Privacy Policy — Novis Pay

Last updated: 10 March 2026

CaribLinkPay Ltd ("we", "us", "our") operates the Novis Pay mobile application (the "App"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our App.

CaribLinkPay Ltd is a company registered in England and Wales. If you have questions about this policy, contact us at privacy@novispay.co.uk.

1. Information We Collect

Information you provide directly

• Account information: name, email address, phone number, and password when you register
• Business information: business name, business type, and country of operation
• Payment information: we do not store card numbers, CVVs, or bank account details — these are handled entirely by Stripe (our payment processor)

Information collected automatically

• Transaction data: payment amounts, dates, payment methods used, and transaction statuses
• Device information: device type, operating system version, and unique device identifiers
• Usage data: how you interact with the App, including screens viewed and features used
• Location data: approximate location when using Tap to Pay, as required by the Stripe Terminal SDK

Information from third parties

• Stripe: account verification status, payout status, and charges enabled status for your connected Stripe account

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Novis Pay service
• Process payments and record transactions
• Create and manage your Novis Pay and connected Stripe account
• Communicate with you about your account, transactions, and service updates
• Comply with legal obligations, including anti-money laundering and fraud prevention
• Provide customer support

We do not use your information for:

• Selling to third parties
• Targeted advertising
• Automated decision-making that produces legal effects

3. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

• Contract: processing necessary to provide our payment services to you
• Legal obligation: compliance with financial regulations and anti-money laundering requirements
• Legitimate interests: improving our services, preventing fraud, and ensuring security

4. How We Share Your Information

We share your information only with:

• Stripe: our payment processor, which handles all card and bank transactions. Stripe's privacy policy applies to data they process: https://stripe.com/privacy
• Supabase: our infrastructure provider, which hosts our database and backend services
• Google: as required for distributing the App via Google Play Store
• Law enforcement or regulators: when required by law or to protect our legal rights

We do not sell your personal data to any third party.

5. Data Storage and Security

• Your data is stored on servers in the EU/UK region via Supabase (hosted on AWS)
• All data is encrypted in transit (TLS/SSL) and at rest
• Card and bank details are handled exclusively by Stripe and never touch our servers
• We use Row Level Security to ensure users can only access their own data
• Access to production systems is restricted to authorised personnel only

6. Data Retention

• Account data: retained for as long as your account is active, plus 6 years after closure (as required by UK financial regulations)
• Transaction data: retained for 6 years from the date of the transaction (as required by HMRC)
• Usage data: retained for 12 months, then anonymised

You may request deletion of your account at any time by contacting privacy@novispay.co.uk. We will delete or anonymise your data within 30 days, except where retention is required by law.

7. Your Rights (UK GDPR)

You have the right to:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate data
• Erasure: request deletion of your data (subject to legal retention requirements)
• Restriction: request that we limit processing of your data
• Portability: receive your data in a structured, machine-readable format
• Object: object to processing based on legitimate interests
• Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@novispay.co.uk. We will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/

8. International Transfers

Your data is processed within the UK and EU. If any data is transferred outside the UK/EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.

9. Children

Novis Pay is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top of this policy indicates when it was last revised.

11. Contact Us

CaribLinkPay Ltd
Email: privacy@novispay.co.uk
Website: https://novispay.co.uk