Novaria.ai
Privacy Policy
Version 1.1 · June 2026 · emine@novaria.ai
1. Who We Are
Novaria.ai(“we”, “us”, “our”) operates the Ecosystem Intelligence Platform at ecosystem.novaria.ai. We are a UK-registered entity and act as the data controller in respect of personal data processed in connection with this platform.
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at emine@novaria.ai.
2. What This Policy Covers
This Privacy Policy explains:
- What personal data we collect and why
- The legal basis on which we process it
- How long we retain it
- Who we share it with
- Your rights as a data subject under UK GDPR
This policy covers all users of the platform — public visitors, registered free users, paid members, startup owners, and company founders whose information appears in the directory.
3. Data We Collect and Why
3.1 Information You Provide
| Data | Purpose |
|---|---|
| Email address and password | Account registration and authentication |
| Google account details (if using social login) | Authentication via Google OAuth |
| Payment information | Processed by Stripe — we do not store card details |
| Company profile data submitted via the startup form | Populating and updating your company profile in the directory |
| Contact email submitted via the startup form | Operational communications between platform and startup owner |
3.2 Information We Collect Automatically
| Data | Purpose |
|---|---|
| Publicly available company information (crawled from websites, LinkedIn, news sources) | Populating company profiles in the directory |
| Founder names and LinkedIn profile URLs (crawled from public sources) | Profile population and startup owner verification — suppressed from all users until verified |
| Crawled email addresses (primary and secondary, where publicly available) | Operational communications — visible to startup owner and admin only |
| Profile view counts, clicks and saves | Platform analytics and profile completeness intelligence |
| Session data and authentication tokens | Session management and security |
3.3 Information We Do Not Collect
- We do not collect special category personal data (health, ethnicity, religion, political views, etc.)
- We do not collect personal financial data about individuals
- We do not track personal browsing behaviour outside of this platform
- We do not use advertising cookies or third-party tracking pixels
4. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Crawling and publishing publicly available company and founder information | Legitimate interest (UK GDPR Article 6(1)(f)) — see our published Legitimate Interest Assessment |
| Processing account registration and login data | Contract performance (UK GDPR Article 6(1)(b)) |
| Processing payment data | Contract performance (UK GDPR Article 6(1)(b)) |
| Sending transactional emails (profile notifications, submission updates) | Legitimate interest (UK GDPR Article 6(1)(f)) |
| Platform analytics (profile views, session data) | Legitimate interest (UK GDPR Article 6(1)(f)) |
A full Legitimate Interest Assessment covering the crawling and publishing of founder personal data is available on request by emailing emine@novaria.ai.
5. How We Use Your Data
5.1 Platform Users (Registered and Paid Members)
- To create and manage your account
- To authenticate your login sessions
- To process your subscription payment via Stripe
- To provide access to the features and data tiers your subscription includes
- To improve the platform based on aggregated usage patterns
5.2 Startup Owners
- To verify your identity and assign startup owner status to your company profile
- To notify you of changes to your profile including approvals and rejections of submitted data
- To provide you with access to your startup owner dashboard
- To communicate platform updates relevant to your profile
5.3 Company Founders (Directory Subjects)
- Founder names and LinkedIn URLs are stored internally and suppressed from all user-facing views until the startup verifies their profile
- Crawled email addresses are stored internally and visible only to the verified startup owner and platform admin
- No personal data about founders is shown publicly without the startup having claimed and verified their profile
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, password hash) | For the duration of your account; deleted on account closure request |
| Payment records | 7 years (UK statutory accounting requirement) |
| Company profile data | For as long as the profile is active; deleted on removal request |
| Founder personal data (names, LinkedIn, email) | For as long as the company profile is active; anonymised on deletion |
| Analytics events (profile views, clicks) | 24 months rolling |
| Admin audit log entries | 24 months rolling |
| Session tokens | 72 hours from last activity |
When a company profile is deleted, all visible data is removed immediately. An anonymised internal record with no personal data is retained for aggregate analytics purposes only.
7. Who We Share Data With
We do not sell personal data. We do not share personal data with third parties for marketing purposes. The limited third-party sharing that does occur is as follows:
| Third Party | Purpose |
|---|---|
| Stripe | Payment processing — governed by Stripe's own Privacy Policy |
| Hosting provider (Railway / Vercel) | Infrastructure hosting — data processed under a data processing agreement |
| NewsAPI.org | News content retrieval — no personal data transmitted |
| Email delivery provider (Resend / Postmark) | Transactional email delivery — governed by their own Privacy Policy |
All third-party providers used by this platform are either UK/EU-based or operate under Standard Contractual Clauses ensuring equivalent data protection standards.
8. Cookies and Tracking
We use only the cookies necessary to operate the platform:
| Cookie Type | Purpose |
|---|---|
| Session cookie | Maintains your authenticated login session for 72 hours from last activity |
| CSRF token | Security — prevents cross-site request forgery attacks |
| Preference cookie | Remembers your filter and display preferences within a session |
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that share data with external services. See our Cookie Policy for further detail.
9. Your Rights Under UK GDPR
As a data subject under UK GDPR, you have the following rights:
| Right | How to Exercise It |
|---|---|
| Right to be informed (Article 13/14) | This Privacy Policy fulfils this right |
| Right of access (Article 15) | Email emine@novaria.ai — actioned within 30 days |
| Right to rectification (Article 16) | Edit your profile directly via the startup owner dashboard, or email us |
| Right to erasure (Article 17) | Delete your profile via self-service, or email us — all visible data removed immediately |
| Right to restrict processing (Article 18) | Email emine@novaria.ai — processing paused while request is assessed |
| Right to object (Article 21) | Email emine@novaria.ai — we will assess whether compelling legitimate grounds exist to continue |
| Right to data portability (Article 20) | Not applicable — processing is based on legitimate interest, not consent or contract |
| Right to lodge a complaint | You may lodge a complaint with the ICO at ico.org.uk — we would always appreciate the opportunity to resolve concerns directly first |
10. Data Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss or disclosure. These include:
- Encrypted data transmission (HTTPS/TLS) across all platform endpoints
- Password hashing using industry-standard algorithms
- Row-level security on the database ensuring each user can only access data their role permits
- Founder personal data suppressed from all user-facing views until startup verification is complete
- Access to admin functions restricted to authenticated admin accounts only
- Audit logging of all admin actions involving personal data
In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the ICO within 72 hours and affected data subjects without undue delay, in accordance with UK GDPR Article 33 and 34.
11. Children's Data
This platform is intended for business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at emine@novaria.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our processing activities or applicable law. When we make material changes, we will update the version number and date at the top of this document and, where appropriate, notify registered users by email.
We recommend reviewing this policy annually. Continued use of the platform following notification of changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns or requests relating to this Privacy Policy or the personal data we hold about you, please contact:
Novaria.ai
Email: emine@novaria.ai
Website: ecosystem.novaria.ai