NEW: Scalable sustainability data collection and reporting for supply chains. Learn More
Effective Date: April 9, 2026
1. Introduction
This Privacy Notice (“Notice”) describes how Novata, Inc. and its affiliated entities (“Novata,” “we,” “our,” or “us”) collects, processes, uses, and discloses personal information obtained through your use of our website (the “Site”), which is available at www.novata.com, as well as our subscription service (the “Subscription Service”) made available to you through the Site (collectively, the “Services”).
This Privacy Notice applies to Novata, Inc. and its affiliated entities worldwide (collectively, “Novata”). Novata, Inc. acts as the primary controller for the processing of personal information described in this Notice. Where required under applicable data protection laws, Novata’s affiliated entities may also act as independent or joint controllers with respect to certain processing activities conducted in their local jurisdictions. For example, Atlas Metrics GmbH, a Novata affiliate established in Germany, may act as a local controller for users accessing Atlas-branded websites or services in the European Economic Area.
2. Our Role: as Controller and Processor
Depending on the context and the nature of the processing, Novata may act either as a data controller or as a data processor under applicable data protection laws. When Novata processes personal information for its own business and operational purposes such as operating and securing the Services, managing customer relationships, marketing, analytics, product development, and compliance with legal obligations Novata acts as a data controller and determines the purposes and means of that processing. By contrast, when customers use the Subscription Service to collect, manage, analyze, or report data, Novata processes personal information solely on behalf of and under the instructions of its customers, who act as the data controllers for that data. In those circumstances, Novata acts as a data processor and processes personal information only as necessary to provide and support the Subscription Service and as required by applicable law.
3. Information We Collect
If you create an account with the Subscription Service (a “User”), we may collect personal information from you directly related to creating your account and offering you our Subscription Service. The categories of information we may collect from you include:
3.1 Personal information Provided by Users or Through the Site
We may also collect information about potential Users (names and email addresses) provided by other Users as part of our referral sign-up process.
Other personal information collected through the Site.
If you visit our Site, you may navigate the Site without submitting any personal information. However, if you use certain features on the Site we will collect any personal information that you provide through those features. Additionally, if you reply to one of our “call to action” submissions or download a demo of our product, we will collect your personal information in relation to those features, including your name and email address.
Server logs.
Server logs automatically record information and details about your online interactions with us. For example, server logs may record information about your visit to our Site or use our Subscription Service on a particular time and date and collect information such as your device ID or IP address.
Cookies.
We use cookies on the Site. Cookies are small files that are temporarily stored on your mobile device through the Site. A cookie allows the Site to recognize whether you have visited before and may store user preferences and other information. For example, cookies can be used to collect or store information about your use of the Site during your current session and over time (including the pages you view and the files you download), your device’s operating system, your device ID, IP address, and your general geographic location. To learn more about how we use cookies, please review our Cookie Policy.
Pixel tags.
A pixel tag (also known as a web beacon, clear GIF, pixel, or tag) is an image or a small string of code that may be placed in an advertisement or email. It allows companies to set or read cookies or transfer information to their servers when you load a webpage or interact with online content. For example, we or our service providers may use pixel tags to determine whether you have interacted with a specific part of our Services, viewed a particular advertisement, or opened a specific email.
SDKs and mobile advertising IDs.
Our Site may include third-party software development kits (“SDKs”) that allow us and our service providers to collect information about your activity. In addition, some mobile devices come with a resettable advertising ID (such as Apple’s IDFA and Google’s Advertising ID) that, like cookies and pixel tags, allow us and our service providers to identify your mobile device over time for advertising purposes.
Third-party plugins.
Our Site may include plugins from other companies, including social media companies (e.g., LinkedIn). These plugins may collect information, such as information about the pages you visit, and share it with the company that created the plugin even if you do not click on the plugin. These third-party plugins are governed by the privacy policies and terms of the companies that created them.
Third-party online tracking.
We may partner with certain third parties to collect, analyze, and use some of the personal and other information described in this Notice. For example, we may allow third parties to set pixels through the Site. This information may be used for a variety of purposes, including analytics and interest-based advertising, as discussed below.
Aggregated or de-identified information.
We may share aggregated or de-identified information about customers of the Subscription Service, such as by publishing a report on trends in the usage of the Subscription Service. Such aggregated or de-identified information will not identify you personally.
3.2 Information We Process When You Use the Subscription Service
Usage Data
We collect usage data when you interact with the Subscription Service. Usage data includes metrics and information regarding your use and interaction with the Subscription Service such as what product features you use the most and server log information.
Mobile
When you use, access, or interact with the Subscription Service via our mobile applications, we automatically collect information such as your device model and version, operating system, or device identifiers.
4 How We Use Personal Information and Legal Bases (where applicable)
We process your personal information for specific purposes, and each purpose has a corresponding lawful basis under applicable data protection laws. Below is a list of the purposes of processing and their respective lawful bases:
| Purpose of Processing | Lawful Basis for Processing |
| Provide you with our Subscription Service | Performance of a Contract |
| Respond to your questions or requests concerning the Subscription Service | Legitimate Interests |
| Fulfill the terms of any agreement you have with us | Performance of a Contract |
| Fulfill your requests for our Subscription Service or otherwise complete a transaction that you initiate | Performance of a Contract |
| Send you information about our Subscription Service and other topics that are likely to be of interest to you, including newsletters, updates, or other communications, including promotional emails and surveys | Legitimate Interests or Consent |
| Improve our artificial intelligence and machine learning for accuracy and service reliability | Legitimate Interests |
| Deliver confirmations, account information, notifications, and similar transactional or operational communications | Performance of a Contract |
| Improve your user experience and the quality of our products and Subscription Service | Legitimate Interests |
| Comply with legal and/or regulatory requirements | Legal Obligation |
| Aggregate and deidentified information | Legitimate Interests |
| Benchmark results for our customers | Legitimate Interests |
| Serve our own advertisements | Legitimate Interests or Consent |
| Analyze how visitors use the Services and various features, including to count and recognize visitors to the Site and for security and fraud prevention purposes | Legitimate Interests or Legal Obligation |
| Create new products and Services | Legitimate Interests |
| Manage our business | Legitimate Interests |
5. Processor Activities
The Subscription Service allows our customers to collect, analyze, benchmark, and report relevant ESG data. When customers use our product, they may collect personal information such as first and last name, email address, or usage data about a user.
We do not control the types of personal information our customers may choose to collect or manage using the Subscription Service. We store our customers’ information on our service providers’ servers but process it as a processor under our customers’ instructions and in accordance with our Terms and Conditions, which prohibit us from using the information except as necessary to provide and improve the Subscription Service and as required by law.
Our customers control and are responsible for correcting, deleting, or updating the information they process using the Subscription Service and for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring the personal information to us for processing purposes.
6. Sharing and Disclosure of Personal Information
We may share your information with third parties for a variety of purposes, as described below. You may review Novata’s third party subprocessors list on our website.
Referring third parties.
If you were referred to Novata by another user who has requested access to data about your Company (a “Referring Third Party”), the information you input about your Company through the platform may be shared with the Referring Third Party.
Third-party service providers.
Novata uses third-party service providers that perform services on our behalf, including web-hosting companies, and mailing vendors. These service providers may collect and/or use your information, including information that identifies you personally, to assist us in achieving the purposes discussed above.
We may also share your information with third parties when necessary to fulfill your requests for Services; to complete a transaction that you initiate; to meet the terms of any agreement that you have with us or our partners; or to manage our business.
Analytics.
We partner with certain third parties to obtain the automatically collected information discussed above and to engage in analysis, auditing, research, and reporting. These third parties may use pixels or server logs, and they may set and/or access device IDs and IP addresses from your device. In particular, the Site uses Google Analytics to help collect and analyze certain information for the purposes discussed above. You may opt out of the use of cookies by Google Analytics here.
Interest-based advertising.
The Site enables third-party tracking mechanisms to collect information about you and your computing devices for use in online interest-based advertising. For example, third parties, such as Facebook, may use the fact that you visited our Site to target online ads to you about our Services. In addition, our third-party advertising networks might use information about your use of our Site to help target advertisements based on your mobile activity in general. For information about interest-based advertising practices, including privacy and confidentiality, please visit the Network Advertising Initiative website or the Digital Advertising Alliance website.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Notice. If you prefer to prevent third parties from setting and accessing cookies on your computer or other device, you may set your browser to block cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance by opting out here. Although our Site currently does not respond to “do not track” browser headers, you can limit tracking through these third-party programs and by taking the other steps discussed above.
You may also opt-out of interest-based advertising by adjusting the advertising preferences on your mobile device (for example, in iOS, visit Settings > Privacy > Advertising > Limit Ad Tracking, and in Android, visit Settings > Google > Ads > Opt out of interest-based ads). Additionally, you may opt out for companies that participate in the Digital Advertising Alliance’s AppChoices tool by downloading it here and following the instructions in the app.
Legal purposes.
We may use or share your information with third parties when we believe, in our sole discretion, that doing so is necessary:
6.1 Disclosure of Business Identity Information
As part of our Subscription Services, we may disclose your company name and logo to other customers who have a Subscription Service with us. This is done to enable customer directories, shared workflows, or functionality designed to promote connectivity and collaboration between Novata customers using our services.
We do not disclose confidential business information or any personal data as part of this feature, unless expressly authorized by You or required by law.
This processing is carried out on the basis of our legitimate interests in maintaining a functional and transparent platform for our Users, and we ensure that such disclosures are limited to what is necessary and proportionate.
6.2 Engage with our customers
As part of our legitimate interest to improve your user experience and the quality of our products and Subscription Service, we may share your personal information with other customers who have an existing relationship with your organisation. For example, if you are already a Subscription Service User, we may confirm this to another customer associated with your organisation and facilitate your access to an additional Subscription Service under that relationship.
7. International Users
The information that we collect through or in connection with the Services is transferred to and processed in the United States for the purposes described above. We may also subcontract the processing of your data to, or otherwise share your data with, affiliates or third parties in countries other than your country of residence. The data-protection laws in these countries may be different from, and less stringent than, those in your country of residence. However, we comply with all applicable laws regarding international data transfers.
Where we transfer your personal information to countries that do not have an adequacy decision by the European Commission, we use the Standard Contractual Clauses (“SCCs”) approved by the European Commission. These SCCs are further supplemented by the International Data Transfer Addendum (“Addendum”) to ensure compliance with the UK GDPR and provide additional protection for your data. The Addendum requires both Novata and the data importer to implement additional safeguards and uphold data subjects’ rights.
You may view a current list of Novata’s third party subprocessors on our website.
8. Data Retention
We retain personal information about you necessary to fulfill the purpose for which that information was collected or as required or permitted by law. We do not retain personal information longer than is necessary for us to achieve the purposes for which we collected it. When we destroy your personal information, we do so in a way that prevents that information from being restored or reconstructed.
9. Data Security
We employ physical, technical, and administrative procedures to safeguard the personal information we collect both online and offline. However, no website or platform is 100% secure, and we cannot ensure or warrant the security of any information you transmit to the Services or to us, and you transmit such information at your own risk to the fullest extent permitted by applicable law.
If you would like more information about Novata’s data security practices, visit Novata’s Trust Center.
10. Your Privacy Rights
If you wish to opt-out of marketing emails you receive from us, you may do so by following the instructions in those emails or by contacting us at privacy@novata.com.
Depending on your location and applicable law, you may have the following rights:
We will respond to a request as soon as reasonably possible and within the timeframe required under applicable law.
10.1 Fees and Excessive Requests
We do not ordinarily charge a fee for responding to privacy rights requests.
However, where permitted under applicable law, we may charge a reasonable administrative fee, or decline to act on a request, if the request is manifestly unfounded, excessive, or repetitive. In such cases, we will inform you of the reasons for our decision and any applicable fee before proceeding.
For individuals in Singapore, we may charge a reasonable administrative fee for access requests as permitted under the Personal Data Protection Act. If a fee applies, we will inform you of the amount and obtain your agreement before processing your request.
11. Children
Content on the Services is not directed at children under the age of 18. We do not knowingly collect personal information from children under the age of 18. In the event that we discover personal information from a child under the age of 18 has been collected, we will promptly take all reasonable measures to delete that information from our systems.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at privacy@novata.com, and we will work diligently to remove such information
12. Regional Disclosures
12.1 European Economic Area and United Kingdom
If you believe that our processing of your personal information does not comply with the General Data Protection Regulation (“GDPR”), UK GDPR, or the Personal Data Protection Act (“PDPA”), you have the right to lodge a complaint with a supervisory authority.
Supervising Authority in the UK
Information Commissioner’s Office (ICO)
Website: ico.org.uk
Phone: +44 303 123 1113
Email: casework@ico.org.uk
Postal Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Supervising Authority in the EU
Please refer to the relevant supervisory authority in your EU member state. A list of supervisory authorities can be found here.
Data Protection Point of Contact
Novata, Inc., together with its group companies has a named Data Protection Point of Contact which is Katy Jamieson, Senior Corporate Counsel. Data subjects may contact our Data Protection Point of Contact at: privacy@novata.com with any questions, concerns, or requests relating to this Privacy Notice or Novata’s processing of personal information
EU Representative
Where required under Article 27 of the General Data Protection Regulation (“GDPR”), Novata, Inc. has appointed Atlas Metrics GmbH, as its representative in the European Union. Atlas Metrics GmbH can be contacted c/o Noerr PartG mbB, CharlottenstraBe 57, 10117 Berlin, Germany and privacy@novata.com. The EU representative acts as Novata’s point of contact for data subjects and supervisory authorities in the European Union in relation to the processing of personal data under this Privacy Notice. The EU representative may be contacted at privacy@novata.com, which is monitored for global data protection inquiries.
UK Representative
Where required under Article 27 of the United Kingdom General Data Protection Regulation (“UK GDPR”), Novata, Inc. has appointed Novata UK Ltd, as its representative in the United Kingdom. Novata UK Ltd can be contacted at Copthall House 14-18 Copthall Avenue, 5th Floor, London, England, EC2R 7DJ and privacy@novata.com. The UK representative acts as Novata’s point of contact for data subjects and the UK Information Commissioner’s Office (“ICO”) in relation to the processing of personal data under this Privacy Notice.
These appointments apply where Novata is subject to the GDPR or UK GDPR in relation to its processing activities.
12.2 U.S. Residents
This section applies to residents of U.S. states with applicable privacy laws, including California, Colorado, Connecticut, Utah, and Virginia.
Sale and Sharing of Personal Information: Certain U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”), define “sale” as the disclosure of personal information to a third party for monetary or other valuable consideration, and “sharing” as the disclosure of personal information for cross-context behavioral advertising.
Novata does not sell personal information in exchange for monetary consideration. However, we may share certain identifiers and online activity information (such as IP address, device identifiers, and interactions with our Site) with analytics and advertising partners in a manner that may be considered “sharing” under California law.
You have the right to opt out of the sale or sharing of your personal information. You may exercise this right by contacting us at privacy@novata.com or by using any available cookie preference tools provided on our Site.
Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under applicable law. We do not use sensitive personal information to infer characteristics about individuals.
If we process sensitive personal information as defined under applicable law, we do so only for limited and permitted purposes, including providing and securing our Services, complying with legal obligations, and maintaining the integrity of our systems.
Retention of Personal Information: We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Privacy Notice, including:
The duration of our contractual relationship with you or your organization;
Retention periods may vary depending on the nature of the information and the context in which it was collected.
Your Rights Under U.S. State Privacy Laws: Depending on your state of residence, you may have the right to:
To exercise your rights, please contact us at privacy@novata.com. We may take reasonable steps to verify your identity before fulfilling your request.
Authorized Agents: You may designate an authorized agent to submit a request on your behalf where permitted by law. We may require proof of written authorization from you and may require you to verify your identity directly with us.
Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights under applicable law. This means we will not deny you services, charge you different prices, or provide a different level or quality of services solely because you exercised your rights.
12.3 Singapore
This section applies to individuals whose personal data is subject to the Singapore Personal Data Protection Act (“PDPA”).
Supervising Authority in Singapore
Personal Data Protection Commissioner (PDPC)
Website: pdpc.gov.sg
Phone: +65 6325 5100
Email: pdpc@pdpc.gov.sg
Postal Address: Personal Data Protection Commission, 10 Anson Road, 05-01, Singapore 079903
Purpose Limitation: Novata collects, uses, and discloses personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to you in this Privacy Notice or otherwise at the time of collection. We do not collect, use, or disclose personal data for purposes other than those for which consent has been obtained, unless permitted or required by applicable law.
Consent and Deemed Consent: Where required under the PDPA, we obtain your consent before collecting, using, or disclosing your personal data. Consent may be deemed under applicable law where you voluntarily provide personal data for a notified purpose and it is reasonable that you would do so.
You may withdraw your consent at any time by contacting us at privacy@novata.com. Upon receiving a request to withdraw consent, we will inform you of the likely consequences of withdrawal and will cease processing your personal data unless otherwise permitted or required by law.
Overseas Transfers: Where we transfer personal data outside of Singapore, we take appropriate steps to ensure that the recipient provides a standard of protection that is comparable to that under the PDPA. Such measures may include contractual safeguards and other legally recognized mechanisms.
Retention Limitation: We cease to retain personal data, or remove the means by which the data can be associated with particular individuals, as soon as it is reasonable to assume that:
(a) the purpose for which the personal data was collected is no longer being served by retention; and
(b) retention is no longer necessary for legal or business purposes.
Access and Correction: You may request access to personal data that we hold about you and information about how it has been used or disclosed within the past year, subject to applicable exceptions under the PDPA. You may also request correction of inaccuracies in your personal data.
13. External Links
The Site may contain links to third-party websites. If you use these links, you will leave the Site. We have not reviewed these third-party sites and do not control and are not responsible for any of these sites, their content, or their privacy policy. Thus, we do not endorse or make any representations about them, or any information, software, or other products or materials found there, or any results that may be obtained from using them. If you decide to access any of the third-party sites listed on our website, you do so at your own risk.
14. How to Contact Us
Novata, Inc.
54 W 21st Street
Suite 1201
New York, NY 10010
15. Changes to this Notice
We may make changes to the Services in the future and as a consequence may need to revise this Notice to reflect those changes. We will post all such changes here, so you should review this page periodically.