Privacy Policy

Last updated 10 July 2026

Novato is a product of Nadar & Co. (ACN 671116091, ABN 36671116091) ("Novato", "we", "us", "our"), registered at 195 Miller, North Sydney NSW 2060, Australia. This policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to everyone who interacts with Novato: account holders who manage projects ("customers"), and the subcontractors and tradies those customers invite onto the platform ("workers").

1. Information we collect

We collect only what we need to verify compliance documents and run the platform:

  • Account information — name, email address, phone number, business name and role, collected when you or your organisation sign up.
  • Worker information — name, email, phone number, and trade details, collected when a customer invites a subcontractor, or when a worker registers themselves after being invited.
  • Compliance documents — licences, insurance certificates, induction cards (e.g. White Cards) and similar documents uploaded for verification, along with metadata we extract from them (document type, issuer, expiry date).
  • Billing information — plan selection and transaction records. Card details are collected and processed directly by our payment processor, Stripe — we do not store full card numbers ourselves.
  • Usage and device information — log data, IP address, browser type, and how you interact with the platform.

We generally avoid collecting sensitive information as defined by the Privacy Act. Where a compliance document incidentally contains sensitive information, we only use it for the verification purpose it was provided for.

2. How we use information

  • To verify that uploaded documents are genuine, current, and match the person or project they relate to.
  • To track expiries and send renewal reminders and compliance notifications.
  • To operate accounts, process subscription billing, and provide customer support.
  • To maintain audit trails that our customers may need to demonstrate compliance to insurers, principal contractors, or regulators.
  • To improve the reliability and accuracy of our verification process.

3. Automated document verification

Uploaded documents are processed using Anthropic's Claude AI models to automatically extract and check details such as document type, licence numbers, and expiry dates. Document content is transmitted to Anthropic solely to perform this verification and is handled under Anthropic's own data processing terms. We do not use your documents to train third-party AI models.

4. Who we share information with

We share personal information only where necessary to run the service:

  • Supabase — our database, authentication, and file storage provider.
  • Stripe — for subscription billing and payment processing.
  • Anthropic — for AI-assisted document verification, as described above.
  • SMS notification provider— where a customer enables SMS notifications on their plan. We have not yet finalised this provider; this policy will be updated with the provider's name before the feature is enabled for any customer.
  • Your own organisation— a worker's compliance status and documents are visible to the customer (project or business) that invited them, since that is the purpose the information was collected for.

We do not sell personal information, and we do not share it with third parties for their own marketing purposes.

5. Overseas disclosure

Some of the providers listed above, including Anthropic, Stripe, and our cloud infrastructure providers, may store or process information on servers located outside Australia. Where this occurs, we take reasonable steps to ensure the overseas recipient handles personal information consistently with the Australian Privacy Principles.

6. Data retention

We retain compliance documents and worker records for as long as the related account or project is active, and for a reasonable period afterwards to support audit and legal record-keeping needs (typically up to 7 years, consistent with standard business record-keeping practice). You can request earlier deletion — see section 8.

7. Security

We apply access controls, encryption, and database-level row security to protect personal information from misuse, loss, or unauthorised access. Full detail is available on our Security page.

8. Access, correction, and complaints

You can request access to, or correction of, the personal information we hold about you at any time by contacting us at support@novato.com.au. If you believe we have mishandled your personal information, you can lodge a complaint with us at the same address, and we will respond within a reasonable time. If you're not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Cookies

We use essential cookies to keep you signed in and to remember your preferences. We do not currently use third-party advertising or tracking cookies.

10. Changes to this policy

We may update this policy from time to time as our practices or the law change. Material changes will be notified to account holders by email or an in-app notice.

11. Contact us

Nadar & Co. (trading as Novato)
195 Miller, North Sydney NSW 2060, Australia
ABN 36671116091
support@novato.com.au