Privacy Policy

NovoJet AS (hereinafter "Regenesis", "we", "us") is the data controller for personal data collected through this website (www.novojet.uk). Contact: NovoJet AS Email: privacy@novojet.uk If you have questions about our processing of your personal data, you may contact us at the email address above.

We process personal data based on the following legal grounds under GDPR Article 6: a) Consent (Art. 6(1)(a)): When you submit a form on our website (demo booking, pricing request, distributor application), we process your data based on your explicit consent. You may withdraw consent at any time by contacting us. b) Legitimate interest (Art. 6(1)(f)): We may process data for the purpose of improving our website, ensuring security, and preventing fraud. c) Contract performance (Art. 6(1)(b)): When processing is necessary to fulfill a contract or pre-contractual request you have initiated.

We collect personal data that you voluntarily provide through our website forms: Contact forms and demo requests: - Full name - Email address - Phone number (optional) - Clinic name, type, and location - Equipment and product interests - Free-text messages Consultant portal: - Email address and password (for authentication) - Session data (stored in an HttpOnly cookie) We do NOT collect sensitive personal data (special categories under GDPR Art. 9).

This website uses the following cookies: Essential cookies: - portal_session: Authentication cookie for the consultant portal. HttpOnly, Secure, SameSite=Strict. Expires after 24 hours. This cookie is strictly necessary for the portal to function and does not require consent. - cookie_consent: Stores your cookie consent preference. Expires after 365 days. We do NOT use analytics cookies, tracking cookies, or third-party advertising cookies. No data is shared with Google Analytics, Facebook, or any similar third-party tracking service. If we introduce analytics or marketing cookies in the future, we will update this policy and request your consent before activating them.

We use the following data processors to operate this website. Each processor handles personal data only on our documented instructions and under a Data Processing Agreement (DPA) compliant with GDPR Art. 28. Vercel (Vercel Inc., San Francisco, USA) — Website hosting and edge delivery. Processes IP address and request metadata. Operates under EU Standard Contractual Clauses for transfers outside the EEA. Supabase (Supabase Inc., Delaware, USA — EU region: Frankfurt) — Database and authentication for our consultant portal. Stores form submissions (name, email, phone, clinic, country, message) and salesperson account data. Customer data is hosted in the EU region. Operates under EU Standard Contractual Clauses. Resend (Resend, Inc., USA) — Transactional email delivery. Sends internal lead-assignment notifications to our sales team containing the data you submitted via the contact form. Operates under EU Standard Contractual Clauses. Google Fonts — Loaded via Next.js font optimization, which serves fonts from our own domain. No data is sent to Google. We do not use analytics, tracking, or third-party advertising services.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. Your data may be shared with: - Our hosting provider (Vercel) as a data processor - Our internal CRM system for managing demo requests and pricing inquiries Data transfers outside the EEA are protected by Standard Contractual Clauses (SCC) in accordance with GDPR Chapter V.

We retain personal data only as long as necessary for the purpose it was collected: - Form submissions (demo requests, pricing inquiries): 24 months, or until you request deletion - Distributor applications: 36 months, or until you request deletion - Portal session cookies: 24 hours - Cookie consent preference: 365 days After the retention period, data is permanently deleted.

Under GDPR, you have the following rights regarding your personal data: - Right of access (Art. 15): Request a copy of your personal data - Right to rectification (Art. 16): Request correction of inaccurate data - Right to erasure (Art. 17): Request deletion of your personal data - Right to restriction (Art. 18): Request limitation of processing - Right to data portability (Art. 20): Receive your data in a machine-readable format - Right to object (Art. 21): Object to processing based on legitimate interest - Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing To exercise any of these rights, contact us at privacy@novojet.uk. We will respond within 30 days.

We implement appropriate technical and organisational measures to protect your personal data, including: - HTTPS encryption for all data in transit - HttpOnly, Secure, SameSite=Strict cookies for authentication - Rate limiting and timing-safe comparison for login endpoints - No storage of passwords in plaintext - Access controls limiting data access to authorised personnel

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): Datatilsynet Postboks 458 Sentrum 0105 Oslo www.datatilsynet.no

We may update this privacy policy to reflect changes in our practices or legal requirements. The "last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.