Privacy
Policy.

Who we are: NovoCreation LLC, a Connecticut limited liability company.

What we collect: contact details, project context, payment information (handled by Stripe), makerspace request descriptions, and basic technical logs.

What we don’t do: sell your data, rent email lists, share details beyond what the work requires, or train public AI models on client content.

Your rights anywhere: access, correct, delete, export, and opt-out of marketing — detailed in §11. US state-specific rights in §15, GDPR in §16.

Privacy contact: [email protected]

This policy covers information collected through the NovoCreation marketing site (novocreation.online), the client portal, the makerspace storefront, and any engagement you enter with us for IT, web, mobile, creative, automation, AI, or makerspace services.

It does not cover third-party sites linked from ours (e.g., Stripe checkout, GitHub, LinkedIn, Instagram). Those have their own privacy policies which you should review before interacting with them.

For clients where NovoCreation handles data subject to a Business Associate Agreement (HIPAA), Data Processing Addendum (GDPR), or other contractual privacy regime, the terms of that agreement govern for the specific data it covers. This policy governs everything else.

Identity and contact. Name, email address, phone number, mailing address (if provided), company name, and job title.

Engagement and project data. Project briefs, scope details, uploaded files, credentials you hand over for us to do the work (DNS, hosting, cloud admin, API keys), revision feedback, and meeting notes.

Payment and billing. Invoice and payment records. Card numbers and bank details are handled directly by Stripe and never stored on our servers — we receive only a token and last-4 digits for reconciliation.

Makerspace requests. When you request a pass, we collect the tier, variants (hours, material, printer preference, welcome-kit choice), your description of what you plan to make (for print-job class), and the acceptable-use attestation you tick at checkout.

AI conversations and prompts. Chat assistant messages, Novo agent interactions, content you generate or iterate on inside the portal. Stored to allow you to continue a conversation and to audit what the agents did.

Device and usage data. IP address, user agent, pages visited, session cookies, and telemetry needed to keep the site secure and running (e.g., Cloudflare Turnstile bot-protection signals). We don’t run behavioral-advertising cookies or retargeting pixels.

Communications you send us. Email, contact-form submissions, chat transcripts, support tickets, feedback.

We don’t knowingly collect sensitive categories (race, religion, political affiliation, health, precise geolocation, genetic or biometric data) unless you volunteer them in a project brief and we’ve agreed in writing about handling.

AI Compute Node engagements. For clients in our AI Compute Node service line, we additionally collect: site location and facility type (residential or SMB), electrical panel specifications, ISP bandwidth details, IPMI/BMC access credentials for the commissioned hardware, and ongoing telemetry (thermal readings, uptime events, GPU health metrics, network traffic volume) generated by the node monitoring stack. Telemetry is retained for the duration of the NOC engagement plus 90 days, then purged. Credentials are stored encrypted and rotated at engagement end. Clients who supply custom model weights (BYOW) acknowledge that those files are handled solely on the client-owned hardware; NovoCreation does not retain, copy, or transmit model weights beyond what is necessary to complete the installation.

• Directly from you — through forms (contact, estimate, subscribe, makerspace checkout), email, portal uploads, meeting notes, and chat sessions.
• Automatically — through server logs, cookies, Cloudflare Turnstile, and standard web-server telemetry as you navigate the site.
• From third parties — authentication providers (Google OAuth) when you sign in, payment processors (Stripe) when you pay, and public business registries when we do light KYC on commercial clients.
• During engagement work — we receive whatever you or your team shares in the course of a project (designs, drafts, internal docs, credentials).

We use information only for the purposes below. Legal bases are given for visitors in jurisdictions that require them (GDPR, UK GDPR, Swiss FADP).

• Service delivery and contract performance — to scope engagements, deliver work, issue invoices, provide support, and run the makerspace. Basis: contract.
• Security and fraud prevention — to protect accounts, detect bots, prevent chargeback abuse, and investigate policy violations. Basis: legitimate interest + legal obligation.
• Communications about your engagement — transactional emails (invoices, passes, receipts, scheduling), client portal notifications, support replies. Basis: contract.
• Marketing with opt-out — newsletter, new-work announcements, case studies. Only to individuals who opted in or existing clients with a prior relationship. Basis: consent (opt-in) or legitimate interest (existing clients), with easy opt-out in every message.
• AI processing — to draft estimates, proposals, campaign copy, status updates, and to power the portal chat assistant and Novo agent. Detailed in §07. Basis: contract (for client engagements) or legitimate interest (for internal drafting).
• Legal compliance — to comply with tax law, regulatory obligations (e.g., CTA beneficial-ownership reporting), and to respond to lawful requests from government authorities. Basis: legal obligation.
• Service improvement — aggregated, de-identified analytics to understand what parts of the site work for visitors. Basis: legitimate interest.

We share information only with service providers who help us deliver the service, and only what each provider needs to do its job. Every provider below is contractually bound to handle data consistently with this policy.

• Stripe— payment processing for invoices, quick-sale passes, and membership billing. Stripe is the controller of the card and bank data it handles; we receive only tokens and reconciliation metadata. See Stripe’s privacy policy.
• NovoPay — our USDC stablecoin payment processor. When used for payment, NovoPay receives the wallet address you pay from, the on-chain transaction hash, and amount; it does not see your name or email unless you separately attach them to the payment.
• Google (Workspace, Gemini, OAuth) — authentication (“Sign in with Google”), AI inference for drafting and chat, transactional email delivery via Workspace-backed SMTP. Google is a processor for AI inference under its paid-API terms and does not train on submitted content.
• Mistral (and other approved AI providers as needed) — production-tier API used as a fallback or for specific features, on the same non-training posture as Google. We may add other production-tier providers (Anthropic Claude, OpenAI, Hugging Face, or similar) over time; in every case we use paid-tier APIs that exclude submissions from training by default and never use free-tier or “Labs” endpoints that may train on content.
• Cloudflare — CDN, DDoS protection, and Turnstile CAPTCHA. Receives IP, user agent, and challenge-response telemetry.
• Railway (and underlying cloud providers) — application hosting, PostgreSQL database. Data is stored on Railway’s managed infrastructure in US-East region.
• AWS S3 / Railway S3 — file storage for uploaded assets, email attachments, and generated PDFs.
• Resend — campaign and fallback transactional email delivery. Processes recipient email, subject, and message content.
• Upstash (Redis) — rate-limiting and ephemeral session state.
• Sentry — error monitoring. Receives stack traces and may incidentally see user-input snippets if they appear in an error; we scrub common PII patterns before send.
• Professional advisors — legal counsel, accountants, insurers, when required to advise on specific engagements, under ordinary professional-secrecy obligations.
• Law enforcement or regulators — when required by valid legal process. We notify you unless prohibited by law.
• M&A successors— if NovoCreation is acquired or merged, data transfers as part of the transaction under the same privacy commitments. We’ll notify you of any material changes.

We do not sell personal information and we do not share it with data brokers, advertising networks, or analytics providers beyond what’s listed above.

We use AI for drafting (estimates, proposals, campaign copy, status updates, code generation), retrieval (internal knowledge search), and conversational features (client portal assistant, Novo marketing agent).

Training posture.We use production-tier APIs from approved providers, currently Google (Gemini) and Mistral, all under terms that by default exclude submitted content from training. We may add other production-tier providers (Anthropic Claude, OpenAI, or similar) over time on the same non-training posture. Where a provider offers an explicit opt-out of training, we opt out. We never use free-tier or “Labs” endpoints that train on user submissions.

What gets sent to AI providers. Only the context needed for the specific task: the prompt, relevant project snippets (for drafting), or your chat message (for the assistant). We don’t pipe your entire account or other clients’ content through the model.

Human review. AI-generated deliverables are reviewed by a human on our team before they ship to you. Client-facing chat output is clearly marked and not a substitute for professional advice.

Opting out.If you would prefer your engagement be handled without AI assistance, say so in your first project conversation. We’ll adjust the workflow. The portal chat assistant can be disabled on your account by emailing [email protected].

We use cookies and equivalent technologies only for what the site needs to work:

• Session cookies — keep you signed in, maintain form state. Expire on browser close or after inactivity.
• Preference cookies — theme choice (light/dark), cookie-banner acceptance.
• Security cookies — Cloudflare Turnstile challenge tokens, CSRF tokens, rate-limit counters.

We do not use advertising cookies, cross-site retargeting pixels, or third-party analytics cookies that profile visitors. If that changes, we’ll update this section and the cookie banner will require opt-in for the new category.

Most browsers let you block or delete cookies. Blocking all cookies may break parts of the site (e.g., sign-in, makerspace checkout).

Retention varies by data category and the purpose it serves:

• Invoice and payment records — seven (7) years, matching IRS and Connecticut record-keeping requirements.
• Project deliverables and work files — retained for the duration of the engagement plus three (3) years after, unless you request earlier deletion or we’ve separately agreed on longer retention for warranty or support.
• Makerspace passes — retained for the validity window plus three (3) years for tax + dispute records.
• Makerspace request descriptions — retained for five (5) years as part of the review audit trail (insurance, ATF, and safety context).
• Email outbox and transactional messages — retained for two (2) years for delivery auditing.
• AI chat logs— retained for 90 days for account continuity + abuse investigation, then deleted unless the conversation is linked to an active engagement where it’s part of the work record.
• Marketing contacts— retained until you unsubscribe, then for six (6) months in a suppression list so we don’t accidentally re-add you.
• Server logs and security telemetry — 90 days rolling, unless an active investigation requires longer retention.
• Backups— database backups are kept for 30 days and then overwritten; data you’ve requested deletion of may persist in backups until that cycle completes, but won’t be restored to production.

When a retention period ends, data is deleted or de-identified. You can always ask us to delete earlier — see §11.

We implement commercially reasonable administrative, technical, and physical safeguards:

• TLS 1.2+ for data in transit; at-rest encryption on managed database and object storage.
• Hashed authentication tokens (portal tokens, pass QR tokens) — raw values never persist server-side.
• Scoped OAuth grants, refresh-token rotation, and encrypted storage of third-party service credentials.
• Role-based access for staff; least-privilege defaults.
• WebAuthn / passkey support and strong password hashing (bcrypt) for accounts.
• Rate limiting, CAPTCHA gates on public forms, and bot protection on the edge.
• Error monitoring with PII-aware scrubbing before dispatch to Sentry.
• Regular review of dependencies for known vulnerabilities.

No system is perfectly secure. If we learn of a breach affecting your information, we’ll follow the notification procedure in §17.

Regardless of where you live, you can ask us to:

• Access — confirm whether we hold information about you and provide a copy.
• Correct— update information that’s inaccurate or incomplete.
• Delete— remove your information, subject to retention obligations we can’t waive (tax records, active-engagement records during the engagement).
• Export — get your information in a portable format (JSON or CSV as applicable).
• Opt out of marketing — unsubscribe link in every marketing email, or email us directly.
• Restrict or object— limit how we use your information in certain circumstances where you’ve objected and we don’t have a compelling legal basis that overrides.
• Withdraw consent — where we rely on consent as the legal basis, you can revoke it at any time (though actions taken before withdrawal remain valid).

Email [email protected] from the address on your account with a short description of the right you want to exercise. We aim to respond within 30 days (sometimes extended to 45-60 days for complex requests, with an interim update).

We may ask you to verify your identity before acting on an access, deletion, or export request — typically by confirming control of the account email plus answering a question about a recent engagement detail. We won’t ask for a driver’s license or Social Security number for routine verification.

Exercising your rights is free unless a request is manifestly unfounded or excessive (e.g., repeated identical requests), in which case we may charge a reasonable fee or decline to act, and we’ll explain why.

If we deny part of a request, we’ll explain the specific reason (e.g., “we retain invoice records for 7 years under IRS rules”). You can appeal internally by replying to our response, or file a complaint with your state attorney general’s office or data-protection authority.

We may send you marketing emails — newsletter, case studies, new-service announcements — if you subscribed or have an existing business relationship with us. Every marketing email has a one-click unsubscribe, which takes effect within 10 business days (US CAN-SPAM Act allows up to 10; we usually apply within 24 hours).

Transactional emails (invoices, pass receipts, pickup reminders, support replies) are not marketing and are sent on a legitimate-interest basis even after you unsubscribe from marketing. You can request we suppress your address entirely by replying to any message with “remove me from everything” — we’ll confirm.

Our services are directed to adults and businesses. We do not knowingly collect personal information from children under 13 (COPPA) or, for European visitors, children under the applicable age of digital consent (13 to 16 depending on member state).

Minors using the makerspace do so under parent or guardian supervision, and any account or pass purchase is made by the parent or guardian. See the Terms §16 for the minors rule.

If you learn that a child under the applicable age has submitted information to us, email [email protected] and we’ll promptly delete it.

If you are a resident of a US state with a comprehensive privacy law, you may have specific rights under that law. The rights in §11 apply globally; the notes below clarify state-specific mechanics.

• California (CCPA/CPRA). We do not sell personal information or share it for cross-context behavioral advertising. You have the right to know, delete, correct, limit use of sensitive personal information (we don’t intentionally collect SPI), and not be discriminated against for exercising rights.
• Connecticut (CTDPA). You have rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling. We don’t engage in sale, targeted advertising, or in-scope profiling.
• Virginia, Colorado, Utah, Texas, Oregon, Montana, Iowa, Delaware, Minnesota, Indiana, Tennessee, and New Hampshire — we honor the access, correction, deletion, portability, and opt-out rights provided in those states’ respective acts, following the same request process in §12.
• Authorized agents— an authorized agent may submit a request on your behalf with proof of authorization (e.g., a power of attorney or a signed authorization). We’ll verify both your identity and the agent’s authority.

We do not discriminate against you for exercising any of these rights. Prices, service levels, and terms remain the same.

NovoCreation is based in the United States and processes data in the US. If you visit or engage from the European Economic Area, the United Kingdom, or Switzerland, your information is transferred to the US.

For transfers that require a GDPR-valid mechanism, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK Addendum to the SCCs, and, where applicable, our partners’ participation in the EU-US Data Privacy Framework.

Under GDPR, you additionally have the right to lodge a complaint with your local data-protection authority, and the right to data portability in a structured, machine-readable format.

If you need to enter a formal Data Processing Addendum for an engagement, email [email protected].

If we discover a security incident likely to cause a risk to your rights or to compromise the confidentiality, integrity, or availability of your information:

• We’ll investigate and contain it promptly.
• Where legally required (GDPR 72-hour window, various US state breach-notification laws, HIPAA where applicable), we’ll notify the relevant regulator.
• Where your rights are affected, we’ll notify you directly via the email address on file, describing what happened, what information was involved, steps we’re taking, and recommended actions on your end.
• For business clients, we’ll also notify under the incident-response timing in your engagement contract if shorter than the statutory window.

We may update this policy as the business evolves, as the law changes, or as we add or remove third-party services. Material changes will be communicated by an email to account holders and a notice on the marketing site at least 30 days before they take effect.

The version and last-updated date at the bottom of this page identify the current revision. Past versions are archived and available on request.

Privacy matters: [email protected]

General inquiries: [email protected]

Mailing address: NovoCreation LLC, 15 Boyden Street, Office I, Waterbury, CT 06704, USA.

Under the CCPA, California residents can also reach us at the email above for privacy requests; we don’t maintain a separate toll-free number as we do not engage in selling or sharing personal information.

When you use Novopay, certain information (such as your wallet address, transaction hashes, and payment amounts) is permanently recorded on the public Ethereum blockchain. By design, on-chain data is public, immutable, and cannot be deleted or “forgotten.”

NovoCreation uses this data to confirm your payments and provide dashboard analytics. While we do not link your on-chain activity to your identity outside of our private database, blockchain analysis tools may allow third parties to associate your wallet address with other public activity.