1. Who We Are

NOVTRIQ ("we", "us", "our") is the trading name of Novus Projects Ltd, a company registered in England and Wales (company registration number 13629950). We operate the novtriq.tech platform — a suite of AI-powered engineering intelligence tools, Energy-as-a-Service (EaaS) subscriptions, Technical Due Diligence (TDD) reports, an Academy, an MCP Server, and a Partner Network. The platform is accessible globally, with primary coverage in the United Kingdom, European Union, Switzerland, and United Arab Emirates.

2. Data We Collect

2.1 Data You Provide

• Account registration: Name, email address, company name, country/region
• API key generation: Email address, intended use case
• EaaS / TDD purchase: Name, email, billing address, payment intent (processed by Stripe — we do not store card numbers)
• Academy enrolment: Name, email, professional background (optional)
• Partner Network application: Company name, contact name, email, LinkedIn URL
• Contact / support form: Name, email, message content
• Newsletter / waitlist: Email address only

2.2 Data Collected Automatically

• Usage analytics: Pages visited, tool interactions, session duration (via Google Analytics 4 — anonymised IP)
• API call logs: Endpoint called, timestamp, response time, error codes (no payload content stored)
• Cookies: See our Cookie Policy
• Technical metadata: Browser type, OS, referring URL — for security and debugging

2.3 Data from Third Parties

• Payment processor: Payment status, transaction ID, and subscription status only. Card numbers and full payment details are processed and stored exclusively by our payment provider and are never stored on NOVTRIQ servers. Payment records are retained for a minimum of 7 years for legal and tax compliance purposes.
• Workflow automation services: Webhook triggers for CMS publishing — no personal data transferred.

2.4 Academy Subscription Data

When you purchase an Academy subscription, NOVTRIQ stores your email address and subscription status (active / cancelled / expired) to control course access. This data is held only for the duration of your subscription plus a 30-day grace period after expiry. Payment history is managed by our payment processor. You may request deletion at any time by emailing dpo@novtriq.com.

3. Legal Basis for Processing

Purpose	Legal Basis
Providing the platform, API, EaaS, TDD, Academy	Contract (Art. 6(1)(b) GDPR)
Sending transactional emails (receipts, API keys)	Contract (Art. 6(1)(b) GDPR)
Marketing emails (newsletter, product updates)	Consent (Art. 6(1)(a) GDPR)
Analytics and platform improvement	Legitimate interest (Art. 6(1)(f) GDPR)
Fraud detection and security	Legitimate interest (Art. 6(1)(f) GDPR)
Legal compliance (VAT, audit trail)	Legal obligation (Art. 6(1)(c) GDPR)

4. How We Use Your Data

• Authenticate and manage your account and API access
• Deliver EaaS monitoring dashboards, TDD reports, and Academy course access
• Process payments and issue invoices
• Send platform notifications, regulatory update alerts, and — if opted in — marketing emails
• Monitor API usage against your plan limits and send rate-limit notifications
• Improve tool accuracy, calibrate AI models, and improve UX (using anonymised usage data)
• Detect abuse and ensure platform security

4.1 Automated Decision-Making and AI Disclosure (EU AI Act Article 50)

Our platform uses AI-powered tools to generate engineering intelligence, content recommendations, and analysis. Where AI is used to generate content sent to you (such as personalised reports or communications), this is clearly identified. All material decisions affecting individuals are subject to human review. You have the right not to be subject to solely automated decision-making (see Section 8).

5. Data Retention

Data Type	Retention Period
Account data (active user)	Duration of account + 30 days after deletion request
API call logs	90 days rolling
Payment records (legal requirement)	7 years (EU VAT / UK HMRC compliance)
TDD report data	Duration of engagement + 12 months
Academy subscription data	Duration of subscription + 30 days grace period
Marketing email consent	Until withdrawn, plus 3 years evidence of consent
Analytics data (GA4)	14 months (anonymised)
Cookie consent records	12 months
Security and audit logs	12 months

6. Data Sharing

We do not sell your personal data. We may share data with the following categories of recipients, all bound by data processing agreements:

• Payment processing providers — PCI-DSS certified payment infrastructure
• Analytics services — anonymised website and platform usage data
• Workflow automation platforms — non-personal payload triggers
• Cloud infrastructure and hosting providers — EU data centres
• Website hosting and CMS platforms
• Email and communication services
• Professional advisors — legal counsel, accountants, auditors where required
• Data protection representatives — see Section 9
• Legal authorities — when required by law (we will notify you where legally permitted)

All third-party processors are contractually bound by Data Processing Agreements requiring confidentiality, security measures, and data protection obligations equivalent to our own standards.

7. International Transfers

Your data is primarily processed within the European Union and United Kingdom. Where we transfer data internationally, we implement appropriate safeguards including:

• Adequacy decisions recognised by the UK Government or European Commission
• Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreement (IDTA)
• EU-US Data Privacy Framework certifications where applicable
• Other appropriate safeguards under GDPR
• Your explicit consent where required

UAE users are covered under UAE PDPL (Federal Decree-Law No. 45 of 2021) and we apply equivalent safeguards. Swiss users are covered under the Swiss Federal Act on Data Protection (FADP). You may request information about specific safeguards by contacting dpo@novtriq.com.

8. Your Rights

Depending on your jurisdiction, you have the following rights:

Under GDPR (EU), UK GDPR, and Swiss FADP:

• Right of access — request a copy of your data
• Right to rectification — correct inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing (including marketing)
• Rights related to automated decision-making
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

Under UAE PDPL:

• Right to access, correct, and request destruction of your personal data
• Right to withdraw consent at any time
• Right to data portability
• Right to object to automated processing

To exercise any of these rights, email dpo@novtriq.com with the subject line "Privacy Request". We respond within 30 days. EU/EEA and Swiss residents may also contact our representative (see Section 9).

9. EU/EEA and Swiss Representative

In accordance with Article 27 of the EU GDPR, Article 14 of the Swiss FADP, and Article 13 of the EU Digital Services Act (DSA), we have appointed DataRep as our representative in the European Union/EEA, Switzerland, and for DSA purposes.

EU/EEA residents, Swiss residents, and EU regulatory authorities may contact our representative directly regarding any matter related to the processing of personal data or the DSA:

DataRep maintains contact addresses in 30 EU/EEA member states and Switzerland. See www.datarep.com/locations for local addresses. All correspondence to local addresses must be addressed to 'DataRep' to reach us.

Digital Services Act (DSA): Our DSA point of contact and Member State of main establishment for DSA purposes is Ireland. EU users and authorities may contact DataRep regarding DSA matters using the details above.

10. Security

We implement technical and organisational measures in accordance with ISO 27001 principles, including:

• TLS 1.3 encryption in transit, AES-256 at rest
• API key hashing (bcrypt) and secure credential storage
• Role-based access controls and multi-factor authentication
• Automated vulnerability scanning and regular penetration testing
• Staff data protection training and confidentiality agreements
• Documented incident response and breach notification procedures

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) and relevant EU data protection authorities within 72 hours where required, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms. No method is 100% secure — if you suspect a breach, contact dpo@novtriq.com immediately.

11. Cookies

We use essential, analytics, and functional cookies. Full details are in our Cookie Policy. You can manage your preferences at any time via the cookie banner or by emailing us. Withdrawing consent will not affect the lawfulness of processing prior to withdrawal.

12. Children

NOVTRIQ is a professional engineering platform directed exclusively to professional and business audiences. We do not knowingly collect personal data from individuals under 16 years of age (UK GDPR / EU GDPR) or under the equivalent age of consent in your jurisdiction. If you believe a minor has submitted data, contact us immediately at dpo@novtriq.com for deletion.

13. Changes to This Policy

We may update this policy to reflect product changes, regulatory updates, or operational changes. Material changes will be notified by email to registered users and by banner on novtriq.tech at least 14 days before taking effect. The "last updated" date at the top of this page always reflects the current version. Your continued use of our services after such changes constitutes acceptance of the updated policy.

14. Supervisory Authorities

If you believe we have breached your rights, you have the right to lodge a complaint with the supervisory authority in your jurisdiction:

• United Kingdom: Information Commissioner's Office (ICO)
• European Union: Your local Data Protection Authority — see EDPB Members List
• Ireland (DSA lead authority): Data Protection Commission
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
• United Arab Emirates: UAE Data Office (UAEDO)