Privacy Policy

1. Who we are

NovexDocs is a service operated by Novatrix Consulting LLC SPC, a company registered in the United Arab Emirates. When this policy uses "we," "us," or "our," it refers to Novatrix Consulting LLC SPC, the data controller for your personal information under the UAE Personal Data Protection Law (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR).

You can reach us at support@novexdocs.com for any privacy-related question.

2. What we collect

Account information

• Your email address (required to create an account)
• Your name, if you provide it
• A hashed version of your password — we never store it in plain text
• If you sign in with Google, your Google account ID and email

Content you upload

• The documents and images you upload (PDFs, photos of IDs, certificates, etc.)
• Metadata you add: titles, categories, descriptions, expiration dates, custom fields
• Data automatically extracted from your documents by our AI features

Payment information

• If you subscribe to a paid plan, payment is processed by Stripe. We receive only your subscription status, plan tier, and billing dates.
• We never see or store your card number, CVV, or full bank details.

Technical information

• Your IP address (used for security and to comply with abuse-prevention requirements)
• Browser type and operating system
• The pages you visit on NovexDocs and the actions you take
• Server-side error logs that may incidentally include your user ID

We do not use third-party analytics that build cross-site profiles. We do not embed Google Analytics, Meta Pixel, or similar trackers.

3. How we use your information

We use your data to:

• Provide the service you signed up for — storing your documents and letting you retrieve them
• Run AI features (OCR, field extraction, document classification) when you request them
• Send you expiration alerts for documents you've marked with an expiration date
• Process subscription payments through Stripe
• Send you essential account emails (verification, password reset, security alerts)
• Investigate abuse, fraud, or violations of our Terms of Service
• Comply with valid legal requests from government authorities

We do not use your documents to train AI models. We do not sell your data to advertisers or data brokers. We do not share your data for marketing purposes.

4. Who we share your data with

We share your data only with the service providers we need to operate NovexDocs. Each one is bound by a contract that requires them to protect your data and use it only for the purpose we hired them for.

Anthropic (AI processing)

When you use AI extraction features (analyzing a document to find fields), the document is sent to Anthropic's Claude API for processing. Anthropic processes the document, returns the result to us, and per their published policy does not retain or use your data for training. Their privacy policy is at anthropic.com/legal/privacy.

If you never use AI features, your documents are never sent to Anthropic.

Amazon Web Services (storage)

Your documents are stored in AWS S3 in the Singapore region (ap-southeast-1). AWS encrypts files at rest with AES-256 server-side encryption. AWS acts only as a storage provider and does not access the contents of your files.

Stripe (payments)

If you subscribe to a paid plan, payment is processed by Stripe, Inc. Stripe is PCI-DSS Level 1 certified. We provide Stripe with your email and subscription tier; Stripe handles all card data. Their privacy policy is at stripe.com/privacy.

Email delivery

We use a transactional email provider to send account verification emails, password reset links, and expiration alerts. The provider sees your email address and the contents of the email.

Legal compliance

We may disclose your data to law enforcement or regulatory authorities if we receive a valid legal order, subpoena, or equivalent demand under UAE law or applicable international law. We will resist overly broad requests where we believe we have legal grounds to do so.

5. Where your data lives

Your documents and account data are stored on servers located in Singapore. If you are accessing NovexDocs from the EU, UK, or another region with cross-border data transfer restrictions, your data is transferred to Singapore for processing. We rely on Standard Contractual Clauses or equivalent legal mechanisms where required.

6. Can our staff see my data?

We want to be straight with you about this: yes, authorized members of our team can access user data when necessary.

This is the reality of any standard SaaS architecture — including ours. Documents are encrypted at rest in S3, but the decryption keys are held by our systems, and authorized engineers can retrieve files when there is a legitimate reason to. We do not use zero-knowledge or end-to-end encryption. Anyone who claims their cloud service is "zero-knowledge" while also offering AI features that analyze your documents is misleading you.

When would staff access your data? Usually:

• To investigate a bug you've reported in your account
• To investigate suspected abuse, fraud, or terms-of-service violations
• To respond to a valid legal request

Routine staff access is logged. If we make a material change to who can access user data, we will update this policy.

7. How we protect your data

• In transit: All connections to NovexDocs use HTTPS with TLS 1.2 or higher.
• At rest: Documents in S3 are encrypted with AES-256. The database is encrypted at rest.
• Passwords: Stored as bcrypt hashes with cost factor 10. We never store plain-text passwords.
• Access controls: Production servers are accessed only by authorized engineers using SSH key authentication.
• Monitoring: Failed login attempts are rate-limited. Suspicious activity may trigger account suspension pending review.

For more detail, see our Security page.

8. How long we keep your data

• While your account is active: We keep your data as long as you continue to use the service.
• After you delete your account: We delete your documents and personal data within 30 days. Some metadata may persist in encrypted backups for up to 90 days before being overwritten.
• Inactive free accounts: If a free account has no activity for 24 months, we will email you a warning. If you do not respond within 30 days, the account and its data may be deleted.
• Billing records: Stripe retains payment records for the period required by their compliance obligations, independent of our retention.
• Legal records: We may retain certain records longer when required by law (e.g., tax or anti-money-laundering rules).

9. Your rights

Depending on where you live, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your data (you can do this yourself from your account settings, or by emailing us)
• Export a copy of your data in a portable format
• Object to certain types of processing
• Withdraw consent for processing where consent is the legal basis
• Lodge a complaint with a data protection authority

To exercise any of these rights, email support@novexdocs.com. We will respond within 30 days.

10. Children

NovexDocs is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it.

11. Cookies

We use a small number of essential cookies to keep you signed in and remember your language preference. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. Because we use only essential cookies, no cookie banner is required under most jurisdictions, but we mention them here for transparency.

12. Changes to this policy

If we make material changes to this policy, we will email you and post a notice on the service before the changes take effect. The "Last updated" date at the top will always reflect the most recent revision.

13. Contact us

Questions, requests, or complaints about this policy:

• Email: support@novexdocs.com
• Entity: Novatrix Consulting LLC SPC, United Arab Emirates