Privacy Policy

Effective date: 1 May 2025 · Controller: NovaCore Systems LLC

NovaCore Systems LLC ("we", "us", "our") operates Astra at astraid.io. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights. It applies to visitors to our website, users of the Astra platform, and prospective customers.

1. Who We Are (Data Controller)

NovaCore Systems LLC is the data controller for personal data collected through this website and the Astra platform. If you have questions or concerns about how we handle your data, contact our privacy team at privacy@astraid.io.

2. What Data We Collect and Why

2.1 Website visitors

When you visit our website we may collect:

  • IP address and approximate location (processed by our hosting infrastructure for security and rate-limiting; not retained in analytics logs)
  • Browser type, operating system, and referrer URL (in server access logs, retained ≤ 30 days)
  • Pages visited and time on page (only if you consent to analytics cookies)

Legal basis (GDPR): Legitimate interests (Art. 6(1)(f)) for security and fraud prevention. Consent (Art. 6(1)(a)) for analytics.

2.2 Demo request form

When you submit a demo request we collect your name, work email, company name, phone number (optional), fleet size (optional), and your message. This data is used to respond to your enquiry and is forwarded to our sales team via SendGrid (see §5).

Legal basis: Legitimate interests (Art. 6(1)(f)) — responding to a business enquiry you initiated. You may request deletion at any time.

2.3 Account registration and use of the platform

If you register as a tenant or are invited as a platform user, we collect:

  • Name and email address (required for account creation)
  • Organisation name and subdomain (required for tenancy)
  • Billing information (processed by Stripe; we do not store payment card details)
  • Authentication data (hashed passwords or OAuth tokens; we never store plaintext passwords)
  • Usage data (feature interactions, API calls) for support, security, and product improvement
  • Agent telemetry submitted by your monitoring agents (network metrics, hostnames, IPs) — you control what agents submit

Legal basis: Contract performance (Art. 6(1)(b)) for account and service delivery. Legitimate interests (Art. 6(1)(f)) for security monitoring and abuse prevention.

2.4 Nova AI chat

If you use the Nova AI assistant within the platform, your chat messages and the live agent-context data included in them are sent to Anthropic for processing. Conversation history is stored locally in your browser (localStorage) and is not retained on our servers after the session response. You may clear conversation history at any time from the Nova panel.

Legal basis: Contract performance / Consent where required.

2.5 Cookies and similar technologies

We use cookies and localStorage for authentication, preferences, and (with consent) analytics. See our Cookie Policy for full details.

3. How We Use Your Data

  • Providing and improving the Astra service
  • Processing payments and managing subscriptions
  • Sending transactional emails (account invitations, invoices, alerts)
  • Responding to support, sales, and privacy enquiries
  • Security monitoring, fraud prevention, and rate-limiting
  • Legal compliance and enforcement of our Terms of Service
  • Analytics and product research (only with your consent)

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

4. Data Retention

We retain personal data only as long as necessary for the stated purpose or as required by law:

  • Account data: retained for the duration of your account plus 90 days after deletion request
  • Billing records: 7 years (tax/legal obligation)
  • Server access logs: 30 days
  • Consent records: 3 years (regulatory evidence)
  • Privacy request records: 3 years
  • Demo request data: 12 months, or until you request deletion
  • Agent telemetry metrics: according to the data-retention setting configured by the tenant (default 24 h; extendable per plan)

5. Third-Party Data Processors

We engage the following sub-processors. Each has been assessed for compliance and operates under a Data Processing Agreement (DPA) where required by GDPR:

Processor | Purpose | Location | DPA / Safeguard
Stripe | Payment processing and subscription management | US / EU | SCCs + BCRs
SendGrid (Twilio) | Transactional email delivery | US | SCCs
Anthropic | Nova AI chat processing | US | API terms / SCCs where applicable
hCaptcha (Intuition Machines) | Bot detection / CAPTCHA on forms | US | SCCs
MongoDB Atlas (if used) | Database hosting | Configurable | DPA available
Cloudflare (if used) | CDN, DDoS protection, geo-routing | Global | DPA available

International transfers: Some processors are located in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Addendum to SCCs as the lawful transfer mechanism under GDPR Chapter V and UK GDPR.

6. Your Rights

6.1 EU & UK residents (GDPR / UK GDPR)

You have the right to:

  • Access — obtain a copy of the personal data we hold about you (Art. 15)
  • Rectification — correct inaccurate data (Art. 16)
  • Erasure — request deletion ("right to be forgotten") (Art. 17)
  • Restriction — limit how we process your data (Art. 18)
  • Portability — receive your data in a machine-readable format (Art. 20)
  • Object — object to processing based on legitimate interests (Art. 21)
  • Withdraw consent — at any time, without affecting prior processing
  • Lodge a complaint — with your national supervisory authority (e.g., ICO in the UK)

To exercise these rights, submit a request via our Privacy Request Form or email privacy@astraid.io. We will respond within 30 days.

6.2 California residents (CCPA / CPRA)

California residents have the right to:

  • Know what personal information is collected, used, disclosed, or sold
  • Delete personal information we hold (with exceptions)
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information
  • Limit use and disclosure of sensitive personal information
  • Non-discrimination for exercising privacy rights

We do not sell or share personal information as defined by CCPA/CPRA. To exercise your rights, use the Do Not Sell or Share page or the Privacy Request Form.

6.3 Other U.S. state residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other U.S. states with enacted privacy laws have similar rights to access, correct, delete, and opt out of certain processing. Submit requests via our Privacy Request Form.

7. Global Privacy Control (GPC)

We honour the Global Privacy Control (GPC) signal. If your browser or extension sends a GPC opt-out signal when you visit our website, we automatically treat this as an opt-out of analytics and advertising cookies and do not prompt you with a consent banner. This applies to California residents per CPRA and is extended as good practice to all visitors.

8. Children's Privacy

Astra is a B2B enterprise service not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, contact us immediately.

9. Security

We implement industry-standard security measures including TLS encryption in transit, hashed passwords, role-based access control, and regular security audits. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

10. Changes to This Policy

We may update this policy periodically. When we make material changes we will update the effective date, post the revised policy on this page, and (for registered users) send an in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy enquiries, rights requests, or complaints, contact us by any of the following means:

Postal / Legal:
NovaCore Systems
ATTN: LEGAL
1870 The Exchange SE Ste 220
PMB 317439
Atlanta, Georgia 30339-2171
United States

Privacy enquiries: privacy@astraid.io

Online request form: astraid.io/privacy/requests

UK & EU residents may also contact the relevant supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your national Data Protection Authority — edpb.europa.eu/about-edpb/about-edpb/members