Novo NorthSign in

Privacy Policy

Effective date: July 11, 2026

Novo Industries, Inc. ("Novo North," "we," "us," or "our"), operates the Novo North platform (the "Service"). This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.


1. Information We Collect

Information you provide

  • Account information: Email address, display name, role or title, and timezone
  • Organization data: Organization name, website URL, and organizational context
  • Content: Agent conversation history, file uploads, agent-built applications, and shared memory entries (notes and playbooks)
  • Calls: Audio/video call participation and automatically generated call transcripts (saved to your Drive). We do not store recordings of call audio or video
  • Payment information: Billing details processed through our payment processor (we do not store full payment card numbers)

Information collected automatically

  • Agent workspace data: Configuration files, memory, and learned context that agents maintain to personalize your experience across sessions
  • Browser session data: When you authorize browser automation, persistent login contexts (including cookies and authentication state from external websites) are maintained per user per Organization
  • Usage data: Feature usage, agent activity logs, and per-capability cost tracking for billing
  • Device information: Browser type, operating system, native app platform, app version, and an app install identifier where needed for native app operation
  • Native app diagnostics: Route pathnames without query strings, network status, launch/deep-link diagnostics, and native permission or biometric confirmation outcomes used to operate and troubleshoot the native apps

Information from third parties

  • OAuth connections: When you connect third-party services, credentials and connection metadata are stored by our integration provider (see Section 3)
  • Onboarding research: During onboarding, your workspace name and public company website may be used to run a web search and draft your workspace context using the search and AI providers listed in Section 3. The result is stored only if you proceed with onboarding

Data architecture

Your data is stored across a central platform database and dedicated per-Organization infrastructure. Each Organization's data is logically isolated regardless of where it is stored.

2. How We Use Information

We use the information we collect to:

  • Provide the Service: Deliver AI agent capabilities, store and retrieve your data, enable calls and collaboration, and run agent-built applications
  • Assemble agent context: Combine your profile, organization context, shared memory, and conversation history to provide relevant agent responses
  • Process payments: Bill your subscription and track usage against plan limits
  • Maintain security: Monitor for unauthorized access, detect abuse, and enforce our Acceptable Use Policy
  • Communicate with you: Send service-related notices, security alerts, and policy updates

We do not:

  • Use your data — including inputs, outputs, conversation history, or uploaded files — to train or improve any AI model that we develop or fine-tune. Provider processing, retention, and training restrictions are governed by provider-specific business/API terms and the subprocessors listed in Section 3
  • Sell or rent your personal information to third parties
  • Use your data for advertising or ad targeting

Legal basis for processing (GDPR)

Processing activityLegal basisNotes
Account creation, service delivery, calls, and collaborationContractual necessity (Art. 6(1)(b))Required to provide the Service
AI agent conversations and context assemblyContractual necessity (Art. 6(1)(b))Core service feature
Payment processing and billingContractual necessity (Art. 6(1)(b))Contractual obligation
Browser automation on your behalfContractual necessity (Art. 6(1)(b))User-initiated feature
Security monitoring and abuse detectionLegitimate interest (Art. 6(1)(f))Protecting users and the Service
Service communicationsContractual necessity (Art. 6(1)(b))Operational notices
Onboarding personalization researchLegitimate interest (Art. 6(1)(f))Improving user experience; you may skip personalization during onboarding
Usage analytics and billing enforcementLegitimate interest (Art. 6(1)(f))Service operation and fraud prevention

Where we rely on legitimate interest, we have assessed that our interests do not override your rights. You may object to processing based on legitimate interest by contacting us at .

3. AI Processing and Subprocessors

The Service processes your data through the following third-party AI and infrastructure providers:

AI providers

ProviderData processedPurpose
Novo Agents CloudConversations, tool interactions, file analysis, managed workspace and browser context, and usage eventsHosted AI agent runtime, inference orchestration, and managed tools (including code tasks, media generation, and browser automation)
Google (Vertex AI)Uploaded file content (images, video, audio, documents, text) and content embeddingsContent analysis and enrichment, semantic search indexing
ElevenLabsUploaded audio and video file contentMedia transcription (speech-to-text) during upload processing
AssemblyAI or DeepgramCall audio routed through LiveKit Inference GatewayReal-time call transcription
PerplexityWorkspace name and public company website domain during onboardingWeb search for drafting workspace context
Fireworks AIWorkspace and profile context you provide during onboarding, public website content, and web search resultsAI-assisted onboarding drafts (workspace context and setup suggestions)

Infrastructure subprocessors

ProviderData processedPurpose
VercelApplication code and request dataApplication compute, hosting, and API delivery
SupabaseAll persistent dataDatabase and file storage
WorkOSSign-in identity: email address, display name, authentication events, and session stateAuthentication and session management
MergeConnected-service credentials, connection metadata, and the requests and responses involved when your agents act on connected servicesThird-party service integrations (email, calendar, chat, and similar)
Google Cloud StorageTemporary file staging for large-file processing before Vertex AI; best-effort deleted after processingTemporary media and document staging
Novo Agents Cloud (managed browser)Browser session status, screenshots, and page content while a managed browser task is active; live-view URLs are not persisted by Novo NorthRemote browser automation
LiveKitCall audio/video transport, call metadata, webhook event dataReal-time audio/video calls infrastructure
StripePayment informationPayment processing
GitHubRepository contents, commit metadata, and repository identifiers sent to GitHub through Novo's managed git proxy; the GitHub access token is held by the proxy, not in your agent workspaceCode repository registration, cloning, and agent-assisted development
Google and MicrosoftOAuth sign-in profile identifiers such as email address, display name, and account IDs when you choose those sign-in methodsSign-in options
ConvertAPIDocument and image file contentFile format conversion for previews and thumbnails
ReductoDocument and image file content through short-lived signed URLsDocument parsing and content extraction
ResendEmail recipient address, subject, body content, delivery statusTransactional email delivery (sign-in, invites, billing notifications)
SentryError events and diagnostic metadataReliability and incident investigation
PostHogProduct usage events, feature-flag evaluation data, and session replay for non-strict workspaces when enabledProduct analytics, reliability diagnostics, and feature management

We use the subprocessors above to operate the Service. We maintain or are completing data-processing terms with each of them, and we update this list as our vendors change.

4. How We Share Information

We share your information only in the following circumstances:

  • Subprocessors: With the providers listed above, solely to operate the Service
  • Legal compliance: When required by law, regulation, legal process, or governmental request
  • Safety: To protect the rights, property, or safety of Novo North, our users, or the public
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
  • With your consent: When you explicitly direct us to share information with a third party

We do not sell or share your personal information for advertising or marketing purposes.

5. Cookies and Similar Technologies

We use cookies for authentication and session management. These cookies are set by our authentication provider and are necessary for the Service to function.

We use product analytics and operational telemetry to understand feature usage, diagnose reliability issues, and manage feature rollout. We do not use advertising cookies, tracking pixels, or targeted-advertising technology, and we do not sell or share personal information for advertising or marketing purposes.

We recognize Global Privacy Control (GPC) signals. Because we do not sell, share, or use personal information for targeted advertising, no opt-out action is triggered upon receiving a GPC signal.

6. Data Retention

Data categoryRetention period
Active account dataRetained while your account is active
Agent conversation historyRetained while your account is active; deletion available per agent
Call transcriptsRetained while the Organization exists
Shared memoryRetained while the Organization exists (survives individual agent deletion)
File uploadsRetained while your account is active, subject to storage limits
Browser session dataRetained while your account is active; cleared on account deletion
Post-termination30-day read-only export window → 60-day paused-data window (support-only access) → permanent deletion at day 90
Payment and billing recordsUp to 7 years as required by tax and financial regulations
Runtime and operational logsLimited retention for troubleshooting, typically no more than 90 days

You may delete your account and request deletion of your data at any time. See "Your Privacy Rights" below.

7. Data Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: Stored data is encrypted using AES-256
  • Authentication: Session cookies are used solely for authentication and session management
  • Database isolation: Each Organization's data is logically isolated with row-level security policies
  • Agent isolation: Agent compute runs in an isolated, managed cloud runtime with scoped, short-lived credentials
  • Access controls: Role-based access with secure-by-default middleware
  • Encrypted backups: Database backups are encrypted and stored securely by our infrastructure provider

No method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

8. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

For transfers from the European Economic Area and the United Kingdom, we rely on Standard Contractual Clauses (SCCs) and other appropriate transfer mechanisms as required by applicable law. Our subprocessors maintain their own transfer mechanisms, including EU-U.S. Data Privacy Framework certifications and Standard Contractual Clauses.

9. Your Privacy Rights

For all users

You may:

  • Access your personal data through the Service or by contacting us
  • Correct inaccurate information through your account settings
  • Delete your account and associated data through the Service. If you let a canceled subscription lapse, data is deleted automatically at day 90 of the cancellation lifecycle
  • Export Drive files directly through the Service during the 30-day Suspended window. For a full database snapshot covering memory, calls, and apps, email . We respond to erasure and portability requests within 30 days of receipt per GDPR Articles 12(3), 17, and 20

For EEA residents (GDPR)

You additionally have the right to:

  • Restrict processing of your personal data in certain circumstances
  • Object to processing based on legitimate interests
  • Data portability — receive your data in a structured, machine-readable format
  • Not be subject to solely automated decision-making with legal or similarly significant effects
  • Lodge a complaint with your local data protection authority

Our legal basis for processing your data is the performance of our contract with you (Article 6(1)(b) GDPR) and our legitimate interests in operating the Service (Article 6(1)(f) GDPR). See the legal basis table in Section 2 for details.

For UK residents (UK GDPR)

You have the same rights as EEA residents under the UK GDPR. You may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk. For transfers from the UK, we rely on the UK International Data Transfer Agreement and Standard Contractual Clauses.

For California residents (CCPA/CPRA)

Categories of personal information collected: Identifiers (name, email), commercial information (subscription and billing data), internet or electronic network activity (usage data, interaction logs), professional information (role, title), and contents of communications (agent conversations and call transcripts).

You have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Correct inaccurate personal information
  • Opt-out of sale or sharing — we do not sell or share your personal information as defined under the CCPA
  • Limit use of sensitive personal information — we use sensitive personal information (contents of communications) only as necessary to provide the Service
  • Non-discrimination — we do not discriminate against you for exercising your privacy rights

You may designate an authorized agent to submit requests on your behalf.

For other US state residents

Depending on your state of residence, you may have additional privacy rights under state privacy laws (including those in Virginia, Colorado, Connecticut, Texas, and other states). These generally include rights to access, correct, delete, and port your data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or engage in targeted advertising. To exercise any privacy rights, contact us at .

How to exercise your rights

Contact us at with your request. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

10. Automated Processing

The Service uses artificial intelligence to process your data as a core feature. This includes generating text, analyzing files, creating applications, and assembling contextual information from your profile, organization, and conversation history.

We do not use AI to make decisions that produce legal or similarly significant effects on you without human involvement. Decisions about your account (such as billing enforcement and terms violations) involve human review.

If you believe automated processing has affected you unfairly, contact us at .

11. Children

The Service is not directed to individuals under 18 years of age, consistent with our eligibility requirements. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.

12. Contact and Changes

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

Contact us

If you have questions about this Privacy Policy or our data practices, contact us at:

  • Email:
  • Mail: Novo Industries, Inc., Wilmington, DE 19801
Terms of ServicePrivacy PolicyAcceptable Use PolicySecurity

© 2026 Novo Industries, Inc.