Privacy Policy

Last updated: April 21, 2026

TDX TRANSFORMACION DIGITAL S.A.S. (“TDX”, “we”, “us”, or “our”), operator of NovaDesk ITSM (the “Service”), is committed to protecting the privacy of its users and customers. This Privacy Policy describes how we collect, use, store, share, and protect personal data in accordance with Colombian Law 1581 of 2012, Decree 1377 of 2013, the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable.

1. Data Controller

Legal name: TDX TRANSFORMACION DIGITAL S.A.S.
Tax ID (NIT): 901.650.655-0
Address: Calle 61 #56-51, Medellín, Colombia
Phone: +57 315 304 1548
Data Protection contact: privacy@tdxcore.com

2. Information We Collect

We collect the following categories of personal data:

Account data: name, email, password (hashed), profile picture, language, time zone, and role inside your workspace.
Organization data: company name, workspace URL, subscription plan, and billing information.
Service usage data: tickets, messages, uploaded attachments, knowledge base articles, workflows, and any content you or your end-users submit through the Service.
Technical data: IP address, browser type, device identifiers, pages visited, and timestamps (collected via cookies and server logs).
AI interaction data: prompts and conversations submitted to our AI agents, used only to produce responses and improve the Service. We do not use your data to train third-party foundation models.
Billing data: payment method tokens, invoices, and transaction history. Full card numbers are never stored by us; they are handled by our PCI-DSS-compliant payment processors.

3. Purpose of Processing

We use personal data to:

Provide, maintain, and improve the Service.
Authenticate users and enforce role-based access controls.
Process subscriptions, payments, refunds, and invoicing.
Send service-related communications (security alerts, billing notices, feature updates).
Provide AI-powered features such as ticket classification, reply suggestions, and knowledge search.
Detect, prevent, and respond to fraud, abuse, and security incidents.
Comply with applicable laws, regulations, and lawful requests.

4. Legal Basis

We process personal data based on: (a) your consent, where required; (b) the performance of a contract with you or your organization; (c) our legitimate interests in operating and securing the Service; and (d) compliance with a legal obligation.

5. Data Sharing and Subprocessors

We do not sell your personal data. We share data with trusted subprocessors under written data-protection agreements, strictly for the purposes listed above:

Supabase Inc. — database, authentication, and file storage (United States).
Vercel Inc. — application hosting and edge infrastructure (United States, global CDN).
Anthropic PBC — AI model inference (Claude).
OpenAI, L.L.C. — embeddings for semantic search (RAG).
Resend — transactional email delivery.
Payment processor (Paddle, Stripe, or equivalent Merchant of Record) — subscription billing and tax compliance.

6. International Transfers

Personal data may be transferred to and processed in countries outside Colombia, including the United States and the European Union. We rely on Standard Contractual Clauses and equivalent safeguards to ensure an adequate level of protection consistent with Colombian Law 1581 of 2012.

7. Your Rights

You have the right to: (a) access your personal data; (b) rectify inaccurate data; (c) request deletion (“right to be forgotten”); (d) object to or restrict processing; (e) data portability; and (f) withdraw consent at any time. To exercise any of these rights, email privacy@tdxcore.com. We will respond within 15 business days, as required by Colombian law.

8. Data Retention

We retain personal data for as long as your account is active, plus the retention periods required by applicable tax, accounting, and legal obligations (typically 5–10 years for invoices and transactional records). You may request earlier deletion at any time, subject to legal retention requirements.

9. Security Measures

We protect your data with industry-standard controls, including: encryption in transit (TLS 1.2+) and at rest (AES-256), PostgreSQL Row Level Security for multi-tenant isolation, password hashing with bcrypt, session cookies marked HttpOnly/Secure/SameSite, MFA support, audit logs, least-privilege access, and continuous vulnerability monitoring.

10. Cookies

For details on cookies and similar technologies, please read our Cookie Policy.

11. Minors

NovaDesk is a business-to-business product and is not directed to children under 18. We do not knowingly collect personal data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email and/or an in-product banner at least 15 days before they take effect.

13. Contact

For privacy-related questions, complaints, or to exercise your rights, contact us at privacy@tdxcore.com or by postal mail at the address listed above.

2. Information We Collect

We collect the following categories of personal data:

Account data: name, email, password (hashed), profile picture, language, time zone, and role inside your workspace.

Organization data: company name, workspace URL, subscription plan, and billing information.

Service usage data: tickets, messages, uploaded attachments, knowledge base articles, workflows, and any content you or your end-users submit through the Service.

Technical data: IP address, browser type, device identifiers, pages visited, and timestamps (collected via cookies and server logs).

AI interaction data: prompts and conversations submitted to our AI agents, used only to produce responses and improve the Service. We do not use your data to train third-party foundation models.

Billing data: payment method tokens, invoices, and transaction history. Full card numbers are never stored by us; they are handled by our PCI-DSS-compliant payment processors.

3. Purpose of Processing

We use personal data to:

Provide, maintain, and improve the Service.

Authenticate users and enforce role-based access controls.

Process subscriptions, payments, refunds, and invoicing.

Send service-related communications (security alerts, billing notices, feature updates).

Provide AI-powered features such as ticket classification, reply suggestions, and knowledge search.

Detect, prevent, and respond to fraud, abuse, and security incidents.

Comply with applicable laws, regulations, and lawful requests.

5. Data Sharing and Subprocessors

We do not sell your personal data. We share data with trusted subprocessors under written data-protection agreements, strictly for the purposes listed above:

Supabase Inc. — database, authentication, and file storage (United States).

Vercel Inc. — application hosting and edge infrastructure (United States, global CDN).

Anthropic PBC — AI model inference (Claude).

OpenAI, L.L.C. — embeddings for semantic search (RAG).

Resend — transactional email delivery.

Payment processor (Paddle, Stripe, or equivalent Merchant of Record) — subscription billing and tax compliance.

7. Your Rights

8. Data Retention

9. Security Measures

Privacy Policy

Our privacy policy and how we use your data

1. Data Controller

2. Information We Collect

3. Purpose of Processing

4. Legal Basis

5. Data Sharing and Subprocessors

6. International Transfers

7. Your Rights

8. Data Retention

9. Security Measures

10. Cookies

11. Minors

12. Changes to This Policy

13. Contact

Privacy Policy

Our privacy policy and how we use your data

1. Data Controller

2. Information We Collect

3. Purpose of Processing

4. Legal Basis

5. Data Sharing and Subprocessors

6. International Transfers

7. Your Rights

8. Data Retention

9. Security Measures

10. Cookies

11. Minors

12. Changes to This Policy

13. Contact