Privacy Policy
Last updated: April 2026 · Version 1.0
NOVA Labuan Limited (“we”) operates the NPRAplus service. This policy explains what personal data we collect, how we use it, and the rights you have. If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your data in line with the General Data Protection Regulation (GDPR) and equivalent local law.
1. Controller
NOVA Labuan Limited, Federal Territory of Labuan, Malaysia.
Data-protection contact: npra@novalabuan.com
2. What we collect
- Account data: name, email address, hashed authentication tokens.
- Workspace data: brand name, CNH details you choose to record, product formulas, ingredient lists, submission outputs.
- Usage data: pages visited, API routes called, timestamps, IP address, browser user-agent. Used to keep the service stable and secure.
- Waitlist data: email, optional brand name, SKU bracket, and role, submitted via the public waitlist form.
- Support communication: emails you send us and our replies.
3. Why we process it
- Contract performance (GDPR Art. 6(1)(b)): providing the Service you subscribed to.
- Legitimate interest (Art. 6(1)(f)): securing the service, preventing abuse, improving the product.
- Legal obligation (Art. 6(1)(c)): keeping tax, accounting, and anti-fraud records.
- Consent (Art. 6(1)(a)): the waitlist form and optional product updates.
4. Sub-processors
We use the following sub-processors; each is contractually bound to treat your data confidentially and to offer equivalent protection:
- Supabase — managed Postgres, authentication, and file storage. Data centre region: Asia Pacific (Singapore). Supabase acts as a processor under a DPA covering Standard Contractual Clauses (SCCs).
- Netlify — application hosting and edge delivery. Data processed in the EU/US region with SCC protection for international transfers.
- DeepSeek — AI-assisted ingredient matching. Used only on demand; we never transmit personally identifying information (PII) to DeepSeek, only ingredient strings.
5. International transfers
Your data may be processed in Malaysia, the European Economic Area, and the United States, depending on the sub-processor. Where data leaves the EEA/UK we rely on Standard Contractual Clauses as the transfer mechanism.
6. Retention
- Account and workspace data: for the duration of your subscription and up to 90 days after cancellation.
- Invoices and tax records: up to 7 years as required by Labuan and applicable tax law.
- Waitlist data: until you request deletion, or for up to 24 months of inactivity.
- Security and audit logs: up to 12 months.
7. Your rights
Depending on where you are, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Request erasure (“right to be forgotten”).
- Restrict or object to certain processing.
- Port your data to another provider (structured, machine-readable format).
- Withdraw consent at any time, where we rely on it.
- Lodge a complaint with a supervisory authority.
To exercise any right, email npra@novalabuan.com. We respond within 30 days.
8. Cookies
NPRAplus uses only essential cookies for authentication (Supabase session cookies) and fraud prevention. We do not use tracking or advertising cookies. A cookie banner is therefore not shown.
9. Security
All traffic is encrypted in transit (TLS). Workspace data is protected at rest by Supabase’s AES-256 storage encryption. Row-level security policies restrict every database query so that one tenant cannot read another tenant’s data. Administrative access is protected by invitation-only accounts and audit logs.
10. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children.
11. Changes
We may update this policy. Material changes will be announced by email or in-app notice at least 14 days before they take effect.
12. Contact
Data-protection questions: npra@novalabuan.com.