GDPR Compliance Statement

Effective Date: January 1, 2025
Last Updated: January 1, 2025

Our Commitment to GDPR Compliance

Novareach AI LLC is fully committed to compliance with the General Data Protection Regulation (GDPR) and respects the privacy rights of all individuals in the European Union. We are a US-based company that processes EU personal data, and this page outlines our comprehensive approach to GDPR compliance and how we protect your personal data.

Legal Basis for Processing

1. Lawful Bases Under Article 6 GDPR

1.1 Contract Performance (Article 6(1)(b)): We process personal data necessary for performing our service agreement with you, including account management and service delivery.

1.2 Legitimate Interests (Article 6(1)(f)): We process data for legitimate business interests such as service improvement, security monitoring, and customer support, always balanced against your rights and freedoms.

1.3 Legal Obligation (Article 6(1)(c)): We process data to comply with legal requirements including tax obligations, regulatory reporting, and law enforcement requests.

1.4 Consent (Article 6(1)(a)): For optional processing activities such as marketing communications and non-essential analytics, we obtain explicit consent.

2. Special Categories of Data

2.1 Minimal Processing: Our AI systems are designed to minimize processing of special categories of personal data under Article 9 GDPR.

2.2 Technical Safeguards: Where special categories might be incidentally processed (e.g., in customer communications), we implement technical measures to prevent identification and ensure data minimization.

2.3 Explicit Consent: Any intentional processing of special categories requires explicit consent with clear opt-out mechanisms.

Your Rights Under GDPR

1. Right to Information (Articles 13 & 14)

1.1 Transparency: We provide clear, understandable information about how we process your personal data through this statement and our Privacy Policy.

1.2 Data Processing Activities: We maintain detailed records of all processing activities as required by Article 30 GDPR.

1.3 Contact Information: Our Data Protection Officer is available to answer questions about data processing activities.

2. Right of Access (Article 15)

2.1 Data Subject Access Requests: You have the right to obtain confirmation of whether we process your personal data and access to such data.

2.2 Information Provided: We provide information about processing purposes, categories of data, recipients, retention periods, and your rights.

2.3 Response Timeframe: We respond to access requests within 30 days, with possible extension to 60 days for complex requests.

2.4 Format and Delivery: Information is provided in a commonly used electronic format unless otherwise requested.

3. Right to Rectification (Article 16)

3.1 Correction Rights: You may request correction of inaccurate personal data and completion of incomplete data.

3.2 Verification Process: We verify the accuracy of new information and update our records promptly.

3.3 Third-Party Notification: We notify relevant third parties of corrections where legally required.

4. Right to Erasure (Article 17)

4.1 "Right to be Forgotten": You may request deletion of personal data under specific circumstances outlined in Article 17.

4.2 Deletion Process: We implement secure deletion procedures ensuring data cannot be recovered.

4.3 Technical Limitations: We explain any technical limitations that may prevent immediate deletion (e.g., backup systems).

4.4 Balancing Test: We balance deletion requests against other legal obligations and legitimate interests.

5. Right to Restrict Processing (Article 18)

5.1 Restriction Circumstances: You may request processing restrictions under the specific conditions outlined in Article 18.

5.2 Restriction Implementation: We implement technical measures to prevent further processing while maintaining data integrity.

5.3 Lifting Restrictions: We notify you before lifting any processing restrictions.

6. Right to Data Portability (Article 20)

6.1 Portable Formats: We provide personal data in structured, commonly used, and machine-readable formats.

6.2 Direct Transfer: Where technically feasible, we can transfer data directly to another controller.

6.3 Scope Limitations: Portability applies only to data you have provided to us and that we process on the basis of consent or contract.

7. Right to Object (Article 21)

7.1 Objection Grounds: You may object to processing based on legitimate interests or for direct marketing purposes.

7.2 Assessment Process: We assess objections and cease processing unless compelling legitimate grounds exist.

7.3 Direct Marketing: We always honor objections to direct marketing without assessment of grounds.

8. Rights Related to Automated Decision-Making (Article 22)

8.1 Automated Decisions: You have rights regarding decisions based solely on automated processing with legal or significant effects.

8.2 Human Intervention: We provide mechanisms for human review of automated decisions where required.

8.3 AI Transparency: We explain the logic, significance, and consequences of automated decision-making systems.

Data Processing Principles

1. Lawfulness, Fairness, and Transparency (Article 5(1)(a))

1.1 Legal Basis: All processing activities have a clear legal basis under GDPR.

1.2 Fair Processing: We process data fairly without deception or misleading practices.

1.3 Transparency Measures: We provide clear, plain language information about data processing.

2. Purpose Limitation (Article 5(1)(b))

2.1 Specified Purposes: Personal data is collected for specified, explicit, and legitimate purposes.

2.2 Compatible Use: Further processing occurs only for compatible purposes or with additional legal basis.

2.3 Purpose Documentation: We maintain detailed documentation of processing purposes.

3. Data Minimization (Article 5(1)(c))

3.1 Adequate and Relevant: We process only data that is adequate and relevant for the intended purposes.

3.2 Not Excessive: Data processing is limited to what is necessary for the specified purposes.

3.3 Regular Review: We regularly review data processing to ensure continued minimization.

4. Accuracy (Article 5(1)(d))

4.1 Accurate Data: We maintain procedures to ensure personal data accuracy and currency.

4.2 Error Correction: Inaccurate data is corrected or deleted without delay.

4.3 Verification Systems: We implement systems to verify data accuracy during collection and processing.

5. Storage Limitation (Article 5(1)(e))

5.1 Retention Periods: Personal data is kept only as long as necessary for the processing purposes.

5.2 Deletion Schedules: We maintain documented data retention and deletion schedules.

5.3 Archive Exceptions: Longer retention for archiving, research, or historical purposes includes additional safeguards.

6. Integrity and Confidentiality (Article 5(1)(f))

6.1 Security Measures: We implement appropriate technical and organizational measures to ensure data security.

6.2 Confidentiality: All personnel with access to personal data are bound by confidentiality obligations.

6.3 Breach Prevention: We maintain systems to prevent unauthorized access, alteration, disclosure, or destruction.

Data Protection by Design and by Default

1. Technical Measures

1.1 Encryption: Personal data is encrypted in transit and at rest using industry-standard algorithms.

1.2 Access Controls: Role-based access controls limit data access to authorized personnel only.

1.3 Audit Logging: Comprehensive logging systems track all data access and processing activities.

1.4 Anonymization: We use anonymization and pseudonymization techniques where appropriate.

2. Organizational Measures

2.1 Privacy Policies: Comprehensive privacy policies govern all data processing activities.

2.2 Staff Training: Regular training ensures all personnel understand GDPR requirements and our procedures.

2.3 Privacy Impact Assessments: We conduct DPIAs for high-risk processing activities.

2.4 Vendor Management: All data processors are contractually bound to GDPR compliance requirements.

International Data Transfers

1. Transfer Mechanisms

1.1 Adequacy Decisions: We rely on European Commission adequacy decisions where available.

1.2 Standard Contractual Clauses: We use approved Standard Contractual Clauses for transfers to non-adequate countries.

1.3 Binding Corporate Rules: Our group-wide data protection standards ensure consistent protection levels.

2. Transfer Safeguards

2.1 Technical Safeguards: Encryption and access controls protect data during international transfers.

2.2 Legal Safeguards: Contractual provisions ensure recipient countries provide adequate protection.

2.3 Monitoring: We regularly monitor the effectiveness of transfer safeguards.

3. Data Localization

3.1 Cross-Border Processing: As a US-based company, we process EU personal data with appropriate GDPR safeguards including Standard Contractual Clauses.

3.2 Safeguarded Transfers: All EU personal data transfers to the US occur with appropriate safeguards as required by GDPR Chapter V.

3.3 Customer Control: Enterprise customers may specify data localization requirements and processing location preferences.

Data Breach Management

1. Breach Detection

1.1 Monitoring Systems: 24/7 monitoring systems detect potential data breaches automatically.

1.2 Incident Response: A dedicated incident response team activates immediately upon breach detection.

1.3 Assessment Procedures: Rapid assessment determines breach scope, impact, and notification requirements.

2. Notification Requirements

2.1 Supervisory Authority: We notify the relevant supervisory authorities within 72 hours of becoming aware of a breach.

2.2 Data Subject Notification: Affected individuals are notified without undue delay when required by GDPR.

2.3 Documentation: All breaches are documented with details of causes, effects, and remedial actions.

3. Remedial Actions

3.1 Immediate Response: Immediate steps to contain breaches and prevent further unauthorized access.

3.2 Investigation: Thorough investigation to determine root causes and prevent recurrence.

3.3 Improvement Measures: Implementation of additional safeguards based on breach analysis.

Data Protection Officer

1. Appointment and Role

1.1 DPO Designation: We have appointed a qualified Data Protection Officer to oversee GDPR compliance.

1.2 Independence: Our DPO operates independently and reports directly to senior management.

1.3 Expertise: Our DPO possesses specialized knowledge of data protection law and practices.

2. Contact Information

2.1 Direct Contact: Our Data Protection Officer can be reached at dpo@novareach.ai.

2.2 Response Time: Our DPO responds to inquiries within 5 business days.

2.3 Escalation: Complex matters are escalated to senior management as appropriate.

Supervisory Authority Relations

1. Cooperation

1.1 Authority Cooperation: We cooperate fully with supervisory authorities and respond promptly to inquiries.

1.2 Lead Authority: Our lead supervisory authority is the Hamburg Commissioner for Data Protection and Freedom of Information.

1.3 Cross-Border Processing: We coordinate with multiple supervisory authorities for cross-border processing activities.

2. Complaint Handling

2.1 Internal Complaints: We maintain internal procedures for handling privacy complaints and concerns.

2.2 Authority Complaints: Individuals may lodge complaints with supervisory authorities regarding our data processing.

2.3 Resolution Process: We work constructively with authorities to resolve any identified compliance issues.

Compliance Monitoring

1. Regular Audits

1.1 Internal Audits: Regular internal audits assess GDPR compliance across all business functions.

1.2 External Audits: Independent third-party audits verify our data protection practices.

1.3 Compliance Reports: Regular compliance reports are provided to senior management and the DPO.

2. Continuous Improvement

2.1 Legal Updates: We monitor changes in data protection law and update procedures accordingly.

2.2 Best Practices: We continuously adopt industry best practices for data protection.

2.3 Training Programs: Regular training ensures staff maintain current knowledge of GDPR requirements.

Contact Information

1. General Inquiries

Email: privacy@novareach.ai
Response Time: 5 business days

2. Data Protection Officer

Email: dpo@novareach.ai
Response Time: 5 business days

3. Data Subject Rights Requests

Email: datasubject@novareach.ai
Response Time: 30 days (may be extended to 60 days for complex requests)

4. Postal Address

Novareach AI LLC
254 Chapman Road, Ste 208
Newark, DE 19702, United States

5. Emergency Contact

For urgent data protection matters, contact us immediately at privacy@novareach.ai with "URGENT" in the subject line.

This GDPR Compliance Statement is reviewed and updated regularly to ensure continued compliance with applicable data protection laws. Last review: January 1, 2025.