Privacy Policy | NovaPact

Overview

NovaPact, Inc. ("NovaPact," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website (novapact.ai), use our deal execution platform, or engage with our services.

This policy applies to all users worldwide, including those protected under the California Consumer Privacy Act (CCPA/CPRA) and the EU/UK General Data Protection Regulation (GDPR).

Information We Collect

We collect the following categories of personal information:

Identifiers — name, email address, phone number, company name, job title, and IP address
Professional information — job title, company, and role when you submit a form, are added to a deal room, or engage with our platform
Internet activity — pages visited, time spent on pages, browser type, device information, and interaction data collected via cookies and analytics tools
Platform usage data — deal room visits, quote views, document interactions, messages sent, and engagement signals within the NovaPact platform
Communication data — messages exchanged within deal rooms, and any information you provide when contacting us via email or form submissions

We do not collect sensitive personal information such as Social Security numbers, financial account information, precise geolocation, or biometric data.

Sources of Personal Information

Directly from you — when you fill out a form, send us an email, or interact with our platform
From your organization — when a seller or account executive adds you to a deal room as a buyer, team member, or approver
Automatically from your device — via cookies and analytics technologies when you browse our website or use the platform
From integrated systems — such as Salesforce, when your organization connects NovaPact to their CRM
From service providers — such as hosting and analytics platforms that process data on our behalf

How We Use Your Information

We use your personal information for the following purposes:

To operate and deliver the NovaPact platform, including deal rooms, quote presentations, approval workflows, and e-signature
To authenticate your identity and manage access to deal rooms
To enable communication between buyers, sellers, and deal stakeholders
To provide engagement analytics to sellers (e.g., buyer visited the deal room, viewed a quote)
To respond to your inquiries and provide customer support
To improve our platform and user experience
To detect, prevent, and address security issues
To comply with legal obligations

Legal bases for processing (GDPR): We process your data based on: (a) your consent, (b) performance of a contract or steps prior to entering a contract, (c) our legitimate interests in operating, improving, and securing our platform — where we rely on legitimate interests, we ensure those interests do not override your data protection rights, or (d) compliance with a legal obligation.

Deal Room Data & Buyer Privacy

When you are invited to a NovaPact deal room, we collect limited data to enable the deal experience:

Email verification — we verify your email address to authenticate access. We use time-limited, cryptographically signed codes.
Engagement signals — we track deal room visits, quote views, and time spent. This data is shared with the selling organization to help them understand buyer interest.
Messages — messages you send within the deal room are visible to the selling team and may be relayed to their Slack workspace.
E-signature — when you sign a document, the signature event is processed through DocuSign and recorded in the deal record.

We do not use buyer engagement data for advertising, profiling, or any purpose beyond facilitating the specific deal.

Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience and analyze site traffic.

Strictly necessary cookies — required for authentication and platform functionality. These cannot be disabled.
Analytics cookies — help us understand how visitors interact with our website. Only activated with your consent.

We do not use cookies for advertising, retargeting, or third-party behavioral tracking. You can manage cookie preferences through your browser settings.

Data Sharing and Disclosure

We do not sell or share your personal information as defined under the CCPA/CPRA.

We may disclose your information to:

Your deal counterparts — engagement signals and messages are shared between buyer and seller within the deal room
Service providers — hosting (Netlify), database (Supabase), e-signature (DocuSign), messaging (Slack, Resend), AI processing (Anthropic), and CRM (Salesforce) providers who process data on our behalf under contractual obligations
Your organization's Salesforce instance — deal data is persisted back to your organization's Salesforce org. NovaPact does not store a copy of your pricing or CRM data beyond what is needed for the active deal session.
Professional advisors — legal, accounting, and insurance professionals when required
Regulatory authorities — when required by law, subpoena, or legal process
Business transfers — in connection with a merger, acquisition, or sale of assets

Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Multi-tenant isolation — row-level security ensures each organization's data is isolated at the database level
Immutable audit log — all state-changing operations are logged in an append-only audit trail
Encryption — data is encrypted in transit (TLS) and at rest
Access controls — authentication via cryptographically signed tokens with time-limited sessions
Input validation — all API boundaries enforce strict input validation to prevent injection attacks

Your Rights Under CCPA (California Residents)

If you are a California resident, the CCPA/CPRA provides you with the following rights:

Right to Know — request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we share it
Right to Delete — request deletion of your personal information, subject to certain exceptions
Right to Correct — request correction of inaccurate personal information
Right to Opt-Out of Sale or Sharing — we do not sell or share personal information. No opt-out is necessary.
Right to Non-Discrimination — we will not discriminate against you for exercising your rights
Right to Limit Use of Sensitive Personal Information — we do not collect sensitive personal information as defined by the CCPA

To exercise your rights, contact us at nr@novapact.ai. We will verify your identity and respond within 45 days. You may designate an authorized agent to submit a request on your behalf.

Your Rights Under GDPR (EEA/UK Residents)

If you are located in the European Economic Area or the United Kingdom, the GDPR provides you with the following rights:

Right of Access — request a copy of the personal data we hold about you
Right to Rectification — request correction of inaccurate or incomplete data
Right to Erasure — request deletion of your data when there is no compelling reason for continued processing
Right to Restrict Processing — request limitation of processing under certain circumstances
Right to Data Portability — request your data in a structured, commonly used, machine-readable format
Right to Object — object to processing based on legitimate interests
Right to Withdraw Consent — withdraw consent at any time where processing is based on consent
Right to Lodge a Complaint — file a complaint with your local data protection supervisory authority

To exercise your rights, contact us at nr@novapact.ai with "GDPR Request" in the subject line. We will respond within 30 days.

Data Retention

Deal room data — retained for the duration of the active deal plus 12 months, unless the organization requests earlier deletion
Contact form submissions — retained for 24 months unless you request earlier deletion
Analytics data — aggregated and anonymized after 26 months
Audit logs — retained for 3 years for compliance and security purposes

International Data Transfers

NovaPact operates in the United States, Canada, and India. Your data may be transferred to and processed in any of these countries. For transfers from the EEA/UK, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom
Data processing agreements with service providers that ensure adequate protection

Data Processing Agreements

For business clients requiring formal data processing arrangements, NovaPact enters into Data Processing Agreements (DPAs) where required by applicable law or client contract. Contact us at nr@novapact.ai to request a DPA.

Children's Privacy

Our website and platform are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals. You can manage tracking preferences through your browser settings.

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be posted on this page with an updated revision date. If changes are significant, we may notify you via email or a prominent notice on our website.

Contact Us

For questions about this privacy policy, your personal data, or to exercise your rights:

NovaPact, Inc.
San Ramon, CA, USA
nr@novapact.ai

For CCPA requests: include "CCPA Request" in the subject line.
For GDPR requests: include "GDPR Request" in the subject line.
We will verify your identity and respond within the timeframes required by applicable law.