Privacy Policy

Last updated: 15 April 2026

Novarak (“Novarak”, “we”, “us”, or “our”) operates the Novarak habit accountability application and related services (the “Service”). We are based in Sydney, New South Wales, Australia.

This Privacy Policy explains how we collect, use, disclose, store, and otherwise handle your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the European Union General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

By using the Service, you acknowledge that you have read and understood this Privacy Policy. Questions? Email support@novarak.com.

1. Information We Collect

  • Account information: When you sign up for Novarak or join our waitlist, we collect your email address, display name, and password (stored in hashed form). If you sign up via a third-party authentication provider, we receive your name and email address from that provider.
  • Habit data: The habits you create, your daily completion status, streak data, and any personal notes you attach to habits. Your completion status may be visible to members of your accountability group. Personal notes are never shared.
  • Accountability group data: Information about the groups you create or join, including group membership, invitations sent and received, and the identifiers of other users in your groups.
  • Health and fitness integration data: If you choose to connect Apple Health, Google Health Connect, or Strava, we collect data from those services on a read-only basis through OAuth-authorised connections. This may include activity data, step counts, and workout records. We only access the specific data categories you authorise, and we never write data back to these services.
  • AI insights data: We process your habit completion patterns, timing data, and streaks to generate personalised insights. This processing is performed solely for your personal benefit. AI-generated insights are not shared with your accountability group or any third party.
  • Device and usage data: Technical information collected when you access the Service, including IP address, browser type and version, operating system, device type, pages visited, and visit timestamps. We collect this through Vercel Analytics, which is privacy-friendly, uses no cookies, and processes data in aggregated form only.
  • Communications: If you contact us at support@novarak.com or otherwise communicate with us, we collect the content of those communications along with your contact details.

2. How We Use Your Information

  • Providing and operating the Service: creating and managing your account, recording your habit data, facilitating your accountability groups, and delivering personalised AI-powered insights.
  • Improving the Service: understanding how users interact with the Service in aggregate, identifying bugs and performance issues, and developing new features.
  • Communicating with you: sending service-related notices, responding to your support requests, and, where you have consented, sending product updates and announcements.
  • Ensuring security: detecting, preventing, and addressing fraud, abuse, and security incidents.
  • Complying with legal obligations: meeting our obligations under applicable law, responding to lawful requests from authorities, and establishing, exercising, or defending legal claims.

We do not use your personal information to serve advertisements. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

3. Lawful Basis for Processing (GDPR)

For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases under Article 6 of the GDPR:

  • Performance of a contract: Processing your account information, habit data, group membership, and integration data is necessary to provide the Service you have requested.
  • Legitimate interests: Processing device and usage data for security, fraud prevention, and service improvement, where those interests are not overridden by your fundamental rights.
  • Consent: Where you connect third-party health and fitness integrations, or where required for optional communications. You may withdraw consent at any time.
  • Legal obligation: Where we are required to process your data to comply with applicable law.

4. AI Processing

Novarak uses artificial intelligence to analyse your habit completion data and generate personalised insights, including pattern detection, optimal timing suggestions, and streak analysis.

Your data is not used to train machine learning models. AI processing is performed solely to deliver insights to you as an individual user. AI-generated insights are derived from your personal data only and are not shared with other users, including members of your accountability groups.

We apply data minimisation principles: we use only the minimum data necessary to generate useful insights and do not retain intermediate processing outputs beyond what is needed to deliver the insight to you.

5. Accountability Groups and Shared Data

When you are a member of a group, other members can see:

  • Your display name
  • Which habits you are tracking within that group
  • Whether you completed each habit on a given day (completion status only)

Other members cannot see your personal notes, AI-generated insights, health and fitness integration data, email address, usage data, or device information.

You control which habits are shared with which groups. You may leave a group at any time, which will remove your ongoing data from that group's view.

6. Third-Party Service Providers

We engage a limited number of third-party service providers (subprocessors) to help us operate the Service. These providers process personal information on our behalf and under our instructions. Our current subprocessors include:

  • Vercel Inc. (United States): hosting, deployment, and privacy-friendly analytics
  • Authentication provider: account creation and sign-in
  • Cloud infrastructure provider: data storage and compute
  • Email service provider: transactional and service-related emails

We maintain contracts with each subprocessor that require them to protect personal information to a standard consistent with this Privacy Policy. We do not share your personal information with third parties for their own independent purposes, except where required by law.

7. Health and Fitness Data

  • We access health and fitness data on a read-only basis only after you explicitly authorise the connection via OAuth.
  • We use this data solely to enrich your personal habit insights. It is never shared with other users or your accountability group.
  • We do not sell, license, or otherwise commercialise health and fitness data.
  • You may disconnect any integration at any time through your account settings.
  • Upon disconnection, previously collected health integration data will be deleted within 30 days, unless you request earlier deletion.

8. Cookies and Tracking Technologies

  • Session cookies: Strictly necessary cookies used to maintain your authenticated session. These expire when you close your browser or after a reasonable inactivity period.
  • Vercel Analytics: Aggregated, privacy-friendly usage analytics. Vercel Analytics does not use cookies, does not collect personally identifiable information, and does not track individual users across sessions or websites.

We do not use advertising cookies, retargeting pixels, or any third-party tracking technologies. We do not participate in cross-site tracking.

9. Data Retention

  • Account information: Retained for the duration of your account and deleted within 90 days of account closure, except where retention is required for legal or compliance purposes.
  • Habit data and completion records: Retained for the duration of your account. Permanently deleted within 90 days of account deletion.
  • Health and fitness integration data: Retained while the integration is active. Deleted within 30 days of disconnection or account closure.
  • AI insights: Retained for the duration of your account. Deleted upon account closure.
  • Device and usage data: Collected in aggregated form by Vercel Analytics and not stored in a personally identifiable manner.
  • Communications: Support correspondence retained for up to 24 months after the last interaction, unless a longer period is required for legal purposes.
  • Waitlist data: If you joined our waitlist but did not create a full account, we retain your email address until you unsubscribe or for 24 months after collection, whichever is earlier.

10. International Data Transfers

Novarak is based in Sydney, Australia. Your personal information may be transferred to, stored in, and processed in countries other than your own, including the United States, where our service providers operate.

For transfers from the EEA, UK, or Switzerland, we rely on European Commission adequacy decisions where applicable, and Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organisational measures where necessary. For transfers from Australia, we comply with APP 8 by taking reasonable steps to ensure overseas recipients handle your personal information consistently with the APPs.

11. Data Security

We implement technical and organisational measures designed to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Hashing of passwords using industry-standard algorithms
  • Access controls limiting employee and contractor access to personal information on a need-to-know basis
  • Regular review of our security practices and infrastructure
  • Secure OAuth flows for third-party integrations: we never receive or store your third-party passwords

No method of transmission over the internet is completely secure. If we become aware of a data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority in accordance with applicable law.

12. Your Rights

All users

You may access, update, or delete your account information through your account settings at any time. You may disconnect third-party integrations at any time. Contact us at support@novarak.com to exercise any of the rights described below. We will respond within 30 days.

Australian users (Privacy Act 1988)

Under the APPs, you have the right to access the personal information we hold about you (APP 12) and request correction of inaccurate, incomplete, or misleading information (APP 13). If you are not satisfied with our response to a complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

EEA, UK, and Swiss users (GDPR / UK GDPR)

  • Access your personal data and receive a copy of it
  • Rectify inaccurate or incomplete personal data
  • Erase your personal data ("right to be forgotten"), subject to legal exceptions
  • Restrict processing of your personal data in certain circumstances
  • Data portability: receive your personal data in a structured, machine-readable format
  • Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection supervisory authority

We will respond to requests within one month. In complex cases, we may extend this by a further two months and will inform you within the first month. For GDPR inquiries, email us with the subject line “GDPR Request”.

California users (CCPA/CPRA)

  • Know what personal information we collect, use, and disclose
  • Delete personal information we have collected, subject to legal exceptions
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share personal information, so there is nothing to opt out of)
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights

13. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us at support@novarak.com.

14. Australian Privacy Principles: Additional Detail

For the avoidance of doubt and in compliance with the Privacy Act 1988 (Cth):

  • APP 1 (Open and transparent management): This Privacy Policy sets out how we manage personal information and is available on our website at all times.
  • APP 2 (Anonymity and pseudonymity): You may use a display name rather than your real name. However, a valid email address is required for account creation.
  • APP 3 (Collection of solicited personal information): We collect only personal information reasonably necessary for the functions of the Service. We collect sensitive health data only with your explicit consent.
  • APP 5 (Notification of collection): This Privacy Policy serves as our collection notice.
  • APP 6 (Use or disclosure): We use and disclose personal information only for the primary purpose for which it was collected, or a related secondary purpose you would reasonably expect.
  • APP 7 (Direct marketing): We will only send marketing communications where you have consented. Every marketing communication includes an unsubscribe mechanism.
  • APP 8 (Cross-border disclosure): See Section 10 (International Data Transfers).
  • APP 10 (Quality): We take reasonable steps to ensure personal information is accurate, up-to-date, complete, and relevant.
  • APP 11 (Security): See Section 11 (Data Security). We destroy or de-identify personal information when it is no longer needed.
  • APP 12 & 13 (Access and correction): See Section 12 (Your Rights).

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after changes become effective constitutes your acknowledgement of the updated Privacy Policy.

The “Last updated” date at the top of this Privacy Policy indicates when it was most recently revised.