Novus Technologies

Privacy

Privacy Policy

Effective May 18, 2026.

Novus Technologies ("Novus Technologies", "we", "our") is a Software-as-a-Service platform operated by Novus Technologies Pte Ltd. We respect your privacy and process personal data in line with Indonesian Law No. 27 of 2022 on Personal Data Protection ("UU PDP") and applicable derivative regulations.

This policy explains how we collect, use, share, and protect personal data when you (a) visit our website, (b) sign up for or use the Novus Technologies product, or (c) are contacted because one of our customers sent you a message through our platform.

1. Scope

This policy applies to personal data we process as a data controller (e.g. account data of our customers) and as a data processor (e.g. contact lists customers upload). Where we act as a processor, the customer's own privacy policy governs the relationship with end-recipients.

2. Data we collect

We collect only what is needed to run the service and improve it.

  • Account data — name, work email, workspace name, password hash, role.
  • Billing data — billing address, tax ID, invoice history (processed by our payment partner).
  • Recipient data — names, phone numbers, email addresses, tags, consent flags, and metadata you upload as contacts.
  • Message content — templates and rendered messages you author or that the platform generates.
  • Delivery telemetry — send timestamps, channel responses, retry counts, failure reasons.
  • Product telemetry — page views, feature usage, browser type, IP-derived city (anonymised aggregates only).
  • Support data — emails, chat transcripts, screenshots you share to resolve issues.

We do not collect biometric data, government identifiers (NIK, NPWP) unless you voluntarily upload them as contact metadata, or sensitive categories (health, religion, political opinion).

3. Purposes of processing

  • Provide and operate the Novus Technologies service (accounts, workspaces, sending, queues).
  • Bill, invoice, and recognise revenue.
  • Detect abuse, fraud, spam, and policy violations.
  • Provide customer support and incident response.
  • Improve the product through aggregated, de-identified analytics.
  • Send service announcements (transactional emails you cannot opt out of while you have an account).
  • Contract — when processing is needed to deliver the service you signed up for.
  • Consent — for optional features like marketing emails, demo personas, or non-essential cookies.
  • Legitimate interest — for fraud prevention, security logs, and platform analytics.
  • Legal obligation — when responding to lawful requests from Indonesian authorities.

5. How we share data

We share data only with the parties below and only as needed:

  • Channel providers — when you send a message, recipient phone/email and template content are routed via the SMS, WhatsApp, email, or voice provider you've enabled.
  • Infrastructure providers — Postgres, Redis, object storage, error tracking, hosted in Singapore or Jakarta.
  • Payment processor — billing details (we do not store card numbers).
  • Legal compliance — when we receive a valid lawful request.
  • Business transfer — in a merger or acquisition, after notice to you.

We do not sell personal data, and we do not share data with advertising networks.

6. International transfer

Primary hosting is in Singapore (ap-southeast-1) with disaster-recovery snapshots in Jakarta (ap-southeast-3). Some channel providers operate globally. Where data leaves Indonesia, we rely on safeguards permitted under UU PDP, including contractual commitments equivalent to local protection and end-to-end transport encryption.

7. Retention

  • Account data — for as long as you keep a workspace open, plus 30 days after closure.
  • Contact data — under your control; deletion in the UI is immediate, soft-deleted entries purged after 30 days.
  • Delivery logs — 18 months, then aggregated and anonymised.
  • Billing records — 10 years, as required by Indonesian tax law.
  • Backups — encrypted, rotated within 35 days.

8. Security

  • TLS 1.2+ in transit, AES-256 at rest.
  • Workspace-scoped data isolation enforced at the database query layer.
  • Least-privilege access controls for our own employees, with quarterly review.
  • Continuous deployment with mandatory code review and automated security checks.
  • Incident response within 72 hours, with notification per UU PDP Article 46.

9. Your rights

Under UU PDP you have the right to:

  • Access — request a copy of personal data we hold about you.
  • Rectify — correct inaccurate or incomplete data.
  • Delete — request deletion of data we no longer need.
  • Restrict / object — limit certain processing or object to legitimate-interest processing.
  • Portability — receive a machine-readable export (we support CSV / JSON from each page).
  • Withdraw consent — without penalty, at any time.

Send requests to [email protected]. We respond within 7 working days and complete most requests within 30 days. If you're contacted because a Novus Technologies customer messaged you, please raise the request with that business first — they're the controller of their list.

10. Cookies

We use a small number of strictly-necessary cookies (session, CSRF, language preference). We do not use advertising cookies. No third-party analytics SDK is loaded without your explicit consent.

11. Children

Novus Technologies is not directed at people under 17. If you believe a child has provided personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy when the service or the law evolves. Material changes will be highlighted in the product and announced 14 days before they take effect.

13. Contact

Novus Technologies Pte Ltd
Email: [email protected]
Data Protection Officer: [email protected]