NOVARA Privacy Policy

Novara Performance Limited  •  joinnovara.com  •  Version 1.0  •  March 2026

Items marked [LIKE THIS] require completion before this policy is published. These are placeholders only.

1.  WHO WE ARE

Novara Performance Limited ("NOVARA", "we", "us", "our") is the data controller responsible for your personal information. We are a lifestyle health company registered in Ireland, operating the Vitality-CMD programme for women with coronary microvascular dysfunction.

Registered address: The Mill Enterprise Hub, Newtown Link Road, Drogheda, Co. Louth A92 C450 Ireland

Data controller contact:  Ciarán Byrne, Founder

Privacy enquiries: hello@joinnovara.com

2.  WHAT PERSONAL DATA WE COLLECT

We collect the following categories of personal data:

| Category | Examples |
| --- | --- |
| Identity & contact | Full name, date of birth, email address, phone number, home address |
| Health & medical information* | Cardiac diagnosis, current symptoms, medications, cardiologist details, GP details, health questionnaire responses |
| Payment information | Transaction records processed via Stripe or equivalent payment processor. We do not store full card details. |
| Programme data | Attendance records, session participation, programme completion summary |
| Website & communications | Analytics data collected via cookies on joinnovara.com; email engagement via Mailchimp |

* Health data is a Special Category of personal data under UK GDPR and Irish data protection law. We collect it only where necessary for your safety and programme delivery, and we handle it with additional care as required by law.

3.  HOW WE COLLECT YOUR DATA

•     Directly from you — via the Participant Intake Form, joinnovara.com registration forms, and email or phone contact

•     Via our website — joinnovara.com collects analytics data through cookies when you visit (see Section 8)

•     Via Zoom — when you attend virtual sessions, Zoom may collect technical data such as IP address and device information in accordance with Zoom's own privacy policy

•     Via Stripe — payment data is collected and processed directly by Stripe; we receive confirmation of payment only

•     Via Mailchimp — if you subscribe to NOVARA communications, your email address and engagement data are held by Mailchimp on our behalf

This website is hosted on Squarespace. Squarespace acts as a data processor on NOVARA's behalf and processes visitor data (including IP addresses, browser data, and form submissions) in accordance with its own Privacy Policy and Data Processing Addendum (DPA). Squarespace, Inc. is certified under the EU-US Data Privacy Framework, providing a lawful basis for transfers of personal data to the US. For more information, see squarespace.com/privacy.

4.  WHY WE USE YOUR DATA & OUR LEGAL BASIS

We only use your personal data where we have a lawful basis to do so under UK GDPR and the Irish Data Protection Acts 1988–2018.

| Purpose | Legal Basis |
| --- | --- |
| Assessing your suitability for the programme | Legitimate interests; explicit consent for health data |
| Delivering the Vitality-CMD programme safely | Contract performance; vital interests (safety) |
| Communicating with your cardiologist / GP (programme summary at completion only) | Explicit consent obtained at intake |
| Processing your payment | Contract performance |
| Sending programme-related communications | Contract performance |
| Sending NOVARA news and updates (if opted in) | Consent (you may withdraw at any time) |
| Website analytics and improving our service | Legitimate interests; consent for non-essential cookies |
| Maintaining records for safety and governance purposes | Legitimate interests; legal obligation |

5.  WHO WE SHARE YOUR DATA WITH

We do not sell your personal data. We share it only in the following limited circumstances:

| Recipient | Purpose & Safeguards |
| --- | --- |
| Your cardiologist / GP | A brief programme summary letter at completion only, shared with your explicit consent. No ongoing data sharing. |
| Stripe | Payment processing. Stripe is PCI DSS compliant. We do not store your payment card details. |
| Mailchimp | Email communications where you have opted in. Mailchimp operates under Standard Contractual Clauses for EU/UK data transfers. |
| Zoom | Virtual session delivery. Zoom processes technical data in accordance with its own privacy policy and EU Standard Contractual Clauses. |
| Legal or regulatory authorities | Only where required by law or to protect the safety of a participant. |

All third-party processors are subject to data processing agreements and are required to handle your data securely and in accordance with applicable law.

6.  HOW LONG WE KEEP YOUR DATA

| Data Type | Retention Period |
| --- | --- |
| Intake form & health questionnaire | 7 years from programme completion (in line with Irish healthcare records best practice) |
| Programme attendance & session records | 7 years from programme completion |
| Payment records | 7 years (required for Irish and UK tax and accounting purposes) |
| Email marketing data | Until you unsubscribe or request deletion |
| Website analytics | 26 months (standard analytics retention) |

After the applicable retention period, your data is securely deleted or anonymised.

7.  YOUR DATA PROTECTION RIGHTS

Under UK GDPR and Irish data protection law, you have the following rights:

| Right | What It Means |
| --- | --- |
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your data where there is no compelling reason to retain it |
| Restriction | Ask us to limit how we use your data in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting prior processing |

To exercise any of these rights, contact us at: hello@joinnovara.com. We will respond within 30 days.

If you are based in Ireland and are not satisfied with our response, you may lodge a complaint with the Data Protection Commission (DPC): www.dataprotection.ie

If you are based in the UK, you may contact the Information Commissioner’s Office (ICO): www.ico.org.uk

8.  COOKIES & WEBSITE ANALYTICS

joinnovara.com uses cookies to help us understand how visitors use the site and to improve your experience. Cookies are small text files stored on your device.

| Cookie Type | Purpose |
| --- | --- |
| Essential cookies | Required for the website to function. Cannot be disabled. |
| Analytics cookies | Help us understand website traffic and usage patterns (e.g. Google Analytics or equivalent). Only activated with your consent. |
| Marketing cookies | Used to track the effectiveness of any advertising campaigns. Only activated with your consent. |

You can manage your cookie preferences at any time via the cookie consent banner on joinnovara.com. You can also clear cookies through your browser settings.

9.  HOW WE PROTECT YOUR DATA

We take the security of your personal data seriously, particularly given that health information is involved. Our measures include:

•     Participant intake forms and health data stored in password-protected, access-controlled systems

•     Health data not transmitted by unencrypted email

•     Payment data handled entirely by PCI DSS-compliant Stripe — we do not store card details

•     Access to personal data limited to Ciarán Byrne as data controller and, where strictly necessary, programme delivery staff bound by confidentiality obligations

•     Regular review of data security practices as the company scales

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (DPC / ICO) within 72 hours and, where required, notify affected individuals without undue delay.

10.  INTERNATIONAL DATA TRANSFERS

Your data is primarily processed within Ireland and the UK. Where third-party processors (Zoom, Mailchimp, Stripe) transfer data outside the UK/EEA, they do so under appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO. You can request further information about these safeguards by contacting us.

11.  CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The current version will always be available at joinnovara.com. Where changes are material, we will notify current programme participants directly by email.

This policy was last reviewed: March 2026.

12.  CONTACT US

Data Controller:  Ciarán Byrne, NOVARA Performance Limited

Address:  The Mill Enterprise Hub, Newtown Link Road, Drogheda, Co. Louth A92 C450 Ireland

Email:  hello@joinnovara.com

Website:  joinnovara.com

Note:  This Privacy Policy has been prepared in good faith to reflect Novara Performance Limited's data practices. It is recommended that this document be reviewed by a qualified data protection or legal professional before publication, particularly given the processing of Special Category health data.