Master Privacy Policy

1. Scope and Applicability

This Master Privacy Policy ("Policy") describes how Novatrix Consulting, LLC SPC ("Novatrix", "we", "us", "our") collects, uses, stores, and protects personal information across all of our products and services.

This Policy applies to all current and future Novatrix products, including (without limitation):

• NovexDocs — Personal document vault with AI-powered analysis
• Additional products as we launch them (each listed at novatrixconsultings.com/legal)

Each product publishes a Product Privacy Addendum that supplements this Policy with product-specific details. Together they constitute the full privacy disclosure for that product.

2. Who We Are

We are the data controller for personal data collected through our Services:

• Company: Novatrix Consulting, LLC SPC
• Registered in: Abu Dhabi, United Arab Emirates
• Website: novatrixconsultings.com
• Privacy contact: privacy@novatrixconsultings.com

3. Categories of Data We Collect

Depending on the product, we may collect the following categories of personal data:

3.1 Information You Provide

• Account data: email, username, password (hashed), and optional profile details.
• Authentication data: when you sign in with third-party providers (e.g., Google), we receive identifiers and basic profile information as authorized by you.
• User content: documents, files, text, or other content you upload or create within our products.
• Payment information: processed by Stripe; we do not store full payment card numbers.
• Communications: records of support requests and correspondence with us.

3.2 Information Collected Automatically

• Usage data: log files, IP address, browser, device type, operating system, timestamps.
• Product metrics: feature usage, storage consumption, scan counts (where applicable).
• Session data: for authentication and security.

3.3 Sensitive Personal Information

Some Novatrix products may process sensitive personal information (e.g., identity documents, biometric photos, health-related documents). Where applicable, the relevant Product Privacy Addendum explains the specific categories and safeguards. We process such data only with your explicit consent or where otherwise permitted by law.

4. How We Use Personal Data

We use personal data to:

• Provide, operate, maintain, and improve our Services
• Process transactions and manage subscriptions
• Authenticate users and secure accounts
• Send service notifications, alerts, and updates
• Respond to support requests and communications
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Analyze service performance (in aggregated, non-identifying form)

We do not:

• Sell your personal data to third parties
• Share your data with advertisers or for behavioral advertising
• Use your content to train AI models
• Process your data for purposes incompatible with what is described in this Policy or the relevant Product Addendum

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and similar jurisdictions, we rely on the following legal bases:

• Contract: to provide the Service you have requested.
• Consent: for processing sensitive data, AI-based analysis where applicable, and marketing communications. You may withdraw consent at any time.
• Legitimate interests: for security, fraud prevention, product improvement, and customer support, balanced against your rights and freedoms.
• Legal obligation: to comply with applicable laws (e.g., tax, anti-money-laundering).

6. Sharing and Disclosure

We share personal data only with the following categories of third parties, and only as necessary to operate our Services:

• Cloud infrastructure: Amazon Web Services (AWS) — hosting, storage.
• Payment processing: Stripe — subscription billing for paid products.
• Authentication providers: Google — for "Sign in with Google" and similar features.
• Email delivery: SMTP providers (e.g., Dynu) — for transactional emails such as OTP, password reset, and notifications.
• AI and analytics providers: product-specific (see each Product Privacy Addendum). For example, Anthropic for AI document analysis in NovexDocs.
• Legal compliance: if required by law, court order, or to protect our rights or the safety of others.
• Business transfers: in the event of a merger, acquisition, or sale of assets, with notice to affected users.

All third-party processors are bound by data protection terms where required by applicable law.

7. International Data Transfers

Novatrix is headquartered in the United Arab Emirates. Our infrastructure may be located in multiple regions, and data may be transferred to and processed in countries outside your country of residence, including the United States and Singapore.

Where required (e.g., for transfers from the EU/UK), we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

8. Data Security

We implement industry-standard technical and organizational measures including:

• HTTPS/TLS encryption in transit
• Server-side encryption at rest
• Bcrypt password hashing
• Short-lived access tokens with refresh-token rotation
• Access control and authentication on all sensitive endpoints
• Pre-signed URLs with time-limited expiry for file access
• Regular dependency and security updates

No system is 100% secure. In the unlikely event of a data breach affecting your personal data, we will notify you and applicable authorities as required by law.

9. Data Retention

• Account data: retained while your account is active.
• User content: retained until you delete it or close your account.
• Deleted content: permanently removed within 30 days.
• Closed accounts: all personal data permanently removed within 30 days, except where retention is legally required.
• Server logs: retained for up to 90 days.
• Billing and tax records: retained for the period required by applicable tax and commercial law (typically 5-7 years).

Specific retention periods may be detailed in each Product Privacy Addendum.

10. Your Rights

Depending on your jurisdiction, you have the following rights:

• Access: request a copy of your personal data.
• Rectification: request correction of inaccurate data.
• Erasure: request deletion ("right to be forgotten").
• Portability: receive your data in a machine-readable format.
• Restriction: limit how we process your data.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: withdraw consent at any time, without affecting the lawfulness of prior processing.
• Complaint: lodge a complaint with your local data protection authority.

To exercise these rights, email privacy@novatrixconsultings.com. We will respond within 30 days.

11. Cookies and Tracking

Our products use essential cookies and local storage for authentication, session management, and user preferences. We do not use third-party advertising cookies, behavioral trackers, or analytics tools that build user profiles.

Product-specific cookie information, if any, is detailed in each Product Privacy Addendum.

12. Children's Privacy

Our Services are not directed to children under 16 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us personal information, please contact us and we will delete it.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The "Last Updated" date indicates the most recent revision.

14. Contact and Complaints