Privacy Policy

Nova Gov is a service of Zentarai Labs (LFGTTM LLC, Florida). This Privacy Policy explains how we collect, use, store, and protect personal data — for visitors of this website and for Philippine Local Government Units (LGUs) and partner agencies who use our platform.

Scope and definitions

This policy applies to personal data processed by Nova Gov in the course of providing services to Philippine LGUs, partner government agencies, and visitors to novagov.ph. Terms used in this policy follow the definitions set out in the Philippine Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations.

Who is the Personal Information Controller

The Personal Information Controller (PIC) is:

• Zentarai Labs (operating name of LFGTTM LLC, organized under the laws of the State of Florida, USA)
• Registered office of record: per LFGTTM LLC filings with the Florida Department of State
• For Philippine LGU clients, Nova Gov acts as a Personal Information Processor under contract — the LGU remains the PIC for citizen records.

What personal data we collect

The categories of personal data we may process depend on your relationship with us:

Website visitors

• Email address (if you submit a form, request a demo, or apply to the Founding Partner program)
• Name, role, LGU/organization name (if you complete a contact form)
• Technical information: IP address, browser type, device type, pages visited, referring URL — collected via standard server logs and Cloudflare Analytics

LGU and agency users of the platform

• Account information: name, official email, role, department, LGU affiliation
• Authentication credentials (PIN and/or JWT tokens issued at login)
• Usage logs (what records you access, when, from where)
• Operational data uploaded or generated through your LGU's use of the platform — e.g., CLUP documents, citizen reports, compliance records, GIS layers. This data remains the property and responsibility of the LGU.

Citizens (when LGUs deploy citizen-facing features)

When an LGU deploys Nova Gov to receive citizen reports or process applications, citizens may submit personal data (name, contact, location, photos of issues, identification). In these cases, the LGU is the PIC and Nova Gov is the PIP. Citizens should consult their LGU's specific privacy notice.

How we use personal data

• To provide, maintain, and improve the Nova Gov platform and Operational Applications
• To respond to inquiries, demo requests, and Founding Partner applications
• To send service-related communications (system alerts, account notifications, compliance reminders)
• To detect, prevent, and respond to security incidents and platform abuse
• To comply with legal obligations including RA 10173 reporting, COA audits, and DILG/NEDA compliance requirements
• To enforce our Terms of Service

We do not sell personal data. We do not use personal data for advertising profiling.

Lawful basis for processing

Under RA 10173, we process personal data under one or more of the following lawful bases:

• Contract — processing is necessary to deliver the platform to an LGU under a signed services agreement
• Legal obligation — processing required by Philippine law (e.g., RA 12254 CLUP compliance, COA audit trail requirements, BIR record retention)
• Legitimate interest — improving the platform, security monitoring, business administration, where such interests are not overridden by the data subject's rights
• Consent — for website forms, marketing emails, and any processing falling outside the bases above. You can withdraw consent at any time.
• Vital interest / public function — narrow cases involving emergency response or public health, in coordination with the LGU

Who we share data with

We share personal data with the following categories of recipients, under contracts that bind them to RA 10173-equivalent protections:

• Infrastructure providers: Railway (PostgreSQL hosting), Cloudflare (CDN, Access, DNS), Hostinger (mail), Resend (transactional email). Primary processing is in PH or globally-resilient regions; we work to keep data subject to PH jurisdiction wherever practical.
• AI processing: Groq (primary) and Anthropic (fallback) for language model inference. Prompts and outputs may transit these services. We do not allow our vendors to train models on customer data.
• Government recipients: when an LGU directs us to share data with DILG, NEDA, NPC, COA, or other authorized agencies as part of compliance reporting
• Legal disclosures: in response to a valid Philippine court order, subpoena, or law-enforcement request
• Business transfers: in a merger, acquisition, or asset sale, with notice to data subjects

Retention

• Account data: retained for the duration of the active services agreement plus 5 years (COA audit requirement) or as required by other PH retention rules
• Operational records / LGU data: retained per the LGU's documented retention schedule (e.g., RA 9470 for archives)
• Marketing inquiries: retained for up to 24 months from last interaction
• Server logs: 90 days, then aggregated or deleted
• Backup copies: may persist in encrypted backups for up to 12 months after primary deletion

Security measures

We implement organizational, physical, and technical safeguards aligned with NPC guidance and ISO 27001 control families:

• Encryption at rest (database storage) and in transit (TLS 1.2+ enforced)
• Role-based access controls; principle of least privilege
• Multi-factor authentication for staff with production access
• Cloudflare Access on gated administrative surfaces (email one-time PIN)
• Daily automated secret scanning and access auditing
• Annual penetration testing by qualified third parties (post-pilot)
• Documented incident response process with breach notification timeline

See our Security overview for further detail.

Your rights as a data subject

Under RA 10173 §16, you have the following rights with respect to your personal data:

To exercise any right, contact our Data Protection Officer at the address below. We respond within 15 working days under standard circumstances, or sooner where required by NPC rules.

Cross-border data transfers

Nova Gov primarily processes data within the Philippines and within infrastructure providers that maintain RA 10173-equivalent protections. Some infrastructure (notably AI inference) may process data outside the Philippines. Where this occurs:

• Transfers are made under contracts that bind the receiving party to equivalent protection
• We minimize personal data sent for AI inference (redaction, anonymization where feasible)
• For LGU customers, we will document cross-border processing in the Data Processing Agreement and provide opt-out where technically feasible

Data breach notification

In the event of a personal data breach that is reasonably believed to have or may have caused serious harm to affected data subjects, we will notify the NPC and the affected parties within 72 hours of knowledge of the breach, per NPC Circular 16-03.

Suspected breaches can be reported anonymously to landon@zentarailabs.com.

Children's data

Nova Gov is not directed at children under 13. We do not knowingly collect personal data from children. Where LGUs use Nova Gov for citizen-facing features that may incidentally collect data on minors (e.g., 4Ps beneficiary records), the LGU remains the PIC and is responsible for age-appropriate consent and parental authorization under applicable PH laws.

Changes to this policy

We may update this Privacy Policy to reflect changes in our processing or in applicable law. Material changes will be communicated by email to LGU clients with active agreements and by notice on this page. The "Last updated" date at the top of this document reflects the effective date of the current version.