Privacy Policy

Privacy Policy

Last updated: 15 April 2026

1. Introduction

NovaGate Pty Ltd ("NovaGate", "we", "us", "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you access or use our website, platform, APIs, and all related products and services (collectively, the "Services").

We are bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and comply with applicable data protection laws in the jurisdictions where we operate.

By using the Services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not use the Services.

2. Data Controller and Processor Roles

2.1 When We Are the Controller

NovaGate acts as the data controller for personal information we collect directly from you in connection with your account, our website, marketing communications, and business operations. This Privacy Policy governs that processing.

2.2 When We Are the Processor

When you use our Services (such as NovaShield authentication or NovaTwin AI assistant) to process personal information of your own end users or customers ("Customer Data"), you are the data controller and we act as a data processor on your behalf. We process Customer Data solely in accordance with your instructions and our Terms of Service. This Privacy Policy does not apply to Customer Data — your own privacy policy governs the collection and use of your end users' information.

3. Information We Collect

3.1 Information You Provide

We collect personal information that you voluntarily provide, including:

  • Account information: name, email address, phone number, password (stored as a cryptographic hash, never in plain text), organisation name
  • Billing information: payment method details, billing address (processed and stored by our third party payment processor — we do not store full card numbers)
  • Profile information: profile picture, job title, preferences, and settings
  • Communications: messages, support requests, feedback, survey responses, and correspondence with us
  • User generated content: data, files, and content you create, upload, or transmit through the Services

3.2 Information Collected Automatically

When you use the Services, we automatically collect:

  • Device information: IP address, browser type and version, operating system, device type, screen resolution
  • Usage data: pages visited, features used, actions taken, session duration, timestamps, click patterns, and navigation paths
  • Log data: server logs, error reports, and performance metrics
  • Location data: approximate geographic location derived from your IP address (we do not collect precise GPS location)

3.3 Information from Third Parties

We may receive information from:

  • Authentication providers: if you sign in using a social login (e.g., Google, GitHub), we receive your name, email, and profile picture as authorised by you
  • Analytics providers: aggregated and anonymised usage insights
  • Business partners: referral information and integration data

4. How We Use Your Information

We process your personal information for the following purposes:

  • Service delivery: to provide, operate, maintain, and improve the Services and your account
  • Authentication and security: to verify your identity, manage sessions, detect fraud, and prevent unauthorised access
  • Communications: to send transactional messages (account verification, password resets, billing notifications), respond to support requests, and provide product updates
  • Analytics and improvement: to understand how the Services are used, identify trends, diagnose technical issues, and improve functionality and user experience
  • Personalisation: to tailor the Services to your preferences, including theme settings and product recommendations
  • Billing and payments: to process transactions, manage subscriptions, and send invoices
  • Legal compliance: to comply with applicable laws, regulations, legal processes, and government requests
  • Safety and protection: to protect the rights, property, and safety of NovaGate, our users, and the public
  • Marketing: to send promotional communications about our products and services (with your consent where required; you can opt out at any time)

We will not process your personal information for purposes materially different from those described above without notifying you and, where required, obtaining your consent.

5. AI Powered Features and Data Processing

Certain Services, including NovaTwin, use artificial intelligence and machine learning technologies. When you use AI powered features:

  • Your inputs (prompts, queries, context) are processed to generate responses and perform requested actions
  • We may use third party AI model providers to process your requests; these providers are contractually bound to protect your data and not use it for their own purposes
  • We do not use Your Content or Customer Data to train AI models without your explicit, informed consent
  • We may use anonymised and aggregated usage patterns (not containing personal information) to improve AI feature performance
  • AI interaction logs may be retained for a limited period for debugging and quality assurance, after which they are deleted or anonymised

6. How We Store and Protect Your Data

6.1 Security Measures

We implement industry standard technical and organisational measures to protect your personal information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Cryptographic password hashing using industry standard algorithms (passwords are never stored in plain text and cannot be recovered)
  • Role based access controls and least privilege principles for internal systems
  • Multi factor authentication for administrative access
  • Regular security assessments, penetration testing, and vulnerability scanning
  • Audit logging and monitoring of access to personal information
  • Incident response procedures and breach notification processes

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security and are not responsible for unauthorised access resulting from circumstances beyond our reasonable control.

6.2 Data Location

Your data is primarily stored on infrastructure located in Australia (AWS Sydney region). Some data may be processed in other regions as necessary to provide the Services — see Section 10 (International Transfers).

7. Sharing Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

  • Service providers: third party vendors who assist in operating the Services (cloud hosting, payment processing, email delivery, analytics, customer support tools), subject to contractual confidentiality obligations and data processing agreements
  • Cross product processing: where you use multiple NovaGate Products, we may share your account information across Products to provide an integrated experience (e.g., single sign on across the Platform)
  • Professional advisors: legal counsel, accountants, and auditors, as necessary for business operations
  • Law enforcement and regulators: when required by law, regulation, legal process, or enforceable government request; we will endeavour to notify you unless prohibited by law
  • Business transfers: in connection with a merger, acquisition, corporate restructuring, or sale of assets, your information may be transferred to the successor entity, subject to the commitments in this Privacy Policy
  • With your consent: in any other circumstance where you have given explicit consent

8. Cookies and Tracking Technologies

8.1 Types of Cookies

We use cookies and similar technologies in the following categories:

  • Essential cookies: required for the Services to function (authentication tokens, session management, security, CSRF protection). These cannot be disabled.
  • Functional cookies: remember your preferences (theme, language, display settings) to enhance your experience
  • Analytics cookies: help us understand how the Services are used, which pages are most visited, and where errors occur. We use privacy focused analytics tools.

8.2 Managing Cookies

You can control non essential cookies through your browser settings. Disabling certain cookies may limit the functionality of the Services. We honour browser level "Do Not Track" signals where technically feasible.

8.3 Third Party Tracking

We do not use third party advertising cookies or participate in cross site advertising tracking networks. We do not sell or share your data with advertisers.

9. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including:

  • Active accounts: for the duration of your account and use of the Services
  • After account closure: for a reasonable period (typically up to 90 days) to allow for account recovery, followed by deletion or anonymisation
  • Billing records: for a minimum of 7 years as required by Australian tax law
  • Audit logs: retained in accordance with our audit log retention policy and applicable compliance requirements
  • Legal obligations: as required to comply with legal holds, regulatory requirements, or dispute resolution

When your information is no longer needed, we will securely delete or irreversibly anonymise it using industry standard methods.

10. International Data Transfers

Our primary infrastructure is located in Australia. However, some of our service providers (e.g., cloud infrastructure, AI model providers, payment processors) may process data in other countries, including the United States.

Where personal information is transferred outside Australia, we ensure appropriate safeguards are in place, including:

  • Contractual obligations requiring equivalent data protection standards
  • Transfers to jurisdictions recognised as providing adequate protection under the Privacy Act
  • Standard contractual clauses or binding corporate rules where applicable

By using the Services, you acknowledge and consent to the transfer of your information to countries outside Australia that may have different data protection laws.

11. Children's Privacy

The Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information. If you believe a child has provided us with personal information, please contact us at hello@novagate.com.au.

12. Your Rights

Under the Australian Privacy Principles and applicable law, you have the right to:

  • Access: request a copy of the personal information we hold about you
  • Correction: request correction of inaccurate, incomplete, or outdated information
  • Deletion: request deletion of your personal information, subject to our legal obligations and legitimate interests
  • Data portability: request your data in a structured, commonly used, machine readable format where technically feasible
  • Object to processing: object to processing of your information for direct marketing purposes
  • Withdraw consent: withdraw consent for any processing based on consent, without affecting the lawfulness of prior processing
  • Complaint: lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au

To exercise any of these rights, contact us at hello@novagate.com.au. We will respond to verified requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

13. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme under the Privacy Act. We will also take reasonable steps to contain and remediate the breach.

14. Third Party Links and Services

The Services may contain links to third party websites, applications, or services that are not operated or controlled by NovaGate. We are not responsible for the privacy practices, content, or security of those third parties. We encourage you to review the privacy policies of any third party services you access through or in connection with the Services.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will provide at least 30 days' notice of material changes by posting the updated policy on our website with a revised "Last updated" date and, where practicable, by email. Your continued use of the Services after the effective date constitutes acceptance of the revised policy.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have a privacy related complaint, please contact us:

NovaGate Pty Ltd
Privacy Officer
Email: hello@novagate.com.au
Sydney, Australia

We will acknowledge your complaint within 7 days and provide a substantive response within 30 days.