Privacy Policy
Effective Date: 2026-05-20 · Version 1.0
DRAFT — PENDING LEGAL REVIEW.
This privacy policy is a working draft prepared for review by qualified
privacy counsel (GDPR, UK GDPR, KVKK, CCPA, Jamaica DPA). It must not
be relied upon as-is. Remove this notice only after counsel sign-off.
This Privacy Policy describes how Novus Technologies, Inc.
(“Call on Novus”, “we”, “us”)
collects, uses, shares, and protects personal data in connection with
the Call on Novus platform (the “Service”).
This Policy is incorporated by reference into our
Terms of Service.
1. Who This Policy Applies To
This Policy covers personal data we process about three groups:
- Customer Users—the individuals who hold accounts on the Service on behalf of an organization that has agreed to our Terms.
- End Recipients—the natural persons whom our Customers call (or receive calls from) using the Service. With respect to End Recipient personal data, the Customer is the controller and Call on Novus is the processor.
- Website Visitors—people who browse our marketing pages without authenticating.
2. Controller / Processor Roles
Under the EU General Data Protection Regulation, the UK GDPR, and
analogous laws, Call on Novus is the controller
for personal data of Customer Users and Website Visitors, and the
processor acting on behalf of the Customer for any
End Recipient personal data uploaded to or transmitted through the
Service. Where required, the parties enter into a Data Processing
Agreement reflecting this allocation.
3. Personal Data We Collect
3.1 From Customer Users
- Account identifiers: email address, password hash, organization, role.
- Session metadata: IP address, user-agent, login timestamps.
- Audit records: Terms-of-Service acceptances (with IP and user-agent), batch consent attestations, configuration changes.
- Billing details (collected and processed by Stripe; we receive only tokens, last-four card digits, and invoice metadata).
3.2 From End Recipients (as processor)
- Phone numbers and any contact attributes the Customer chooses to upload.
- Call audio and machine-generated transcripts (during a call).
- Call metadata: duration, disposition, timestamps, originating and terminating numbers, opt-out events.
We do not select End Recipients; we do not solicit consent from End
Recipients; we do not have a commercial relationship with End
Recipients. End Recipient personal data is processed solely on the
Customer’s documented instructions.
3.3 From Website Visitors
- IP address and approximate location, browser and device type.
- Pages viewed, referrer, and basic analytics events.
- Cookie identifiers strictly necessary for site functionality.
4. How We Use Personal Data
- Service provision—to operate the Service for Customers, including routing calls, transcribing audio, and storing recordings.
- Account administration—authentication, billing, support communications.
- Security and abuse prevention—detecting fraud, enforcing the Acceptable Use Policy, responding to traceback and regulatory requests, defending claims.
- Compliance—meeting our own legal obligations and helping Customers meet theirs.
- Improvement—using aggregated, de-identified data to improve the Service. We do not train models on End Recipient call audio or transcripts.
5. Legal Bases (GDPR / UK GDPR / KVKK)
- Performance of a contract: providing the Service to Customer Users.
- Legitimate interests: securing the platform, preventing abuse, improving the product (balanced against the rights of data subjects).
- Legal obligation: responding to lawful regulatory and law-enforcement requests.
- Consent: where required (e.g., non-essential cookies). For End Recipient personal data, the Customer is responsible for establishing a lawful basis and (where required) obtaining consent.
6. Subprocessors
We engage carefully vetted subprocessors to run the Service. Each is
bound by a written agreement with confidentiality, security, and
sub-processing controls at least as protective as this Policy. The
current list:
- Twilio, Inc.—telephony, recording storage during retention.
- ElevenLabs Ltd.—text-to-speech, speech-to-text, conversational AI agents.
- Google LLC—LLM inference for AI agents (Gemini), where used.
- Anthropic, PBC—LLM inference, where used.
- Cloudflare, Inc.—CDN, R2 object storage for recordings.
- Neon, Inc.—managed PostgreSQL database hosting.
- Stripe, Inc.—payment processing and billing.
- Composio—calendar OAuth integrations.
- Resend, Inc. / Postmark—transactional email delivery.
We will give Customers reasonable advance notice of new
subprocessors and the opportunity to object. The Customer’s own
carrier (e.g., a Twilio account they own under BYOC) is not our
subprocessor; the Customer is the controller for that carrier
relationship.
7. International Data Transfers
The Service operates from infrastructure in the European Union and
the United States. Where we transfer personal data of EU, UK, or
Turkish data subjects outside their jurisdiction, we rely on
Standard Contractual Clauses (the EU SCCs, the UK IDTA, or KVKK
equivalents), supplementary measures where appropriate, or other
legally recognized transfer mechanisms. Copies of relevant clauses
are available on request to legal@novusasi.com.
8. Retention
- Account and audit data: for the life of the Customer account plus seven (7) years, or longer where required by law.
- Call audio recordings: thirty (30) days by default, then automatic deletion. Customers may configure a shorter retention period in their account settings.
- Call metadata and transcripts: for the life of the Customer account plus three (3) years, unless the Customer requests earlier deletion.
- Consent and opt-out records: at least five (5) years, consistent with TCPA and FTC TSR record-keeping obligations.
- Backups: encrypted backups follow a thirty- to ninety-day cycle and are then overwritten.
9. Security
We employ administrative, technical, and physical safeguards
appropriate to the risk, including TLS in transit, encryption at
rest for sensitive credentials (including Customers’ carrier
API keys), least-privilege access controls, audit logging, and
regular vulnerability management. No system is perfectly secure; in
the event of a personal-data breach affecting Customers or End
Recipients, we will notify the controller without undue delay and
in any event within seventy-two (72) hours of awareness, as
required by Applicable Law.
10. Your Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete personal data (subject to legal retention exceptions).
- Restrict or object to processing.
- Data portability (machine-readable export).
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with your supervisory authority (EU/EEA DPA, UK ICO, Turkish KVKK, Jamaica OIC, California AG, etc.).
To exercise these rights as a Customer User or Website Visitor,
email legal@novusasi.com. End Recipients should
contact the Customer who initiated their call; we will route
legitimate requests we receive directly to the relevant Customer.
Under CCPA / CPRA we do not “sell” or “share”
personal data as those terms are defined; California residents
nevertheless have the right to opt out of any future sale or share
and to limit the use of sensitive personal information.
11. Cookies and Tracking
We use a small number of strictly necessary cookies for session
management and security. We do not use advertising cookies or
cross-site trackers. Where any analytics cookie is non-essential, we
request consent in compliance with the EU ePrivacy Directive (as
implemented locally) before it is set.
12. Children
The Service is not directed to children under sixteen (16), and we
do not knowingly collect personal data from children. If you
believe we have inadvertently collected such data, please contact
us and we will delete it promptly.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will
be communicated by email to the address associated with the
Customer’s account or by prominent in-product notice at least
fifteen (15) days before they take effect. The current version is
always available at /legal/privacy.
14. Contact
Privacy questions or requests: legal@novusasi.com
Operational and support questions: support@novusasi.com
Novus Technologies, Inc., a Delaware corporation, United States.
© 2026 Novus Technologies, Inc. All rights reserved.