Privacy Policy

Novexa LLC (“Novexa,” “we,” “us,” or “our”) is a limited liability company organized under the laws of Wyoming, United States. We provide international software consulting services, including cloud architecture, artificial intelligence integration, and technical advisory engagements.

This Privacy Policy (the “Policy”) describes how we process personal data when you:

• visit our website at https://novexasoftware.com (the “Website”);
• contact us, request information, or engage us for professional services;
• interact with employees, representatives, or contractors of our clients or prospective clients in the course of a consulting engagement.

This Policy does not cover the processing of personal data that we perform on behalf of clients acting as data controllers. In those cases, the client determines the purposes and means of processing, and our role is that of a processor or service provider as defined under applicable law. Our obligations in that capacity are set out in the Data Processing Addendum that forms part of our client agreements.

Unless otherwise stated, Novexa LLC is the “controller” of personal data processed under this Policy within the meaning of the GDPR and UK GDPR, and the “business” under the CCPA/CPRA.

We only collect personal data that we need for a specific, identified purpose. We do not sell personal data, and we do not trade it for value-exchange with third parties for their own marketing purposes.

A. Information you provide directly

• Contact and inquiry data — name, work email address, telephone number, company name, job title, and the content of messages you send us through the Website, email, or other channels.
• Engagement data — information provided in the course of a consulting engagement, including project requirements, architectural documents, access credentials you grant, and any personal data you include in written correspondence.
• Contract and billing data — billing address, VAT or tax registration number, and payment or banking details required to invoice and receive payment.
• Recruitment data — if you apply for a position with us, we may collect your résumé, cover letter, references, and information you provide during interviews.

B. Information collected automatically

• Device and log data — IP address, device type, operating system, browser type and version, referring URL, and timestamps of requests.
• Usage data — pages viewed, time on page, clicks, and navigation patterns, collected by first-party analytics where you have consented.
• Cookies and similar technologies — see our Cookie Policy for the specific cookies we set and the choices available to you.

C. Information from third parties

We may receive limited personal data about you from business contact databases, referral partners, your employer, or publicly available sources (for example, LinkedIn profiles) where relevant to a potential engagement. We process such data in accordance with this Policy.

We process personal data for the following purposes:

• To respond to inquiries and provide information about our services.
• To deliver professional services under an engagement letter or master services agreement, including project planning, communication, invoicing, and delivery of work product.
• To operate our business — accounting, tax, insurance, internal reporting, and record-keeping.
• To comply with legal obligations under applicable tax, corporate, employment, and anti-money-laundering laws.
• To secure our systems and yours — detecting, investigating, and preventing fraud, abuse, and security incidents.
• To improve our Website and services, including measuring engagement and diagnosing technical issues.
• To send occasional updates to existing clients about relevant services, where permitted. We do not operate marketing mailing lists without opt-in consent.
• To establish, exercise, or defend legal claims, and to enforce our agreements.

When the GDPR or UK GDPR applies, we only process personal data where one or more of the following legal bases applies:

• Contract (Art. 6(1)(b)) — where processing is necessary to enter into or perform a contract with you, such as a consulting engagement.
• Legitimate interests (Art. 6(1)(f)) — where processing is necessary for our legitimate interests in running a consulting practice, communicating with business contacts, securing our systems, and improving our services, and those interests are not overridden by your rights and freedoms.
• Legal obligation (Art. 6(1)(c)) — where processing is required to comply with a legal obligation, such as tax reporting or responding to lawful requests from authorities.
• Consent (Art. 6(1)(a)) — where you have given consent, for example for non-essential cookies or optional communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Where we rely on legitimate interests, you have the right to object, and we will stop the processing unless we have a compelling reason that overrides your interests or the processing is needed to establish, exercise, or defend legal claims.

We share personal data only when necessary and only with parties that provide appropriate safeguards. Categories of recipients include:

• Service providers and sub-processors — cloud hosting, email delivery, analytics, accounting, and professional advisors, each bound by contract and confidentiality obligations.
• Clients — where personal data about our personnel or business contacts is necessarily disclosed as part of contracting or engagement delivery.
• Professional advisors — attorneys, accountants, auditors, and insurers acting under duties of confidentiality.
• Government, regulatory, and law-enforcement authorities — where we are required to disclose information by law, court order, or valid regulatory request, or where disclosure is necessary to protect our rights.
• Successors in a business transaction — in the event of a merger, acquisition, reorganization, or asset sale, subject to the continuing protections of this Policy.

We do not sell personal data, and we do not disclose personal data to third parties for their own marketing purposes.

Because we are a United States company serving clients globally, personal data we process may be transferred to, stored in, or accessed from countries other than the country in which it was originally collected, including the United States. These countries may have data-protection laws that differ from those of your country.

When we transfer personal data from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards, which may include:

• the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), including, where applicable, the UK International Data Transfer Addendum and the Swiss-approved addendum;
• supplementary technical, contractual, and organizational measures as appropriate following a transfer impact assessment; and
• certification frameworks such as the EU–US Data Privacy Framework where our relevant service providers are certified.

You may request a copy of the safeguards that apply to a specific transfer by contacting us at privacy@novexasoftware.com.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Typical retention periods are:

• Inquiry correspondence — up to 24 months after last contact, after which records are deleted or anonymized unless we have a legal basis to retain them longer.
• Engagement records and contracts — the duration of the engagement plus the applicable statute of limitations, typically six (6) years in the United States and up to ten (10) years in certain EU jurisdictions, for contract enforcement, audit, and tax purposes.
• Accounting and tax records — as required by applicable tax law (generally seven (7) years in the United States).
• Website logs — up to twelve (12) months for security and diagnostics, after which they are aggregated or deleted.
• Recruitment data — up to twelve (12) months after an application decision, unless you ask us to keep it on file for longer.

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Measures include, as appropriate to the risk:

• encryption in transit (TLS 1.2 or higher) and, where appropriate, at rest;
• least-privilege access controls, strong authentication, and hardware-backed keys for administrative access;
• documented incident-response procedures and security training for personnel;
• carefully selected sub-processors bound by data-protection terms;
• regular review of our technical and organizational measures.

No security program is perfect. If we become aware of a personal data breach affecting you, we will notify you and any applicable regulator where required by law and without undue delay.

Depending on where you are located, you may have the following rights in relation to your personal data:

• Access — to obtain a copy of the personal data we hold about you.
• Rectification — to have inaccurate or incomplete data corrected.
• Erasure — to have your personal data deleted in defined circumstances.
• Restriction — to limit our processing of your personal data.
• Objection — to object to processing based on legitimate interests or for direct-marketing purposes.
• Portability — to receive certain personal data in a structured, machine-readable format.
• Withdrawal of consent — where processing is based on consent, at any time.
• Complaint — to lodge a complaint with your supervisory authority.

To exercise any of these rights, contact us at privacy@novexasoftware.com. We respond within thirty (30) days of a verified request, subject to extensions permitted by law for complex requests. We do not charge a fee unless a request is manifestly unfounded or excessive.

If you are in the EEA, you may lodge a complaint with your national data protection authority. If you are in the United Kingdom, you may complain to the Information Commissioner’s Office (ico.org.uk). We would appreciate the chance to address your concerns first.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), provides additional rights regarding your personal information.

Categories collected in the past 12 months

• identifiers (e.g., name, email, IP address);
• commercial information (e.g., services inquired about);
• internet or network activity (e.g., logs, usage);
• professional or employment-related information (where relevant to engagements);
• inferences drawn from the above, limited to business context.

Your California rights

• Right to know the categories and specific pieces of personal information we have collected about you.
• Right to delete personal information subject to statutory exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA.
• Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that trigger this right.
• Right to non-discrimination for exercising your rights.

To exercise your California rights, email privacy@novexasoftware.com with the subject line “California Privacy Request.” We verify requests using information already on file. You may designate an authorized agent to submit a request on your behalf by providing signed authorization.

Shine the Light. California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct-marketing purposes. We do not disclose personal information to third parties for direct-marketing purposes.

Our Website and services are not directed to children under sixteen (16) years of age, and we do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. Parents or guardians who believe a child has provided personal data to us may contact privacy@novexasoftware.com.

We do not use personal data to make decisions about you that produce legal or similarly significant effects based solely on automated processing, as contemplated by Article 22 of the GDPR.

The Website uses a small number of cookies and similar technologies. For a detailed list, their purposes, their duration, and your controls, see our Cookie Policy.

Our Website may contain links to third-party websites and services that we do not operate. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of every website you visit.

We may update this Policy from time to time to reflect changes in our practices, technology, legal obligations, or for other operational reasons. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, we will notify you by email or by a prominent notice on the Website prior to the change taking effect.

For questions or requests relating to this Policy, please contact us: