Privacy Policy
How we collect, use, and protect your personal data. Select your region below.
Effective 1 July 2026 · Version 1.0
1. DATA CONTROLLER
This Privacy Policy (the "Policy") describes how your personal data is collected, used, processed, and protected by:
Nova Fintech LLC ("Novapayx," "we," "us," or "our")
Registered Address: 848 Main St, STE 10 PMB 142, Billings, MT 59105, USA
Email: privacy@novapayx.com
FinCEN Money Services Business Registration: 31000301949490
Novapayx is a consumer-facing digital platform through which regulated financial services — multi-currency wallets, virtual accounts, crypto-asset conversion (on/off-ramp), and money transmission — are made available by the applicable regulated entity and its partners for your region. The contracting entity is Nova Fintech LLC (Money Services Business registered with FinCEN under the Bank Secrecy Act) in the United States; Nova Financial Tech Limited (registered with FINTRAC, Canada) outside the U.S. and EEA; and a MiCA-authorised CASP partner in the EEA.
Novapayx is powered by Axora, a technology company that handles the technical systems, ledger management, and integration with our banking and financial partners.
This Privacy Policy applies to users located outside the European Economic Area (EEA). If you are located within the EU/EEA, please refer to our separate EU Privacy Policy, which applies to crypto-asset services provided by a MiCA-authorised CASP partner in the EEA.
We are committed to safeguarding your privacy and operating transparently. Our practices comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and other applicable data protection laws in the jurisdictions where we operate.
This Policy should be read together with our Terms of Use and our Anti-Money Laundering and Counter-Terrorist Financing Policy to the extent that personal data is processed for AML/CTF compliance, including verification, screening, and record-keeping.
2. PERSONAL DATA WE COLLECT
When you use Novapayx, we collect various categories of personal data to provide our services, comply with legal obligations, and protect our users and platform. The categories of personal data we collect include:
2.1 Information You Provide Directly
Identity and Verification Data: Your full legal name, date of birth, nationality, country of residence, government-issued identification documents (passport, driver's license, national ID), photograph, and proof of address (utility bill, bank statement, or government correspondence). For biometric verification, we use facial recognition and liveness detection technology to confirm your identity. We do not permanently store raw biometric data; biometric processing occurs through our KYC provider, and only verification results and compliance determination flags are retained.
Contact Information: Email address, telephone number, residential address, and mailing address.
Financial Information: Bank account details (account number, routing number, SWIFT/BIC), payment card information (where applicable), source of funds documentation, source of wealth documentation, tax identification numbers, and employment or business information relevant to financial profile assessment.
Transaction Data: Records of all deposits, withdrawals, cryptocurrency purchases, sales, exchanges, transfers, and settlements processed through your account, including transaction amounts, dates, times, counterparties (where applicable), and transaction reference numbers.
Blockchain and Wallet Data: Cryptocurrency wallet addresses you provide or that are generated for your account, transaction hashes, on-chain activity associated with your wallets, and blockchain analytics data used for compliance screening.
Communications Data: Support tickets, chat logs, email correspondence, telephone recordings (where permitted by law and with appropriate notice), and feedback or complaints you submit.
Consent and Preference Data: Records of your consent to our Terms of Use, this Privacy Policy, marketing communications, and cookie usage, including the date, time, and method of consent.
2.2 Information Collected Automatically
Device Information: IP address, device type, device identifier, operating system and version, browser type and version, screen resolution, and time zone settings.
Usage and Behavioral Data: Pages visited, features used, clickstream data, session duration, timestamps, referral URLs, and technical events (such as errors, crashes, or system performance issues).
Location Data: Approximate geographic location derived from your IP address. We do not collect precise GPS location data unless you explicitly enable location services and provide consent.
2.3 Information from Third Parties
Identity Verification Providers: We use specialized Know-Your-Customer (KYC) service providers to verify your identity. During onboarding, you will complete identity verification through our provider's platform, which captures your identity documents, biometric data, and proof of address. The provider shares verification results, risk scores, and compliance determination flags with us.
Blockchain Analytics Providers: We engage third-party blockchain-analytics providers to analyze blockchain transactions associated with your wallet addresses. These providers supply transaction risk scores, sanctions screening results, and transaction monitoring data to support our AML/CTF compliance obligations.
Sanctions and PEP Screening Databases: We screen all users against global sanctions lists (OFAC, UN, EU) and Politically Exposed Person (PEP) databases to comply with regulatory requirements.
Banking and Payment Partners: When you deposit or withdraw funds, our banking partners and Electronic Money Institution (EMI) partners may provide us with transaction confirmation data, settlement information, and limited personal data necessary to process your requests.
2.4 Sensitive Personal Information
Under the CCPA/CPRA, certain categories of personal information are classified as "sensitive." We may collect the following sensitive personal information:
Government-issued identification numbers (Social Security Number, driver's license number, passport number, state ID number)
Financial account information (bank account numbers, financial account login credentials when you link accounts)
Precise geolocation data (only if you enable location services)
Biometric information (facial recognition data used for identity verification)
We collect and use sensitive personal information only as necessary to provide our services, verify your identity, comply with legal obligations, and protect against fraud. We do not use or disclose sensitive personal information for purposes beyond those permitted by law.
2.5 Children's Privacy
Our Services are not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we learn that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data from our systems. If you believe that we may have collected personal data from a child, please contact us immediately at privacy@novapayx.com.
3. HOW WE USE YOUR PERSONAL DATA
We use your personal data for the following purposes:
3.1 Service Delivery and Account Management
Creating and maintaining your Novapayx account
Processing cryptocurrency and fiat transactions, including deposits, withdrawals, exchanges, and transfers
Managing your digital wallets and virtual accounts
Facilitating settlement and reconciliation with banking partners
Providing customer support and responding to your inquiries
3.2 Legal and Regulatory Compliance
Complying with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) laws, including the Bank Secrecy Act (BSA) and FinCEN regulations
Conducting Know-Your-Customer (KYC) and Customer Due Diligence (CDD) procedures
Screening against sanctions lists (OFAC, UN, EU) and PEP databases
Transaction monitoring and suspicious activity reporting (SARs)
Implementing the FATF Travel Rule for virtual asset transfers
Tax reporting and compliance with IRS requirements
Responding to lawful requests from regulators, law enforcement, and courts
3.3 Security and Fraud Prevention
Verifying your identity and preventing unauthorized access to your account
Detecting and preventing fraudulent transactions, identity theft, and other financial crimes
Monitoring platform security and responding to security incidents
Protecting the integrity of our systems and the funds of our users
3.4 Communications
Sending service-related notices, including transaction confirmations, security alerts, and account updates
Notifying you of changes to our Terms of Use, Privacy Policy, or Services
With your consent, sending marketing communications about new features, products, or promotional offers (you may opt out at any time)
3.5 Analytics and Service Improvement
Analyzing usage patterns to improve our platform functionality and user experience
Conducting internal research and development
Generating aggregated, anonymized statistics that do not identify individual users
4. DATA SHARING AND DISCLOSURE
We may share your personal data with the following categories of recipients:
4.1 Group Companies and Affiliates
We share personal data with our affiliates within the Novapayx/Axora Group for operational purposes, including Axora (technology infrastructure), an authorised CASP partner (EEA crypto-asset services), and Nova Financial Tech Ltd. (Canadian operations). Intra-group transfers are governed by data processing agreements that incorporate appropriate safeguards.
4.2 Service Providers and Processors
We engage third-party vendors who perform services on our behalf under contractual agreements that require them to protect your data. Our key service providers include:
Identity-verification providers for KYC/KYB processing
Blockchain-analytics providers for transaction monitoring and AML compliance
Digital-asset custody providers for secure asset custody
Cloud infrastructure providers for secure data hosting and storage
Customer support and communication platforms
4.3 Banking and Financial Partners
To facilitate transactions, settlements, and financial services, we share necessary information with banking partners, payment processors, Electronic Money Institutions (EMIs), and other financial service providers involved in completing your transactions.
4.4 Regulatory Authorities and Law Enforcement
We may disclose your personal data to Financial Intelligence Units (FIUs), regulatory authorities (including FinCEN and state regulators), law enforcement agencies, tax authorities, and courts when required or authorized by law. This includes responding to subpoenas, court orders, regulatory inquiries, and requests for information about suspected money laundering or terrorist financing.
4.5 Professional Advisors
We may share personal data with our legal counsel, auditors, accountants, and other professional advisors who require access to provide their services, subject to professional confidentiality obligations.
4.6 Business Transactions
In the event of a merger, acquisition, reorganization, bankruptcy, or other business transaction, your personal data may be transferred as part of that transaction. We will provide notice of any such transfer and your rights regarding your data.
4.7 No Sale or Sharing of Personal Data for Cross-Context Behavioral Advertising
We do NOT sell your personal data to third parties, nor do we share your personal data for cross-context behavioral advertising purposes. This applies to all categories of personal data, including sensitive personal information.
5. INTERNATIONAL DATA TRANSFERS
Novapayx operates across multiple jurisdictions, including the United States, Canada, and the European Union. Your personal data may be transferred to, stored in, and processed in countries other than your country of residence.
When we transfer personal data internationally, we implement appropriate safeguards to ensure that your data receives an adequate level of protection, including:
Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/UK
Data Processing Agreements that incorporate contractual protections with all third-party processors
Transfer Impact Assessments (TIAs) conducted for transfers to jurisdictions that may not provide adequate protection
Technical and organizational security measures to protect data in transit and at rest
By using Novapayx and providing your personal data, you acknowledge and consent to the transfer of your personal data as described in this section.
6. DATA RETENTION
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory obligations, and protect our legitimate business interests. Our retention periods are as follows:
Legal Holds: Data may be retained longer if required by ongoing litigation, regulatory investigation, or legal hold. Deletion Requests: You may request deletion of your data where permitted by law; however, we must retain data required for compliance with legal obligations or completion of pending transactions.
7. YOUR RIGHTS
Depending on your location, you may have the following rights with respect to your personal data:
7.1 California Residents (CCPA/CPRA Rights)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected your personal information, the business or commercial purposes for collecting your personal information, and the categories of third parties with whom we share your personal information.
Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions (such as compliance with legal obligations or completion of transactions).
Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. If this practice changes, we will provide you with the opportunity to opt out.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to purposes necessary to provide our services.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
7.2 Rights Available to All Users
Right to Access: Request a copy of your personal data in a structured, commonly used format
Right to Rectification: Request correction of inaccurate or incomplete information
Right to Erasure: Request deletion of your data, except where retention is required by law
Right to Data Portability: Request your data in a transferable format
Right to Object: Object to processing for marketing or other non-essential purposes
Right to Withdraw Consent: Withdraw consent for data uses like marketing or biometric verification at any time
Opt-Out of Marketing: Unsubscribe from marketing communications at any time
7.3 How to Exercise Your Rights
To exercise any of your privacy rights, please contact us at privacy@novapayx.com with a clear statement of your request. We will verify your identity before processing your request and will respond within forty-five (45) days (or as required by applicable law). If we require additional time, we will notify you of the extension and the reasons for the delay. We may request additional information to verify your identity and ensure we process your request accurately.
Authorized Agents: California residents may designate an authorized agent to submit requests on their behalf. Authorized agents must provide proof of authorization (such as a signed power of attorney or written authorization from the consumer) and we may require the consumer to verify their identity directly.
8. DATA SECURITY
We implement robust technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
Encryption: All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256 encryption standards.
Multi-Factor Authentication (MFA): Required for all user accounts and administrative access to protect against unauthorized access.
Access Controls: Role-based access controls ensure that only authorized personnel can access personal data on a need-to-know basis.
Audit Logging: All access to personal data is logged, monitored, and reviewed regularly for suspicious activity.
Intrusion Detection: Security monitoring tools detect and prevent unauthorized network access and potential security incidents.
Secure Custody: Digital assets are held in secure custody through a digital-asset custody provider, utilizing MPC (Multi-Party Computation) technology for enhanced security.
Incident Response: We maintain comprehensive incident response procedures, including a 24-hour detection and notification protocol for security incidents.
Employee Training: All staff undergo regular security awareness training and periodic access reviews.
While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach that affects your personal data, we will notify you and applicable regulatory authorities as required by law.
9. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies to enable core platform functionality, enhance your user experience, maintain security, and analyze usage patterns.
9.1 Types of Cookies We Use
Strictly Necessary Cookies: Required for essential platform functions, including authentication, session management, security, and fraud prevention. These cookies cannot be disabled.
Performance and Analytics Cookies: Help us understand how users interact with our platform, identify errors, and improve our services. These cookies collect aggregated, anonymized data.
Functional Cookies: Remember your preferences (such as language or display settings) to provide a personalized experience.
9.2 Managing Your Cookie Preferences
You can control cookie usage through your browser settings. Most browsers allow you to refuse cookies or delete cookies that have already been set. Please note that disabling certain cookies may limit your access to some platform features. For specific information about the cookies we use, their purpose, and duration, please contact privacy@novapayx.com.
9.3 Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no uniform standard for how to interpret DNT signals, our website does not currently respond to DNT signals. However, you can manage your tracking preferences through your browser settings and our cookie controls.
10. THIRD-PARTY LINKS AND SERVICES
Our platform may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our platform.
11. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will:
Update the "Effective Date" and "Last Updated" date at the top of this Policy
Provide notice via email or in-app notification at least thirty (30) days before material changes take effect
Post the updated Policy on our website and platform
Your continued use of Novapayx after any changes to this Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically.
12. CONTACT US
If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, or if you wish to exercise any of your privacy rights, please contact us:
Nova Fintech LLC
Attention: Privacy Officer
Email: privacy@novapayx.com
Mailing Address: 848 Main St, STE 10 PMB 142, Billings, MT 59105, USA
Response Time: Within forty-five (45) days of receipt
If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority or, for California residents, the California Attorney General's Office.
[END OF PRIVACY POLICY]
This PRIVACY POLICY (the “Policy”) describes how Novapayx (“Novapayx”, “we”, “us”, “our”), collects, uses, processes, and protects the personal data of the Users (“Users”, “you”, your”) when you use the Novapayx Platform and Services.
Novapayx is a digital platform through which crypto-asset services for EEA users are made available by a MiCA-authorised Crypto-Asset Service Provider (CASP) partner, with multi-currency accounts and fiat conversion provided through regulated partners. The CASP partner is the regulated provider responsible for the crypto-asset services, including managing your account, processing your transactions, and ensuring compliance with applicable financial services and anti-money laundering regulations.
Novapayx is powered by Axora, a technology company that handles the technical systems, ledger management, and integration with our banking and financial partners.
We are committed to safeguarding your privacy and operating transparently. Our practices comply with GDPR, UK-GDPR, PIPEDA, CCPA, and other applicable data protection laws.
This Policy applies to all users of the Novapayx website, mobile applications, and services (collectively, “Services”). If you do not agree with our privacy practices, please do not use our services.This Policy should be read together with our Anti-Money Laundering and Counter-Terrorist Financing Policy (v2.0) to the extent that personal data are processed for AML/CTF compliance, including verification, screening, and record-keeping. Where processing is required under law, Novapayx acts under Article 6(1)(c) GDPR (legal obligation) and Article 9(2)(g) GDPR (substantial public interest in the prevention of money laundering).
PERSONAL DATA COLLECTED
When you use Novapayx, we collect various categories of personal data to provide our services, including:
Identity and Verification Data - Your name, date of birth, nationality, government-issued identification documents, photograph, and proof of address. For biometric verification, we use facial recognition and liveness detection technology to confirm your identity. We do not permanently store your raw biometric data; biometric processing occurs through our KYC provider and is retained only as verification results and compliance flags.
Corporate and Beneficial Ownership Information - If you represent a corporate entity, we collect information about the company, including its registration number, business address, company formation documents, and details of Ultimate Beneficial Owners (UBOs), directors, and authorized signers.
Contact and Communication Information - Your email address, phone number, business or residential address, and records of communications you have with us via email, support tickets, or in-app messaging.
Account Information - Your username, password (encrypted), login credentials, profile information, account preferences, language settings, and security settings such as two-factor authentication preferences.
Transaction and Financial Data - Information about transactions you initiate through Novapayx, including transaction type, amounts, currencies, counterparties, wallet addresses, timestamps, and transaction status. This includes fiat deposits and withdrawals, cryptocurrency trades, virtual account transfers, and card payments (where applicable).
Device and Technical Information - Information about the devices you use to access Novapayx, including device type, operating system, IP address, browser type, approximate location based on IP address, and unique device identifiers. This information helps us maintain security, prevent fraud, and improve our services.
Transaction Risk and Screening Data - Results of our anti-money laundering (AML) screening, sanctions list matching, blockchain risk analysis, and transaction monitoring. This includes risk scores assigned to your account or transactions and compliance determination flags.
Consent and Preference Data - Records of your consent to our terms, privacy policy, marketing communications, and cookie usage, including the date and method of consent.
Usage and Behavioral Data - Information about how you interact with our platform, including pages visited, features used, time spent on platform features, and technical events (such as errors or system performance issues).
Marketing and Correspondence Data - If you have consented to marketing communications, we collect data about your preferences regarding the types of communications you wish to receive and whether you have opened or clicked on marketing emails or messages.We do not knowingly collect personal data of children under eighteen (18) years of age. If we learn that such data have been collected inadvertently, they will be securely deleted.
DATA SOURCES AND COLLECTION CHANNELS
Direct from You
Most of the personal data we collect comes directly from you when you register for an account, complete your identity verification, provide your corporate information, conduct transactions, or communicate with our support team via email, in-app messaging, or support tickets.
Third-Party Verification Providers
We use specialized Know-Your-Customer (KYC) and identity verification service providers to collect and process your identity data.
During your onboarding, you will complete identity verification through our third-party provider's platform, which captures your identity documents, biometric data (facial recognition and liveness detection), and proof of address.
You provide this data directly to the verification provider, and they share verification results and compliance determination with us.
Blockchain and Transaction Monitoring Providers
We engage third-party providers to analyze blockchain transactions associated with your wallet addresses and cryptocurrency transfers.
These providers provide us with transaction risk scores, sanctions screening results, and transaction monitoring data.
Banking and Payment Partners
When you deposit funds, withdraw money, or make payments through our banking and EMI partners, those partners provide transaction confirmation data, settlement information, and limited personal data necessary to process your requests.
Device and Behavioral Analytics
Information about how you interact with our platform and technical data about your device is collected automatically through cookies, pixels, and similar technologies when you access the Novapayx website or mobile application.
Public and Third-Party Databases
To comply with sanctions and AML regulations, we screen your information against public and commercially available sanctions lists, politically exposed person (PEP) databases, adverse media databases, and other compliance screening tools.We also maintain internal audit logs to document when and how your data were obtained, consistent with our AML/CFT record-keeping obligations (§7–10 of the the CASP partner AML Policy).
PURPOSES FOR DATA PROCESSING
Create and manage your Novapayx account, provide services, and process transactions.
Verify your identity, perform KYC/AML checks, and ensure compliance with legal requirements.
Monitor transactions to detect and prevent fraud or financial crimes.
Meet regulatory, tax, and recordkeeping obligations.
Communicate with you about your account, transactions, and service updates.
Send marketing communications, only with your due consent, and improve the Platform.
Protect our systems, enforce terms of service, and ensure account security.
Respond to legal requests and assert or defend legal rights.
LEGAL BASIS FOR DATA PROCESSING
Contract - To perform the agreement enabling your use of Novapayx services, including account setup, transactions, and support. Where we process biometric data for identity verification, we do so under Article 9(2)(g) GDPR (substantial public interest) read with the Polish AML Act of 1 March 2018. We do not store raw biometric templates; only verification results are retained.
Legal Obligation - To comply with AML, CTF, sanctions, tax, data protection, and other laws requiring data collection and compliance screening.
Legitimate Interests - To operate, secure, and improve our services, prevent fraud, and conduct analytics, while respecting your privacy rights.
Consent - For processing special categories of data or sending marketing communications, subject to withdrawal at any time.
Public Interest and Compliance - To meet financial regulations, cooperate with authorities, and fulfill institutional obligations.
DATA SHARING
Your data is shared with the following entities:
Regional regulated entities and partners (Our Operating Entities) - The regulated entity or partner responsible for your region — Nova Fintech LLC in the United States, Nova Financial Tech Limited internationally, or an authorised CASP partner in the EEA — has access to the personal and transaction data necessary to provide services and meet regulatory obligations.
Axora (Our Technology and Infrastructure Provider) - Axora, our technology infrastructure partner, processes your data as a data processor to manage the technical systems, ledger, transaction records, and integrations that power Novapayx. Axora has access to transaction metadata, wallet information, and limited identity data as necessary to deliver technology services.
Affiliated Entities - The Novapayx group includes affiliated entities in the United States (Nova Fintech LLC, Montana) and Canada (Nova Financial Tech Ltd., British Columbia), which may have access to your data for group compliance coordination, consolidated reporting, and future expansion of services to your region. Data sharing with affiliates is minimized and governed by appropriate contractual protections.
Third-Party Service Providers
Novapayx engages third-party service providers to deliver compliance, financial infrastructure, and operational support services.
All third-party service providers are bound by written Data Processing Agreements (DPAs) that impose strict confidentiality, security, and data protection obligations. These agreements specify their role, the data they may access, and how they must protect that data.
Regulatory Authorities, Law Enforcement, and Government - We may disclose your personal data to financial intelligence units (FIUs), regulatory authorities, law enforcement agencies, tax authorities, or other government entities if we are required or authorized by law to do so. This includes responding to subpoenas, court orders, regulatory inquiries, requests for information about suspected money laundering or terrorist financing, and other legal processes.
Banking Partners and External Parties - To facilitate transactions, settlements, and financial services, we share necessary information with banking partners, payment processors, EMI partners, and external parties involved in completing your transactions.
Business Successors - In the event of a merger, acquisition, bankruptcy, liquidation, or other business transaction, your personal data may be transferred as part of that transaction. We will provide notice of any such transfer and your rights regarding your data.
With Your Consent - We may share your data with other parties with your explicit consent or at your direction.
CROSS-BORDER DATA TRANSFERS
Novapayx operates across multiple jurisdictions, including the European Union, United Kingdom, United States, and Canada. Your personal data may be transferred, stored, and processed in any of these jurisdictions.
Transfers from the EU/UK to the US and Canada - Personal data collected in the EU or UK and transferred to the United States or Canada may be transferred through mechanisms approved under applicable data protection law. We implement Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK Addendum to SCCs (where applicable) to provide appropriate data protection safeguards for transfers to countries outside the EEA/UK.Where applicable, Novapayx relies on the EU-U.S. Data Privacy Framework adequacy decision (10 July 2023) for transfers to certified U.S. processors. For other destinations, Standard Contractual Clauses (2021/914/EU) and the UK Addendum are executed. Transfer Impact Assessments (TIAs) are documented for each vendor in accordance with EDPB Recommendations 01/2020.
Data Processing Agreement Protections - All third-party processors that handle personal data outside the EEA/UK are subject to Data Processing Agreements that incorporate the necessary contractual safeguards, including SCCs or other appropriate transfer mechanisms.
Transfer Impact Assessments - We conduct transfer impact assessments (TIAs) and data protection impact assessments (DPIAs) as required by law to evaluate the adequacy of protection and implement supplementary measures where necessary.
Your Consent - By using Novapayx and providing your personal data, you consent to the transfer of your personal data as described in this section.
DATA RETENTION AND DELETION
We retain your personal data only as long as necessary for legal, regulatory, or operational purposes:
KYC/KYB and AML Records - Retained for eight (8) to ten (10) years after account closure, as required under AML laws.
Transaction Records - Kept for ten (10) years to meet compliance and accounting standards.
Communications - Stored for up to twenty-four (24) months unless needed longer for disputes or legal matters.
Device and Usage Data - Retained for twelve (12) months, extended only for security or fraud investigations.
Marketing Preferences - Stored for up to twenty-four (24) months from your last interaction or opt-out.
Legal Holds - Data may be kept longer if required by law, litigation, or regulatory inquiry.
Deletion Requests - You may request deletion where permitted by law, unless retention is required for compliance or ongoing transactions.
YOUR RIGHTS
You have the following rights under applicable data protection laws:
Right to Access - Request a copy of your personal data in a structured, machine-readable format.
Right to Rectification - Request correction of inaccurate or incomplete information.
Right to Erasure - Request deletion of your data, except where retention is required by law or for compliance.
Right to Restrict - Ask us to limit data use while a request or dispute is under review.
Right to Portability - Request your data in a transferable format for another provider.
Right to Object - Object to processing for marketing or other non-essential purposes.
Right to Withdraw Consent - Withdraw consent for data uses like marketing or biometric verification at any time.
Right to Complain - File a complaint with your local data protection authority.
To exercise any of these rights, please email [dpo@novapayx.com] with a clear statement of your request. We will respond to your request within thirty days of receipt, in accordance with applicable data protection law. We may require you to provide additional information or verification to confirm your identity before we fulfill your request.
COOKIES AND ANALYTICS
Cookies are small files stored on your device that help us maintain security, manage sessions, and improve our services. Novapayx uses cookies and similar tracking technologies to enable core platform functionality, enhance user experience, and analyze usage patterns.
We deploy strictly necessary cookies (required for platform operation) and, where applicable, performance and analytics cookies (to understand how users interact with our services). We may also use functional cookies for preferences and third-party cookies for operational purposes. All third-party providers maintain appropriate data protection standards and are bound by DPAs.
You can control cookie usage through your browser settings. Disabling certain cookies may limit access to some platform features. For specific information about the cookies we use, their purpose, and duration, please contact [dpo@novapayx.com].
DATA SECURITY
Novapayx uses robust technical and organizational measures to safeguard your data against unauthorized access, alteration, disclosure, or loss.
Encryption - Data is encrypted in transit (TLS) and at rest per industry standards.
Authentication - Accounts use multi-factor authentication (MFA).
Access Control - Role-based controls ensure only authorized personnel access necessary data.
Audit and Monitoring - Access and system activities are logged and reviewed regularly.
Intrusion Detection - Security tools monitor and prevent unauthorized network access.
Data Protection by Design - Our systems are built with privacy and security principles in place.
Training and Access Reviews - Staff undergo security training and regular access reviews.
Vendor Oversight - Third-party providers are assessed for compliance with our security standards.
In the event of a security incident or data breach, we have established incident response procedures to contain the breach, preserve evidence, notify affected individuals and authorities as required by law, and implement measures to prevent recurrence.
While we have implemented industry-standard security measures, no security system is completely impenetrable. We cannot guarantee absolute security of your data. We encourage you to maintain strong passwords, keep your login credentials confidential, and notify us immediately of any suspected security incidents.
CHILDREN’S PRIVACY
Our Services are not designed for or directed to individuals under the age of eighteen (18) years.
We do not knowingly collect personal data from children under eighteen years of age. If we become aware that we have collected personal data from a child under eighteen, we will take steps to delete such data and terminate the child's account promptly.
If you are a parent or guardian and believe that a child under eighteen has provided personal data to Novapayx, please contact us immediately at [help@novapayx.com].
THIRD-PARTY LINKS AND SERVICES
Our Platform may contain links to third-party websites, applications, and services that are not operated by Novapayx. This Policy applies only to personal data collected through Novapayx services. We are not responsible for the privacy practices of third-party websites or services, and we encourage you to review their privacy policies before providing your personal data.
When you click on a link to a third-party website or service, you leave Novapayx, and that third party's terms and privacy policies will apply. We are not responsible for any damages or losses you may incur as a result of third-party services or their privacy practices.
DATA PROTECTION OFFICER (DPO)
Novapayx engages an external DPO as part of its privacy governance program.
Data subjects may contact [dpo@novapayx.com] for privacy-related queries or to lodge complaints. You also have the right to contact your supervisory authority regarding data protection matters.
AUTOMATED DECISION-MAKING AND YOUR RIGHTS
Novapayx uses automated systems, including transaction monitoring algorithms and risk scoring tools, to make certain decisions about your account, such as transaction approvals, account flags, and restrictions on certain activities.
You have the right to request manual human review of any significant automated decision affecting you, including account restrictions, transaction denials, or compliance determinations. To request human review, please contact [compliance@novapayx.com].
We will provide you with information about the logic behind any significant automated decisions that affect you, subject to confidentiality and fraud prevention considerations.
COMPLAINTS AND SUPERVISORY AUTHORITY
We encourage you to contact us directly so we may address your concerns, before you contact a supervisory authority.
If you believe that Novapayx has violated your privacy rights or data protection laws, you have the right to lodge a formal complaint with your applicable data protection supervisory authority or regulators.
European Union - You may contact the data protection authority in your member state or submit a complaint to the Polish Office for data protection in the EEA:
You may contact your local data protection supervisory authority in the EEA.
United Kingdom - You may contact the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Water Lane, Wycliffe House
Wilmslow, Cheshire SK9 5AF, UK
Website - www.ico.org.uk
Canada - You may contact the Privacy Commissioner of Canada (PCC):
Privacy Commissioner of Canada
30 Victoria Street
Gatineau, QC K1A 1H8, Canada
Website - www.priv.gc.ca
California, USA - You may contact the California Attorney General:
California Attorney General
Public Inquiry Unit
300 South Spring Street
Los Angeles, CA 90013, USA
POLICY UPDATES
This Policy will be reviewed and updated periodically as our operations and legal requirements evolve.
Significant changes will be communicated to you via the website or direct notifications.
Your continued use of Novapayx following any update to this Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically to remain informed about how we handle your personal data.
CONTACT US
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, please contact us:
Privacy & Data Protection
Email: privacy@novapayx.com
Compliance & Anti-Money Laundering (AML) Matters
Email: aml@novapayx.com
General Customer Support
Email: support@novapayx.com
Governance & Legal Inquiries
Email: legal@novapayx.com

