This Privacy Policy explains how Novo Compliance, LLC (“Novo Compliance,” “we,” “us,” “our”) collects, uses, retains, protects, and discloses personal information while providing professional consulting services in regulatory compliance, regulatory intelligence, and life sciences advisory. This Policy applies to information collected through our website, emails, proposals, contracts, engagement tools, events, and other interactions with clients, prospects, vendors, and other stakeholders.
Effective Date: 27-October-2025
We collect Personal Data in the following ways:
When you are a Website User browsing and making use of our Website, we collect the Personal Data submitted by you using the website forms including, without limitation, full name, email address, phone number, position, company name and industry, comments, and messages (including support requests or any other contact-us or chat communication/conversation) and any other Personal Data you submit or provide us with.
Personal Data from Other Sources (e.g., Prospects, Candidates). If you are active in areas in which we operate (e.g., the life science space), we may collect publicly available Personal Data about you. We may use this Personal Data to identify and contact you about your area of expertise/role in the industry, for example, to invite you to write a blog or speak at an event. We may also obtain Personal Data about you from other sources, including publicly or commercially available information, and through third-party data platforms, partners, marketing events, conferences, and service providers.
Automatic Data Collection (e.g., Website User). We collect Personal Data such as referring website addresses. In some cases, we may combine this automatically collected log information with other information we collect about you and use it to keep a record of our interaction and to enable us to support, personalize, and improve our Website. This may involve the creation of aggregate or other non-personal data. We collect this type of information using cookies and other similar technologies (“Technologies”); please see Novo Compliance’s Cookie Policy for further details.
Personal Data you provide to us in person (e.g., Office Visitors and/or Event Attendees). For example, when you visit our offices, one of our exhibition booths, or attend one of our events, you provide us with your contact details. We will use the Personal Data to answer your inquiries or provide additional information to you.
Personal Data we collect from online interactions (e.g., Prospects, Candidates, registration to online events and/or webinars). For example, if you attend a webinar, contact us via social media, or otherwise interact with our business, including as a representative of a current/prospective customer, supplier, or partner, we track and make a record of those interactions, which may contain your contact details, such as full name, email address, messages and any other information that you decide to provide us with.
The lawful bases we rely on for processing Personal Data (PII) are (if and when applicable):
- The data subject (you) has given consent to the processing of his or her personal data;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the data controller is subject; and/or
- Processing is necessary for the purposes of legitimate interests and is limited to what is required for that purpose.
Your Personal Data will be stored until we delete our records, either because we proactively delete it or because you send a valid deletion request. Please note that in some circumstances we may store your Personal Data for longer periods of time, for example (i) where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements, (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges, and/or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings.
How Do We Protect Your Personal Data? We implement and maintain technical, organizational, and security measures designed to protect your Personal Data, in accordance with industry best practices. As the security of Personal Data depends in part on the security of the computer, device, or network you use to communicate with us and connect to our Website, and on the measures you use to protect your user IDs and passwords, please make sure to take appropriate steps to protect your Personal Data.
Who Do We Share Your Personal Data With? We do not disclose or share your Personal Data with third parties except to provide you the Website you have requested (including to perform the contract and your instructions), or under the following circumstances:
- Internal administrative, billing, and other business purposes as well as fulfilling the purposes mentioned above.
- We use third-party vendors, service providers, partners, agents, and advisers to operate our Website, conduct and administer our business, and provide you with our Website. Such third parties include billing companies, website infrastructure management, technology solutions, support platforms, and vendors of cookies and other similar technologies (including analytics, session recording/replay, business intelligence tools, marketing tools, hosting/storage, email distribution and monitoring, authentication, marketing automation, logging and monitoring, sales engagement and automation, data and cyber security services, billing and payment processing services, fraud detection and prevention services, risk management, session recording, consent management platforms, and remote access services), as well as our legal and financial advisors and document management providers.
- When you attend an event or webinar that is co-sponsored by us and another organization (or our partners), please be aware that we may share your contact details and participation information with such a partner. This sharing of information is aimed at enhancing your event experience and offering you relevant information and opportunities related to the event or webinar. Each co-sponsor may use your information in accordance with their own privacy policies, and we encourage.
- We may disclose information with our lawyers, accountants, auditors, and other professional advisors about such information as where it is necessary to obtain legal or other advice or otherwise protect and manage our business interests.
- In order to enforce any claims we are entitled to (e.g., if you breach the contract).
- To the extent necessary, with regulators, courts, public authorities (for example, tax authorities), banks, or competent authorities, to comply with applicable laws, regulations, and rules (including, without limitation, federal, state, or local laws) and requests of law enforcement, regulatory, and other governmental agencies, or if required to do so by court order, as well as for internal compliance procedures and to protect the safety, security, and integrity of our Website, services, customers, employees, property, and the public. We may use or disclose the information we collect in order to ensure that our users are complying with all applicable aspects of our policies.
- If in the future, we sell or transfer, or we consider selling or transferring, some or all of our business, shares or assets to a third party, we may disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events (including, without limitation, our current or potential investors or purchasers (and their advisers), our advisers, with a need to know). In the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer Personal Data to the acquiring or successor entity and such third party may use, process, or disclose that Personal Data as necessary to operate the business, subject to any contractual or legal restrictions that apply. In such an event we will seek to ensure that the transferee assumes the same privacy obligations that we currently maintain, or that the Personal Data will be processed in a manner consistent with this Privacy Policy. If required by law or where practicable, we will notify affected individuals of the transfer and any change in the purposes for which their Personal Data will be processed and of any new choices available to them.
- In circumstances for which you have given your consent.
Scope and categories of personal information collected
Business and contact data: name; business email; business phone; business mailing address; company name; job title; department; contract and billing contacts.
Engagement data: proposals; statements of work; project scope; deliverables; meeting notes; non‑confidential technical summaries; role-specific qualifications.
Financial and transaction data: invoicing details; billing address; limited payment data (we do not store full card numbers except via third‑party payment processors).
Communications and service data: email correspondence; meeting recordings and transcripts where consented; support requests; client-provided contact lists.
Operational and technical data: IP address; browser and device information; website cookies and analytics; access and audit logs.
Compliance and risk data: audit results; risk assessments; regulatory status and licensing details as required by engagements.
Sensitive and health-related data: we do not intentionally collect protected health information (PHI) or special category personal data unless explicitly agreed in writing; if such data is processed it will be processed only under contract with enhanced safeguards.
Purposes of processing and legal bases
Service delivery and contract performance: delivering professional consulting in regulatory strategies, regulatory compliance, regulatory intelligence, QMSR & cGxP training, and advisory services. Processing is necessary to fulfil all contracts.
Legal and regulatory compliance: to satisfy statutory, regulatory, tax, or audit obligations. Processing is necessary for legal compliance.
Legitimate interests: to manage client relationships, prevent fraud, secure systems, operate and improve our services, and run our business, balanced against individual rights.
Consent: where required (for marketing, recording meetings, processing certain sensitive data), we process on the basis of documented consent.
GDPR lawful bases: performance of contract; legal obligation; legitimate interests; consent where explicitly required.
Sharing, transfers, and safeguards
Third‑party service providers: we disclose personal information to vendors that provide hosting, analytics, payment processing, communications, legal, and professional services under written contracts requiring confidentiality and data protection.
Affiliates and subcontractors: disclosure to affiliates and contractors engaged to deliver services, subject to contractual safeguards.
Client‑directed disclosures: we will disclose information to client-designated parties when required to perform the engagement.
Legal requirements and protection of rights: disclosures to comply with laws, court orders, investigations, and to protect rights, property, or safety.
Business transfers: in a merger, acquisition, or asset sale we may transfer personal information; affected parties will be notified when required.
International transfers: personal information may be processed or stored outside the data subject’s country; we use appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or other lawful transfer mechanisms and technical measures to protect transferred data.
HIPAA (Health Insurance Portability and Accountability Act)
Business Associate commitments: where processing of PHI is required, we will enter into a Business Associate Agreement (BAA) with the covered entity specifying permitted uses and disclosures, safeguards, reporting, and breach notification obligations.
Minimum necessary and purpose limitation: we limit PHI to the minimum necessary to perform the services contracted by the covered entity.
Administrative, physical, and technical safeguards: role‑based access controls; encryption of PHI in transit and at rest when feasible; audit logging; workforce training; secure disposal methods.
Breach response: we will notify the covered entity without unreasonable delay and in no case later than the timeframes required by applicable law; we will cooperate in mitigation and required reporting.
GDPR (General Data Protection Regulation)
Lawful bases and transparency: we document lawful bases for processing and provide transparent information to data subjects.
Data Processing Agreement (DPA): where Novo Compliance acts as a processor for EU personal data, we execute a DPA with the controller incorporating GDPR-required terms, audit rights, a sub-processor list, and technical/organizational measures.
Data subject rights: we support controllers in responding to requests for access, rectification, erasure, restriction, portability, and objection; we will respond to controller requests promptly to enable compliance.
Breach notification: where Novo Compliance is a controller or processor with notification obligations, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach when required by law and notify affected data subjects where required.
International transfers: transfers of personal data from the EEA/UK will be protected with appropriate safeguards (SCCs, BCRs, adequacy decisions, or other lawful mechanisms).
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
Consumer rights: we recognize rights for California residents including the right to know; right to delete; right to opt out of sale or sharing of personal information; right to non-discrimination for exercising privacy rights.
Service provider model: where acting as a service provider to a business, we process personal information under written contract terms limiting use to the business’s instructions and prohibiting sale of personal information.
Consumer requests: we provide mechanisms to receive and verify requests to know, delete, and opt‑out; we respond within statutory timeframes (typically 45 days with possible 45‑day extension upon notice).
Do Not Sell/Share: we do not sell personal information; where any activity could be construed as a sale or sharing under applicable law, we provide clear opt‑out mechanisms and honor user choices.
Data retention, security, and data subject rights
Retention: personal information is retained only as long as necessary for business or legal purposes; typical retention for engagement records is the engagement term plus a recordkeeping period (commonly 7 years) unless otherwise required or agreed.
Security measures: administrative controls (least privilege; employee training), technical controls (encryption in transit and at rest where applicable; secure backups; intrusion detection; regular vulnerability testing), and contractual controls for vendors.
Breach management: incident response plan, forensic investigation, remediation, and notifications to affected parties and regulators as required by law.
Data subject rights and request process: individuals may exercise their rights (access, rectification, deletion, portability, restriction, objection, withdraw consent, opt-out of sale) by contacting our Privacy Officer; we verify identity before fulfilling requests and comply within applicable legal timelines.
Cookies and Similar Technologies
We, as well as third parties that provide content, relevant, related, or complementary offers, or other functionality on our Website, use Technologies to automatically collect information through the Website. We use Technologies that are essentially small data files placed on your device that allow us to record certain pieces of information whenever you visit or interact with the Website. If you would like to opt out of the cookies and similar technologies we employ on the Website, you may do so by blocking, deleting, or disabling them as your browser or device permits or by changing your settings and preferences in the preference center.
Cookies, third‑party sites, children, changes, and contact:
Cookies and analytics: our website uses cookies and third‑party analytics to improve functionality and measure usage; users can manage cookie preferences via browser settings or provided controls.
Third‑party links: our site and services may link to third‑party sites and use third‑party platforms (meeting tools, payment processors, analytics); we are not responsible for their privacy practices.
Children: our services are business focused; we do not knowingly collect personal information from children under 16.
Policy changes: we may update this Policy to reflect legal, operational, or service changes; material changes will be communicated via our website or directly to affected contacts where required.
Contact and exercising rights:
Email: privacy@novocompliance.com
Mail: Novo Compliance, LLC, Attn: Privacy Officer, 626 Wilshire Blvd, Ste 410-J30, Los Angeles, CA 90017
For HIPAA matters: request a BAA or report PHI incidents via the above contact.
Verification and response: we will verify requester identity and respond to requests in accordance with applicable law and contractual obligations.
By engaging in our services or using our website you acknowledge that you have read and understood Novo Compliance’s Privacy Policy.