Privacy Policy
Privacy information for Novalure CRM under Irish and EU data protection law, including GDPR, Meta channel integrations and AI-supported CRM communication.
Last updated: 20 May 2026
1. Who we are
Novalure CRM is operated by Novalure CLG, Ireland. This Privacy Policy explains how Novalure CLG processes personal data in connection with the Novalure CRM website, application, customer relationship management platform, AI communication tools and integrations with Meta technologies such as WhatsApp Business, Instagram and Facebook Messenger.
For privacy questions, data subject requests or deletion requests, contact us at hello@novalure.eu with the subject line Privacy Request.
2. Applicable law
Novalure CLG is established in Ireland and processes personal data in accordance with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018 and, where relevant, Irish and EU rules on electronic communications and marketing.
The Irish Data Protection Commission is the lead supervisory authority for Irish data protection matters. Individuals may also contact the supervisory authority in their EU Member State of residence.
3. Controller and processor roles
For our own website, account administration, security, billing, product improvement, support, marketing and platform operation, Novalure CLG acts as a data controller.
For CRM records, lead data, customer communications, contact histories, uploaded knowledge documents and messages that our business customers enter into or connect to Novalure CRM, Novalure CLG generally acts as a processor on behalf of the relevant workspace customer. The workspace customer remains responsible for deciding why and how their own customer and lead data is processed.
If you are a lead, buyer, seller, tenant, landlord or other contact of one of our workspace customers, you may also need to contact that workspace customer directly because they may be the primary controller for your CRM record.
4. Personal data we process
- Account and workspace data: name, email address, role, organisation, workspace membership, authentication and permission data.
- CRM and real estate data: contact details, lead interests, project assignments, property preferences, deal stages, tasks, notes, communication history and appointment information.
- Messaging data: WhatsApp, Instagram, Facebook Messenger, email and form messages, message metadata, channel identifiers, timestamps, delivery status and conversation context.
- Meta integration data: app-scoped IDs, Page IDs, Instagram business account IDs, WhatsApp business account IDs, phone number IDs, access tokens and permissions needed to connect customer-owned Meta assets. Access tokens are stored encrypted where stored by Novalure CRM.
- Calendar and meeting data: availability settings, booking details, meeting links, reminders and connected Microsoft 365 or Google calendar information where enabled.
- Newsletter and consent data: subscription status, opt-in and opt-out records, segments, campaign delivery information and consent evidence.
- Technical and security data: IP address, browser and device data, logs, audit trails, webhook events, security events and diagnostic information.
- AI and bot data: bot instructions, approved knowledge sources, knowledge chunks, conversation summaries, policy decisions, audit logs and generated draft or final responses.
5. Purposes of processing
- To provide, secure and maintain the Novalure CRM platform.
- To enable customers to manage workspaces, roles, projects, contacts, deals, tasks, funnels, communication and analytics.
- To connect customer-approved WhatsApp Business, Instagram, Facebook Messenger, Microsoft 365, calendar, email and newsletter integrations.
- To receive, route and respond to customer communications through configured bots and communication channels.
- To store and update leads, contacts, deals, tasks, appointments and audit logs.
- To enforce bot policy rules, knowledge restrictions, manual override, test mode, opt-out rules, document sending rules and safety controls.
- To provide support, troubleshoot problems, prevent abuse, improve reliability and comply with legal obligations.
- To send service messages and, where permitted, marketing or newsletter messages.
6. Legal bases
- Contract: processing necessary to provide Novalure CRM and related services to customers and users.
- Legitimate interests: platform security, fraud prevention, product reliability, internal analytics, support, audit logging and business-to-business communication, balanced against individual rights.
- Consent: optional marketing, newsletter subscriptions, certain cookies, optional integrations and other processing where consent is required.
- Legal obligation: accounting, tax, regulatory, dispute, compliance and data protection obligations.
- Customer instructions: where Novalure CLG acts as processor, processing is carried out under the relevant customer agreement and lawful instructions.
7. AI bots, automation and approved knowledge
Novalure CRM may use AI-supported bots to classify enquiries, prepare replies, answer routine questions, update CRM records, prepare appointment workflows, suggest next actions and create audit records. Bots are designed to use approved workspace knowledge and configured tools rather than unrestricted internet search.
Bot actions are subject to policy controls such as blocked statements, document approval rules, knowledge restrictions, test mode, kill switch, manual override and audit logging. Customers remain responsible for configuring their bots lawfully and for monitoring automated customer communication.
Novalure CRM does not intend to make solely automated decisions that produce legal effects or similarly significant effects for individuals. AI output should be treated as operational support unless a customer separately configures and lawfully validates a specific automated decision process.
8. Sharing and recipients
We share personal data only where necessary for the purposes described in this Policy, with customer-authorised recipients, service providers, professional advisers, authorities where legally required and integration providers selected by the customer.
- Hosting, database, storage, security and deployment providers.
- Communication providers such as Meta/WhatsApp/Instagram/Facebook, email providers and calendar providers when integrations are enabled.
- AI, embedding or language model providers used to generate responses, summaries, classifications or knowledge search results.
- Payment, support, analytics, monitoring, legal, accounting and compliance providers where applicable.
9. International transfers
Some providers may process personal data outside Ireland or the European Economic Area. Where this happens, we rely on an adequacy decision, Standard Contractual Clauses, supplementary safeguards or another transfer mechanism permitted by GDPR.
10. Retention
We keep personal data only for as long as needed for the purposes described in this Policy, for the duration of the customer relationship, as instructed by the workspace customer, or as required by law.
CRM data is generally retained while the relevant workspace account remains active or until the customer deletes or exports it. Security and audit logs may be retained for a reasonable period to protect the platform and prove compliance. Backups may remain for a limited technical retention period before deletion or overwrite.
Marketing consent records and opt-out records may be retained to respect preferences and demonstrate compliance.
11. Your rights
Subject to legal conditions and exceptions, individuals may have the right to be informed, access their data, correct inaccurate data, request erasure, restrict processing, object to processing, receive data portability, withdraw consent and complain to a supervisory authority.
Requests can be sent to hello@novalure.eu. If your data was processed by one of our workspace customers, we may forward or refer your request to that customer as the relevant controller.
12. Security
We use technical and organisational measures designed to protect personal data, including role-based access, workspace boundaries, encryption where appropriate, audit logs, webhook validation, access token protection and operational monitoring. No system is completely secure, but we work to reduce risk and respond to incidents appropriately.
13. Cookies and similar technologies
Novalure CRM may use necessary cookies or similar technologies for login, security, session management and platform operation. Optional analytics or marketing cookies will be used only where legally permitted and, where required, with consent.
14. Children
Novalure CRM is a business platform and is not intended for children. Customers should not intentionally submit personal data of children unless they have a lawful basis and appropriate safeguards.
15. Changes to this Policy
We may update this Privacy Policy to reflect legal, operational or product changes. The latest version will be published on this page with an updated date.
Regulatory references
This page is structured around transparency, data subject rights, lawful processing, company disclosures, cookies and Meta developer review information under Irish, EU and platform rules.
- Data Protection Commission Ireland: Transparency
- European Commission: Information for individuals
- European Commission: Legal grounds for processing
- Data Protection Commission Ireland: Cookies and tracking technologies
- Companies Registration Office Ireland: company website disclosures
- Meta for Developers: Data deletion callback and instructions
- Meta for Developers: App Dashboard basic settings