Skip navigation
    • Request a Meeting

    NOVA CREDIT INC. APPLICANT PRIVACY NOTICE

    Last Updated: November 4, 2025

    Quick Summary: When you apply for a job with Nova Credit Inc., we collect information like your resume, contact details, and work history to evaluate your application. We keep this information for 6 months to 5 years, depending on your location (to comply with employment laws). We never sell your data. Depending on your place of residency, you may have rights to access, correct, or delete your information. Contact us at privacy@novacredit.com with questions.

    This Applicant Privacy Notice ("Notice") applies to individuals who apply for employment with Nova Credit Inc. (“Nova”, "Company," "we," "us," "our"). This Notice describes how we collect, use, disclose, and protect personal information and personal data (collectively, "personal information") in accordance with the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), the UK General Data Protection Regulation ("UK GDPR"), the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Quebec Law 25, and other applicable privacy laws.

    1. Personal Information We Collect and Process. 

    We collect and process personal information reasonably necessary for recruitment: 

    (a) Identifiers and Contact Information: Name, email, address, phone, date of birth (where required), Social Security/national ID number (upon hire or for background checks only)

    (b) Professional and employment information: Resume, cover letter, work history, education, qualifications, licenses, certifications, references, skills, salary expectations

    (c) Application Process Information: Positions applied for, application date, interview notes and evaluations (created by our interviewers), assessment results, work samples, communications with us

    (d) Technical Information: IP address, device information, and application system activity; 

    (e) Verification Information Collected With Your consent: Employment/education verification, reference checks, background screening, right to work documentation, criminal history (where legally permitted, with explicit consent)

    (f) Equal Opportunity Information Collected Voluntarily: Gender, race, ethnicity, veteran status, disability status, Indigenous identity, visible minority status. This is collected separately, anonymized for statistical purposes only, and never used in hiring decisions.

    Sensitive Information: Certain information (Social Security numbers, health data for accommodations, biometric data, criminal history, demographic data) requires enhanced protection and explicit consent under UK GDPR, CCPA, and Law 25.

    2. Sources of Information and How We Use It:

    We Collect Information for These Purposes

    Purpose

    Sources

    Legal Basis (UK GDPR)

    Legal Basis (CCPA/PIPEDA/Law 25)

    Evaluate applications, conduct interviews, make hiring decisions

    You (application, interviews); References; Recruitment agencies; Publicly available sources (LinkedIn)

    Steps prior to contract (Article 6(1)(b))

    Necessary for recruitment

    Verify credentials and background

    Educational institutions; Previous employers; Background check providers (with consent)

    Steps prior to contract (Article 6(1)(b)); Consent (Article 6(1)(a))

    Necessary for recruitment; express consent

    Comply with employment laws, recordkeeping

    You (application materials); Internally generated records

    Legal obligation (Article 6(1)(c))

    Legal compliance

    Defend against discrimination/employment claims

    All sources above

    Legitimate interest (Article 6(1)(f))

    Reasonable for legal defense

    Improve recruitment processes

    Internally generated analytics

    Legitimate interest (Article 6(1)(f))

    Reasonable business purpose

    Contact you about future positions (talent pool)

    You (application, consent)

    Consent (Article 6(1)(a))

    Express consent

    For special category/sensitive data under UK GDPR Article 9, we rely on explicit consent, employment law necessity, or legal claims provisions; under CCPA and Quebec Law 25, we obtain explicit consent or rely on legal authorization.

    3. Disclosure and Sharing. 

    We disclose personal information to: 

    (a) Internal recipients including the People Team, hiring managers, and interview panels; 

    (b) Service providers bound by contract including applicant tracking system provider, background check providers,  assessment platforms,  and cloud storage providers; and 

    (c) Legal recipients including government agencies as required, courts responding to lawful process, and professional advisors under confidentiality duties.

    We do not sell or share personal information for advertising or other commercial purposes.

    4. International Transfers.

    Your information may be transferred outside your country of residence:

    For UK GDPR compliance: We transfer personal data outside the United Kingdom using Standard Contractual Clauses approved pursuant to Article 46 UK GDPR.

    For Canadian law compliance: We use contractual safeguards to ensure comparable protection when transferring data outside Canada. For Quebec applicants, we conduct Privacy Impact Assessments for cross-border transfers.

    Current international transfers:

    • Applicant tracking system (Greenhouse) hosted in United States under Standard Contractual Clauses.

    • Cloud storage (AWS) with data centers in United States under Standard Contractual Clauses and contractual safeguards.

    5. Retention Periods.

    Retention periods by jurisdiction:

    Your Location

    Retention Period

    Legal Basis

    California

    3 years from hiring decision

    California discrimination claim limitation period (FEHA); federal record keeping requirements (29 CFR Part 1602)

    United Kingdom

    6 months from hiring decision

    Employment discrimination limitation period (UK Equality Act 2010)

    Canada (BC, Alberta, other provinces)

    2 years

    Discrimination complaint limitation periods (Canadian Human Rights Act; provincial human rights codes)

    Quebec

    2 years

    Quebec Charter of Human Rights and Freedoms

    • Talent pool (with your consent): Up to 2 years with annual reconfirmation via email. If you don't respond to our annual email, we'll remove your information.

    • Legal claims or investigations: We may retain information longer if required for ongoing legal proceedings or regulatory investigations.

    6. Your Rights. 

    The rights available to you depend on your location and applicable privacy law:

    Rights for UK Applicants (UK GDPR):  

    (a) Right to Access: Request what personal information we have collected;

    (b) Right to Rectify: Request correction of inaccurate information; 

    (c) Right to Erase: Request deletion (subject to limitations in Section 8); 

    (d) Right to Restrict Processing: Limit processing in certain circumstances; 

    (e) Right to Data Portability: Receive information in machine-readable format; 

    (f) Right to Object: Object to processing based on legitimate interests;

    (g) Right to Withdraw Consent: Where processing is based on consent;

    (h) Rights Regarding Automated Decisions: Not to be subject to solely automated decisions (all hiring decisions involve human review).

    Rights for California Applicants (CCPA): 

    (a) Right to Know: Request what personal information we have collected;   

    (b) Right to Correct: Request correction of inaccurate information; 

    (c) Right to Delete: Request deletion (subject to limitations in Section 8); 

    (d) Right to Limit Use: We use sensitive personal information only for necessary hiring and compliance purposes; 

    (e) Right to Non-Discrimination: No discrimination for exercising privacy rights; 

    (f) Right to Withdraw Consent: Where processing is based on consent.

    Rights for Quebec Applicants (Law 25):  

    (a) Right to Access: Request what personal information we have collected;  

    (b) Right to Rectification: Request correction of inaccurate information; 

    (c) Right to Erasure: Request deletion (subject to limitations in Section 8); 

    (d) Right to Data Portability: Receive information in machine-readable format; 

    (e) Right to Withdraw Consent: Where processing is based on consent.  

    Rights for Other Canadian Applicants (PIPEDA):  

    (a) Right to Access: Request what personal information we have collected;   

    (b) Right to Correct: Request correction of inaccurate information; 

    (c) Right to Withdraw Consent: Where processing is based on consent.  

    Note: PIPEDA does not provide a right to delete personal information.  Rights for Applicants in Other Locations:  If you are applying from a location not listed above, the specific rights available to you will depend on the privacy laws applicable in your jurisdiction. Contact us at privacy@novacredit.com to inquire about your rights.

    7. Exercise of Rights. 

    To exercise any rights available to you under applicable law, contact us: 

    • Email: privacy@novacredit.com

    • Phone: 1 (844) 423-1345 and leave a message; 

    • Mail: Nova Credit Inc., Attn: Privacy Department, 12 W 21st, 5th Floor, New York, NY 10010.

    Identity Verification: We will verify your identity by requesting: your name, email address used in application, approximate application date. If you cannot provide this information (e.g., used a different email), please explain your situation and we'll work with you to verify your identity through alternative means. 

    Authorized Agents: You may designate an authorized agent to submit requests on your behalf by providing proof of authorization.

    8. Limitations on Deletion. 

    For UK, California, and Quebec applicants who have the right to request deletion, we may refuse deletion requests where retention is necessary:

    (a) To Comply with legal obligations including EEOC requirements under 29 CFR Part 1602 (three year retention for U.S. applicants), Equality Act 2010 (six months for UK applicants), and Canadian human rights legislation (two years for Canadian applicants); 

    (b) To establish, exercise, or defend legal claims during statutory limitation periods for discrimination or employment-related claims; 

    (c) To complete transactions, provide services, or perform contracts; 

    (d) For security and fraud detection; 

    (e) For legal proceedings or regulatory compliance; or 

    (f) For other purposes permitted under CCPA Section 1798.105(d), UK GDPR Article 17(3), or Canadian privacy law. 

    If we refuse deletion, we will explain the legal basis, state when information will be deleted and inform you of your right to file a complaint with the relevant supervisory authority or privacy commissioner.

    9. Security and Breach Notification. 

    We implement appropriate technical and organizational security measures including encryption, access controls, authentication, regular security assessments, staff training, and incident response procedures. In the event of a data breach creating risk of harm, we will notify affected individuals and relevant authorities as required by applicable law, including notification to supervisory authorities within 72 hours under UK GDPR, notification to the California Attorney General for breaches affecting 500 or more California residents, and notification to the Office of the Privacy Commissioner of Canada or provincial commissioners as required.

    10. Consent.

    We obtain your explicit consent for background checks and criminal history verification, talent pool retention beyond standard periods, processing sensitive/special category personal information where consent is the legal basis, cross-border data transfers where required. 

    Consent Standards:

    • UK GDPR: Freely given, specific, informed, unambiguous, and separate from other terms;

    • CCPA: Explicit opt-in for sensitive personal information beyond necessary hiring purposes;

    • Quebec Law 25: Clear, free, informed, specific, and time-limited;

    • Canadian (implied): Submitting your application provides implied consent for application evaluation and contacting references.

    Note: Withdrawal doesn't affect prior lawful processing or our legal obligation to retain information during mandated retention periods (see Section 5). For most recruitment activities, we rely on legal bases other than consent (see Section 2).

    11. Complaints and Supervisory Authorities. 

    If you have concerns about how we handle your information, you can contact us first at privacy@novacredit.com. We are committed to resolving complaints internally where possible.

    You also have the right to lodge complaints with supervisory authorities:

    California:

    UK GDPR:

    Canada:

    • Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca or 1-800-282-1376

    • Quebec Commission d'accès à l'information: https://www.cai.gouv.qc.ca or 1-888-528-7741

    • Alberta Office of the Information and Privacy Commissioner: 1-888-878-4044

    • British Columbia Office of the Information and Privacy Commissioner: 250-387-5629

    12. Updates to the Notice 

    We may change this notice from time to time. Any changes to this notice go into effect upon the effective date of the revised notice.