Privacy Policy
Effective date: July 11, 2026
Novo Industries, Inc. ("Novo North," "we," "us," or "our"), operates the Novo North platform (the "Service"). This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Service.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Information We Collect
Information you provide
- Account information: Email address, display name, role or title, and timezone
- Organization data: Organization name, website URL, and organizational context
- Content: Agent conversation history, file uploads, agent-built applications, and shared memory entries (notes and playbooks)
- Calls: Audio/video call participation and automatically generated call transcripts (saved to your Drive). We do not store recordings of call audio or video
- Payment information: Billing details processed through our payment processor (we do not store full payment card numbers)
Information collected automatically
- Agent workspace data: Configuration files, memory, and learned context that agents maintain to personalize your experience across sessions
- Browser session data: When you authorize browser automation, persistent login contexts (including cookies and authentication state from external websites) are maintained per user per Organization
- Usage data: Feature usage, agent activity logs, and per-capability cost tracking for billing
- Device information: Browser type, operating system, native app platform, app version, and an app install identifier where needed for native app operation
- Native app diagnostics: Route pathnames without query strings, network status, launch/deep-link diagnostics, and native permission or biometric confirmation outcomes used to operate and troubleshoot the native apps
Information from third parties
- OAuth connections: When you connect third-party services, credentials and connection metadata are stored by our integration provider (see Section 3)
- Onboarding research: During onboarding, your workspace name and public company website may be used to run a web search and draft your workspace context using the search and AI providers listed in Section 3. The result is stored only if you proceed with onboarding
Data architecture
Your data is stored across a central platform database and dedicated per-Organization infrastructure. Each Organization's data is logically isolated regardless of where it is stored.
2. How We Use Information
We use the information we collect to:
- Provide the Service: Deliver AI agent capabilities, store and retrieve your data, enable calls and collaboration, and run agent-built applications
- Assemble agent context: Combine your profile, organization context, shared memory, and conversation history to provide relevant agent responses
- Process payments: Bill your subscription and track usage against plan limits
- Maintain security: Monitor for unauthorized access, detect abuse, and enforce our Acceptable Use Policy
- Communicate with you: Send service-related notices, security alerts, and policy updates
We do not:
- Use your data — including inputs, outputs, conversation history, or uploaded files — to train or improve any AI model that we develop or fine-tune. Provider processing, retention, and training restrictions are governed by provider-specific business/API terms and the subprocessors listed in Section 3
- Sell or rent your personal information to third parties
- Use your data for advertising or ad targeting
Legal basis for processing (GDPR)
Where we rely on legitimate interest, we have assessed that our interests do not override your rights. You may object to processing based on legitimate interest by contacting us at .
3. AI Processing and Subprocessors
The Service processes your data through the following third-party AI and infrastructure providers:
AI providers
Infrastructure subprocessors
We use the subprocessors above to operate the Service. We maintain or are completing data-processing terms with each of them, and we update this list as our vendors change.
4. How We Share Information
We share your information only in the following circumstances:
- Subprocessors: With the providers listed above, solely to operate the Service
- Legal compliance: When required by law, regulation, legal process, or governmental request
- Safety: To protect the rights, property, or safety of Novo North, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
- With your consent: When you explicitly direct us to share information with a third party
We do not sell or share your personal information for advertising or marketing purposes.
5. Cookies and Similar Technologies
We use cookies for authentication and session management. These cookies are set by our authentication provider and are necessary for the Service to function.
We use product analytics and operational telemetry to understand feature usage, diagnose reliability issues, and manage feature rollout. We do not use advertising cookies, tracking pixels, or targeted-advertising technology, and we do not sell or share personal information for advertising or marketing purposes.
We recognize Global Privacy Control (GPC) signals. Because we do not sell, share, or use personal information for targeted advertising, no opt-out action is triggered upon receiving a GPC signal.
6. Data Retention
You may delete your account and request deletion of your data at any time. See "Your Privacy Rights" below.
7. Data Security
We implement technical and organizational measures to protect your data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Stored data is encrypted using AES-256
- Authentication: Session cookies are used solely for authentication and session management
- Database isolation: Each Organization's data is logically isolated with row-level security policies
- Agent isolation: Agent compute runs in an isolated, managed cloud runtime with scoped, short-lived credentials
- Access controls: Role-based access with secure-by-default middleware
- Encrypted backups: Database backups are encrypted and stored securely by our infrastructure provider
No method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
For transfers from the European Economic Area and the United Kingdom, we rely on Standard Contractual Clauses (SCCs) and other appropriate transfer mechanisms as required by applicable law. Our subprocessors maintain their own transfer mechanisms, including EU-U.S. Data Privacy Framework certifications and Standard Contractual Clauses.
9. Your Privacy Rights
For all users
You may:
- Access your personal data through the Service or by contacting us
- Correct inaccurate information through your account settings
- Delete your account and associated data through the Service. If you let a canceled subscription lapse, data is deleted automatically at day 90 of the cancellation lifecycle
- Export Drive files directly through the Service during the 30-day Suspended window. For a full database snapshot covering memory, calls, and apps, email . We respond to erasure and portability requests within 30 days of receipt per GDPR Articles 12(3), 17, and 20
For EEA residents (GDPR)
You additionally have the right to:
- Restrict processing of your personal data in certain circumstances
- Object to processing based on legitimate interests
- Data portability — receive your data in a structured, machine-readable format
- Not be subject to solely automated decision-making with legal or similarly significant effects
- Lodge a complaint with your local data protection authority
Our legal basis for processing your data is the performance of our contract with you (Article 6(1)(b) GDPR) and our legitimate interests in operating the Service (Article 6(1)(f) GDPR). See the legal basis table in Section 2 for details.
For UK residents (UK GDPR)
You have the same rights as EEA residents under the UK GDPR. You may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk. For transfers from the UK, we rely on the UK International Data Transfer Agreement and Standard Contractual Clauses.
For California residents (CCPA/CPRA)
Categories of personal information collected: Identifiers (name, email), commercial information (subscription and billing data), internet or electronic network activity (usage data, interaction logs), professional information (role, title), and contents of communications (agent conversations and call transcripts).
You have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Correct inaccurate personal information
- Opt-out of sale or sharing — we do not sell or share your personal information as defined under the CCPA
- Limit use of sensitive personal information — we use sensitive personal information (contents of communications) only as necessary to provide the Service
- Non-discrimination — we do not discriminate against you for exercising your privacy rights
You may designate an authorized agent to submit requests on your behalf.
For other US state residents
Depending on your state of residence, you may have additional privacy rights under state privacy laws (including those in Virginia, Colorado, Connecticut, Texas, and other states). These generally include rights to access, correct, delete, and port your data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or engage in targeted advertising. To exercise any privacy rights, contact us at .
How to exercise your rights
Contact us at with your request. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.
10. Automated Processing
The Service uses artificial intelligence to process your data as a core feature. This includes generating text, analyzing files, creating applications, and assembling contextual information from your profile, organization, and conversation history.
We do not use AI to make decisions that produce legal or similarly significant effects on you without human involvement. Decisions about your account (such as billing enforcement and terms violations) involve human review.
If you believe automated processing has affected you unfairly, contact us at .
11. Children
The Service is not directed to individuals under 18 years of age, consistent with our eligibility requirements. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.
12. Contact and Changes
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
Contact us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email:
- Mail: Novo Industries, Inc., Wilmington, DE 19801