
GDPR Compliance

We are committed to protecting the privacy rights of EU residents and ensuring full compliance with the General Data Protection Regulation.

Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data.

Right to Access

Request a copy of all personal data we hold about you.

Right to Rectification

Correct any inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Restrict

Limit how we process your personal data.

Right to Object

Object to processing based on legitimate interests.

Automated Decisions

Not be subject to decisions based solely on automated processing.

Withdraw Consent

Withdraw consent at any time where processing is based on consent.

Legal Basis for Processing

Contract Performance

We process data necessary to provide our services to you, including account management, ticket handling, and support features.

Legitimate Interests

We process data for legitimate business purposes such as improving our services, security monitoring, and fraud prevention, balanced against your rights and interests.

Consent

For optional features like marketing communications, we obtain your explicit consent. You can withdraw consent at any time.

Legal Obligation

We may process data to comply with legal requirements, such as tax regulations, court orders, or regulatory requests.

Data Processing Details

Data Controller

Novaico, Inc. acts as the data controller for personal data collected through our platform. Our customers (tenants) may act as data controllers for their end-user data, with Novaico acting as a data processor.

Sub-Processors

We use the following sub-processors to provide our services:

Service | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting | EU (Frankfurt)
Clerk | Authentication services | USA (SCCs in place)
OpenAI | AI features (draft replies, categorization) | USA (DPA in place)
Stripe | Payment processing | USA (SCCs in place)
Upstash | Caching services | EU

International Transfers

When data is transferred outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors
  • Supplementary measures where required

Data Retention

We retain personal data only as long as necessary for the purposes described in our Privacy Policy:

  • Account data: Duration of account plus 30 days after deletion
  • Ticket data: Duration of account plus 30 days, or as required by customer DPA
  • Backups: Up to 90 days
  • Logs: Up to 12 months for security purposes

Data Processing Agreement

Enterprise customers can request a Data Processing Agreement (DPA) that covers GDPR requirements, including Standard Contractual Clauses for international transfers.

Exercise Your Rights

To exercise any of your GDPR rights, please contact our Data Protection team. We will respond to your request within 30 days.

Data Protection Contact

privacy@novaico.com

If you are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.