Privacy policy

Last Updated: April 1, 2026

Introduction

This Privacy Notice explains how Nuwa Labs, Inc. ("Nuwa," "we," "our," or "us") collects, uses, discloses, and otherwise processes personal data in connection with the Nuwa Pen hardware, the Nuwa+ App, our websites (including nuwapen.com), and all related services (collectively, the "Services").

This Privacy Notice is not a contract and does not create any legal rights or obligations not otherwise provided by law.

Before reading the full policy, here are the principles that guide our approach to your privacy:

  • Our revenue comes from selling our Services to users, not from selling your personal information.
  • We protect your data. We work with trusted vendors in limited circumstances to process user data for operating our Services, but do not permit third parties to use your personal information for their own commercial or marketing purposes without your consent.
  • We encrypt your personal data at rest and in transit.
  • You can request to access or delete your personal information at any time.
  • You have the right to object to or opt out of certain data uses, including AI model training, as described in this Notice.

1. Personal Data We Collect

The categories of personal data we collect depend on how you interact with our Services. We collect information you provide to us, information collected automatically, and information from other sources.

Information You Provide to Us

  • Contact Information: Your name, email address, phone number, and shipping/billing addresses.
  • Account Information: Your account credentials (username and password), language preference, dominant hand (left/right-handed), country, and other profile settings.
  • Payment Information: When you make a purchase, our third-party payment processors collect your payment card information and billing details. Nuwa does not directly store your full payment card number.
  • Communications and Support Information: The content of your communications with us, such as feedback or inquiries sent to our support team.

Information Collected Automatically

When you use our Services, we and our partners automatically collect certain information about your devices and your interaction with our Services.

From the Nuwa Pen Hardware

We collect two categories of information directly from the hardware:

  • Digital Ink Representation: To render a precise and fluid digital version of your handwriting, the pen captures data relating to the optical and positional characteristics of your strokes, as well as dynamic motion data (such as pressure, tilt, and acceleration). This data includes behavioral characteristics that may be considered biometric in nature under certain privacy laws (see "Important Note on Handwriting Data" below). This data is treated with a heightened standard of care.
  • Hardware Performance Analytics: To ensure your pen is functioning optimally, we collect diagnostic and operational data about the hardware itself, including battery status, firmware version, memory usage, performance metrics, and error logs.

Important Note on Handwriting Data: The dynamic motion data captured by the Nuwa Pen (such as pressure patterns, tilt, and acceleration) may constitute behavioral biometric characteristics under certain privacy laws, including the EU General Data Protection Regulation (GDPR). We do not use this data for the purpose of uniquely identifying you. This data is collected and processed solely to provide, maintain, and improve the handwriting capture and transcription features of the Services. We apply heightened security measures to this data category, including encryption at rest and in transit and strict access controls. For residents of the European Economic Area, please see Section 10 for additional information about your rights regarding this data.

From the Nuwa+ App and Cloud Service

  • User Content: Your handwriting data, final transcribed text, and other content you create, which we store to provide syncing, backup, and other features.
  • Usage Analytics: Data about when and how you interact with the Services, including session timing, feature usage patterns, and performance data. This data is used to operate, improve, and develop the Services. We do not read the content of what you write as part of routine analytics. In the limited circumstance where reviewing individual content is necessary to diagnose a specific technical issue, we will request your separate, explicit consent before doing so.
  • Usage Metadata: Data associated with your content and activity, such as creation date, time, and last modified date. Location data is collected only if you enable this feature.

From Our Website and Services

  • Device and Network Information: Your IP address, browser type, operating system, unique device identifiers, and information about the network you are using.
  • Website Usage Information: Information about how you navigate our website and interact with our marketing communications. This may include recording user behavior such as mouse movements, clicks, and scrolling to improve our website design. Non-essential cookies used for this purpose are set only with your prior consent via our cookie preference center.

Information from Other Sources

  • Third-Party Services: If you choose to log in using a third-party service (such as Google or Apple), we receive information from that service as permitted by your privacy settings with that service, such as your name and email address.
  • Our Partners: We may receive information from partners who assist us with marketing or promotional services to measure the performance of our campaigns.
  • Inferences: We may generate inferences about your interests or preferences based on your interaction with our Services to help us provide a more personalized experience.

2. How We Use Your Personal Data and Our Legal Bases

We use the personal data we collect for the purposes described below. For each purpose, we have identified the legal basis for the processing under applicable law, including the GDPR.

  • To Provide and Maintain the Services: To fulfill your orders, process payments, sync your notes across devices, provide cloud storage, and perform transcription.
    Legal Basis: Performance of a contract with you.
  • For Service Improvement and Analytics: We use data generated through your use of the Services to understand usage patterns, diagnose issues, and improve the Services. For these purposes, we aggregate and de-identify data so that it no longer identifies you personally. We apply industry-standard anonymization techniques and conduct re-identification risk assessments to confirm that data used for these purposes cannot reasonably be linked back to an individual. Once data has been genuinely anonymized in accordance with applicable law (including GDPR Recital 26), it is no longer personal data.
    Legal Basis: Our legitimate interests in improving the Services. We have conducted a balancing test and determined that our interest in service improvement does not override your rights and freedoms, particularly given the anonymization measures we apply.
  • For AI and Machine Learning Model Training: We may use aggregated and de-identified data to train and improve our proprietary handwriting recognition models and other AI capabilities. We do not use the identified content of your notes for model training without your consent. Prior to anonymization, your data is processed as personal data and is subject to all applicable rights. You may object to the processing of your personal data for this purpose prior to anonymization by contacting us at privacy@nuwapen.com. We will honor such objections, though this may affect your ability to use certain features.
    Legal Basis: Our legitimate interests in developing and improving our technology. For identified personal data used in the anonymization pipeline, you retain the right to object under GDPR Article 21.
  • For Research, Development, and Personalization: To analyze usage trends, inform our product roadmap, and personalize your experience. If you object to this processing, please contact us at privacy@nuwapen.com. Please note that objecting to certain processing activities may affect your ability to use some features of the Services.
    Legal Basis: Our legitimate interests in developing and improving the Services.
  • To Communicate With You: To provide customer support and send important transactional communications (e.g., order confirmations, security alerts, and policy updates). We may also send marketing communications in accordance with your preferences.
    Legal Basis: Performance of a contract and our legitimate interests for transactional messages; your consent for marketing messages.
  • For Security, Fraud Prevention, and Legal Compliance: To protect our users and our Services, prevent fraud, enforce our Terms of Service, and comply with legal obligations.
    Legal Basis: Legal obligations and our legitimate interests in protecting our company and users.
  • Automated Decision-Making: We do not use your personal data to make automated decisions that have a legal or similarly significant effect on you.

3. How We Share Your Personal Data

We do not sell your personal data. We may disclose your personal data to the following categories of third parties to provide and improve our Services:

  • Service Providers: We share data with third-party vendors who perform services on our behalf. These vendors are contractually obligated to protect your data and can only use it to perform the services we have engaged them for. These categories include:
    • Cloud Hosting and Storage Providers
    • Payment Processors
    • Fulfillment and Shipping Partners
    • Customer Support Platform Providers
    • Analytics and Marketing Service Providers
  • Third-Party AI Providers: If you use our AI-powered features (such as the AI Assistant), we share relevant User Content (such as text from your notes) with third-party AI providers to deliver those features. Our current AI providers include, but are not limited to: Anthropic, Google, OpenAI, and xAI. This list may change as we evolve our technology. For an up-to-date list of current providers, you may contact us at privacy@nuwapen.com. Use of AI features is optional. When you use an AI feature, you will be informed that your content will be shared with a third-party AI provider. These providers process your data under data processing agreements that restrict their use of your data. However, some providers may use inputs and outputs to improve their models in accordance with their own terms; where this applies, we will inform you before you use the feature and obtain your consent where required by applicable law.
  • Affiliates: We may share information within our corporate family for operational, support, and development purposes.
  • Business Transactions: In connection with a merger, acquisition, financing, or sale of company assets, your data may be transferred to a successor or acquiring entity. In the event of such a transaction, we will notify you via email or a prominent notice on our website before your personal data is transferred.
  • Legal and Safety Obligations: To comply with lawful requests from public authorities, such as law enforcement, or to protect our legal rights, property, or the safety of our users or others.
  • Other Parties With Your Consent: We may share your personal information for other purposes disclosed to you at the time of collection or pursuant to your consent.

3.1 Nuwa MCP (AI Assistant Connector)

When you connect your Nuwa account to a third-party AI assistant (such as Claude by Anthropic) through our MCP (Model Context Protocol) connector, the following applies:

What we share. The MCP connector provides the AI assistant with read-only access to your note transcriptions, notebook names, and note metadata (timestamps, status). No data is modified, deleted, or created through this connector. Raw handwriting stroke data is not shared unless you explicitly request it.

Authentication. You authenticate using your existing Nuwa account credentials (email/password or Google Sign-In) through a secure OAuth 2.0 flow. Your password is never transmitted to or stored by the AI assistant. Session tokens are stored server-side with encryption and are automatically refreshed; you do not need to re-authenticate after each session.

Data handling. Note content is fetched on-demand from the Nuwa API for each request and passed directly to the AI assistant. The MCP server does not cache, log, or persistently store the content of your notes. We store only your email address, login timestamps, and aggregate tool usage counts for service operation and analytics purposes.

Third-party data access. The AI assistant (e.g., Claude) receives your note transcriptions in order to respond to your queries. The AI assistant's use of your data is governed by its own privacy policy (e.g., Anthropic's Privacy Policy for Claude). We encourage you to review the privacy policy of any AI assistant you connect.

Archived and trashed notes. By default, archived and trashed notes are excluded from results returned to the AI assistant. They are only included if you explicitly request them.

Revoking access. You can disconnect the MCP connector at any time through the AI assistant's settings. Once disconnected, the AI assistant can no longer access your notes. Server-side session data is automatically purged after 90 days of inactivity.

Security. All communication between the MCP server and the Nuwa API, and between the MCP server and the AI assistant, occurs over encrypted HTTPS connections. Login attempts are rate-limited to prevent abuse. Session data is stored in a restricted-access database with owner-only file permissions.

4. Cookies and Other Technologies

Our websites and services use cookies, web beacons, SDKs, and other similar technologies to operate and improve our Services, understand user behavior, and measure the effectiveness of our communications.

  • Strictly Necessary Cookies: Required for the operation of our website. These do not require your consent.
  • Performance and Analytics Cookies: Help us understand how visitors interact with our services. Set only with your prior consent via our cookie preference center.
  • Marketing Cookies: May be used to track your activity across websites to deliver more relevant advertising. Set only with your prior consent via our cookie preference center.

Your Choices: For non-essential cookies, we obtain your consent before setting them via our cookie preference center, accessible through the cookie banner displayed on your first visit. Non-essential cookies are blocked until you provide consent. You may withdraw or update your consent at any time by revisiting your cookie preferences via the link in our website footer. You can also opt out of targeted advertising by visiting the opt-out pages of the Digital Advertising Alliance or the Network Advertising Initiative. We honor Global Privacy Control (GPC) signals transmitted by your browser as a valid opt-out request.

5. Your Privacy Rights and Choices

We empower you with choices and rights regarding your personal data.

  • Access or Update Your Information: You may review and update certain account information by logging into your account settings.
  • Data Export: You can request an export of your notes by contacting us. We currently support PDF, TXT, and SVG formats.
  • Account Deletion: You can request the permanent deletion of your account and associated User Content by emailing team@nuwapen.com from the address linked to your account with the subject line "Account Deletion Request." We will delete your data from active systems within 30 days and from our backups within 90 days. We may retain certain transactional records and data necessary to comply with legal and accounting obligations for up to 7 years (e.g., under Dutch fiscal record-keeping requirements and US tax law), after which such data will be deleted. Genuinely anonymized data that has been aggregated and can no longer be linked to you is retained indefinitely as it is no longer personal data. Once your identifiable data is deleted, it cannot be recovered.
  • Object to AI Model Training: You may object to the processing of your personal data in the pre-anonymization pipeline used for AI and machine learning model training by contacting privacy@nuwapen.com. We will honor your objection. Please note that genuinely anonymized data that has already been aggregated and can no longer identify you is not subject to this objection, as it is no longer personal data under applicable law.
  • Opt-Out of Sale or Sharing: We do not sell your personal information for monetary compensation. To opt out of the sharing of your personal information for targeted advertising purposes, please visit: https://nuwapen.com/pages/data-sharing-opt-out. We also honor Global Privacy Control (GPC) signals as valid opt-out requests.
  • Communication Preferences: You can unsubscribe from marketing emails at any time by clicking the "unsubscribe" link in any email we send you. You also have the right to object at any time to processing of your personal data for direct marketing purposes, including related profiling. To exercise this right, contact us at privacy@nuwapen.com.

6. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, provide the Services, and comply with our legal obligations. The following table sets out our retention periods by data category:

Data Category Retention Period Justification
Account Information Duration of your account, plus up to 7 years Service provision; legal and fiscal record-keeping obligations
User Content (handwriting data, transcriptions, notes) Duration of your account, plus up to 90 days (backup deletion) Service provision; backup integrity
Handwriting Stroke and Motion Data Duration of your account, plus up to 90 days (backup deletion) Service provision (transcription, digital ink rendering)
Payment and Transaction Records Up to 7 years from date of transaction Dutch fiscal record-keeping (AWR Art. 52); US tax obligations
Hardware Diagnostics and Firmware Telemetry Up to 36 months (rolling) Product quality, warranty support, safety monitoring
Usage Analytics and Metadata Up to 36 months (rolling) Service improvement, product development
Customer Support Communications Duration of your account, plus up to 3 years Support quality, dispute resolution, legal compliance
Marketing and Communication Preferences Duration of your account, plus up to 3 years Compliance with opt-out obligations
Anonymized and Aggregated Data Indefinitely Not personal data; used for analytics, product development, and model improvement

When you request account deletion, we follow the deletion timeline described in Section 5. At the end of the applicable retention period, data is securely deleted or anonymized.

7. Security

We implement robust administrative, technical, and physical security measures, including industry-standard encryption for your data both in transit and at rest. We apply heightened security measures to handwriting stroke and motion data given its sensitive nature. However, no system is perfectly secure, and we cannot guarantee the security of your personal data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay in accordance with applicable law.

8. International Data Transfers

Nuwa Labs, Inc. is based in the United States, and we use service providers that operate globally. Your personal data may be transferred to and processed in the United States and other countries outside of where you live. For data transferred from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on approved legal mechanisms, such as Standard Contractual Clauses (SCCs), to ensure an adequate level of data protection. Where required, we conduct Transfer Impact Assessments to evaluate whether the laws of the recipient country provide adequate protection and implement supplementary measures (such as additional encryption or pseudonymization) where necessary.

9. Children's Data

Our Services are not directed to children. We do not knowingly collect personal data from individuals under 13 years of age (or a higher age threshold where applicable under local law). If we become aware that we have collected a child's personal data without verifiable parental consent, we will take steps to delete it promptly.

10. Region-Specific Disclosures

For Residents of the EEA, UK, and Switzerland

You have the right to: access, rectify, erase, and port your personal data; restrict or object to our processing of your data (including the right to object to processing based on legitimate interests under Article 21 GDPR); withdraw consent at any time where processing is based on consent; and lodge a complaint with a data protection authority. For residents of the Netherlands, the competent authority is the Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).

Handwriting and Biometric Data: If the dynamic motion data captured by your Nuwa Pen constitutes special category data (biometric data) under the GDPR in your jurisdiction, our processing of this data for the purpose of providing the Services is based on your explicit consent, which we obtain through a dedicated consent flow during the setup of your Nuwa Pen. You may withdraw this consent at any time by contacting privacy@nuwapen.com. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent, certain features of the Services that rely on handwriting capture may no longer be available.

Our Privacy Contact for data protection matters can be reached at privacy@nuwapen.com.

For Residents of California and Other US States with Applicable Privacy Laws

You have rights including the Right to Know, the Right to Delete, the Right to Correct, and the Right to Limit Use of Sensitive Personal Information. You also have the Right to Opt-Out of the "Sale" or "Sharing" of your personal information for targeted advertising, and the Right to Non-Discrimination for exercising your privacy rights.

We do not sell your personal information for monetary compensation. To exercise your rights, please contact us at privacy@nuwapen.com or visit https://nuwapen.com/pages/data-sharing-opt-out. We honor Global Privacy Control (GPC) browser signals as valid opt-out requests. You may also submit requests by emailing privacy@nuwapen.com.

We will verify your identity before processing access, deletion, or correction requests. We respond to verified requests within 45 days, with the possibility of a 45-day extension for complex requests, as permitted by law.

11. Updates to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of material changes by posting the new notice on our website and updating the "Last Updated" date. For any changes that materially affect how we process your personal data, we will seek your explicit consent separately and will not rely solely on continued use of the Services as acceptance.

12. Contact Us

If you have any questions about this Privacy Notice, wish to exercise your rights, or have a complaint about how we handle your data, please contact us at:

Privacy Contact: Marc Tuinier
Email: privacy@nuwapen.com
Entity: Nuwa Labs, Inc.