Privacy Policy
Last updated: March 16, 2026
1. Introduction
NovraLab ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our website, products, and services, including the NovraLab Compliance Platform, OutfitsGen, LeadGen, and any associated digital tools.
We comply with the EU General Data Protection Regulation ("GDPR") and other applicable data protection laws. By using our services, you agree to the practices described in this Policy.
2. Data Controller
For the purposes of applicable data protection law, NovraLab is the data controller of personal data collected through our platform and website. Questions about this Policy or our data practices should be directed to:
NovraLab — Data Privacy
Email: privacy@novralab.com
3. Data We Collect
We collect the following categories of personal data:
- Account & Identity Data: name, email address, job title, company name, and login credentials when you register for an account.
- Billing & Payment Data: billing address and payment method details. Note: card and bank details are processed and stored exclusively by our payment provider, Paddle.com, and are never stored on NovraLab servers.
- Usage & Activity Data: pages visited, features used, session timestamps, clicks, and error logs to help us improve our products.
- Communications Data: content of messages you send us via email, support tickets, or contact forms.
- Technical Data: IP address, browser type, device identifiers, and operating system.
- Compliance Platform Data: For enterprise clients, documents, workflows, and records uploaded to the compliance platform are processed on your behalf as a data processor.
4. How We Use Your Data
We use your personal data for the following purposes and on the following lawful bases:
- Service delivery — to provide, maintain, and improve our platform and products (Contractual necessity).
- Billing & account management — to process payments, issue invoices, and manage your subscription (Contractual necessity).
- Customer support — to respond to enquiries and resolve issues (Legitimate interest).
- Security & fraud prevention — to monitor for misuse, unauthorised access, and fraudulent activity (Legitimate interest / Legal obligation).
- Product improvements — to analyse usage patterns and improve features through anonymised analytics (Legitimate interest).
- Marketing communications — to send product updates and news. You may opt out at any time (Consent).
- Legal compliance — to fulfil legal and regulatory obligations (Legal obligation).
5. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, maintain sessions, and gather analytics. Categories of cookies used:
- Essential cookies: Required for the platform to function. Cannot be disabled.
- Analytics cookies: Help us understand usage and improve our products (e.g. Vercel Analytics).
- Preference cookies: Remember your settings and preferences.
You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core platform functionality.
6. Data Sharing & Third Parties
We do not sell your personal data. We share data only with:
- Paddle.com — our Merchant of Record, who processes all payments. Paddle operates as an independent data controller for billing data.
- Firebase / Google — authentication and cloud infrastructure services.
- Vercel — hosting and deployment infrastructure.
- Email & support tools — to communicate with you and manage support tickets.
- Legal & regulatory authorities — where required by applicable law or a valid court order.
All third-party processors are subject to data processing agreements and are required to implement appropriate safeguards.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where data is transferred internationally, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) approved by the European Commission — to protect your data to the same standard as within the EEA.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
- Account data: For the duration of your account plus 3 years after closure.
- Billing records: 7 years to comply with financial and tax regulations.
- Support communications: 2 years from the date of last contact.
- Analytics data: Aggregated and anonymised after 12 months.
9. Your Rights
Under GDPR and applicable privacy law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") where no overriding legal basis applies.
- Restrict processing of your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email privacy@novralab.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).
10. Security
We implement industry-standard technical and organisational security measures to protect your personal data, including:
- TLS/HTTPS encryption for all data in transit.
- Encryption at rest for sensitive records.
- Role-based access controls and principle of least privilege.
- Regular security reviews and vulnerability assessments.
In the event of a personal data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware.
11. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact privacy@novralab.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a prominent notice on our website at least 14 days before the changes take effect. Continued use of our services after the effective date constitutes acceptance of the updated Policy.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy, please contact us:
NovraLab — Privacy Team
Email: privacy@novralab.com
Legal enquiries: legal@novralab.com
Website: novralab.com