General Privacy Statement

Novantra (“we”, “us”, “our”) respects your privacy. This statement describes the categories of personal information we process, the purposes for which we process it, and the rights you have. If you have questions, contact us at privacy@novantra.io.

We collect personal information in three ways:

• Information you provide directly. When you join the waitlist we collect your email and, optionally, your name, country, and the language preference of your browser (locale). When you submit the contact form we collect your name, work email, company, an optional phone number, the country you selected, and the message you wrote. When you create a Managed Cloud account or interact with our team about a subscription we collect business contact details and billing information.
• Information generated when you use the Service. The platform records authentication events, audit-trail entries, security telemetry (signed-in identity, IP address for the active session, action and resource), and event correlation identifiers so that we can investigate incidents and meet customer obligations.
• Information collected automatically. The Novantra website sets a small set of strictly-necessary cookies (your locale preference, an authentication session cookie when you are signed in, and a Cloudflare Turnstile cookie used to verify that you are a human submitting a form). See the separate Cookies Policy for details. We do not currently set analytics or advertising cookies.

We use personal information to provide and operate the Service, to authenticate users, to process billing, to detect and prevent security incidents, to comply with legal obligations, and to communicate with you about the Service. We do not sell personal information, and we do not use personal information to train third-party machine-learning models.

Where the General Data Protection Regulation, the UK GDPR, or comparable laws apply, we process personal information on the legal bases of performance of a contract (operating the Service you subscribed to), compliance with legal obligation (tax records, incident response, lawful interception), legitimate interest (preventing abuse and securing the platform), or consent (marketing communications, where applicable), depending on the purpose.

We share personal information with the small set of vetted subprocessors that help us operate the Service: cloud infrastructure, transactional email, bot-defence, identity providers, and billing-event ingestion. Each subprocessor is bound by contractual obligations to protect the information. The current inventory, processing location, and purpose for each is published on our Subprocessors page and updated when the list changes. We also share information where required by law or to protect the rights and safety of Novantra, our customers, or others.

Customer Data submitted to the Service is treated as confidential. The Managed Cloud service places each customer organisation in its own dedicated database, with isolation enforced at the database boundary; no shared business schema is used across tenants. Member identity is org-local. Customer Data submitted on the Sovereign tier remains within your own infrastructure and is not transmitted to Novantra as part of operating the licensed software.

We use technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. Concretely:

• Encryption at rest. Personal identifiers and free-text content (names, emails, phone numbers, messages, narratives, evidence text) are stored as AES-256-GCM ciphertext with versioned envelopes.
• Privacy-preserving lookup. Where we need to find a row by email (for example, to deduplicate a waitlist signup or to honour an erasure request) we use a HMAC-SHA256 blind index over the email, so plaintext is never required at query time.
• In-transit encryption. All traffic to and from the Service uses TLS 1.2 or above with modern cipher suites; HSTS is enforced on the marketing and cloud surfaces.
• Audit logs. Control-relevant actions are recorded in a per-organisation, append-only event store with hash-chained source tracing. Audit append is idempotent so the chain survives retries.
• Authentication and access control. Mandatory MFA is enforced for administrator access; role-based access control gates every governed action; sessions stay org-local.
• Customer-controlled keys. Managed Cloud customers entitled to cloud.byokmay wrap their organisation’s encryption keys under their own AWS KMS or Azure Key Vault instance. Sovereign customers may use HashiCorp Vault Transit instead. The platform fails closed for the affected organisation if the customer-controlled key provider is unreachable; there is no silent fallback to a platform-managed key.

We retain personal information only for as long as needed for the purpose it was collected. Each category carries its own retention rule, and rows are hard-deleted when the rule expires (no soft-delete shadow copy is kept).

• Waitlist signups. Retained until we send your invitation, or for 12 months from the last activity if no invitation is sent. Erasure requests are honoured ahead of the rule by hashing your email through the blind index.
• Contact-form submissions. Retained for 24 months from the most recent status update on the request, then hard-deleted.
• Account, organisation, and Customer Data. Retained for the active life of your subscription. Following termination, account and organisation data is deleted within 30 days unless we are legally required to keep it longer.
• Audit and security event logs. Retained for at least 12 months on the Managed Cloud service. Sovereign customers may configure their own retention rule.
• Billing records. Retained for as long as required by applicable tax law (typically 6 to 10 years).

Subject to applicable law, you may have the right to access, correct, delete, restrict, or port your personal information, and to object to processing based on legitimate interest. To exercise any of these rights, contact us at privacy@novantra.io. We will acknowledge your request within 5 business days and respond substantively within 30 days from receipt, aligned with the GDPR Article 12 timelines. Complex requests may be extended by up to a further 60 days with notice. You also have the right to lodge a complaint with your local data protection authority.

The Managed Cloud service is currently hosted in eu-central-1 (AWS Frankfurt): the compute layer runs on Amazon EC2, the database surface is managed by Neon, and transactional email from the workspace is dispatched through Amazon SES in the same region. Marketing transactional email (waitlist acknowledgement and contact-form notification) is sent through Zoho ZeptoMail in the EU region. Personal information may be transferred to or stored in countries other than your country of residence in the following limited situations: Stripe billing-webhook ingestion (United States, with EU data plane); Cloudflare Turnstile bot verification (global anycast); Google or GitHub OAuth identity when you choose to sign in with one of those providers (United States). Where these transfers occur outside the European Economic Area, they rely on the European Commission’s Standard Contractual Clauses or an equivalent transfer mechanism. A multi-region option for Managed Cloud is on the roadmap; the timing is to be confirmed before general availability.

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will take appropriate steps to delete it.

We may update this General Privacy Statement from time to time. Material changes will be notified through the Service or by email to the account contact. The effective date of the current version is shown at the top of this page.

Questions about this Privacy Statement or your personal information may be sent to privacy@novantra.io.