Privacy Policy

Thank you for visiting our website and also for your interest in our services. Obviously, the security of your data is important to us. The Novalnet website can be used without providing any personal data. However, if a concerned person wishes to avail the special services of our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the explicit consent of the data subject. The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always carried out in accordance with the Basic Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to Novalnet. By means of this data protection declaration, our company would like to inform the public about the type, scope and purpose of the collection, processing and use of the personal data by us. Furthermore, data subjects will be informed of their rights by means of this data protection declaration. Novalnet, as the agency responsible for processing, has implemented numerous technical and organisational measures to ensure that the personal data processed via this website is protected as completely as possible. Nevertheless, Internet-based data transmissions can have security gaps, so that absolute protection cannot be guaranteed. For this reason, every person concerned is free to transmit personal data to us by alternative means, for example by telephone or post.

Definitions

The data protection declaration of Novalnet is based on the terms used by the European guideline and regulation provider when the basic data protection regulation (DS-GVO) was issued. Our data privacy statement is tailored to read easily and understand both for the general public, our customers and also our business partners. To ensure this, we would like to explain the terms used in advance. We use the following terms, among others, in this data protection declaration:

Personal data

Personal data are all information relating to an identified or identifiable natural person (hereinafter “data subject”). Identifiable natural person is one who can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Affected person

Data subject is any identified or identifiable natural person whose personal data are processed by the data controller.

Processing

Limitation of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling

Profiling is any form of automated processing of personal data which consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.

Third party

A third party is a natural or legal person, authority, institution or other body other than the data subject, the data controller, the data processor and the persons authorised to process the personal data under the direct responsibility of the data controller or the data processor.

Consent

Consent shall mean any informed and unequivocal expression of will voluntarily given by the data subject for the particular case in the form of a declaration or other clear affirmative act by which the data subject indicates his or her consent to the processing of personal data concerning him or her.

Name and address of the data controller

The person responsible within the meaning of the Basic Data Protection Regulation, other data protection laws in force in the Member States of the European Union and other provisions of a data protection nature is:

Novalnet
Gutenbergstraße 7
85748 Garching near Munich
Germany
Tel.: +49 (0)89 – 9230683-20
E-Mail:info@novalnet.de
Website: www.novalnet.com

Name and address of the data protection officer

The data protection officer of the controller is:

Mr. Falko Gülberg
Novalnet
Gutenbergstraße 7
85748 Garching near Munich
Germany
Tel.: +49 (0)89 – 9230683-20
E-Mail: datenschutz@novalnet.de
Website: www.novalnet.com

Any person concerned can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

Cookies

The Novalnet website uses cookies. Cookies are text files which are stored on a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the person concerned from other Internet browsers that contain other cookies. A particular Internet browser can be recognized and identified by its unique cookie ID.

The use of cookies enables Novalnet to provide users of this website with more user-friendly services that would not be possible without cookies.

By means of a cookie, the information and offers on our website can be optimized for the user. Cookies enable us, as already mentioned, to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to re-enter his access data each time he visits the website because this is taken over by the website and the cookie stored on the user’s computer system. Another example is the cookie of a shopping basket in the online shop. The online shop remembers the items that a customer has placed in the virtual shopping basket via a cookie.

The person concerned can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, not all functions of our Internet site may be fully usable.

Collection of general data and information

The Novalnet website collects a series of general data and information each time a person or an automated system access the website. This general data and information is stored in the log files of the server. It is possible to record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to the Website, (6) an Internet Protocol address (IP address), (7) the Internet service providers of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information Novalnet does not draw any conclusions about the person concerned. Rather, this information is required to (1) correctly deliver the contents of our website, (2) optimize the contents of our website and the advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. These anonymously collected data and information are therefore evaluated by Novalnet both statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.

Registration in the contract portal of Novalnet

The data subject has the option of registering in the contract portal of the data controller, providing personal data. The personal data transferred to the data controller is determined by the respective input mask used for registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the data controller and for the data subject’s own purposes. The data controller may arrange for the data to be transferred to one or more processors, who shall also use the personal data exclusively for internal use attributable to the data controller.

Furthermore, the IP address assigned by the internet service provider (ISP) to the data subject, the date and time of registration are stored during registration in the contract portal of the data controller. This data is stored against the background that this is the only way to prevent misuse of our services and, if necessary, to enable us in investigating criminal offences committed. In this respect, the storage of this data is necessary to protect the data controller. This data will not be passed on to third parties unless required to do so by law or for the purpose of criminal prosecution.

Registration of the data subject with the voluntary provision of personal data serves the data controller to offer the data subject content or services which, by their nature, can only be offered to registered users. Registered persons are free to modify the personal data provided during registration at any time or to have them completely deleted from the database of the data controller.

The data controller shall at all times, upon request, inform each data subject of the personal data relating to that data subject. Furthermore, the data controller shall correct or delete personal data at the request or notice of the data subject, provided that there is no legal obligation to keep such data in safekeeping. All the employees of the data controller are available to the data subject as contact persons in this context.

Contact possibility via website

Due to legal regulations, Novalnet’s website contains information that enables rapid electronic contact with our company and direct communication with us, which also includes a general address for so-called electronic mail (e-mail address). If a data subject contacts the data controller via e-mail or a contact-form, the personal data transmitted by the data subject will be stored automatically. Such personal data voluntarily provided by a data subject to the data controller will be stored for the purpose of processing or contacting the data subject. This personal data is not passed on to third parties.

Comment functionality in blog via website

Novalnet offers users the opportunity to leave individual comments on individual blog posts on a blog located on the website of the data controller. A blog is a portal on a website, usually open to the public, in which one or more people who are called bloggers or web bloggers can post articles or write down thoughts in the so-called blog posts. The blog posts can usually be commented by third parties.

If a person leaves a comment in the blog published on the website, not only the comments left by the person concerned but also details of the time of entering the comment and the user name (pseudonym) chosen by the person concerned are stored and published. Furthermore, the IP address assigned to the person concerned by the Internet service provider (ISP) is logged. This IP address is stored for security reasons and in the event that the person concerned violates the rights of third parties or posts illegal content by submitting a comment. The storage of this personal data is therefore in the personal interest of the data controller, so that he or she can exculpate himself or herself in the event of a violation of the law. The personal data collected will not be disclosed to third parties, unless such disclosure is required by law or serves as legal defence of the data controller.

Routine deletion and blocking of recorded personal data

The data controller shall process and store the personal data of the data subject only for the time necessary to achieve the data retention purpose or to the extent provided for by the European regulator or other legislator in laws or regulations to which the data controller is subject.

If the storage purpose ceases to apply or if a storage period prescribed by the European Directive and Regulator or another competent legislator expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions.

Rights of data subject

Every data subject has the right of access to Novalnet pursuant to Article 15 DS-GVO, the right to correction pursuant to Article 16 DS-GVO, the right to cancellation pursuant to Article 17 DS-GVO and the right to limitation of processing pursuant to Article 18 DS-GVO. In addition, the supervisory authority responsible for Novalnet, the Bavarian State Office for Data Protection Supervision, may be contacted. Consents may be revoked at any time vis-à-vis the contracting party concerned.

According to Art. 21 para. 1 DS-GVO, data processing may be objected to for reasons arising from the specific situation of the data subject. The objection can be made form-free and is to be addressed to Novalnet, Gutenbergstraße 7, 85748 Garching near Munich.

Data protection for applications and for application procedure

The data controller collects and processes the personal data of applicants for the purpose of processing the application procedure. Processing may also be carried out electronically. This is particularly the case if an applicant sends corresponding application documents to the data controller by electronic means, for example by e-mail or via a web form on the website. If the data controller concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the data controller does not conclude an employment contract with the applicant, the application documents shall be automatically deleted immediately after notification of the decision of refusal, provided that no other legitimate interests of the data controller stand in the way of deletion. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Facebook use and usage privacy policy

The data controller has integrated components of Facebook on this website. Facebook is a social network.

A social network is an Internet-based social meeting place, an online community that usually enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for the exchange of opinions and experiences or enables the Internet community to provide personal or company-related information. Facebook enables social network users to create private profiles, upload photos and network via friendship requests, among other things.

Facebook Inc. 1 Hacker Way, Menlo Park, CA 94025, USA is the operating company of Facebook. The person responsible for the processing of personal data if a data subject lives outside the USA or Canada is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Each time one of the individual pages of this website is accessed, which is operated by the data controller and on which a Facebook component (Facebook plug-in) has been integrated, the Internet browser on the information technology system of the person concerned is automatically prompted by the respective Facebook component to download a representation of the corresponding Facebook component. An overview of all Facebook plugins can be found at https://developers.facebook.com/docs/plugins/?locale=en_EN. As part of this technical process, Facebook is informed about which specific subpage of our website is visited by the person concerned.

If the person concerned is logged on to Facebook at the same time, Facebook recognizes which specific subpage of our website the person concerned visits with each visit to our website including the entire duration of the respective stay on our website. This information is collected by the Facebook component and assigned by Facebook to the respective Facebook account of the person concerned. If the person concerned clicks one of the Facebook buttons integrated on our website, for example the “Like Me” button, or the person concerned makes a comment, Facebook assigns this information to the personal Facebook user account of the person concerned and stores this personal data.

Facebook receives information via the Facebook component that the person concerned has visited our website whenever the person concerned is logged on to Facebook at the same time as accessing our website; this happens regardless of whether the person concerned clicks on the Facebook component or not. If the person concerned does not want this information to be transmitted to Facebook, they can prevent it from being transmitted by logging out of their Facebook account before calling up our website.

The data policies published by Facebook, which are available at https://de-de.facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. It also explains what setting options Facebook offers to protect the privacy of the person concerned. In addition, various applications are available that make it possible to block data transmission to Facebook and such applications can be used by the person concerned to block data transmission to Facebook.

Use of Google Analytics (Universal Analytics & GA4)

We use Google Analytics, including Universal Analytics (UA) and Google Analytics 4 (GA4), services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. These tools help us analyze user interactions with our website and continuously improve user experience and website performance.

Purpose of Processing

Google Analytics enables us to understand how visitors interact with our website by collecting anonymized usage data and statistics. This includes insights into page views, navigation paths, time spent on pages, user engagement, and more. The collected data is used exclusively for website optimization, performance monitoring, and audience analysis.

Data Processing and Sharing

Depending on the version (UA or GA4), the following types of data may be processed:

• IP address (anonymized)
• Browser and device information
• Operating system, screen resolution
• Referrer URL and click paths
• Session duration and user interactions (e.g., clicks, scrolls)
• Location (approximate, based on IP geolocation)
• Event and conversion data (GA4 only)

Google may process this data as our data processor under a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR. However, when using GA4, certain data processing may fall under joint controllership as defined in Google’s Controller-Controller Data Protection Terms.

Data may be transferred to Google LLC in the United States. These transfers are secured using Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR.

Google does not use this data for advertising unless you have explicitly consented to such use.

Data Protection

We have configured Google Analytics in a privacy-conscious manner:

• IP anonymization (ga(‘set’, ‘anonymizeIp’, true))
• Automatic data retention limits (e.g., 14 months)
• No personal data stored in cookies or events
• Disabled sharing with Google products and services (unless consented)

Google implements robust technical and organizational security measures (e.g., encryption, data minimization, ISO 27001 compliance).

Data Storage

The retention period for data in Google Analytics depends on the settings we have defined:

• For UA: Data is retained for a maximum of 14 months
• For GA4: Event-level data is retained for a maximum of 14 months, with options to customize shorter periods
No personally identifiable data is stored on our servers through Google Analytics.

You can manage or withdraw your consent at any time via our cookie preferences tool.

Further details on Google’s data practices are available at: https://policies.google.com/privacy

Use of Global Site Tag (gtag.js)

We use the Global Site Tag (gtag.js), a JavaScript tagging framework provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This technology enables the integration and configuration of various Google services on our website, such as Google Analytics, Google Ads, and conversion tracking.

Purpose of Processing

The Global Site Tag (gtag.js) facilitates the centralized management of tracking functions and events on our website. It allows us to:
• Measure website traffic and user interactions
• Track conversions and evaluate ad campaign effectiveness
• Customize and optimize online advertising
• Set configuration settings for multiple Google services in one script
Depending on the services configured, the tag may activate other data-processing services (e.g., Google Analytics, Google Ads). Separate information is provided for each respective service within this Privacy Policy.

Data Processing and Sharing

By integrating gtag.js, the following data may be collected and transmitted to Google:

• IP address (shortened in the EU/EEA)
• Browser type and version
• Device type and operating system
• Referrer URL and click path
• Date and time of access
• Website usage behavior and interaction data
• Google advertising identifiers (if ads services are used)

Google processes this data on our behalf and may use it for its own purposes when permitted (e.g., if consent is given for personalized advertising). For services linked to gtag.js, such as

Google Analytics or Google Ads, Google may act as a joint controller under certain conditions.

Data may be transferred to Google LLC, based in the United States. Such transfers are protected using Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

For more information, please see Google’s Privacy Policy: https://policies.google.com/privacy

Data Protection

Google applies robust technical and organizational security measures to protect user data, including:

• TLS/SSL encryption
• Anonymization of IP addresses (for analytics)
• Strict access controls and audit logs
• Certifications under ISO 27001 and other compliance standards

We also configure the tag settings to respect privacy-friendly defaults, such as disabling data sharing unless explicitly consented to.

Data Storage

Data collected through gtag.js (via linked services) is stored:

• By Google Analytics: up to 14 months (customizable)
• By Google Ads: retention depends on user interaction and account configuration
• By Novalnet: only aggregated and anonymized usage statistics

The specific duration depends on the Google service connected through the tag. Personal data will be retained only as long as necessary for the specified purposes.

You can adjust your cookie preferences at any time via our website’s cookie settings.

Use of Microsoft Clarity

We use Microsoft Clarity, a behavioral analytics tool provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA, to better understand how visitors interact with our website.

Purpose of Processing

Clarity helps us improve the usability, accessibility, and performance of our website by collecting aggregated data about user behavior, such as:

• Mouse movements and clicks
• Scrolling behavior
• Page transitions
• Technical diagnostics (e.g., device type, screen size, browser)

This allows us to identify areas for improvement and enhance user experience.

Data Processing and Sharing

Clarity collects and transmits the following types of data:

• IP address (anonymized in the EU/EEA)
• Pages visited, clicks, scroll depth, and interactions
• Browser, device, screen resolution, OS
• Referrer URL and session duration

Clarity does not record keystrokes or capture any personal form field input (e.g., passwords, names, payment info). Sensitive content is automatically masked.

Microsoft acts as a data processor under a Data Processing Agreement (DPA). Data may be transferred to and stored in Microsoft Azure servers, some of which may be located in the USA.

Microsoft uses Standard Contractual Clauses (SCCs) to safeguard international data transfers under Art. 46 GDPR.

No data is shared with third parties for marketing or profiling.

Data Protection

Microsoft Clarity implements industry-standard security measures, including:

• Data anonymization and masking
• TLS encryption for data in transit
• ISO/IEC 27001, SOC 2, and other compliance frameworks
• Segregated environments to isolate customer data

Clarity is GDPR-compliant and designed to prevent misuse or unauthorized access to data.

Data Storage

• Clarity retains data for a maximum of 13 months
• Data is stored securely in Microsoft Azure data centers
• Session data is aggregated and does not contain personally identifiable information

Further details are available in Microsoft’s privacy documents: https://privacy.microsoft.com/en-us/privacystatement

For more information about Microsoft Clarity’s privacy practices, visit:

https://privacy.microsoft.com/

https://clarity.microsoft.com/

Use of CookieYes GDPR Consent Plugin

We use the CookieYes GDPR Consent Plugin, a service provided by CookieYes Limited, based in 3 Warren Yard, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom, to manage and document user consent for the use of cookies and trackers on our website.

Purpose of Processing

The CookieYes plugin helps us obtain, store, and manage consent in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws. It ensures that non-essential cookies (e.g., for analytics or marketing) are only set with your prior, informed consent.

This tool enables:

• Display of a cookie consent banner
• Categorization of cookies (e.g., necessary, analytics, marketing)
• Storage of user choices (accept, reject, customize)
• Logging of consent for audit purposes

Data Processing and Sharing

When you interact with our cookie banner, the following data is processed:

• IP address (anonymized)
• Consent preferences (accepted, rejected, customized)
• Date and time of consent
• Browser and device information
• A unique, anonymized identifier linked to your consent status

This data is stored locally in your browser using HTTP cookies and also optionally on CookieYes servers, depending on plugin configuration.

CookieYes does not use this data for its own purposes, nor is the data shared with any unauthorized third parties.

Data may be processed on servers in the United Kingdom or European Economic Area (EEA). If any data is transferred internationally, it is protected using appropriate safeguards, such as Standard Contractual Clauses in accordance with Art. 46 GDPR.

Data Protection

CookieYes is committed to secure data processing. Measures include:

• Secure HTTPS connections
• IP anonymization
• Restricted access to consent logs
• Compliance with UK and EU data protection regulations

We configure the plugin to operate with minimal data and to automatically block non-essential cookies until consent is granted.

Data Storage

Consent logs are stored for up to 12 months, unless local legal obligations require longer retention. The cookie storing your preferences typically expires after 1 year, but you can delete or modify it at any time via your browser or our cookie settings tool.

You can change or withdraw your consent at any time by clicking the “Cookie Settings” link in the footer of our website.

For further information, you may also review the CookieYes privacy policy: https://www.cookieyes.com/privacy-policy/

Use of LinkedIn Insight Tag

We use the LinkedIn Insight Tag, a tracking tool provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. This tool allows us to evaluate the effectiveness of our LinkedIn advertising campaigns and better understand visitor interactions on our website.

Purpose of Processing

The LinkedIn Insight Tag enables us to:

• Measure conversions from LinkedIn ads (e.g., form submissions, downloads)
• Analyze campaign performance and reach
• Optimize ad targeting based on user behavior and interests
• Build retargeting audiences for future advertising

Data Processing and Sharing

When the LinkedIn Insight Tag is triggered, it collects the following information:

• IP address (truncated in the EU/EEA)
• Device and browser characteristics
• Referrer URL
• Timestamp and page views
• LinkedIn member ID (if user is logged into LinkedIn)
• Event data (e.g., page visits, conversions)

The data is encrypted and pseudonymized. LinkedIn does not share personal data with us—only aggregated, anonymous reporting.

If you are a LinkedIn member, your usage data may be linked to your profile in accordance with LinkedIn’s privacy policy. Data may also be transferred to LinkedIn Corporation, USA, under the protection of Standard Contractual Clauses pursuant to Art. 46 GDPR.

LinkedIn acts as both a data processor and, in some cases, a joint controller, particularly where user profiling or ad personalization is involved. Novalnet and LinkedIn have entered into joint controllership arrangements where required.

For details, refer to:

https://www.linkedin.com/legal/l/dpa
https://www.linkedin.com/legal/l/cookie-table

Data Protection

LinkedIn applies strong security measures to protect personal data, including:

• IP anonymization
• Secure cookie encryption and storage
• ISO/IEC 27001 certification
• Access controls and logging

We configure the Insight Tag with privacy-first settings and disable personalized advertising unless you have provided prior consent.

Data Storage

Data collected through the LinkedIn Insight Tag is stored for a maximum of 180 days. After this period, the data is automatically deleted or anonymized.

If you have a LinkedIn account, LinkedIn may retain usage data longer based on your member settings and preferences.

You can manage or withdraw your consent through our cookie settings panel or via your LinkedIn account privacy settings: https://www.linkedin.com/psettings/

For more information, please review the LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Use of Zoho Services (CRM, Marketing, Analytics, and Productivity Tools)

Novalnet uses a suite of cloud-based business applications provided by Zoho Corporation to streamline our operations, manage customer interactions, support our marketing and analytics efforts, and ensure internal project delivery. These services include:

• Zoho CRM Plus
• Zoho CRM
• Zoho Social
• Zoho PageSense
• Zoho Campaigns
• Zoho Webinar
• Zoho Marketing Automation
• Zoho Forms
• Zoho Projects
• Zoho Analytics

These applications form a core part of our operational stack for sales, support, marketing, and internal collaboration.

Purpose of Processing

Each of the Zoho tools is used for the following legitimate purposes:

Categories of Personal Data Processed

Depending on how users interact with Novalnet via our website, the following personal data may be collected and processed in Zoho:

• Identifying information: name, email address, phone number, company name, job title
• Behavioral data: click paths, form abandonment, A/B test group allocation (via PageSense)
• Form data: messages, inquiries, resumes/CVs (in job applications), attachments
• Communication data: email engagement (opens, clicks), webinar registration and participation data
• Social data: LinkedIn or other social handles if you interact with Novalnet’s social posts
• Technical data: IP address, browser type, language, location, session duration (via PageSense, Analytics)

Data Transfers and International Processing

Zoho Corporation is headquartered in India with data centers located in:

• The European Economic Area (EEA) (e.g., Zoho EU data centers in the Netherlands and Ireland)
• The United States, India, and other regions (in rare cases, for support or maintenance)

When data is processed outside the EEA, it is protected by:

• Standard Contractual Clauses (SCCs) adopted by the European Commission
• Data Processing Addendum (DPA) executed between Novalnet and Zoho Corporation
• Access controls and encryption applied both in transit and at rest

Data Protection Measures

Zoho and Novalnet employ a wide range of safeguards to protect your data:

• TLS/SSL encryption for data in transit
• Secure user authentication and role-based access controls
• Regular backups and disaster recovery mechanisms
• ISO 27001, SOC 2 and GDPR-compliant policies (Zoho certifications)
• Internal procedures within Novalnet to ensure only authorized personnel access CRM and marketing data

For more information, Zoho’s privacy policy is available at: https://www.zoho.com/privacy.html

Data Storage and Retention

Personal data collected through Zoho services is retained only as long as necessary for the original processing purposes, including:

• Communication history (CRM and Campaigns)
• Form and campaign data (Zoho Forms, PageSense)
• Project documentation (Zoho Projects)
• Webinar attendance and event data (Zoho Webinar)

Data may be retained longer if required by legal or contractual obligations. Campaign data and analytics logs may be retained in line with our internal data lifecycle policies.

You may request deletion of your personal data from our Zoho systems at any time.

Use of Calendly

We use Calendly, a scheduling platform operated by Calendly LLC, 115 E Main St, Ste A1B, Buford, GA 30518, USA, to facilitate appointment bookings with Novalnet’s team.

Purpose of Processing

Calendly is used to enable visitors to book meetings or consultations directly through our website. This simplifies scheduling and helps us efficiently respond to inquiries or service requests.

Data Processing and Sharing

When you schedule a meeting using Calendly, the following personal data may be collected:

• Name
• Email address
• Appointment preferences (date/time)
• Optional message or inquiry content
• Technical metadata (e.g., IP address, browser version)

Calendly processes this data on our behalf under a Data Processing Agreement (DPA).

Data may be transferred to servers in the United States, where Calendly is headquartered. These transfers are safeguarded through Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR.

Calendly does not use your data for its own purposes, such as advertising or profiling.

Data Protection

Calendly implements appropriate technical and organizational security measures, including:

• TLS encryption for data in transit
• Secure access controls and authentication
• Compliance with international standards (e.g., SOC 2 Type II, ISO 27001)

Calendly undergoes regular audits and assessments to ensure ongoing data protection.

Data Storage

Your personal data submitted via Calendly is:

• Stored for the duration necessary to fulfill the purpose of your meeting or follow-up communication
• Automatically deleted or anonymized after the scheduled meeting is completed, unless legal or contractual obligations require longer retention
• Log and diagnostic data (e.g., IP address, session metadata) may be stored temporarily (usually up to 30 days)

For more details, see: https://calendly.com/privacy

Use of Writesonic / Botsonic AI Assistant

To enhance our website experience and provide real-time support, Novalnet uses an AI-powered assistant provided by Writesonic Inc. (including its Botsonic platform). This service may offer conversational assistance to users for sales, product information, or general inquiries.

Purpose of Processing

We use Botsonic to:

• Provide instant responses to visitor questions
• Help users navigate our services or offerings
• Qualify leads and gather initial contact information
• Support sales and marketing automation
• Reduce manual response delays

The AI assistant interacts in real time through a chatbot interface embedded on novalnet.com.

Data Collected

Depending on how you interact with the AI chatbot, the following categories of personal data may be collected:

• Name (if provided)
• Email address (if requested or provided)
• Phone (optional)
• Chat content (questions, responses, and interaction logs)
• Technical data (browser type, IP address, device type, and session information)
• Timestamps and visited pages (for context within the session)

We advise users not to share sensitive personal information (e.g., health data, financial information, login credentials) in the chatbot.

Data Processing and Sharing

The chatbot data is processed by:

Service provider: Writesonic Inc.
2261 Market Street #4451, San Francisco, CA 94114, United States
https://writesonic.com

Writesonic may process chat data on servers located in the United States or other regions. Where data is transferred to third countries, we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

Novalnet may access chat logs to improve support quality and follow up on inquiries. However, the data is not sold or shared with third parties for advertising or profiling.

Thank you for the clarification. Based on your input, here is the updated and accurate “Data Storage” section for your privacy policy, reflecting that Novalnet does not store chat data, and only Botsonic (Writesonic) stores it, while Novalnet may access the data via Botsonic’s dashboard:

Data Storage

Novalnet does not store chatbot conversation data on its own servers or systems.

All chat interactions are stored by Writesonic Inc., the provider of the Botsonic platform, on their secure infrastructure. Novalnet may access and view these chat records via the Botsonic dashboard solely for the purpose of:

• Responding to user queries
• Following up on sales or support requests
• Improving the quality of automated interactions

Writesonic may retain chat data for a limited period, typically ranging from 30 to 90 days, in accordance with its own data retention policies. After this period, data may be anonymized or deleted.

Novalnet does not download, export, or independently process chatbot conversations outside of the Botsonic environment, unless explicitly required to fulfill your request.

Data Protection

We take reasonable measures to protect your data when using Botsonic, including:

• Secure HTTPS encryption during transmission
• Access restrictions to chat logs and CRM integrations
• No usage of chatbot data for profiling, automated decision-making, or unsolicited marketing unless explicitly permitted

Writesonic implements its own security protocols, which are described in its privacy policy: https://writesonic.com/privacy

Use of Google reCAPTCHA v2

To protect our website and online forms from abuse, spam, and automated bots, we use Google reCAPTCHA v2, a security service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Purpose of Processing

Google reCAPTCHA helps us verify whether a form submission is made by a natural person rather than an automated program. This is essential for:

• Preventing spam and fraudulent submissions
• Ensuring system security and availability
• Protecting our online services from malicious use

Data Processing and Sharing

When reCAPTCHA v2 is used, it may collect and analyze the following data from the website visitor:

• IP address
• Browser and device information (e.g., user agent, screen resolution)
• Operating system
• Mouse movements and keyboard input behavior
• Time spent on the page
• Previously set cookies from Google services
• Referrer URL

This information is automatically sent to Google and processed on its servers, which may include servers located in the United States.

Google acts as an independent data controller for reCAPTCHA and processes this data in accordance with its own privacy policies.

More information:

https://policies.google.com/privacy
https://policies.google.com/terms

Data Protection

Google employs strong technical and organizational measures to protect the data processed via reCAPTCHA. However, as reCAPTCHA is embedded in our website as a third-party service, Google may set cookies or link reCAPTCHA usage with other Google services if you are logged into a Google account.

We have no control over how Google further processes this data once it has been transmitted. You may limit tracking by logging out of Google services before visiting our website or using private/incognito browser sessions.

Great question. Regarding Google reCAPTCHA v2, here is a factually accurate and GDPR-aligned explanation of data storage and retention:

Data Retention and Storage

When you interact with Google reCAPTCHA v2 on our website, no personal data is stored on Novalnet’s servers as part of this process. However, data is collected and processed directly by Google, which may include:

• IP address
• Browser and device metadata
• User behavior data (mouse movements, clicks, etc.)
• Cookies previously set by Google services (if any)
• Referrer URL and timestamp

This data is transmitted to and processed by Google Ireland Limited and may also be stored on servers in the United States or other third countries.

Google does not publicly disclose exact retention periods for the data collected through reCAPTCHA. However, based on Google’s general policies:

• Some data (e.g., logs or analytics related to reCAPTCHA) may be retained for a limited period to improve security and combat abuse.
• Cookies such as NID, _GRECAPTCHA, and others may persist in your browser for 6 months or longer, depending on your browser settings and whether you are logged into Google services.

Google acts as an independent data controller, and the data collected through reCAPTCHA is subject to Google’s own data retention and deletion policies.

For more details, see:

• Google Privacy Policy
• Google Terms of Service

Use of Cloudflare

We use the services of Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, to provide secure, high-performance content delivery and DDoS protection for our website.

Purpose of Processing

Cloudflare is a Content Delivery Network (CDN) and security service that helps us:

• Deliver content efficiently through globally distributed servers
• Secure our site from malicious traffic (e.g., DDoS attacks, bots)
• Improve website availability, reliability, and loading speed

Data Processing and Sharing

When you visit our website, Cloudflare automatically processes the following categories of data:

• IP address
• Accessed domain names and resources
• DNS query data
• System configuration information (e.g., browser type, device, OS)
• HTTP headers and performance metrics

Cloudflare acts as a data processor under a Data Processing Agreement (DPA). It processes data solely on our behalf and not for its own purposes.

Data may be routed through Cloudflare’s servers outside the European Economic Area (EEA), including the USA. In such cases, Cloudflare ensures adequate protection through Standard Contractual Clauses (SCCs) in line with Art. 46 GDPR.

Cloudflare does not use personal data for advertising or profiling.

Data Storage

Cloudflare temporarily stores certain logs for the following durations:

• Edge logs (e.g., IP address, request metadata): usually retained for no more than 7 days
• Longer retention may occur only in exceptional cases (e.g., for abuse mitigation or compliance with legal obligations)
• Cached static content (images, CSS, JS) is stored temporarily in Cloudflare’s edge servers and does not contain personal data

Cloudflare is committed to data minimization and does not store more information than necessary.

For more information, see Cloudflare’s privacy policy: https://www.cloudflare.com/privacypolicy/

Data Protection

Cloudflare applies comprehensive security measures including:

• TLS encryption
• Bot and DDoS protection mechanisms
• Rate limiting and Web Application Firewall (WAF)

Regular third-party security audits and compliance with:

• ISO/IEC 27001
• SOC 2 Type II
• PCI DSS, where applicable

Use of WP Engine as Hosting Provider

Our website is hosted by WP Engine, Inc., headquartered at 504 Lavaca Street, Suite 1000, Austin, TX 78701, USA. WP Engine provides us with secure, high-performance managed WordPress hosting services that ensure the availability, reliability, and scalability of our website.

Purpose of Processing

WP Engine processes data on our behalf to:

• Host and deliver the content of our website
• Store user interactions and form submissions (e.g., contact forms, log data)
• Provide necessary backend infrastructure such as databases and caching
• Monitor and improve website uptime, security, and performance

Data Processing and Sharing

In the course of providing hosting services, WP Engine may process the following types of data:

• IP addresses and user agent information
• Server logs (access times, requested pages, errors)
• Form submission data (e.g., contact requests, support inquiries)
• Content management and backup data
• Cookies and session identifiers (where applicable)

WP Engine acts as a data processor on our behalf, governed by a Data Processing Agreement (DPA) in compliance with Art. 28 GDPR.

Data may be processed on servers located in the European Union (for EU-based clients), but under certain conditions, limited data transfers to the United States may occur. These are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR.

WP Engine does not access or use your data for its own purposes.

More information:

https://wpengine.com/legal/dpa/
https://wpengine.com/legal/privacy/

Data Protection

WP Engine implements advanced technical and organizational measures, including:

• End-to-end TLS/SSL encryption
• Secure server and network architecture
• Daily backups and recovery tools
• ISO/IEC 27001-certified data centers
• Access control and activity logging

These measures help ensure the protection and confidentiality of personal data hosted on their infrastructure.

Data Storage

Website data (including any personal data submitted via forms or stored via cookies) is retained only as long as necessary to fulfill the stated purposes or comply with legal retention obligations.

Log data may be stored for 30 to 90 days, depending on server configuration and security practices.

Use of Custom Plugin: “Novalnet Homepage to CRM”

We use a custom-developed plugin, “Novalnet Homepage to CRM,” to manage form submissions on our website. This plugin collects, temporarily stores, and securely transmits the data you submit via various forms on our website to our internal CRM system. The data is sent in batches at 5-minute intervals via a secure server-side process.

Purpose of Processing

The plugin is used to manage user-submitted data through the following forms:

• Contact forms
• Job application forms
• Sales/lead generation forms
• Partnership and support request forms

This data is used solely for handling your request or inquiry, including:

• Responding to contact or support queries
• Evaluating job applications
• Processing partnership interest or collaboration requests
• Following up on sales or service-related leads

Data Collected and Stored

Depending on the form type, the following categories of personal and business data may be collected:

Contact / General Inquiry Form:

• Name
• Company website URL
• Email
• Phone number
• Company turnover range
• Message content

Job Application Form:

• Name
• Email address
• Phone number
• Message
• Uploaded attachments (e.g., CV, cover letter)
• Country and City
• Desired Pay
• Linkedin Profile link
• Avaiable date

Feedback / Complaints Form:

• Name
• Email
• Phone number
• TID
• Message content

Partnership / Support / Integration Request Form:

• Name
• Company name
• Email
• Website
• Phone number
• Country
• Message content

Data Processing and Storage

• Submitted data is temporarily stored on our web server, protected by secure file permissions and database access controls.
• Data is not visible to or accessed by third parties.
• Every 5 minutes, the stored form entries are transmitted to our internal CRM system using a secure server-to-server POST request.
• Once transmitted, the entries are flagged for archival or deletion on the web server in accordance with our retention policy.

No data is used for profiling, advertising, or tracking purposes.

Data Protection Measures

We implement the following measures to ensure the security of your data:

• Secure HTTPS transmission and SSL encryption
• Server-side validation and access restrictions
• Role-based access control for CRM data
• Regular deletion of processed records from the web server
• Internal logging and access auditing

The plugin is developed and maintained in-house by Novalnet, with regular security reviews.

Data Sharing and Third Parties

The collected data is not shared with any third parties outside of Novalnet. It is processed exclusively by authorized internal personnel for the purposes listed above.

No external analytics, advertising, or third-party CRM platforms receive your data.

Data Retention

The data collected through our forms is stored on our web server and transmitted to our internal CRM system every 5 minutes. At present, this data is not automatically deleted or archived from the web server after successful transmission.

As a result, submitted form entries may remain stored on the server for an indefinite period, unless manually removed. We are in the process of reviewing our retention practices to align with data minimization and storage limitation principles under the GDPR.

Data within our internal CRM system is retained in accordance with our internal retention schedules and applicable legal obligations.

If you wish to have your submitted data deleted or reviewed, you may contact us at any time using the information provided below.

Legal Basis for Processing

Article 6.para 1 letter a DS-GVO serves our company as a legal basis for processing operations for which we obtain consent for specific purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations necessary for the provision of another service or consideration, the processing is based on Art.6 para.1 letter.b DS-GVO. The same applies to such processing processes that are necessary to carry out pre-contractual measures, for example in cases of enquiries about our products or services. If our company is subject to a legal obligation requiring the processing of personal data, for example to fulfil tax obligations, the processing is based on Art.6 para.1 letter.c DS-GVO. Finally, processing operations could also be based on Art 6. para.1 letter.f DS-GVO. Processing operations which are not covered by any of the aforementioned legal bases are established on the legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. Such processing procedures are permitted to us in particular because they have been specifically mentioned by the European legislative authorities. In this respect, it took the view that a legitimate interest could be assumed if the person concerned is a customer of the person responsible (recital 47, sentence 2, DS-GVO).

Legitimate interests in processing followed by data controller or third party

If the processing of personal data is based on Art 6. para.1 letter.f DS-GVO, it is in our legitimate interest to carry out our business activities.

Period for which personal data is being stored

The criterion for the period of storing personal data is the respective legal retention period. After the expiry of this period, the corresponding data will be routinely deleted, provided that it is no longer necessary for the fulfilment or initiation of the contract.

Legal or contractual regulations for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of failure to provide them

We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information relating to contractual partner). In some cases, it may be necessary for a contract to be concluded if a data subject provides us with personal data which must subsequently be processed by us. For example, the person concerned is obliged to provide us with personal data if our company enters into a contract with him/her. Failure to provide personal data would mean that the contract with the data subject could not be concluded. Prior to the provision of personal data by the data subject, the data subject must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or required for the conclusion of the contract, whether there is an obligation to provide the personal data and what consequences the failure to provide the personal data would have.

Existence of automated decision making

As a responsible company, we do not use automated decision-making according to Art.22 DS-GVO to reach a decision on the establishment and implementation of a business relationship.

This data protection policy was drawn up by the data protection declaration generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as the data protection officer, in cooperation with the data protection lawyers of the law firm WILDE BEUGER SOLMECKE | Rechtsanwälte.

Information on data processing according to Art.13 DS-GVO and Art.14 DS-GVO

We hereby inform you about the processing of your personal data and the data protection claims and rights to which you are entitled. The content and scope of data processing depends mainly on the products ordered by you from your contractual partners or the selected payment method.

Identity of the person responsible and whom can you contact?

Responsible for data processing:
Novalnet
Gutenbergstraße 7
85748 Garching near Munich
Germany
Tel.: +49 (0)89 – 9230683-29
Fax: +49 (0)89 – 9230683-11
E-Mail: info@novalnet.de

Contact data of the data protection officer

You can contact the responsible data protection officer at:
Data Protection Officer of Novalnet
Gutenbergstraße 7
85748 Garching near Munich
or datenschutz@novalnet.de

Which data are being processed and from which sources the data is collected?

We process the personal data that we receive in the course of a business relationship between you and your contractual partner in the course of payment processing. In addition, we process data that we have legitimately received from credit agencies, debtor directories and publicly accessible sources.

Personal data includes your personal details (surname, first name, address, contact data, date of birth, nationality, etc.) and payment data (bank data, credit card data, etc.).

The data from the above data categories was transmitted to us by you or your contractual partner.

For what purposes and on what legal basis the data are being processed?

The processing of personal data (Art.4 No. 2 DS-GVO) is aimed in particular at payment processing, identity verification, fraud prevention and receivables management and is based on the provisions of the Basic Data Protection Regulation.

Your data will be processed in accordance with Art.6 para.1 letter.b DS-GVO for the provision of financial services and is necessary for the fulfilment of a contract with your contractual partner, among other things, since this also includes the payment obligation respectively payment processing.

Furthermore, the processing of your data may be necessary pursuant to Art.6 para.1 letter.c DS-GVO for the purpose of fulfilling legal obligations (Payment Services Supervision Act, Money Laundering Act, etc.) and regulatory requirements (Federal Financial Supervisory Authority) to which Novalnet as a payment institution is subject.

Furthermore, data processing pursuant to Art.6 para.1 letter.f DS-GVO is necessary to safeguard the legitimate interests of the person responsible or of a third party. Our legitimate interests exist, among other things, in connection with the claim against you, which we process for your contractual partner.

Consents may be revoked at any time vis-à-vis the contracting party concerned. This also applies to consents that were granted before the DS GVO came into force. The revocation of consent does not affect the legality of the personal data processed until revocation.

Who receives your data?

Within Novalnet, those departments or employees receive your data which they need to fulfil their contractual, legal and supervisory obligations and legitimate interests.

If there is a legal or supervisory obligation, public bodies and institutions (e.g. Federal Financial Supervisory Authority, tax authorities, law enforcement authorities, etc.) may be recipients of your personal data.

In the course of payment processing, recipients of your personal data may be other credit, payment and financial institutions or similar institutions to which we transmit data in order to process payment processing.

In the context of the collection procedure, we will transfer your data to the following categories of recipients if this is necessary to collect the claim: assignees, credit agencies, service providers, third-party debtors, residents’ registration offices, courts, bailiffs, lawyers.

Duration of data retention

We process your personal data, if necessary, for the duration of the entire business relationship between you and your contractual partner as well as in accordance with the statutory retention and documentation periods, which result from the Fiscal Code (AO), the Commercial Code (HGB), the Payment Services Supervision Act (ZAG) and the Money Laundering Act (AwG), among others.

In addition, the statutory limitation periods must also be observed for the storage period, e.g. those under the German Civil Code (BGB) (the general limitation period is 3 years and may in certain cases be up to 30 years).

What data protection rights do you have?

You have the right to information, correction, deletion or restriction of the processing of your stored data if the legal requirements according to Art.15 to 22 DS-GVO are met. Furthermore, according to Art.14 para.2 letter.c in connection with Art.21 DS-GVO, you have the right to object to the processing based on Art.6 para.1 letter.f DS-GVO. In addition, the supervisory authority responsible for Novalnet, the Bavarian State Office for Data Protection Supervision, may be contacted. Consents may be revoked at any time vis-à-vis the contracting party concerned.

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Super Socializer – Social Login

We collect your public profile data only from your consent that you grant before initiating Social Login, from the social network used to login at our website. This data includes your first name, last name, email address, link to your social media profile, unique identifier, link to social profile avatar. This data is used to create your user profile at our website. You can revoke this consent at any time from your profile page at our website or by sending us an email.