Novi (Consumer) Novi for Schools

Novi for Schools — Privacy Policy

Last updated: April 2026

1. Who We Are

Novi Innovations Ltd (Company Number: 16865816), registered at 16 Allandale Avenue, London, N3 3PJ ("Novi", "we", "us"), provides a focus mode management solution for UK secondary schools.

2. Controller & Processor Roles

The school is the Data Controller — it determines the purposes and means of processing student data. Novi is the Data Processor — we process personal data only on behalf of the school, under a signed Data Processing Agreement (Article 28 UK GDPR).

3. What Data We Process

Data Type	Purpose	Retention
Student name	Identification by teachers	Duration of enrolment
Student email	Authentication	Duration of enrolment
School ID	School association	Duration of enrolment
Focus mode status	Core functionality	Real-time only
Presence status	Core functionality	Real-time only
Last seen timestamp	Activity monitoring	30 days rolling

4. Age & the Children's Code

Novi for Schools has no age restriction — it is available to all students as directed by the school. As the app processes data of children, Novi is designed in accordance with the ICO's Age Appropriate Design Code (Children's Code). We do not use nudge techniques, profiling, or behavioural tracking.

5. Lawful Basis

Schools may rely on Legitimate Interests (Article 6(1)(f)) or Public Task (Article 6(1)(e)) to process student data. Novi does not rely on student consent as the lawful basis. Schools are responsible for informing parents/students about data processing.

6. Data Sharing & Sub-processors

Sub-processor	Purpose	Location
Google Cloud Platform	Infrastructure	London, UK
Firebase Firestore	Database	europe-west2, UK
Firebase Authentication	User auth	EU
Wonde	Timetable and student data sync	UK

We do not sell data, share with advertisers, or transfer data outside the UK/EEA (except Firebase Authentication, a global Google service; all other data is stored in UK data centres).

7. Data Security

• All data encrypted at rest (AES-256) and in transit (TLS 1.3)
• Hosted in UK data centres (europe-west2, London)
• Firebase security rules restrict each user to their own data
• Passwords never stored in plain text
• Data breaches notified to the school within 24 hours

8. Data Subject Rights (UK GDPR)

Students and parents have the right to: Access, Rectify, Erase, Restrict processing, Data portability, and Object to processing. Rights requests should be directed to the school, who will instruct Novi as needed.

9. Data Deletion

All personal data is deleted or returned upon contract termination. Students can be removed from the system at any time by school administrators.

10. Complaints

1. Contact us: privacy@getnovi.co.uk
2. Contact your school's Data Protection Officer
3. Contact the ICO: ico.org.uk

Novi (Consumer) — Privacy Policy

Last updated: April 2026

1. Who We Are

Novi Innovations Ltd (Company Number: 16865816), registered at 16 Allandale Avenue, London, N3 3PJ ("Novi", "we", "us"), provides a digital wellbeing application that helps users manage screen time through NFC-powered focus sessions.

Novi is the Data Controller of personal data collected via the consumer app.

2. What Data We Collect

Data Type	Purpose	Legal Basis
Name	Account identification	Legitimate interests
Email address	Account identification, verification, communication	Legitimate interests
Password (hashed)	Account security	Legitimate interests
Focus session records	Track session start/end times and durations	Legitimate interests
Focus goal preferences	Allow users to set daily/weekly targets	Legitimate interests

If you sign in via Google or Apple, your name and email are obtained from that provider.

We do NOT collect:

• Location data
• Device identifiers or IP addresses
• Browsing history or app usage data
• Biometric data
• Health data
• Photos, videos, or messages
• Social media account information

3. Age

Novi has no age restriction. The app is available to all users. We do not use nudge techniques, profiling, or behavioural tracking.

4. Legal Basis for Processing

We process personal data under Article 6(1)(f) of UK GDPR (legitimate interests). Our legitimate interest is to provide the focus management service that users have voluntarily opted in to. Users may withdraw at any time by deleting their account.

5. How We Use Your Data

• Provide and operate the focus session functionality
• Send account verification and password reset emails
• Track focus session history and progress towards goals you set
• Generate anonymised, aggregated usage statistics

We do not use your data for marketing, profiling, or automated decision-making.

6. Data Sharing

Third Party	Purpose
Google Cloud / Firebase	Data storage and processing (UK, europe-west2)
Google OAuth (if selected)	Authentication only
Apple Sign-In (if selected)	Authentication only
Gmail SMTP	Verification and password reset emails

We do not sell your data, share with advertisers, use data for marketing to third parties, or transfer data outside the UK/EEA (except Firebase Authentication, a global Google service; all other data is stored in UK data centres).

7. Data Security

• All data encrypted at rest (AES-256) and in transit (TLS 1.3)
• Hosted in UK data centres (europe-west2, London)
• Firebase security rules restrict each user to their own data
• Passwords never stored in plain text (handled by Firebase Authentication)
• Focus session data stored against pseudonymised user IDs, not names or emails

8. Data Retention

• Active accounts: Data retained while the account remains active.
• Inactive accounts: Personal data anonymised after 90 days of continuous inactivity.
• Account deletion: Users may delete their account at any time via Settings → Delete Account. All personal data and session records are permanently removed.

9. Your Rights (UK GDPR)

You have the right to:

• Access your data
• Rectify incorrect data
• Erase your data ("right to be forgotten")
• Restrict processing
• Data portability (receive your data in a portable format)
• Object to processing

Contact privacy@getnovi.co.uk to exercise any right. We will respond within 30 days.

10. NFC Tags

Novi NFC tags are passive devices containing no power source, battery, or personal data. They simply trigger the app to start or stop a focus session. No data is written to or stored on the tags.

11. Cookies and Analytics

The Novi app does not use cookies or third-party analytics. No tracking pixels, advertising identifiers, or behavioural analytics are employed.

12. Complaints

1. Contact us: privacy@getnovi.co.uk
2. Contact the Information Commissioner's Office: ico.org.uk

13. Changes to This Policy

We may update this policy from time to time. Users will be notified of material changes via the app or email.