Privacy Policy

TNova Labs LLC ("TNova," "we," "us") operates tnovalabs.com and provides AI Visibility audit and marketing services to independent HVAC contractors in the United States. This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, how long we keep it, and the rights you have over it.

Questions or requests: hello@tnovalabs.com. We respond within 7 business days.

1. Scope

This Policy applies to: (a) visitors to tnovalabs.com; (b) individuals who submit any form on the Site, including the AI Visibility Audit form; (c) recipients of audit reports and transactional email from us; and (d) prospective and active clients during a sales conversation prior to a signed Master Services Agreement. Once you sign an MSA, the data terms in that contract govern the engagement and supersede this Policy where they conflict.

2. Personal information we collect

2.1 From the AI Visibility Audit form

• Business name
• Business website URL
• City and US state
• Primary service line (HVAC; future: Plumbing, Roofing)
• Your name
• Email address
• Phone number (optional)
• A Cloudflare Turnstile token (anti-bot signal, discarded after validation)
• Approximate IP-derived metadata (country and ISP — no precise location)

We use this information to generate and deliver the requested AI Visibility audit report, send confirmation and report-ready emails, and follow up at most twice with reminders.

2.2 Information derived from the audit itself

To produce the audit, we automatically gather public information about your business from third-party sources:

• Content of your public-facing website pages (we use a standard web fetcher to read pages a search engine could read)
• Your Google Business Profile (via the Google Places API)
• Mentions of your business across Yelp, Better Business Bureau, Yellow Pages, Angi, HomeAdvisor, and other public business directories
• Page-load and Core Web Vitals metrics from Google PageSpeed Insights
• Counts of how often your business name (and competitors' names) appear when we run standardized homeowner-style queries against multiple AI assistants — see Section 4

All of this information is publicly available; we do not bypass any paywall, login, or robots.txt directive.

2.3 Cookies, analytics, and on-site events

We use first-party analytics (PostHog, EU-hosted) to understand which pages get traffic, which sections of the site convert, and where to improve. Analytics events are loaded only after you consent via our cookie banner. Without consent, no analytics cookies are set. Consent state itself is stored as a single essential cookie (not subject to consent under EU and US rules).

Cloudflare Turnstile sets a short-lived essential cookie required to verify you are not a bot when you submit a form. This cookie does not track you across sites.

2.4 Server logs

Our hosting provider (Vercel) keeps standard server logs of requests for approximately 30 days for security, debugging, and abuse detection. These logs contain IP address, requested URL, referrer, user agent, and timestamp.

2.5 What we do NOT collect

• We do not collect health-related personal information (PHI) from homeowners or business owners. The Site is not a HIPAA-covered application.
• We do not run third-party advertising pixels (Meta Pixel, LinkedIn Insight, TikTok Pixel, etc.) on tnovalabs.com.
• We do not knowingly collect data from anyone under 16 years of age.
• We do not sell or rent your contact information to anyone.

3. How we use your information

• To produce and deliver the AI Visibility audit you requested
• To email you the audit report, confirmations, and at most two reminder follow-ups
• To monitor abuse and protect the Site from automated attacks and spam
• To analyze aggregate traffic and conversion patterns so we can improve the Site (PostHog, after consent)
• To respond when you contact us (email, phone, or any form submission)
• To meet legal obligations and protect our rights when required

We do not use your information for automated decision-making with legal or similarly significant effects on you.

4. AI vendors and how we use them

The AI Visibility Audit calls multiple AI assistants to measure how often your business is recommended when homeowners ask AI for help. For each audit we send the following AI vendors a small set of standardized homeowner-style search prompts containing your city, state, and service line (e.g., “best HVAC company near Cleveland”):

• Anthropic (Claude API) — see Anthropic privacy policy
• OpenAI (ChatGPT / GPT API) — see OpenAI privacy policy
• Perplexity (Sonar API) — see Perplexity privacy policy
• Google (Gemini / AI Overviews via SerpAPI) — see Google privacy policy and SerpAPI privacy policy

We do not send your name, email address, phone number, IP address, or any other personally identifying information to these AI vendors. We send only the prompts (which contain publicly known business information: your business name, city, state, and service line) and parse their responses. AI vendors may retain prompts and responses per their own published privacy policies; we have no control over their retention.

5. How we share your information

We share personal information only with the limited set of vendors who help us run the Site and produce audits, and only to the extent each vendor needs the information to provide its service:

• Vercel (hosting · United States) — site delivery and serverless API execution
• Cloudflare (United States) — DNS, Turnstile bot protection, and email routing
• Supabase (Postgres database · United States) — storage of audit form submissions and report metadata
• Resend (transactional email · United States) — delivery of confirmation, report-ready, and follow-up emails
• Sanity (content management · European Union) — blog content delivery
• Cloudflare R2 (object storage · United States) — storage of generated audit PDFs (90-day retention)
• PostHog (analytics · European Union) — aggregate and anonymized site analytics; loaded only after consent
• Anthropic, OpenAI, Perplexity, Google, SerpAPI — see Section 4 above
• Twilio (telecommunications · United States) — optional, for clients who opt into call and SMS tracking under a signed MSA

We do not sell, rent, or trade personal information. We do not disclose personal information to third parties for those parties' own marketing.

We may disclose personal information when required by law or court order, when needed to protect our rights or the safety of others, or in connection with a corporate transaction (merger, acquisition, sale of assets), in which case the recipient will be bound by terms no less protective than this Policy.

6. International data transfers

We are based in the United States and most of our vendors store data in the United States. If you access the Site from outside the United States (including from the European Economic Area, the United Kingdom, or Switzerland), you understand and consent to the transfer of your personal information to the United States, where data-protection laws may differ from those in your jurisdiction. Where required, we rely on Standard Contractual Clauses (SCCs) for cross-border transfers.

7. How long we keep your information

• AI Visibility Audit form submissions: 24 months from submission, then hard-deleted from Supabase. The generated audit PDF in R2 is retained 90 days from generation, then hard-deleted.
• Email-list subscribers: until you unsubscribe; then 90 days for compliance evidence, then hard-deleted.
• Active client data (after a signed MSA): kept for the duration of the engagement plus 36 months for audit and tax purposes, after which it is hard-deleted unless legal obligations require longer retention.
• Server logs: approximately 30 days, then auto-purged by the provider.

8. Your rights

Regardless of where you live, you have the right to email hello@tnovalabs.com and request:

• A copy of all data we hold about you (right of access)
• Correction of inaccurate data (right to rectification)
• Deletion of your data (right to erasure)
• Restriction or objection to processing
• Portability of your data in a common machine-readable format
• Withdrawal of any consent you have given

We respond within 7 business days.

8.1 California residents (CCPA / CPRA)

California residents have the additional rights under the California Consumer Privacy Act (as amended by the CPRA) to:

• Know what personal information we collect, use, and disclose
• Delete personal information (subject to legal exceptions)
• Correct inaccurate personal information
• Opt out of any “sale” or “sharing” of personal information — we do not sell or share, but you may record the opt-out at any time
• Limit the use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA
• Be free from discrimination or retaliation for exercising your rights

To exercise any California right, email hello@tnovalabs.comwith “California Privacy Request” in the subject line. We verify the request by matching the email address you submitted against our records, and we may ask one clarifying question to confirm identity.

8.2 EU / UK residents (GDPR / UK-GDPR)

If you reside in the European Economic Area, the United Kingdom, or Switzerland, you have the rights enumerated above plus the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: (a) performance of the contract you requested when you submit a form (Art. 6(1)(b) GDPR); (b) our legitimate interest in operating, securing, and improving the Site (Art. 6(1)(f) GDPR); and (c) your consent for analytics cookies (Art. 6(1)(a) GDPR).

9. Security

We use industry-standard administrative, technical, and physical safeguards: HTTPS everywhere, content security policy headers, encryption at rest at our database and storage providers, principle-of-least-privilege access controls, secret rotation, and multi-factor authentication on every administrative account. No internet transmission or storage is 100% secure; we cannot guarantee absolute security.

If we discover a breach affecting your personal information, we will notify affected individuals without undue delay (and in any event within 72 hours where required by law) and notify the relevant supervisory authority where applicable.

10. Audit-report intellectual property

Audit reports we deliver to you are licensed for your internal business use under a non-exclusive, non-transferable, royalty-free license. The methodology, scoring rubric, language, structure, and formatting of the report are proprietary to TNova Labs. You may share the report with your employees and advisors. You may not reproduce, white-label, rebrand, paraphrase, or republish the report under another business or agency name. See our Terms of Service for the full license. Audit reports embed technical measures to deter unauthorized AI-assisted regeneration; bypassing those measures is a violation of these Terms and may also violate the U.S. Digital Millennium Copyright Act.

11. Children

tnovalabs.com is not directed at children under 16 and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact hello@tnovalabs.com and we will delete it promptly.

12. Changes to this Policy

We will update this Policy when our data practices change. The “last updated” date at the top reflects the most recent revision. For material changes (a new third party, a new data type, a substantive change to your rights or our retention), we will notify previous form-submitters by email at least 14 days in advance and post a notice on the homepage.

13. Contact

Privacy questions, requests, or complaints — hello@tnovalabs.com. For postal mail or service of legal process, please email first to request a current physical address.

This Privacy Policy was prepared by TNova Labs and is provided in plain English to be useful as well as legally adequate. It is not legal advice, and you should consult your own attorney before relying on any portion of it for your own business.