and data submitted by the User to the Service's analysis, insight generation, and semantic search features are transmitted to the integrated AI providers (currently Anthropic and OpenAI) to the extent strictly necessary for the requested processing. The generated outputs are saved on the platform and associated with the Agency's workspace as Agency Content.
- Technical cookies and equivalent technologies: the website and applications use exclusively cookies and local storage technologies that are strictly necessary for the operation of the Service, for authentication, and for storing the User's preferences.
2.1. Permissions and features of the Meta integration (Facebook and Instagram)
RoverView processes data originating from Facebook and Instagram exclusively through the permissions and features listed below. All access is read-only: RoverView does not publish, modify, or delete content on the connected accounts.
Permissions granted by the User upon connecting a Facebook Page or an Instagram Business account, through Meta's OAuth consent screen:
- pages_show_list — list of Facebook Pages managed by the User (identifier and name). Purpose: to allow the operator to select the Client's Page to connect. Legal basis: performance of the contract.
- pages_read_engagement — aggregated engagement counters at the Page level (totals of reactions, comments, and shares). Purpose: to feed the Facebook organic analytics dashboard. Legal basis: performance of the contract.
- pages_read_user_content — the posts published by the Page and the comments left on them. Purpose: to show the operator the Page's content and conversations. Legal basis: performance of the contract.
- instagram_basic — profile data of the connected Instagram Business account (handle, biography, profile image). Purpose: to display the Instagram profile in the dashboard. Legal basis: performance of the contract.
- instagram_manage_insights — insights of the Instagram account (reach, profile views, aggregated follower demographics, reach, likes, and comments per individual post). Purpose: to feed the Instagram organic analytics dashboard. Legal basis: performance of the contract.
App-level features for accessing exclusively public data, used for the competitive benchmarking dashboard:
- Page Public Content Access — public metadata and posts of the competitor Pages added by the agency: metadata (name, category, number of fans and followers, image, description, link, verification status, website) and public posts (identifier, text, publication date, permalink, aggregated totals of reactions, comments, and shares). Purpose: competitive benchmarking and calculation of the average engagement shown in the relevant dashboard. Legal basis: legitimate interest of the agency, balanced against the public nature of the data.
The User may revoke access at any time from Facebook's settings ("Settings → Apps and Websites"). Data deletion requests submitted through Meta are handled automatically: the connected accounts, the related credentials, and the synchronized data are removed immediately from the Service and permanently deleted within 90 days of the request. See also the Terms and Conditions of Use, Article 8.
2.2. Permissions and features of the TikTok integration
RoverView processes data originating from TikTok exclusively through the permissions (scopes) listed below, granted by the User through the official TikTok Login Kit authorization flow (OAuth 2.0 with PKCE). All access is read-only: RoverView does not publish, modify, delete, or comment on content on the connected TikTok accounts, and does not use any publishing endpoint (Content Posting).
Scopes granted by the User upon connecting a TikTok account:
- user.info.basic — account identifiers (
open_id,union_id), display name and profile image (display_name,avatar_url). Purpose: to identify the connected account and display its name and avatar in the dashboard. Legal basis: performance of the contract. - user.info.profile — profile data (
username,bio_description,is_verified,profile_deep_link). Purpose: to show the@handle, the biography, the verified account badge, and the link to the profile. Legal basis: performance of the contract. - user.info.stats — aggregated account statistics (
follower_count,following_count,likes_count,video_count). Purpose: to feed the KPI cards and the trend charts of the dashboard. Legal basis: performance of the contract. - video.list — metadata and performance metrics of only the videos owned by the User (views, likes, comments, and shares per individual video), read through the Display API. Purpose: to feed the grid and the per-video performance charts. Legal basis: performance of the contract.
TikTok access tokens are encrypted at rest, automatically renewed, and revoked upon disconnection of the account. The User may revoke access at any time from the settings of their TikTok account ("Settings and privacy → Manage app permissions"). Upon disconnection, the connected accounts, the related credentials, and the synchronized data are removed immediately from the Service and permanently deleted within 90 days. The processing of TikTok data takes place in compliance with the TikTok Developer Terms of Service and the related Platform Policies. See also the Terms and Conditions of Use, Article 8.
3. Purposes of the processing
Personal data is processed for the following purposes:
- Provision of the Service: delivery of RoverView's features, including multi-channel analysis of marketing performance, connection and synchronization with third-party platform accounts, document management, storage of brand memory and assets, and the generation of insights and reports through artificial intelligence tools.
- Account management: creation, authentication, role-based authorization (Administrator, Operator, Client), credential recovery, and technical support.
- Storage and persistence of Statistical Data: retention of statistical data originating from connected accounts independently of the Agency, in order to ensure the historical continuity of the metrics, the portability of the data to newly appointed Agencies, and the operation of the Service.
- Storage of Agency Content: retention of the documents, brand memory, reports, and assets uploaded or generated by the Agency within the platform, in order to ensure their availability and accessibility over time.
- Legal compliance: regulatory, accounting, tax, and document retention obligations.
- Security and abuse prevention: protection of the integrity of the platform, prevention of unauthorized access, management of audit logs, and troubleshooting.
- Improvement of the Service: aggregated and pseudonymized analyses of platform usage, in order to optimize existing features and develop new ones.
4. Legal basis of the processing
Each processing purpose is based on a specific legal basis pursuant to Article 6 of the GDPR:
- Performance of the contract (Article 6(1)(b)): for the provision of the Service, account management, authentication, the storage of Agency Content and Statistical Data on the platform, and the execution of the features requested by the User, including connections to third-party platforms and AI processing.
- Legitimate interest of the Controller (Article 6(1)(f)): for platform security, the prevention of abuse and fraud, log management, troubleshooting, the improvement of the Service, as well as for the retention of the Statistical Data of connected accounts independently of the Agency, in order to ensure the continuity of the analytical history, the portability of the data, and the correct operation of the platform. The data subject has the right to object to such processing pursuant to Article 21 of the GDPR.
- Legal obligation (Article 6(1)(c)): for the regulatory, accounting, and tax obligations imposed by Italian and European Union legislation.
5. Recipients and disclosure of data
Personal data may be disclosed to the following categories of recipients, each within the limits of what is strictly necessary:
- Hosting and cloud infrastructure providers: for the technical delivery of the Service, the secure storage of data, and the distribution of content (servers, databases, CDN, backup services).
- Artificial intelligence providers: providers of language and embedding models used by the Service for the analysis, insight generation, and semantic search features (currently Anthropic and OpenAI). The data transmitted is limited to the content strictly necessary for the processing of the User's specific request.
- Connected third-party platforms: Meta/Instagram, TikTok, Google Analytics, LinkedIn, and other platforms that may be integrated, limited to the data flows authorized by the User through the OAuth mechanism.
- Authorized consultants and suppliers: parties that assist Nova42 in technical, administrative, legal, accounting, or IT security matters, designated where necessary as data processors pursuant to Article 28 of the GDPR.
- Competent authorities: judicial, administrative, or supervisory bodies, in the cases provided for by law or by binding measures.
Personal data is in no case transferred, sold, licensed, or otherwise shared with third parties for marketing, commercial profiling, or advertising purposes.
6. Transfer of data outside the EEA
Some of the providers indicated in point 5 — in particular the artificial intelligence and cloud infrastructure providers — may be located in or process data outside the European Economic Area, including the United States of America. In such cases, the transfer takes place on the basis of one or more of the following instruments provided for in Chapter V of the GDPR:
- Adequacy decisions adopted by the European Commission pursuant to Article 45 of the GDPR, including the EU-U.S. Data Privacy Framework for the providers certified thereunder.
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, where applicable supplemented by additional technical and organizational security measures.
- Further appropriate safeguards provided for in Article 46 of the GDPR.
The data subject may obtain a copy of the safeguards adopted by contacting the Controller at the address info@nova42.it.
7. Data retention
Personal data is retained for the time strictly necessary to pursue the indicated purposes, in compliance with the principle of data minimization. The RoverView platform distinguishes three categories of data with different retention rules:
- Statistical Data from connected accounts: the performance metrics, audience data, and statistics originating from the accounts of the connected third-party platforms are retained on the platform indefinitely and independently of the Agency and the Client. Such data constitutes an asset of the platform and is not deleted in the event of: (i) the disconnection of a Client from an Agency; (ii) the deletion of a Client from the platform; (iii) the deletion of the Agency's account. The Statistical Data remains available to be viewed by any new Agency that may be appointed to manage the same account. An exception applies to deletion requests submitted by a user through Meta (Facebook): in such cases the data relating to the Meta integration is removed from the Service and permanently deleted within 90 days of the request (see point 2.1).
- Agency Content (documents, brand memory, briefs, assets, reports, AI outputs): is owned by the Agency and is retained for the entire duration of the contractual relationship. In the event of deletion of the Agency's account, such Content is deleted from the platform's systems, subject to the technical times required for removal from backups (as a rule within 90 days) and any retention obligations provided for by law. In the event of deletion of a Client from the platform, the Agency Content associated with that Client (documents, brand memory, briefs, and assets uploaded by the Agency) is retained for a period of 90 days from the date of deletion, during which the Agency may request its export, after which it is permanently deleted.
- Account data and administrative data: for the entire duration of the contractual relationship and, subsequently, for up to 10 years from termination, for tax and accounting obligations and for the possible protection of rights in court pursuant to Articles 2946 et seq. of the Italian Civil Code.
- Technical logs and browsing data: as a rule for a maximum of 12 months from collection, unless there is a different documented IT security need or legal obligation.
- Tokens and session data: until revocation, natural expiry, or disconnection of the connected account. The data relating to temporary OAuth flows is automatically deleted upon the expiry of the relevant technical terms.
8. Nature of the provision and consequences of refusal
The provision of the data necessary for registration, authentication, and the management of the contractual relationship is mandatory. Failure to provide it makes it impossible to create an account and access the Service.
The provision of additional data — such as documents, brand memory content, creative assets, or the connection to third-party platform accounts — is optional. However, failure to provide such data may prevent the use of specific features of the Service or limit their effectiveness.
9. Rights of the data subject
Pursuant to Articles 15 to 22 of the GDPR, the data subject may exercise the following rights at any time:
To obtain confirmation of the existence of processing and to access their personal data and the information relating to the processing.
To obtain without delay the correction of inaccurate personal data or the completion of incomplete data.
To obtain the erasure of their personal data where one of the grounds provided for by the GDPR applies.
To obtain the restriction of processing in the cases provided for in Article 18 of the GDPR.
To receive the data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
To object at any time to processing based on legitimate interest, on grounds relating to their particular situation.
To exercise the rights indicated above, the data subject may contact the Controller by writing to info@nova42.it. The Controller will respond without undue delay and, in any event, within 30 days of receipt of the request, save for a justified extension of a further 60 days in cases of particular complexity.
The data subject also has the right to lodge a complaint with the competent supervisory authority: the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it.
10. Cookies, local storage, and tracking technologies
RoverView does not use profiling cookies, advertising cookies, or tracking technologies intended to monitor the User's behavior for commercial purposes.
The cookies and equivalent technologies possibly used by the website and the web app are limited to technical purposes strictly necessary for the operation of the Service (authentication, session management, storage of interface preferences) and, as such, are exempt from the obligation of prior consent pursuant to Article 122(1) of Italian Legislative Decree 196/2003 and the Italian Data Protection Authority's Guidelines on cookies of June 10, 2021.
In the client applications, authentication tokens and local preferences may be stored on the User's device through local storage mechanisms functionally equivalent to technical cookies.
11. Automated decision-making and artificial intelligence
The Controller does not carry out solely automated decision-making that produces legal effects or similarly significantly affects the data subject within the meaning of Article 22 of the GDPR.
The artificial intelligence features integrated into the Service — including performance analysis, insight generation, editorial suggestions, and semantic search within documents — are exclusively of an informational and operational support nature. The outputs generated by the AI do not replace the User's professional judgment, who in any event remains solely responsible for the decisions taken on the basis of such outputs.
The data submitted for AI processing is not used by the third-party providers to train their own models, within the limits of what is provided for by their respective contractual agreements and the related data processing policies.
12. Security measures
The Controller adopts technical and organizational measures adequate to ensure a level of security appropriate to the risk, pursuant to Article 32 of the GDPR. Such measures include, by way of example and not exhaustively: encryption of data in transit (TLS) and at rest, role-based access control, hashing of credentials, audit logs, periodic backups, and incident response procedures.
13. Changes to this policy
The Controller reserves the right to modify or update this policy at any time, in order to adapt it to the applicable legislation or to changes in the processing methods. Changes will be published on this page with an indication of the date of the last update. In the event of substantial changes, the Controller will inform registered Users via email communication or a notice on the platform.
Users are invited to consult this policy periodically.