This Privacy Policy describes how Nova Software Infrastructure Limited ("Nova") collects, uses, discloses and safeguards personal data in connection with the operation of the Nova API platform. It is aligned with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the Hong Kong Personal Data (Privacy) Ordinance ("PDPO").
1. Roles
1.1
In relation to data Nova processes on behalf of its B2B Customers to deliver the Services (e.g., cardholder identifiers, transaction metadata, webhook payloads), Nova acts as a data processor and the Customer acts as the data controller.
1.2
In relation to data Nova collects directly from Customer personnel, prospects and website visitors (e.g., account credentials, support correspondence, marketing preferences), Nova acts as a data controller.
2. Categories of Data
2.1
Account data: name, business email, role, hashed password, MFA tokens, audit logs.
2.2
Operational data: API request identifiers, IP addresses of authenticated requests, webhook delivery telemetry, error traces.
2.3
Payment instrument data: Primary Account Numbers ("PAN"), CVV, expiry and track data are never stored in Nova's general systems. All such data is captured directly into the Issuing Partner's PCI-DSS Level 1 environment and returned to Customer exclusively as opaque network tokens or surrogate references ("Tokenization").
3. Legal Bases (GDPR)
3.1
Nova processes personal data under one or more of the following legal bases: (a) performance of a contract (Art. 6(1)(b)); (b) compliance with a legal obligation (Art. 6(1)(c)); (c) Nova's or a third party's legitimate interests, balanced against the rights of the data subject (Art. 6(1)(f)); (d) where required, the data subject's explicit consent (Art. 6(1)(a)).
4. International Transfers
4.1
Personal data may be transferred to, and processed in, jurisdictions outside the data subject's country of residence. Where such transfers leave the EEA, the UK or Switzerland, Nova relies on the European Commission's Standard Contractual Clauses (2021/914/EU) together with the UK International Data Transfer Addendum, supplemented by a documented Transfer Impact Assessment.
5. Retention
5.1
Operational logs are retained for thirteen (13) months. Audit logs relevant to AML / sanctions screening are retained for the period required by applicable law (typically five to seven years). Account data is retained for the life of the Customer relationship plus the statutory limitation period applicable to the contract.
6. Data Subject Rights
6.1
Data subjects have the right to access, rectify, erase, restrict or object to processing, and to data portability, subject to applicable law. California residents additionally have the rights to know, delete and opt out of sale or sharing of personal information. Nova does not sell personal information.
6.2
Requests may be submitted to privacy@nova.dev. Where Nova acts as a processor, requests will be forwarded to the relevant Customer (controller) without undue delay.
7. Security
7.1
Nova implements appropriate technical and organizational measures, including AES-256 encryption at rest, TLS 1.3 in transit, hardware security modules for key custody, principle-of-least-privilege access controls, continuous vulnerability scanning and an externally audited SOC 2 Type II program. Full details are published on the Security page.
8. Contact & Supervisory Authority
Nova's Data Protection Officer can be reached at dpo@nova.dev. Data subjects in the EEA, the UK or Switzerland have the right to lodge a complaint with their local supervisory authority.