Privacy & Data Protection Policy | Novosan

Last Updated: March 4, 2026

At Novosan, we are committed to protecting your personal data and respecting your privacy. This Privacy & Data Protection Policy explains how we collect, use, store, and safeguard personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

1. Data Controller & Contact Information

Novosan is the data controller responsible for the processing of personal data as described in this policy. For any privacy-related questions or requests, please contact us using the details above stated in the footer.

2. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

• First and last name
• Company name
• Address and billing address
• Email address
• Phone number
• Payment details
• IP address
• Correspondence and communication data
• Any other information voluntarily provided via our website, contact form, email, phone, or social media

We only process personal data that is necessary for clearly defined purposes.

3. Contact Details & Registration

When you use our services, request information, or contact us via email, phone, or website, we may create a digital contact record in our administration system.

Data collected:
Name, company name, address, phone number, email address, billing information, and where applicable, payment details.

Legal basis:

• Performance of a contract (Art. 6(1)(b) GDPR)

• Legal obligation (Art. 6(1)(c) GDPR)

• Legitimate interest (Art. 6(1)(f) GDPR) for business administration and fraud prevention

Retention period:
We retain contractual and financial data for the duration of our cooperation plus the statutory retention period of 7 years (in accordance with tax legislation). Other contact data is retained as long as reasonably necessary for business purposes unless a deletion request is submitted.

4. User Accounts

If you create an account on our website:

• Your account is protected by a username and a self-selected password.

• You have access to update, correct, or delete your information at any time.

Purpose:

• To facilitate efficient communication

• To simplify future transactions

• To manage services provided

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

5. Handling Orders & Payments

When you place an order or enter into a service agreement with us, we process personal and payment information to execute the agreement.

Purpose:

• Order processing

• Payment handling

• Customer support

• Fraud prevention

• Legal compliance

Third parties:
We may share necessary data with carefully selected third parties such as:

• Payment service providers

• Accounting providers

• IT hosting providers

• Logistics partners (if applicable)

We enter into Data Processing Agreements (DPAs) where required to ensure GDPR compliance. Data is never sold to third parties.

A list of processing partners can be requested where legally required or in cases involving suspected fraud.

6. Contact Form

Our website contains an online contact form.

When you submit a request via the contact form, we collect the information you provide (such as name, email address, phone number, company name, and message content).

Purpose:

• To respond to your inquiry

• To provide requested information or quotations

• To establish potential business relations

Legal basis:

• Legitimate interest (Art. 6(1)(f) GDPR) in responding to business inquiries

• Performance of pre-contractual measures (Art. 6(1)(b) GDPR)

Retention:
Contact form submissions are retained as long as necessary to handle your request and, where applicable, incorporated into our business administration subject to statutory retention periods.

We implement technical safeguards to prevent misuse of the contact form and protect transmitted data via encrypted connections (SSL/TLS).

7. Mailing, Newsletters & Marketing Communication

7.1 Voluntary Newsletter Subscription

You may subscribe to our newsletter via our website or through social media channels (e.g., Facebook or Instagram).

Purpose:

• Sharing news, updates, product information, and industry insights

Legal basis:

• Consent (Art. 6(1)(a) GDPR)

You may withdraw your consent at any time via:

• The unsubscribe link included in each email

• Contacting us directly

• Adjusting your settings on relevant platforms

Withdrawal does not affect the lawfulness of processing prior to withdrawal.

7.2 Business Mailings & B2B Outreach

We may send targeted mailings to:

• Companies and professionals whose activities align with our services

• Business email addresses obtained through previous cooperation

• Contact details provided to us over the years in a professional context

Legal basis:

• Legitimate interest (Art. 6(1)(f) GDPR)

Our legitimate interest consists of promoting our services to relevant business contacts in a professional (B2B) environment. Before sending communications, we assess whether our interest is not overridden by the rights and freedoms of the recipient.

We ensure that:

• Communications are relevant and proportionate

• Recipients can easily opt out at any time

• Every mailing contains a clear unsubscribe option

If you object to receiving marketing communications, we will immediately cease such processing unless compelling legitimate grounds exist.

We do not conduct automated decision-making or profiling that produces legal or similarly significant effects.

8. Data Security

We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, or alteration.

These measures include:

Encryption:
Secure Sockets Layer (SSL/TLS) encryption for data transmission.

Access Control:
Access to personal data is limited to authorized personnel only and protected by secure authentication mechanisms.

System Protection:
Use of secure servers, firewalls, and regularly updated software.

Organizational Measures:
Confidentiality agreements and internal data protection policies.

While we implement industry-standard security measures in line with current technology and cost considerations (Art. 32 GDPR), absolute security cannot be guaranteed.

9. International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs)

• Adequacy decisions by the European Commission

• Other legally approved transfer mechanisms

10. Visual Material & Website Content

No rights may be derived from images, videos, illustrations, or visual representations of products or services displayed on this website. Such materials are for illustrative purposes only.

11. Your Rights Under GDPR

You have the following rights:

• Right to Information – To understand how and why we process your data.

• Right of Access – To obtain a copy of your personal data.

• Right to Rectification – To correct inaccurate or incomplete data.

• Right to Erasure (“Right to be Forgotten”) – Subject to legal limitations.

• Right to Restriction of Processing

• Right to Data Portability

• Right to Object – Particularly to marketing communications.

• Right to Withdraw Consent (where processing is based on consent).

Requests can be submitted via email. To protect your privacy, we may request verification of your identity before processing your request.

We will respond within one month, as required under GDPR.

12. Complaints

If you believe we are not handling your personal data correctly, please contact us first so we can resolve the issue.

You also have the right to lodge a complaint with your local Data Protection Authority. For example, in the Netherlands this is the Autoriteit Persoonsgegevens.

13. Changes to This Policy

We reserve the right to amend this Privacy & Data Protection Policy. The most recent version will always be published on our website with the updated date.