GDPR Compliance

Effective Date: April 28, 2026

This page explains how Pro Nova Technologies Inc. ("we," "us," or "our") complies with the General Data Protection Regulation (GDPR) and outlines your rights regarding your personal data when you use our website at https://rmms.pronovatech.com and our PNT Remote Monitoring & Management Services ("PNT-RMMS") desktop client.

1. Data Controller Information

For the purposes of GDPR, the data controller is:

Company Name: Pro Nova Technologies Inc.

2. Legal Basis for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

3. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing

Request limitation on how we use your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or direct marketing.

Rights Related to Automated Decision-Making

Right not to be subject to decisions based solely on automated processing.

Right to Withdraw Consent

Withdraw consent at any time for processing based on consent.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

Email Us

Send a request to support@pronovatech.com with "GDPR Request" in the subject line.

Account Settings

Log into your account and visit the Profile section to download or delete your data.

Response Timeline

We will respond to your request within 30 days. In complex cases, this may be extended by an additional 60 days, and we will notify you of the extension.

We may need to verify your identity before processing your request to protect your personal data from unauthorized access.

5. Data We Collect

We collect the following categories of personal data:

Identity Data

Email address, first and last name, hashed password (PBKDF2-SHA512), TOTP secret if 2FA is enabled, company memberships and per-company role.

Transaction Data

Stripe customer ID, subscription ID, current plan and seat count. Card numbers and full billing details are held by Stripe — we never see or store them.

Technical Data

HTTP server access logs (IP, user-agent, request path, timestamp) generated by the portal for security and abuse prevention.

Communication Data

Support ticket content, attachments, and any email correspondence you send us.

RMMS Device Data

Hostname, system manufacturer / model / serial, CPU and RAM specs, drive list and free space, Windows edition / build, time-zone, domain-join status, current CPU and memory utilization, primary MAC address, last-reported public IP, agent version, and DPAPI-protected device-token reference.

Remote Session Data

Per-session summary written at end-of-session: start/end timestamps, the path that connected (LAN-direct / direct over WAN / relay), bytes transmitted on each path, and the operator's public IP. Screen content is never stored. Session recordings are not implemented.

Diagnostic Data

Warning-level and above application logs forwarded from the Agent for centralized troubleshooting. No personal data is included.

6. International Data Transfers

As a company that may process data outside the EEA, we ensure that any international transfers of personal data comply with GDPR requirements through:

  • Adequacy Decisions: Transferring data only to countries with adequate data protection laws.
  • Standard Contractual Clauses (SCCs): Using EU-approved contract terms with data recipients.
  • Data Processing Agreements: Binding agreements with third-party processors.

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy:

  • 7 years: Financial and transaction records (legal requirement)
  • 3 years: Support tickets and communications
  • 90 days: Diagnostic logs forwarded from agents; Stripe webhook records
  • 12 months: Remote-session summaries (path + bytes only — no screen content) and portal audit logs
  • 90 / 180 days after deactivation: Device tokens preserved after a subscription lapse (90d) or manual deactivation (180d), then automatically wiped by the orphaned-token sweeper
  • Active subscription: RMMS device registration and hardware inventory while the device is part of an operational subscription
  • Until deletion: Account data (deleted upon account-closure request)

8. Data Security

The technical measures we currently apply:

  • TLS in transit for all portal traffic (HTTPS), all relay WebSocket traffic (WSS), and all device-to-portal heartbeats.
  • WebRTC DTLS-SRTP for direct (P2P) remote-session data channels.
  • AES-256-GCM at rest for sensitive portal-side configuration values stored in the SecureSettings table (such as SMTP credentials and integration API keys).
  • DPAPI-encrypted device tokens on managed devices, with file ACLs restricting access to SYSTEM and Administrators.
  • PBKDF2-SHA512 password hashing at 600,000 iterations, per current OWASP guidance.
  • TOTP-based two-factor authentication available for any portal account, with one-time recovery codes.
  • Authenticated heartbeats — every device-to-portal request carries an X-Device-Token bound to the device's identity and subscription state.
  • Authenticode-signed installers and binaries via a hardware-token-protected signing key (DigiCert).
  • Rate limiting and account lockout on authentication endpoints.
  • Role-based access controls at portal level (SuperAdmin / Technician) and per-company level (CustomerOwner / CustomerMember / CustomerViewer).
  • Audit logging for authentication events, role changes, subscription events, and device activations.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Document all breaches, including facts, effects, and remedial actions taken.

10. Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection supervisory authority.

We encourage you to contact us first at support@pronovatech.com so we can address your concerns directly.

Finding Your Supervisory Authority

A list of EU data protection authorities can be found at: European Data Protection Board

11. Contact Us

For any GDPR-related inquiries or to exercise your rights, please contact us:
