Privacy Policy

1. Introduction and Scope

This Privacy Policy is published in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDPA"), as applicable.

This Privacy Policy explains how Aeonis Technology Private Limited, a company incorporated under the Companies Act, 2013, with its registered office in Mumbai, Maharashtra, India, operating under the brand name "Novaex" ("we," "us," or "our"), collects, uses, stores, shares, and protects information in relation to our website at novaex.ai (the "Site") and the software platform and services we provide (collectively, the "Services").

This policy applies to information we collect:

On this Site and any associated subdomains.
In email, text, and other electronic messages between you and this Site.
When you interact with our advertising or content on third-party websites and platforms.
Through the use of our software platform by our clients and their authorised users.
When you request early access, submit a contact form, or sign up for communications.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described herein. If you do not agree with this policy, please do not use the Services.

2. Information We Collect

We collect several types of information from and about users of our Services:

a) Personal Data You Provide to Us:

Contact Information: When you request early access, contact us, subscribe to our newsletter, or submit enquiries, we may collect your name, email address, phone number, job title, company name, and business address.
Account Information: For clients using the Novaex platform, we collect user credentials including usernames and encrypted passwords, and information necessary to set up and manage your account.
Communications: If you contact us directly via email, phone, or through the Site, we may retain records of such communications including any information you voluntarily provide.
Feedback and Surveys: Information provided when you participate in surveys, provide feedback, or respond to questionnaires.

b) Information We Collect Automatically:

Usage Data: When you access the Site, we automatically collect information about your device, browser type, operating system, IP address, access times, pages viewed, referring URL, and usage patterns.
Cookies and Tracking Technologies: We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your interactions with the Site. You may control cookie preferences through your browser settings. For details, see Section 10 (Cookies Policy).
Log Data: Our servers automatically record information including your request, IP address, browser type, referring/exit pages, and timestamps.

c) Sensitive Personal Data or Information (SPDI):

As defined under the SPDI Rules, 2011, we may collect the following categories of sensitive personal data only with your explicit consent and only to the extent necessary for providing the Services:

Financial information such as bank account or payment instrument details (collected only for billing purposes through secure payment gateways).
Passwords and authentication credentials (stored in encrypted form).

We do not collect biometric data, medical records, sexual orientation, or political opinions through our Services.

d) Client Data (Platform):

Our clients may upload or input data into our platform related to their business operations, including commodity trading data, position information, pricing data, and related analytics ("Client Data"). Novaex processes Client Data strictly as a "Data Processor" on behalf of our clients, who remain the "Data Controllers" or "Data Fiduciaries" (as applicable under the DPDPA) of such data. We process Client Data solely in accordance with the client's instructions and applicable service agreements.

3. Purpose and Lawful Basis for Processing

We use the information we collect for the following purposes, each supported by a lawful basis:

Service Delivery: To provide, operate, maintain, and improve our Services, including processing transactions, managing accounts, and providing customer support.
Contractual Obligation: To fulfil our obligations under service agreements, Master Service Agreements (MSAs), and subscription contracts with clients.
Communication: To communicate with you regarding the Services, respond to enquiries, send service-related notices, and provide updates about the platform.
Marketing: To send promotional communications with your consent. You may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us.
Analytics and Improvement: To understand usage patterns, analyse trends, and improve the functionality and user experience of our Services.
Security and Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorised access, and other illegal activities.
Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests, including the IT Act, DPDPA, and any directives from SEBI, RBI, or other regulatory authorities.
Legitimate Interests: To protect the rights, property, and safety of the Company, our users, and the public.

4. Consent

In accordance with the DPDPA and SPDI Rules, we obtain your consent before collecting and processing your personal data. By using our Services, submitting forms on the Site, or providing information to us, you expressly consent to the collection, use, storage, and processing of your information as described in this Privacy Policy.

You have the right to withdraw your consent at any time by contacting us at privacy@novaex.ai. Please note that withdrawal of consent may affect our ability to provide certain Services to you, and such withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete such information promptly.

5. How We Share Your Information

We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:

Service Providers: Third-party vendors and processors who perform services on our behalf (e.g., cloud hosting, payment processing, analytics, email delivery). These providers are contractually obligated to protect your data and use it only for the purposes we specify.
Business Transfers: In connection with any merger, acquisition, reorganisation, sale of assets, or bankruptcy proceedings involving Aeonis Technology Private Limited, your information may be transferred as part of the business assets, subject to the obligations of this Privacy Policy.
Legal Requirements: If required by law, regulation, or legal process (such as a court order or subpoena), or in response to valid requests by governmental authorities, including SEBI, RBI, CERT-In, or law enforcement agencies in India.
Protection of Rights: To protect and defend the rights, property, or safety of the Company, our users, or the public, including enforcing our Terms of Service.
With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.

6. Data Storage, Retention, and Security

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The retention period varies depending on the nature of the data:

Account Data: Retained for the duration of your account and for a period of 3 years after account termination, or as required by applicable law.
Transaction Records: Retained for a minimum of 8 years as required under Indian taxation and financial record-keeping laws.
Communication Records: Retained for 3 years from the date of the last communication.
Usage and Log Data: Retained for up to 2 years for analytics purposes.

We implement reasonable security practices and procedures as mandated under Section 43A of the IT Act and the SPDI Rules, including:

Encryption of sensitive personal data both in transit (TLS 1.2+) and at rest (AES-256).
Access controls and authentication mechanisms to restrict data access to authorised personnel.
Regular security assessments, vulnerability testing, and penetration testing.
Comprehensive information security policies and procedures aligned with ISO/IEC 27001 standards.
Employee training on data protection and security best practices.
Incident response procedures for prompt detection and notification of data breaches.

Despite our best efforts, no method of electronic transmission or digital storage is 100% secure. We cannot guarantee absolute security but are committed to taking all reasonable measures to protect your information.

7. International Data Transfers

Your information may be transferred to and processed on servers located outside India, including in jurisdictions where data protection laws may differ from those in India. We use cloud infrastructure providers whose servers may be located in multiple countries.

In all cases of cross-border data transfer, we ensure that:

Adequate safeguards and contractual protections are in place with the receiving entity.
The transfer complies with applicable provisions of the DPDPA and rules notified thereunder regarding cross-border data transfers.
Your data is not transferred to jurisdictions notified as restricted by the Central Government under the DPDPA.
An equivalent level of protection is applied to your information as required under Indian law.

By using the Services, you consent to the transfer of your information to countries outside India, subject to the protections described above.

8. Your Data Protection Rights

In accordance with the DPDPA, SPDI Rules, and other applicable laws, you have the following rights regarding your personal data:

Right to Access: You have the right to request a summary of the personal data being processed and the processing activities undertaken.
Right to Correction: You have the right to request correction or updating of inaccurate or incomplete personal data.
Right to Erasure: You have the right to request erasure of your personal data, subject to legal retention requirements.
Right to Withdraw Consent: You may withdraw your consent for data processing at any time, subject to applicable legal obligations.
Right to Grievance Redressal: You have the right to register complaints with our Grievance Officer or with the Data Protection Board of India.
Right to Nominate: Under the DPDPA, you have the right to nominate an individual who may exercise your data rights in the event of your death or incapacity.

To exercise any of these rights, please contact our Grievance Officer (see Section 13). We will respond to your request within 30 days of receipt, or within the timeframe prescribed by applicable law.

9. Third-Party Links and Services

The Site may contain links to third-party websites, services, or applications that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit. The inclusion of a link does not imply endorsement by the Company.

10. Cookies Policy

We use the following types of cookies on the Site:

Strictly Necessary Cookies: Essential for the Site to function properly. These cannot be disabled.
Analytics Cookies: Help us understand how visitors interact with the Site by collecting information anonymously.
Functional Cookies: Enable enhanced functionality and personalisation based on your interactions.
Marketing Cookies: Used to track visitors across websites to display relevant advertisements.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Site.

11. Data Breach Notification

In the event of a personal data breach that is likely to affect your rights and interests, we will notify the Data Protection Board of India and affected individuals without unreasonable delay, as required under the DPDPA. We will also comply with any breach notification requirements under the IT Act and directions issued by CERT-In, including reporting cyber security incidents within the timelines prescribed under CERT-In directions.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on this page with a revised "Effective Date." For material changes, we may also notify you via email or through a prominent notice on the Site. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

13. Grievance Officer

In accordance with Section 5(9) of the SPDI Rules, 2011 and the provisions of the IT Act, 2000, the details of the Grievance Officer are as follows:

Grievance Officer: The Designated Grievance Officer

Organisation: Aeonis Technology Private Limited

Email: grievance@novaex.ai

Address: Mumbai, Maharashtra, India

The Grievance Officer shall acknowledge receipt of any complaint within 24 hours and resolve the complaint within 15 days of receipt, in compliance with applicable law. If you are not satisfied with the resolution, you may escalate the matter to the Data Protection Board of India as established under the DPDPA.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Aeonis Technology Private Limited (operating as Novaex)

Email: privacy@novaex.ai

Website: novaex.ai

Registered Office: Mumbai, Maharashtra, India