Legal
Privacy Policy
This policy explains what data Novix handles, why, who we share it with, and how you control it. We have tried to describe what the product actually does today rather than promise more than we do. Where a practice is planned but not yet in place, we say “will.”
Scope and roles
This policy covers Novix (“Novix,” “we,” “us”): the application, dashboard, and APIs. It covers two kinds of data: information about the people who administer an Novix workspace (our customers), and the content those customers connect so Novix can do its job (tickets, code context, and credentials).
For the content you connect, you are the controller and Novix acts as a processor on your behalf: we handle that data to provide the Service to you, under your instructions. You are responsible for having the right to share it with us and for your own privacy obligations to your end customers.
What we collect
Account information
When you sign up, we store your name, email address, and workspace membership and role. Passwords are never stored in plain text. We keep only a salted scrypt hash, which cannot be reversed back into your password.
Support tickets, including end-customer messages
Novix reads support tickets from the tools you connect. A ticket can include the message text your end customer wrote, a subject and description, the requester’s email address, error logs, code snippets attached to the ticket, and metadata about its source. It can also include internal notes and tags your team adds. This content often contains personal data belonging to your end customers, which you have chosen to route through Novix.
Connected-integration credentials
To read from and write to the tools you connect, we store the API keys, tokens, and secrets you provide. These credentials are encrypted at rest using authenticated encryption, and their values are never returned by our API. The dashboard shows only which credential fields are set, not the secrets themselves.
Code context pulled for diagnosis
When diagnosing a ticket, Novix pulls live evidence from the systems you connect (for example, matching files and recent commits from a connected repository, and error, log, or incident data from observability tools). The relevant excerpts are stored on the ticket so the diagnosis, the drafted fix, and your dashboard can use them.
Audit logs and product data
We keep an append-only audit log of significant actions in a workspace (for example, a ticket being analyzed, a fix being drafted, approved, or rejected, an integration being connected, and membership changes). The audit log records who did what and when; it does not store secrets, tokens, or password data. We also process ordinary operational data such as basic logs and usage counts needed to run and secure the Service.
How we use it
We use the data described above to:
- Provide the Service: classify and diagnose tickets, gather code context, and draft candidate fixes and customer replies for your review.
- Open pull requests and send the notifications you configure (for example a Slack alert when a diagnosis is ready), and maintain the audit trail.
- Operate, secure, debug, and improve the Service, and enforce our Terms.
- Communicate with you about your account and the Service.
We do not sell your data. We do not use the content of your tickets or code to train our own models.
AI processing
Novix uses a large language model to classify, diagnose, and draft fixes. To do this, the relevant ticket content and the code and context pulled for that ticket are sent to our AI provider, Anthropic, and processed by its Claude models. This is the core of how the Service works.
Anthropic processes this data to return a result to us; per Anthropic’s commercial terms, it does not use data submitted through its API to train its models. When no AI provider key is configured, Novix runs in an offline demo mode and this data is not sent anywhere.
Subprocessors
We use a small number of third parties to run the Service. Each acts on our instructions and receives only what it needs.
- Anthropic: AI analysis. Receives ticket content and the code and context pulled for a ticket, in order to classify, diagnose, and draft fixes and replies.
- Hosting and database (to be finalized): the Service runs on managed cloud infrastructure with a managed database. We are finalizing our hosting provider before launch and will name it here. Database connections are made over TLS.
- Email delivery: transactional email only (account, password-reset, and invitation messages). When a delivery provider is enabled, the recipient address and message are shared with it to send the email. Before launch, email may be logged rather than delivered.
- Slack: optional and only if you configure it. If you add a Slack notification webhook, ticket summaries and links are sent to your Slack workspace.
We will maintain a current list of subprocessors and provide a way to be notified of changes before general availability.
How we protect it
- Encrypted credentials. Integration API keys, tokens, and secrets are encrypted at rest with authenticated encryption, and their values are never returned through the API.
- Hashed passwords. Passwords are stored only as a salted
scrypthash, never in plain text. - Encryption in transit. Connections to the managed database are made over TLS.
- Tenant scoping. Data is scoped to your workspace, and access is limited to the members you invite and their roles.
No method of storage or transmission is perfectly secure, and while the Service is in beta we are still hardening our practices. We will continue to strengthen our security controls, and we will describe a formal security program and incident-response commitments before general availability.
Data retention
We keep your workspace data (tickets, diagnoses, drafted fixes, context, and audit logs) for as long as your account is active, so the product stays useful and the audit trail stays intact. We retain data as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. We will publish specific retention windows before general availability.
Deletion and your choices
Disconnecting an integration deletes the stored credentials for that integration right away. You can do this at any time from the dashboard.
Deleting your workspace or account. You can ask us to delete your workspace and its data by emailing privacy@getnovix.ai, and we will delete it, subject to any data we must keep for legal reasons. A self-service deletion control in the dashboard is planned. If you have a question about, or want a copy of, the personal data associated with your account, contact us and we will help.
Because much of the content in Novix belongs to your end customers, requests from those end customers should generally go through you as the controller; we will support you in responding to them.
End-customer data
Support tickets routed through Novix often contain personal data about your end customers: their messages, email addresses, and whatever they included when they reached out. You decide what to connect and route to Novix. You are responsible for having a lawful basis and any notices or consents required to share that data with us and, in turn, with our subprocessors for the purpose of diagnosing and resolving the ticket.
A data processing addendum (DPA) that covers this relationship will be available on request before general availability.
Where data is processed
The Service and our subprocessors, including our AI provider, may process and store data in the United States and other countries. If you are located elsewhere, using the Service means your data may be transferred to and processed in those countries. We will put appropriate transfer safeguards in place as we formalize our subprocessor agreements before general availability.
Children
Novix is a business tool and is not directed to children. It is not intended for anyone under the age of majority in their jurisdiction, and we do not knowingly collect personal data from children through the account-holder side of the Service.
Changes to this policy
We will update this policy as the product and our practices evolve, and we expect to, since this is a draft that will be reviewed by counsel before general availability. When we make a material change, we will update the effective date above and, where appropriate, give notice. Continuing to use the Service after a change takes effect means you accept the updated policy.
Contact
Privacy questions or requests?
Email privacy@getnovix.ai. See also our Terms of Service.