Privacy Policy

At Novastraxis Enterprise Solutions, Inc., we are committed to protecting and respecting your privacy. This Privacy Policy describes how we collect, use, store, and share information when you use our services, visit our websites, or interact with us.

Effective Date: January 1, 2026
Last Updated: April 11, 2026

Novastraxis Enterprise Solutions, Inc.

650 California Street, Suite 2450, San Francisco, CA 94108, United States.

This Privacy Policy ("Policy") applies to all services, products, websites, and applications operated by Novastraxis Enterprise Solutions, Inc. and its subsidiaries and affiliates (collectively, "Novastraxis," "we," "us," or "our"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy.

1. Information We Collect

We collect information from and about you in several ways when you use our cloud infrastructure platform, security services, websites, and related products (collectively, the "Services"). The categories of information we collect include the following:

1.1 Personal Data You Provide Directly

When you register for an account, request a demo, subscribe to our Services, contact our sales or support teams, attend our events, or otherwise interact with us, you may provide us with the following types of personal data:

  • Identity Data: Full name, job title, employer or company name, professional credentials, and photographs or avatars uploaded to your account profile.
  • Contact Data: Business email address, telephone number, mailing address, and preferred communication channels.
  • Account Data: Username, password (stored in hashed form), account preferences, multi-factor authentication configuration, API key identifiers, and role-based access control settings.
  • Financial Data: Billing address, payment card details (processed and stored by our PCI DSS-compliant payment processor), purchase history, invoice records, and tax identification numbers where required by law.
  • Communications Data: Records and content of correspondence with us, including support tickets, chat transcripts, emails, survey responses, feedback, and any other information you voluntarily share.
  • Professional Data: Professional background, industry, role within your organization, team size, and other firmographic information provided during the sales or onboarding process.

1.2 Usage Data Collected Automatically

When you access or use our Services, we automatically collect certain technical and usage information, including:

  • Service Usage Data: Features and functions accessed, API call logs, resource utilization metrics, configuration changes, deployment history, and platform interaction patterns.
  • Log Data: Server logs including IP addresses, access timestamps, referring URLs, HTTP request methods, response codes, and page views.
  • Performance Data: Latency measurements, throughput metrics, error rates, and diagnostic information used to maintain and improve service reliability.
  • Analytics Data: Aggregated and pseudonymized data about how users navigate and interact with our platform, including session duration, click paths, and feature adoption rates.

1.3 Device and Technical Data

We collect information about the devices and systems you use to access our Services, including:

  • Device type, operating system and version, browser type and version, screen resolution, and language preferences.
  • Unique device identifiers, hardware model, and mobile network information (for mobile device access).
  • IP address, geolocation data (derived from IP address at the city/region level), time zone settings, and network connection type.

1.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your interactions with our Services. This includes:

  • Strictly Necessary Cookies: Essential for the operation of our Services, including authentication tokens, session management, load balancing, and security features. These cookies cannot be disabled.
  • Performance Cookies: Collect aggregated, anonymous data about how visitors use our website, including which pages are visited most frequently and whether users receive error messages.
  • Functional Cookies: Allow our Services to remember choices you make (such as your language, region, or display preferences) and provide enhanced, personalized features.
  • Targeting/Advertising Cookies: Used to deliver advertisements relevant to your interests, measure the effectiveness of advertising campaigns, and limit the number of times you see a particular advertisement. These may be set by third-party advertising partners.

You may manage your cookie preferences at any time through our cookie consent management tool, accessible via the "Cookie Settings" link in the footer of our website. Please note that disabling certain cookies may impair the functionality of our Services.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery and Operations: To provide, maintain, monitor, and improve our cloud infrastructure platform, security services, and related products; to process transactions and send related information including confirmations, invoices, and technical notices; and to provide customer support and respond to your requests.
  • Account Management: To create and manage your account, authenticate your identity, enforce role-based access controls, and maintain the security of your account credentials.
  • Security and Fraud Prevention: To detect, investigate, and prevent security incidents, fraudulent activity, unauthorized access, and other harmful or illegal activities; to conduct security audits and vulnerability assessments; and to comply with our legal obligations related to information security.
  • Platform Improvement: To analyze usage patterns and trends to improve our Services, develop new features and products, optimize performance, and enhance user experience. This includes using aggregated and de-identified data for machine learning and statistical analysis.
  • Communications: To send you service-related communications, including security alerts, system updates, maintenance notifications, and changes to our terms or policies. With your consent, we may also send you marketing communications about products, services, events, and promotions that may be of interest to you.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests; to enforce our terms of service, acceptable use policies, and other agreements; and to protect our rights, property, and safety, as well as the rights, property, and safety of our users and the public.
  • Contractual Obligations: To fulfill our contractual obligations under master service agreements, enterprise license agreements, data processing agreements, and other contracts with our customers and partners.

4. Data Sharing & Disclosure

We do not sell your personal data. We may share your information in the following circumstances:

4.1 Service Providers and Subprocessors

We engage trusted third-party companies and individuals to perform services on our behalf, including hosting and infrastructure providers, payment processors, analytics services, customer support tools, email delivery services, and professional advisors. These service providers are contractually obligated to process personal data only on our instructions and in accordance with applicable data protection laws. We maintain an up-to-date list of our subprocessors, available upon request and published on our Security page.

4.2 Law Enforcement and Legal Requirements

We may disclose your personal data if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request, including lawful requests by public authorities to meet national security or law enforcement requirements; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect against harm to the rights, property, or safety of Novastraxis, our users, or the public as required or permitted by law. We evaluate each request on a case-by-case basis and will challenge overly broad or legally deficient requests. We publish a transparency report annually documenting government data requests received and our responses.

4.3 Corporate Transactions

In the event of a merger, acquisition, reorganization, bankruptcy, receivership, dissolution, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy. Any successor entity will be required to honor the commitments made in this Privacy Policy with respect to personal data collected prior to the transaction.

4.4 With Your Consent

We may share your personal data with third parties when you have given us your explicit consent to do so. You may withdraw your consent at any time by contacting us at privacy@novastraxis.com.

4.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for industry analysis, benchmarking, research, and other lawful business purposes. Such information is not considered personal data under applicable data protection laws.

5. International Data Transfers

Novastraxis operates globally with data centers and offices across North America, Europe, and Asia-Pacific. As a result, your personal data may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from the laws in your jurisdiction.

When we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection by the European Commission or the UK Secretary of State, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (as adopted under Commission Implementing Decision (EU) 2021/914) for transfers of personal data to our subprocessors and affiliates located outside the EEA. For transfers from the UK, we use the UK International Data Transfer Addendum.
  • EU-U.S. Data Privacy Framework: Novastraxis is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce.
  • Supplementary Measures: Where required, we implement supplementary technical and organizational measures, including encryption in transit and at rest, pseudonymization, access controls, and transfer impact assessments, to ensure that your personal data receives an adequate level of protection.

Customers with data residency requirements may elect to restrict the geographic processing of their data through our platform's data residency controls. Please contact your account representative or our privacy team for details on available data residency options.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or regulatory requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and applicable legal requirements.

| Data Category | Retention Period |
|---|---|
| Account Data | Duration of active account plus 90 days after account closure |
| Financial Records | 7 years from transaction date (as required by tax and accounting regulations) |
| Service Usage Logs | 13 months from date of collection (aggregated data may be retained longer) |
| Security and Audit Logs | 3 years (or as required by compliance obligations such as FedRAMP and SOC 2) |
| Marketing Communications | Until you unsubscribe or withdraw consent, plus 30 days for processing |
| Support Tickets | 5 years from date of ticket resolution |
| Cookie Data | Varies by cookie type; session cookies expire when you close your browser; persistent cookies up to 13 months |

When personal data is no longer required, we securely delete or anonymize it in accordance with our data destruction policies. Destruction methods include cryptographic erasure for encrypted data and NIST 800-88 compliant media sanitization for physical storage devices.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data. To exercise any of these rights, please contact us at privacy@novastraxis.com. We will respond to your request within the timeframe required by applicable law (generally within 30 days for GDPR requests and 45 days for CCPA/CPRA requests).

Right of Access

You have the right to request a copy of the personal data we hold about you, along with information about how it is processed, the purposes of processing, and the categories of recipients.

Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected ("right to be forgotten").

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller.

Right to Restriction

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.

Right to Object

You have the right to object to the processing of your personal data based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

We will not discriminate against you for exercising your privacy rights. If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For individuals in the EEA, a list of supervisory authorities is available at edpb.europa.eu.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), provides you with specific rights regarding your personal information. This section describes your CCPA/CPRA rights and explains how to exercise them.

Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA/CPRA: identifiers; personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)); commercial information; internet or other electronic network activity information; geolocation data; professional or employment-related information; and inferences drawn from any of the above categories.

Your CCPA/CPRA Rights

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties with whom we share the information.
  • Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions provided by law.
  • Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale/Sharing: Novastraxis does not sell personal information, nor do we share personal information for cross-context behavioral advertising purposes as defined under the CCPA/CPRA.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information to purposes authorized by the CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying you services, charging different prices, or providing a different level or quality of service.

To exercise your rights under the CCPA/CPRA, you may submit a verifiable consumer request by emailing us at privacy@novastraxis.com or calling us at +1 (415) 555-0142. You may also designate an authorized agent to make a request on your behalf, provided you supply the agent with signed written authorization and we can verify your identity.

Financial Incentives: We do not offer any financial incentives or price or service differences in exchange for the retention or sale of personal information.

9. Children's Privacy

Our Services are designed for enterprise business users and are not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect, solicit, or maintain personal data from anyone under the age of 16. If we learn that we have inadvertently collected personal data from a child under 16, we will take steps to promptly delete such information from our systems. If you believe we may have collected information from a child under 16, please contact us immediately at privacy@novastraxis.com.

10. Security Measures

We implement and maintain robust technical and organizational security measures designed to protect the confidentiality, integrity, and availability of your personal data. These measures include, but are not limited to:

  • Encryption of personal data at rest using AES-256 and in transit using TLS 1.3.
  • Strict role-based access controls (RBAC), multi-factor authentication (MFA), and principle of least privilege enforcement for all personnel accessing personal data.
  • Regular security assessments, including quarterly penetration testing by independent third-party firms, continuous vulnerability scanning, and red team exercises.
  • A 24/7 Security Operations Center (SOC) staffed by trained security analysts monitoring for threats and anomalies in real time.
  • Employee security awareness training conducted annually, with phishing simulations and role-specific security education.
  • Business continuity and disaster recovery programs with regular testing to ensure data availability and resilience.
  • Comprehensive incident response procedures with defined escalation paths, breach notification processes, and post-incident review protocols.

For more information about our security practices, including our compliance certifications and audit results, please visit our Security and Compliance pages. While no method of transmission over the Internet or electronic storage is completely secure, we continuously invest in state-of-the-art security infrastructure and processes to protect your data.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we make material changes to this Policy, we will: (a) update the "Last Updated" date at the top of this page; (b) provide prominent notice on our website or within our Services; and (c) where required by applicable law, send you a direct notification via email or through the platform.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of our Services after any changes to this Policy constitutes your acceptance of the revised Policy as it applies to information collected from that point forward. For enterprise customers, material changes to data processing practices will be communicated in accordance with the terms of your Data Processing Agreement (DPA).

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us using the information below:

Privacy Team

Novastraxis Enterprise Solutions, Inc.
Attn: Privacy Team
650 California Street, Suite 2450
San Francisco, CA 94108
privacy@novastraxis.com

Data Protection Officer (DPO)

Dr. Henrik Larsson
Data Protection Officer
Novastraxis Enterprise Solutions, Inc.
dpo@novastraxis.com

EU Representative (GDPR Art. 27)

Novastraxis Solutions EU B.V.
Attn: GDPR Representative
Herengracht 420, 1017 BZ
Amsterdam, The Netherlands
eu-privacy@novastraxis.com

UK Representative (UK GDPR)

Novastraxis Solutions UK Ltd.
Attn: Data Protection
25 Old Broad Street
London, EC2N 1HQ, United Kingdom
uk-privacy@novastraxis.com

For questions about how Novastraxis handles your organization's data under an enterprise agreement, please refer to your Data Processing Agreement (DPA) or contact your designated account representative.