NOVARA Privacy Policy

Novara Performance Limited  •  joinnovara.com  •  Version 1.0  •  March 2026

1.  WHO WE ARE

Novara Performance Limited ("NOVARA", "we", "us", "our") is the data controller responsible for your personal information. We are a lifestyle health company registered in Ireland, operating the Vitality-CMD programme for women with coronary microvascular dysfunction.

Registered address: The Mill Enterprise Hub, Newtown Link Road, Drogheda, Co. Louth A92 C450 Ireland.

Data controller contact:  Ciarán Byrne, Founder.

Privacy enquiries: hello@joinnovara.com

2.  WHAT PERSONAL DATA WE COLLECT

We collect the following categories of personal data:

(i) Identity & contact: Full name, date of birth, email address, phone number, home address.

(ii) Health & medical information*: Cardiac diagnosis, current symptoms, medications, cardiologist details, GP details, health questionnaire responses.

(iii) Payment information: Transaction records processed via Stripe or equivalent payment processor. We do not store full card details.

(iv) Programme data: Attendance records, session participation, programme completion summary.

(v) Website & communications: Analytics data collected via cookies on joinnovara.com; email engagement via Proton Mail.

* Health data is a Special Category of personal data under UK GDPR and Irish data protection law. We collect it only where necessary for your safety and programme delivery, and we handle it with additional care as required by law.

3.  HOW WE COLLECT YOUR DATA

•     Directly from you — via the Participant Intake Form, joinnovara.com registration forms, and email or phone contact.

•     Via our website — joinnovara.com collects analytics data through cookies when you visit (see Section 8).

•     Via Zoom — when you attend virtual sessions, Zoom may collect technical data such as IP address and device information in accordance with Zoom's own privacy policy.

•     Via Stripe — payment data is collected and processed directly by Stripe; we receive confirmation of payment only.

•     Via Mailchimp — if you subscribe to NOVARA communications, your email address and engagement data are held by Mailchimp on our behalf.

This website is hosted on Squarespace. Squarespace acts as a data processor on NOVARA's behalf and processes visitor data (including IP addresses, browser data, and form submissions) in accordance with its own Privacy Policy and Data Processing Addendum (DPA). Squarespace, Inc. is certified under the EU-US Data Privacy Framework, providing a lawful basis for transfers of personal data to the US. For more information, see squarespace.com/privacy.

3A. CLINICIAN REFERRAL EMAIL PROCESS

NOVARA accepts patient referrals directly from cardiologists and GPs via secure email. This section explains how that data is handled.

HOW REFERRALS ARE SUBMITTED

Referring clinicians email minimum necessary patient information to ciaran@joinnovara.com. This email address is hosted on Proton Mail — a Swiss-based, end-to-end encrypted, zero-knowledge email platform. Proton Mail is specifically designed for sensitive data and applies encryption at rest to all received messages. No third-party processor has access to this inbox.

WHAT MINIMUM INFORMATION WE REQUEST FROM REFERRING CLINICIANS

- Patient first name and initial only (not full surname at referral stage)

- Date of birth

- Relevant diagnosis or suspected diagnosis (CMD, INOCA, ANOCA)

- Confirmation that the patient has been cleared for programme participation

- Referring clinician name, hospital or practice, and contact email for follow-up

We do not request full patient address, medication lists, or full medical history at the referral stage. Additional health information is collected directly from the participant via our Participant Intake Form, which is subject to explicit consent.

LEGAL BASIS FOR PROCESSING CLINICIAN REFERRAL DATA

Referral data is processed under Article 6(1)(b) GDPR (contract performance — assessing participant suitability) and Article 9(2)(h) GDPR (processing necessary for the provision of health-related services, subject to appropriate safeguards). The referring clinician acts as a data controller in their own right and is responsible for ensuring they have a lawful basis to share patient information with NOVARA for the purpose of referral.

HOW REFERRAL DATA IS STORED

Referral emails are retained in the Proton Mail inbox and transferred to our secure participant management system upon enrolment. Once transferred, the original referral email is deleted from the inbox. Access is restricted to Ciarán Byrne as data controller. Referral data is retained for 7 years from programme completion in line with Irish healthcare records best practice.

DIRECT PATIENT ENQUIRIES VIA EMAIL

Patients who contact NOVARA directly via hello@joinnovara.com or ciaran@joinnovara.com are communicating with Proton Mail accounts. Any health-related information shared in direct patient emails is handled under the same security standards as referral data. We recommend patients do not include more information than necessary in initial contact emails. Full health data collection occurs via our secure Participant Intake Form.

NOTE: NOVARA does not use unencrypted general webmail for the receipt or storage of Special Category health data. All patient and referral communications are received via Proton Mail (end-to-end encrypted, Swiss-hosted) or processed via our secure intake forms.

4.  WHY WE USE YOUR DATA & OUR LEGAL BASIS

We only use your personal data where we have a lawful basis to do so under UK GDPR and the Irish Data Protection Acts 1988–2018.

Purpose & Legal Basis Information

(i) Assessing your suitability for the programme: Legitimate interests; explicit consent for health data.

(ii) Delivering the Vitality-CMD programme safely: Contract performance; vital interests (safety).

(iii) Communicating with your cardiologist / GP (programme summary at completion only): Explicit consent obtained at intake.

(iv) Processing your payment: Contract performance.

(v) Sending programme-related communications: Contract performance.

(vi) Sending NOVARA news and updates (if opted in): Consent (you may withdraw at any time).

(vii) Website analytics and improving our service: Legitimate interests; consent for non-essential cookies.

(viii) Maintaining records for safety and governance purposes: Legitimate interests; legal obligation.

5.  WHO WE SHARE YOUR DATA WITH

We do not sell your personal data. We share it only in the following limited circumstances:

Recipient, Purpose & Safeguards

(i) Your cardiologist / GP: A brief programme summary letter at completion only, shared with your explicit consent. No ongoing data sharing.

(ii) Stripe: Payment processing. Stripe is PCI DSS compliant. We do not store your payment card details.

(iii) Proton Mail: Email communications where you have opted in. Mailchimp operates under Standard Contractual Clauses for EU/UK data transfers.

(iv) Zoom: Virtual session delivery. Zoom processes technical data in accordance with its own privacy policy and EU Standard Contractual Clauses.

(v) Legal or regulatory authorities: Only where required by law or to protect the safety of a participant.

All third-party processors are subject to data processing agreements and are required to handle your data securely and in accordance with applicable law.

6.  HOW LONG WE KEEP YOUR DATA

Data Type & Retention Period

(i) Intake form & health questionnaire: 7 years from programme completion (in line with Irish healthcare records best practice).

(ii) Programme attendance & session records: 7 years from programme completion.

(iii) Payment records: 7 years (required for Irish and UK tax and accounting purposes).

(iv) Email marketing data: Until you unsubscribe or request deletion.

(v) Website analytics: 26 months (standard analytics retention).

After the applicable retention period, your data is securely deleted or anonymised.

7.  YOUR DATA PROTECTION RIGHTS

Under UK GDPR and Irish data protection law, you have the following rights:

Right & What It Means

(i) Access: Request a copy of the personal data we hold about you.

(ii) Rectification: Ask us to correct inaccurate or incomplete data.

(iii) Erasure: Ask us to delete your data where there is no compelling reason to retain it.

(iv) Restriction: Ask us to limit how we use your data in certain circumstances.

(v) Portability: Receive your data in a structured, machine-readable format.

(vi) Object: Object to processing based on legitimate interests.

(vii) Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at: hello@joinnovara.com. We will respond within 30 days.

If you are based in Ireland and are not satisfied with our response, you may lodge a complaint with the Data Protection Commission (DPC): www.dataprotection.ie

If you are based in the UK, you may contact the Information Commissioner’s Office (ICO): www.ico.org.uk

8.  COOKIES & WEBSITE ANALYTICS

joinnovara.com uses cookies to help us understand how visitors use the site and to improve your experience. Cookies are small text files stored on your device.

Cookie Type & Purpose

(i) Essential cookies: Required for the website to function. Cannot be disabled.

(ii) Analytics cookies: Help us understand website traffic and usage patterns (e.g. Google Analytics or equivalent). Only activated with your consent.

(iii) Marketing cookies: Used to track the effectiveness of any advertising campaigns. Only activated with your consent.

You can manage your cookie preferences at any time via the cookie consent banner on joinnovara.com. You can also clear cookies through your browser settings.

9.  HOW WE PROTECT YOUR DATA

We take the security of your personal data seriously, particularly given that health information is involved. Our measures include:

•     Participant intake forms and health data stored in password-protected, access-controlled systems.

•     Health data not transmitted by unencrypted email.

•     Payment data handled entirely by PCI DSS-compliant Stripe — we do not store card details.

•     Access to personal data limited to Ciarán Byrne as data controller and, where strictly necessary, programme delivery staff bound by confidentiality obligations.

•     Regular review of data security practices as the company scales.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (DPC / ICO) within 72 hours and, where required, notify affected individuals without undue delay.

10.  INTERNATIONAL DATA TRANSFERS

Your data is primarily processed within Ireland and the UK. Where third-party processors (Zoom, Mailchimp, Stripe) transfer data outside the UK/EEA, they do so under appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO. You can request further information about these safeguards by contacting us.

11.  CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The current version will always be available at joinnovara.com. Where changes are material, we will notify current programme participants directly by email.

This policy was last reviewed: March 2026.

12.  CONTACT US

Data Controller:  Ciarán Byrne, NOVARA Performance Limited

Address:  The Mill Enterprise Hub, Newtown Link Road, Drogheda, Co. Louth A92 C450 Ireland

Email:  hello@joinnovara.com

Website:  joinnovara.com