How NMT Security collects, uses, shares, and protects personal data, and the choices and rights available to you. This policy applies to everyone we deal with, including website visitors, business contacts, and platform account holders, wherever they are located.
Effective Date: July 2026 (v. 2026-07, supersedes v. 2025-11)
Publisher: NMT Security (NMT Security LLC & NMT Security Innovations Pvt Ltd)
Applies to: Website visitors, business-relationship contacts, and platform-account personal data, in every jurisdiction
Our role: Controller for the data described here; processor for customer data we handle on a customer's behalf
Data residency: Customer data is stored in the customer's own region (for example, United States data in the United States, India data in India, and UK and Europe data in the United Kingdom)
Contact: privacy@nmtsecurity.com
Version: v. 2026-07 (supersedes v. 2025-11)
This Privacy Policy explains how NMT Security collects, uses, discloses, and protects personal data, and the rights available to individuals whose data we hold. It applies to our public website at nmtsecurity.com, to the NOVA AI platform and related products and services (the "Platform"), and to our sales, marketing, support, and business operations.
This policy applies to every individual we deal with, wherever they are located. Where a specific law gives you additional or different rights (for example in the European Economic Area, the United Kingdom, the United States, or India), those region-specific terms are set out in Section 15 and prevail over the general terms for individuals covered by them.
Controller and processor roles. NMT Security acts as a controller for the personal data described in this policy, meaning we decide why and how it is processed. When we process personal data on a customer's behalf to deliver the Platform (for example, data that a customer loads or that the Platform ingests about the customer's own users and assets), we act as a processor under a data processing agreement. For that data, the customer is the controller and the customer's own privacy policy governs.
"NMT Security", "we", "us", and "our" refer together to:
These affiliated entities share common ownership and operate the NMT Security business and the NOVA AI platform jointly. The entity that acts as controller for a given individual is normally the entity that holds the business relationship or that operates the tenant serving that individual. For any privacy question, you may contact us at the single address in Section 19 and we will route your request to the correct entity.
The categories of personal data we collect as a controller are set out below. We collect only what we need for the purposes in Section 6.
We do not seek to collect special category or sensitive personal data (such as health, biometric, or government identifiers) through our website or business relationships. Please do not send us sensitive data unless we specifically ask for it.
We use cookies and similar technologies on our website to make it work, to remember your preferences, to understand how the site is used, and to support our marketing. We group them as:
Where the law requires consent for non-essential cookies, we ask for it through our cookie banner and you can change your choices at any time there. You can also control cookies through your browser settings. We honour recognised opt-out signals, including Global Privacy Control (GPC), where applicable law requires us to treat them as a request.
We process personal data for the purposes below. Where the EEA or UK GDPR applies, the legal basis for each purpose is shown; individuals elsewhere have equivalent protections under this policy and the region-specific terms in Section 15.
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may ask us for information about that balancing, and you may object as described in Section 13.
The Platform uses NOVA AI to analyse security and risk data and to generate insights and recommendations. In relation to the personal data covered by this policy:
We send business marketing only in line with applicable law. Every marketing email includes an unsubscribe link, and you can opt out at any time by using it or by contacting us at privacy@nmtsecurity.com. Opting out of marketing does not stop essential service messages, such as security, billing, or account notices, which we send as part of the relationship.
We do not sell personal data, and we do not share it for cross-context behavioural advertising as those terms are defined under United States state privacy laws. We disclose personal data only as follows:
Sub-processors. Our core infrastructure and AI inference run on established cloud and model providers within the same region where the customer's data is stored. A current list of the sub-processors we use is available on request.
We store customer data in the customer's own region and keep it there for processing, including NOVA AI inference. For example, data from customers in the United States is stored in the United States, data from customers in India is stored in India, and data from UK and European customers is stored in the United Kingdom. Business-relationship and website data may be processed in the United States and India, where our entities operate.
Where personal data protected by EEA, UK, or other transfer-restricting laws is accessed from another country by our affiliates or sub-processors (for example for support), we put in place a lawful transfer mechanism, which may include:
You may request a copy of the relevant safeguard using the contact details in Section 19.
We keep personal data only for as long as we need it for the purposes in this policy and to meet legal, tax, and regulatory obligations, after which we delete or anonymise it. In practice:
Where we cannot delete data immediately (for example when it sits in secure backups), we isolate it from active use and delete it on our normal backup cycle.
We apply the technical and organisational measures described in our Technical and Organizational Measures (TOMs) document, including encryption in transit and at rest, role-based access control and least privilege, network and application security controls, logging and monitoring, secure development practices, vendor due diligence, and a documented incident-response process. NMT Security maintains an information-security programme aligned to recognised standards. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect personal data and to notify affected parties and regulators of incidents where the law requires.
Subject to your local law, you may have the following rights over your personal data. We honour these rights for all individuals to the extent the law allows, and additional or different rights for specific regions are set out in Section 15.
To exercise any right, contact us at privacy@nmtsecurity.com. We will respond within the timeframe your law requires, and we will not charge a fee unless the law permits it (for example for manifestly unfounded or excessive requests). To protect your data, we may ask you to verify your identity before we act, and we will only ask for information reasonably necessary to do so.
If you are an employee or user of one of our customers and your data is in the Platform as customer data, we act as a processor for that data. Please direct your request to that customer (the controller), and we will assist them in responding.
You may use an authorised agent to submit a request where the law allows, provided the agent gives proof of authorisation and we can verify your identity.
The following terms add to the rest of this policy for individuals in the named regions. Where they conflict with the general terms, these region-specific terms prevail for those individuals.
Our legal bases are set out in Section 6. You have the GDPR and UK GDPR rights listed in Section 13, including the right to lodge a complaint with a supervisory authority. In the United Kingdom this is the Information Commissioner's Office (ICO). International transfers are handled as described in Section 10. Where we rely on legitimate interests or, for special cases, other bases, you may ask us for further detail. We do not use solely automated decision-making that produces legal or similarly significant effects, as noted in Section 7.
We do not sell your personal information and we do not share it for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act as amended (CCPA/CPRA) and comparable state laws. Depending on your state (for example California, Virginia, Colorado, Connecticut, Utah, and others with comprehensive privacy laws), you may have rights to know or access, to correct, to delete, to obtain a portable copy, to opt out of sale, sharing, and certain targeted advertising and profiling, and to non-discrimination for exercising your rights. Sensitive personal information, where collected, is used only for permitted purposes. To exercise these rights, use the contact details in Section 19; we will verify your request and may permit an authorised agent to act for you. We honour Global Privacy Control (GPC) signals where required.
Categories collected, purposes, and disclosure recipients are described in Sections 3, 6, and 9 and, together with this section, form the notice required by California and comparable state laws.
For individuals in India, we process personal data as a Data Fiduciary under the Digital Personal Data Protection Act, 2023, where it applies to us. You may access and correct your data, request erasure, nominate another person to exercise your rights in the event of death or incapacity, withdraw consent where processing is based on consent, and raise a grievance with us. We provide a readily available means to withdraw consent and to make a grievance, and we will respond within the period the law requires. Our grievance contact is set out in Section 19.
For individuals in Brazil (LGPD), Canada (PIPEDA), and other jurisdictions with data-protection laws, we honour the equivalent rights available under your local law. Contact us using the details in Section 19 and we will handle your request in accordance with that law.
Our website, Platform, and services are intended for businesses and are not directed to children. We do not knowingly collect personal data from children under the age applicable in their jurisdiction (for example, under 18 in the United States context of this policy, and the relevant threshold under GDPR and the India DPDP Act). If you believe a child has provided us with personal data, contact us and we will delete it.
Our website and communications may contain links to third-party sites and services that we do not control. This policy does not apply to those third parties, and we are not responsible for their privacy practices. Please review the privacy notices of any third-party site you visit.
We may update this policy from time to time to reflect changes in our practices, technology, or the law. We will post the current version with its version number and effective date on nmtsecurity.com/privacy. Where a change is material, we will provide additional notice as the law requires. Your continued use of our website or the Platform after an update means you are aware of the current policy.
For any privacy question or to exercise your rights, contact our data-protection team:
Privacy and data-protection contact: privacy@nmtsecurity.com
India grievance contact (DPDP Act): privacy@nmtsecurity.com (marked "DPDP grievance")
Postal address: NMT Security, at the registered offices of NMT Security LLC (Delaware, USA) and NMT Security Innovations Pvt Ltd (India); full postal details available on request
Supervisory authority (UK): Information Commissioner's Office (ICO), ico.org.uk
If you are in the EEA or the UK and wish to reach us about EEA or UK personal data, contact us at the address above and we will direct your request to the responsible entity and, where required, our representative for that region.
This policy is provided by NMT Security (NMT Security LLC and NMT Security Innovations Pvt Ltd). It supersedes version 2025-11.