1. Who we are
"Nova System", "we", "us", and "our" refer to Nova System Inc., a corporation incorporated in British Columbia, Canada. Nova System operates the Meridian platform — including the Polaris desktop application, the Aurora mobile companion application, the Island Bar widget, and the public websites at meridianlegal.ca, thenovasystem.com, and thenovasystem.ca.
This Privacy Policy is governed by Canadian privacy law, including the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and British Columbia's Personal Information Protection Act ("PIPA"). It also describes how we comply with applicable extra-territorial laws such as the EU and UK General Data Protection Regulation ("GDPR") and U.S. state privacy laws including the California Consumer Privacy Act ("CCPA"), as amended.
2. Who uses our products and our role
Meridian is a business tool for licensed immigration consulting firms and law firms. The day-to-day users of Polaris and Aurora are owners, RCICs, Quebec immigration consultants, paralegals, lawyers, case workers, and support staff inside those firms.
| Surface | Audience | Our role |
|---|---|---|
| Polaris (desktop CRM) | Firm staff | Service provider / processor for the Firm |
| Aurora (mobile companion) | Firm staff | Service provider / processor for the Firm |
| Island Bar widget | Public visitors on the Firm's website | Service provider / processor for the Firm |
| thenovasystem.com / meridianlegal.ca | Visitors, prospects, applicants | Controller / organization on our own behalf |
| Our recruiting and sales activity | Candidates, prospects | Controller / organization on our own behalf |
When we handle personal information about Firm Clients inside Meridian, we do so on instruction from the Firm under the Data Processing Addendum. When we collect information about a visitor to our own websites or a prospect we are talking to about a subscription, we are the controller.
3. What we collect
3.1 Information you provide
- Account information — name, work email, work phone, role, licensing details (where applicable), Firm name, billing contact.
- Profile and preferences — profile photo, notification preferences, time zone, accessibility settings, signature, working hours.
- Subscription and billing — billing address, payment method tokens (handled by our payment processor; we do not store full card numbers), tax registration numbers, purchase history.
- Sales and onboarding — information you share during demos, trials, RFP responses, or implementation calls, including notes we take, recordings we transcribe (where you consent to recording), and questionnaires you complete.
- Customer Data submitted to the Service — documents, notes, emails, messages, files, case fields, and any other content the Firm or its staff submit through Polaris, Aurora, the Island Bar, or our APIs. This may include personal information about Firm Clients and other individuals. The Firm is the controller for this information.
- Support requests — contents of support tickets, chat conversations with our support team, and attachments.
3.2 Information we collect automatically
- Device and connection — IP address, approximate location derived from IP, device type, operating system, browser, app version, language preference.
- Usage — pages viewed, features used, actions taken, timestamps, click and tap events, error events, performance traces.
- Cookies and similar technologies — see Section 7.
- Authentication and audit — login attempts, sessions, multi-factor challenges, session activity for security and compliance.
- Push notification tokens — for Aurora, an opaque device token issued by Apple or Google that we use to deliver notifications.
3.3 Information from third parties
- Identity verification — where we verify a regulatory licence, we may verify identifiers with the relevant regulator's public register.
- Payment processor — we receive payment confirmation, last four digits, and brand of card from our processor.
- Integrations — when you connect a calendar, email, communications, or storage integration, we receive data from that integration as you configure it.
- Recruiting — for candidates, we may receive information from references and background-check providers, where lawful and where you consent.
4. How we use information
We use information for the following purposes; we identify the legal basis where required by GDPR / UK GDPR.
| Purpose | Examples | Legal basis (where applicable) |
|---|---|---|
| Provide and maintain the Service | Authenticate users, store and retrieve Customer Data, deliver notifications, run the assistant | Contract / legitimate interests |
| Billing | Issue invoices, process payments, collect taxes, send receipts | Contract / legal obligation |
| Customer support | Respond to tickets, troubleshoot issues, train support staff on anonymized examples | Contract / legitimate interests |
| Service improvement | Analyze aggregated usage, identify defects, plan capacity, evaluate features | Legitimate interests |
| Security and abuse prevention | Detect intrusion attempts, prevent fraud, enforce the AUP, investigate incidents, maintain audit logs | Legal obligation / legitimate interests |
| Communications about the Service | Service announcements, security advisories, billing notices, scheduled-maintenance windows | Contract / legitimate interests |
| Marketing | Newsletters, product updates, event invites — only where you have opted in or it is otherwise permitted | Consent / legitimate interests |
| Legal compliance | Tax, accounting, anti-money-laundering, regulatory reporting, responses to lawful requests | Legal obligation |
| Corporate transactions | Due diligence, mergers, acquisitions, financing — under confidentiality | Legitimate interests |
4.1 Automated decision-making and profiling
The Service uses third-party intelligent service providers to offer drafting, classification, summarization, and recommendation features. These features assist Firm staff; they do not make legally significant decisions about Firm Clients on their own. The Firm is responsible for the human-review obligations described in the Third-Party Intelligence Services Terms.
5. How we share information
We do not sell personal information. We share information only in the ways set out below.
- With sub-processors who help us run the Service (for example, hosting, payment processing, communications, error reporting, and third-party intelligence service providers). The current list is at /legal/sub-processors.
- With the Firm when we are processing Firm Client information on the Firm's behalf — that information remains accessible to the Firm and is shared with people the Firm designates inside its Meridian account.
- With professional advisors (lawyers, accountants, auditors) under confidentiality.
- With acquirers in the context of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, provided that the recipient is bound to honour this Privacy Policy.
- In response to lawful requests from law enforcement, regulators, or courts, where we are required to comply and have validated the request.
- To protect rights and safety where disclosure is reasonably necessary to enforce our agreements, prevent fraud, defend legal claims, or protect the rights, property, or safety of Nova System, our customers, or others.
- With your consent for any other purpose, including customer-list mentions and case studies.
6. International transfers
Nova System operates globally distributed infrastructure. Information may be processed in Canada, the United States, the European Economic Area, the United Kingdom, and other regions where our sub-processors operate. Where required, we put in place safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum, and our internal cross-border policies. Firms with regional storage requirements should review the regional options described in the DPA.
7. Cookies and similar technologies
We use cookies and similar technologies on our websites and on certain authenticated surfaces of the Service. Categories include:
- Strictly necessary — authentication, security, load balancing, fraud prevention. Always on.
- Functional — preferences such as language and time zone. Can be disabled in your browser but the Service may not work as intended.
- Analytics — aggregated counts of how features are used, error rates, performance.
- Marketing — only on public marketing pages, only with consent where required.
You can manage cookies through your browser. Where required (for example, for visitors in the EU/UK), we present a consent banner with clear opt-in for non-essential categories.
8. Retention
We keep personal information for as long as needed to provide the Service, satisfy our legal and tax obligations, resolve disputes, and enforce agreements. Specifically:
- Customer Data — kept for the duration of the Firm's subscription, plus a thirty-day grace period after termination for export, after which deleted in accordance with our retention schedule (subject to backups, which roll over within a defined window).
- Billing records — retained for the period required by applicable tax and accounting law (typically seven years in Canada).
- Support records — typically two years after the ticket is closed.
- Marketing contacts — until you unsubscribe or we no longer have a lawful basis.
- Security logs — at least one year, typically longer for high-sensitivity events.
9. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to withdraw consent. To exercise rights, contact privacy@thenovasystem.com. If you are a Firm Client whose information sits in a Firm's account, please contact the Firm in the first instance; we will support the Firm in responding.
For Canadian residents, you may also complain to the Office of the Privacy Commissioner of Canada or to your provincial commissioner. For EEA/UK residents, you may complain to your supervisory authority. For California residents, see the section "Notice to California residents" below.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information from loss, theft, misuse, and unauthorized access, disclosure, alteration, or destruction. Highlights are described in the Security Overview. No system is perfectly secure; we encourage you to use strong passwords and multi-factor authentication.
11. Children
Our products are not directed to children under sixteen. We do not knowingly collect personal information directly from children. If you believe a child has provided us with personal information in violation of this policy, contact privacy@thenovasystem.com and we will take appropriate steps to delete it.
12. Notice to California residents
Under the CCPA, California residents have rights to know, delete, correct, and limit use of sensitive personal information, and to opt out of "sale" or "sharing" of personal information for cross-context behavioural advertising. We do not "sell" personal information and do not "share" it for cross-context behavioural advertising. To exercise rights, email privacy@thenovasystem.com; we will verify your identity before responding. Authorized agents may submit requests with written authorization. We will not discriminate against you for exercising rights.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated policy and revise the "Effective" date. If changes are material, we will provide additional notice (for example, by email or in-product banner) before they take effect.
14. Contact
Privacy Officer
Nova System Inc.
British Columbia, Canada
Email: privacy@thenovasystem.com
General contact: info@thenovasystem.com