1. Data Controller and Roles
For data we collect directly from you as a Novex customer, account holder, or website visitor, Novex is the data controller. For data our customers upload to the Service about their end users, Novex acts as a data processor on the customer's behalf under the Data Processing Agreement.
- Controller: Novex Systems LLC
- State of Formation: Wyoming, USA
- Registered Address: 30 N Gould St, STE R, Sheridan, WY 82801, USA
- Privacy Contact: privacy@nov3x.com
When personal data is processed inside a tenant workspace, the tenant is the data controller and Novex acts as data processor.
2. Categories of Personal Information We Collect
We collect and process the following categories of personal data:
- Account information: name, work email, phone number, organization, role, password (stored hashed).
- Billing information: billing address, payment method tokens (full card numbers are not stored on Novex servers).
- Communications: messages you send through support, sales, or feedback channels.
- Usage data: pages visited, features used, clicks, search queries, session duration, error reports.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, time zone, language preference.
- Information from third parties: authentication identifiers via single-sign-on; payment status from processors; public business information for B2B outreach.
We do not collect or process special-category personal data about Novex customers. Customers may choose to process such data about their own end users on the Service; that processing is governed by the DPA.
3. How We Use Personal Information
We use personal information to:
- Provide the Service: authenticate your account, deliver features, process subscriptions, provide support.
- Communicate with you: send service announcements, security alerts, billing notices, and transactional emails (required for service use).
- Marketing (with consent where required): product updates, newsletters, event invitations. Unsubscribe at any time.
- Improve the Service: analyze usage patterns, debug issues, conduct research, develop new features.
- Security and fraud prevention: detect and prevent abuse, fraud, unauthorized access, and violations of our Terms.
- Legal compliance: comply with applicable law, regulatory requests, and court orders, and enforce our agreements.
4. Legal Bases for Processing
Where the GDPR, UK GDPR, or Saudi PDPL applies, we rely on the following lawful bases: performance of a contract (providing the Service, sending transactional and security notifications); legitimate interests (marketing to existing customers about similar services, fraud prevention, security, defending legal claims); consent (marketing to prospects, non-essential cookies); legal obligation (tax, accounting, regulatory compliance). Where we rely on legitimate interest, we have conducted a balancing assessment and concluded that our interests do not override your rights. You have the right to object — contact privacy@nov3x.com.
5. Payment Information
We use third-party payment processors to handle subscription billing. Full card numbers are not stored on our servers; they are tokenized by the processor and returned to us only as a non-reversible token used for renewal billing. When tenants enable third-party payment integrations for their own end-user billing, payment data flows directly from the end user to that processor. Those processors are not Novex subprocessors — they are subprocessors of the tenant, who is responsible for disclosing them to its own end users.
6. How We Share Personal Information
We do not sell personal information. We share personal information only with the service providers (subprocessors) listed in the Data Processing Agreement at nov3x.com/legal/dpa, with required legal disclosures, in connection with business transfers (with notice where required), and with your explicit consent.
We require all subprocessors to provide a level of data protection at least as strong as we do, and we enter into data processing agreements with each.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
7. International Data Transfers and Data Residency
Personal data is primarily stored and processed in data centers within the European Union.
Limited operational data may transit through service providers in the United States (transactional email, error monitoring) and may, when a tenant enables corresponding integrations, transit through other regions including the Kingdom of Saudi Arabia (local integrations) or other markets in which the tenant operates.
Where personal data is transferred outside the EEA, the UK, or Saudi Arabia, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, Saudi PDPL cross-border transfer mechanisms once they enter full force, and the customer's own consent or contractual obligations where the transfer is initiated by the customer.
You may request a copy of the safeguards in place for a specific transfer by emailing privacy@nov3x.com.
8. Data Retention Periods
We retain personal information only as long as needed for the purposes described in this Policy.
| Data type | Retention period |
|---|---|
| Account data | Life of your account; deleted or anonymized within 90 days after account closure (30-day grace + 60-day delete) |
| Billing records | 7 years (US and applicable international tax and accounting law) |
| Support communications | 3 years |
| Marketing data | Until opt-out or 2 years of inactivity, whichever is sooner |
| Server logs | 90 days |
| Audit logs | Tenant operational events: 18 months. Platform-scoped events: 36 months. Security and tenant-lifecycle events (auth, RBAC, MFA, tenant suspend/activate): 84 months (7 years) per KSA financial record-keeping. Automatically purged nightly. |
| Backups | Rolled off within 30 days; encrypted at rest |
Specific retention periods for Customer Data processed on behalf of our customers are set out in the DPA and may be configured per tenant.
9. Your Rights
Depending on your location, you may have the following rights:
- Access: request a copy of the personal information we hold about you.
- Rectification: correct inaccurate or incomplete information.
- Deletion ("right to be forgotten"): request deletion, subject to legal retention obligations.
- Restriction: limit how we process your data.
- Portability: receive your data in a structured, machine-readable format.
- Object: object to processing based on legitimate interest, including direct marketing.
- Withdraw consent: where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint: EU/EEA — your national DPA. UK — ICO. KSA — SDAIA. California — California Attorney General.
- Non-discrimination (California): we will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact privacy@nov3x.com or use the in-app export tool. We will not charge a fee for exercising these rights unless the request is manifestly unfounded or excessive. We may need to verify your identity before responding. We respond within 30 days.
10. California (CCPA / CPRA) and Saudi PDPL Notices
California. In the last 12 months we have collected the following categories of personal information from California residents: identifiers, commercial information, internet activity, professional information, and inferences. We have disclosed these to our service providers for the purposes in Section 3. We have not sold or shared personal information for cross-context behavioral advertising.
Saudi Arabia. We comply with the Saudi Personal Data Protection Law (PDPL) for processing of personal data of individuals in the Kingdom of Saudi Arabia. Cross-border transfers from KSA are subject to PDPL transfer requirements; when transferring KSA-originated personal data outside the Kingdom, we apply the safeguards listed in Section 7.
11. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a minor, contact privacy@nov3x.com and we will delete it.
If a customer uses the Service to process data about end users under the age of 18, the customer is the controller of that data and is responsible for obtaining any required parental consents.
12. Security
Our safeguards include:
- Encryption in transit (TLS 1.2+) for all connections.
- Encryption of sensitive fields at rest.
- Role-based access control with least-privilege defaults.
- Tenant isolation at the database level (row-level security).
- Multi-layer authentication for staff access to production.
- Daily encrypted backups with periodically verified restore drills.
- Continuous security headers (HSTS, CSP, COOP, COEP, CORP).
- Static analysis and dynamic scanning on every release.
- Incident response procedures with notification timelines defined in our DPA.
No security measure is perfect. If you believe your account has been compromised, contact security@nov3x.com immediately.
13. Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects on you solely through automated processing, including profiling. Our AI features (such as the in-product Copilot) generate suggestions and assistance; they do not make binding decisions, and any output is subject to your review.
14. Marketing and Communications
You can opt out of marketing emails at any time using the unsubscribe link in every marketing message, or by emailing privacy@nov3x.com. Opt-out does not affect transactional or service-related communications, which are required for your use of the Service. We do not use your data for cross-context behavioral advertising. We do not allow third-party advertising trackers on the Service. We use a tracking subdomain (links.nov3x.com) to redirect links in marketing emails. This allows us to measure aggregate click rates and improve our communications. We do not track individual recipient browsing beyond the link click itself. You can opt out of all marketing emails via the unsubscribe link in any message.
16. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced by email to your account contact and by posting the revised Policy at nov3x.com/privacy at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision.
17. Contact
- Data Protection Officer / Privacy questions: privacy@nov3x.com
- Security incidents: security@nov3x.com
- General inquiries: support@nov3x.com
- Customer Support (call/SMS): +1 (307) 466-7333
- General inquiries (SMS only): +1 (307) 466-7333
- Mailing address: Novex Systems LLC, Attn: Privacy, 30 N Gould St, STE R, Sheridan, WY 82801, USA
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.