Privacy Policy | Novotize — SEO, GEO & Google Ads Agency

📅 Last updated: March 18, 2026

Novotize ("we", "us", "our") respects your privacy and is committed to protecting the personal data you share with us. This privacy policy explains, in plain language, what information we collect, why we collect it, how it is stored, who can access it, and the choices you have over your own data. It applies to every visitor of novotize.com, every person who contacts us via our forms, email or WhatsApp, and every client we work with under a service agreement.

We have written this policy to be readable rather than legalistic. Privacy policies are too often buried in jargon designed to confuse rather than inform, and we believe that is the wrong approach. Instead, we have tried to write something you could read in a single sitting and walk away with a clear understanding of what we do with your information. If anything is unclear, you can always reach out to us directly at hello@novotize.com and we will explain in simple terms.

This document is a living policy. As regulations evolve, as new tools become part of how we deliver our services, and as the digital marketing industry changes, we will revisit this page to keep it accurate. The "Last updated" date at the top reflects the most recent revision. Significant changes will be communicated to active clients directly.

1. Who we are

Novotize is an independent digital marketing agency specializing in SEO, GEO (Generative Engine Optimization) and Google Ads management. We help businesses across Thailand — including hotels, restaurants, clinics, law firms, real estate agencies and other service-based companies — become more visible on Google Search, Google Maps and AI-powered tools such as ChatGPT, Perplexity and Google AI Overviews.

We are based in Bangkok, Thailand, and we operate as a small, focused team rather than a large enterprise. This matters because it influences how we treat your data: there is no anonymous "data department" passing your information through a chain of contractors. The same people who answer your initial email are the people who handle your data day to day, and they answer directly to the founders.

Our values shape this policy as much as the law does. We believe that great digital marketing is built on trust, and trust is impossible without transparent handling of personal information. We treat the data you share with the same level of care we expect from the partners we work with on our own behalf.

For the purposes of applicable data protection laws — including the Thai Personal Data Protection Act (PDPA) and, where relevant, the European Union's General Data Protection Regulation (GDPR) — Novotize is the data controller responsible for the personal information you share with us through this website or during a commercial relationship.

Contact: hello@novotize.com
Website: novotize.com
Location: Bangkok, Thailand
Privacy contact: hello@novotize.com (subject line "Privacy")

2. Scope of this policy

This privacy policy applies to all interactions you have with Novotize through our digital channels, including but not limited to:

Our website at novotize.com, including all sub-pages, blog articles, service pages, the EN and TH language versions, and any landing pages we publish for marketing campaigns.
Our contact forms hosted on this website and processed via Formspree.
Direct communication channels such as email (hello@novotize.com), WhatsApp business messaging, and LinkedIn direct messages.
Client engagements where we work with you under a written service agreement, statement of work, or recurring retainer.
Onboarding processes where we collect information about your business to brief our team on your goals, audience and current marketing setup.

This policy does not apply to third-party websites, social platforms or tools that you may reach via outbound links on our site. Each of those services has its own privacy policy, and we encourage you to read them before sharing personal information there.

3. What data we collect

We only collect the data we genuinely need to respond to you, deliver our services and operate our website. The information we may collect falls into the following categories:

Contact form submissions: name, email address, phone number, company name, website URL, budget range, and your message. These fields are filled in voluntarily by you when you reach out for an audit, a quote or a question. The phone number and website fields are optional.
Analytics data: pages visited, time on site, referral source, device type, browser type, screen resolution, and approximate geographic location (country/city level). This data is aggregated and never used to identify you personally. We do not enable Google Signals, cross-device tracking, or audience export to advertising platforms.
Communication data: emails, WhatsApp messages, LinkedIn messages or any written exchange you initiate with our team. We keep these conversations to maintain context across the relationship and to make sure no question of yours falls through the cracks.
Client data: if you become a client, we may collect business information such as company registration details, billing addresses, invoicing contacts, access credentials to advertising or analytics accounts (delegated access only — never your raw passwords), and any documents you share to brief us on your project.
Engagement notes: internal notes our team takes during meetings, calls, or strategy sessions. These notes describe the project, decisions made, action items and next steps. They are stored in our internal project tools and are accessible only to the team members assigned to your account.
Performance data: if we manage advertising or SEO campaigns for you, we collect campaign performance data (impressions, clicks, conversions, costs, ROI metrics) directly from the platforms we operate on your behalf. This data is technically yours; we use it to optimize, report and demonstrate value.
Technical data: IP address (truncated where possible), language preference and timezone — used solely to deliver the site correctly, route you to the appropriate language version, and detect abnormal traffic patterns.
Voluntary feedback: any testimonials, case-study quotes, reviews or feedback you choose to share with us. We will always ask before publishing your name or business name in connection with such content.

We do not collect sensitive personal data such as financial account numbers, health data, biometric data, religious beliefs, political opinions, sexual orientation, trade union membership or government identifiers. We never ask for passwords, credit card numbers or copies of identity documents through this website. If we ever need a piece of sensitive data for a specific legal or contractual reason, we will request it through a secure channel and explain exactly why we need it.

4. How we use your data

The data we collect is used strictly for the purposes you would expect from an agency-client relationship and a professional website:

To respond to your inquiries — when you submit our contact form or reach out via email, we use your data to get back to you with a tailored, relevant response. We may follow up once or twice if we do not hear back, then close the file. We never add unsolicited contacts to a sales sequence.
To improve our website — anonymous analytics help us understand which articles and pages are useful, where visitors drop off, and how to make the site better for the next visitor. We never use this data to build advertising profiles or to retarget you across the web.
To deliver our services — if you become a client, we use your contact details to schedule meetings, send reports, share campaign updates, request approvals and issue invoices. Communication is the backbone of a healthy agency-client relationship, and good records make that easier.
To run campaigns on your behalf — when we manage advertising or SEO for you, we use your account access and creative assets to set up campaigns, analyze performance, generate reports, and recommend optimizations.
To meet legal and accounting obligations — Thai law requires us to keep certain financial records (invoices, contracts, tax-related documents) for several years. We comply with these retention rules even if you ask us to delete other data.
To protect the website — we may temporarily review server logs to investigate spam attempts, abuse, automated scraping, or suspicious traffic that could compromise availability for genuine visitors.
To prepare anonymized case studies — when we publish a case study, we use only data that has been pre-approved in writing by the client. We may also share aggregated, fully anonymous benchmarks (for example, "average cost per lead in the Bangkok hospitality sector") that cannot be linked back to any individual client.

We never sell, rent, license or trade your personal data to third parties for marketing purposes. We do not feed your information into AI training datasets, and we do not share client lists with other agencies, vendors or affiliates. The only situation where we would disclose your data outside our team is if we are legally compelled to do so by a competent authority — and even in that case, we would only share what is strictly required.

5. Legal basis for processing

Where applicable, our processing of personal data is based on one or more of the following legal grounds:

Consent — you give us your information voluntarily by submitting a form, sending us a message, or agreeing to a campaign brief. Consent is freely given, specific, informed and unambiguous, and you can withdraw it at any moment without explanation.
Contract — we need certain information to deliver the services you have hired us for, to set up your campaigns, to issue accurate invoices, and to honor the obligations of our service agreement. Without this data, we simply cannot deliver the service.
Legitimate interest — we use minimal analytics data to understand how visitors use our site, to improve content quality, and to keep the site secure against abuse. We have weighed our interest against your fundamental rights and concluded that this minimal processing does not override them.
Legal obligation — we keep accounting records as required by Thai tax and corporate law, including invoices, contracts and proof of payment. These obligations apply even after a client relationship ends.
Vital interests — in extremely rare cases (for example, a security incident affecting many people), we may process data to protect the vital interests of individuals.

You can withdraw consent at any time by contacting us, and we will stop processing the relevant data unless we are required to keep it for legal reasons. Withdrawing consent does not affect the lawfulness of any processing that took place before you withdrew it.

6. Data minimization principle

One of our core operating principles is data minimization: we collect only the smallest amount of personal data needed to do what you are asking us to do. If a field is not strictly necessary to respond to you or to deliver a service, we either make it optional or do not include it at all.

For example, our contact form does not require a phone number. If you send us your phone number anyway, we will not use it for SMS marketing — we will only use it to call you if email turns out to be inefficient and only after we have agreed on phone contact. Similarly, when onboarding a new client, we only request access to the specific advertising or analytics accounts that are within scope of our engagement; we do not ask for blanket admin rights to your entire toolset.

This principle also drives the choices we make about analytics. We could collect far more behavioral data than we currently do — heat maps, session replays, scroll depth, individual user journeys — but most of that data is not necessary for the editorial decisions we make about the website. Less data means less risk for you and less liability for us.

7. Third-party services

Our website uses a limited number of third-party services. Each one has been chosen because it is widely trusted, transparent about its own privacy practices, and necessary to deliver the website you are using:

Formspree — processes contact form submissions securely via encrypted HTTPS. Submissions are forwarded to our internal email and stored briefly on Formspree's servers (typically 30 to 90 days, depending on the plan). Formspree's Privacy Policy
Google Fonts — loads the typography used across the site. Google may receive your IP address when fonts are requested. We use Google Fonts because they are free, widely cached across the web, and load faster than self-hosted alternatives. Google's Privacy Policy
Google Analytics 4 — provides aggregated, anonymous traffic statistics. We have configured GA4 to anonymize IP addresses, disable advertising features, disable Google Signals, and shorten data retention to the minimum supported by the platform. Google's Privacy Policy
Google Tag Manager — used only as a container for the Analytics tag described above. No advertising or remarketing pixels are deployed via GTM. Google's Privacy Policy
Hostinger — our hosting provider. Server logs are kept for technical purposes (uptime, security) and rotated regularly. The website is served from data centers selected by Hostinger based on global routing performance. Hostinger's Privacy Policy
WhatsApp Business — when you choose to contact us via WhatsApp, your messages are delivered through Meta's messaging infrastructure. We use WhatsApp Business solely to converse with prospects and clients, never for broadcast marketing. WhatsApp's Privacy Policy
LinkedIn — we maintain a professional company page on LinkedIn. If you message us on LinkedIn, that conversation is governed by LinkedIn's policies in addition to ours. LinkedIn's Privacy Policy

We do not use tracking cookies for advertising, retargeting, or selling audiences. We do not embed Facebook Pixel, TikTok Pixel, X (Twitter) tags, or any other behavioral advertising tracker. If we add a new third-party service in the future, this policy will be updated and the change will be reflected in the "Last updated" date at the top of this page.

8. Data storage and security

Your data is stored securely using industry-standard measures. Contact form submissions are transmitted via encrypted HTTPS connections. Our server enforces HSTS, modern TLS, and strict security headers (X-Frame-Options, Content-Security-Policy, Referrer-Policy, X-Content-Type-Options) to reduce the risk of interception or abuse.

Internally, access to client data is limited to the people who genuinely need it to deliver the work you have hired us for. We use strong, randomly generated passwords stored in a reputable password manager, two-factor authentication on every business account that supports it, and we periodically review which third-party tools have access to which information. Stale access is removed when team members move on or when projects end.

Workstations used by our team are encrypted at rest, locked automatically after short periods of inactivity, and kept up to date with the latest security patches. We do not store client credentials in plain text in chat tools, email drafts, or shared documents — sensitive credentials are exchanged through password manager sharing features designed for that purpose.

We perform periodic backups of essential business data. Backups are encrypted, stored separately from the production environment, and rotated according to a defined schedule. They are intended to recover from data loss caused by hardware failure, accidental deletion or ransomware, not to extend the retention of your personal data beyond the periods described below.

9. Data retention periods

We do not keep your data forever. Here is how long, on average, we retain each category of information we collect:

Contact form submissions (no follow-up): 12 months from the date of submission, then deleted.
Active prospect inquiries: kept for the duration of the conversation plus up to 24 months of follow-up, then archived or deleted.
Client engagement records: retained throughout the engagement and for as long as required by law for accounting (typically 5 to 10 years for invoices and contracts under Thai law).
Analytics data: aggregated, anonymized statistics are retained for up to 14 months by default in Google Analytics 4. Raw event-level data is retained for the shortest period the platform allows.
Server logs: rotated and overwritten on a rolling basis, typically within 7 to 30 days unless required for an active security investigation.
Newsletter or marketing list (if any): kept until you unsubscribe, plus a brief grace period to honor the unsubscribe.
WhatsApp and email conversations: kept as long as the relationship is active. After 24 months of inactivity, conversations are archived and may be deleted.

If you ask us to delete your data sooner, we will do so unless we are legally required to keep it. We never extend retention silently for marketing reasons.

10. International data transfers

Some of the third-party services we rely on (Google, Formspree, Meta) may store data on servers located outside Thailand, including in the European Union and the United States. These providers commit to protecting your data through appropriate safeguards such as Standard Contractual Clauses and certifications under recognized privacy frameworks like the EU-U.S. Data Privacy Framework.

By using our website or contacting us, you understand that your data may be processed in those jurisdictions to the extent strictly necessary to deliver the requested service. We have selected providers that take data transfers seriously, publish their safeguards transparently, and offer documented mechanisms for data subjects to exercise their rights regardless of jurisdiction.

If you have specific concerns about international transfers — for example, you operate in a regulated industry where cross-border data flow is restricted — please contact us before sharing personal data so we can discuss appropriate measures.

11. Your rights

You have full control over the personal data we hold about you. Under applicable data protection laws (including the Thai PDPA and the European GDPR where relevant), you have the right to:

Access the personal data we hold about you and request a copy in a portable, commonly used format such as CSV, JSON or PDF.
Correct any inaccurate or outdated information. If your job title, company name, email address or phone number changes, just let us know and we will update our records.
Delete your personal data from our records ("right to be forgotten"), subject to any legal obligation that requires us to keep it (such as accounting records). Deletion is typically completed within a few business days of receiving the request.
Restrict or object to processing of your data in specific circumstances, including where you contest the accuracy of the data, where the processing is unlawful, or where you simply object to a particular use.
Withdraw consent at any time, with no penalty, and without justification. We will stop processing the relevant data immediately unless we are legally required to keep it.
Port your data to another service provider where technically feasible. If you are migrating to another agency, we will provide your campaign data and key documents in a format that can be reused.
Lodge a complaint with the relevant data protection authority — in Thailand, that is the Personal Data Protection Committee (PDPC) — if you believe we have not handled your data properly.
Be informed about how your data is processed. This policy is the primary instrument for that, but we will also answer specific questions on request.

To exercise any of these rights, simply email us at hello@novotize.com with the subject line "Privacy Request". We will respond within 30 days, and the request is free of charge. If we need to verify your identity to protect your data from unauthorized requests, we will ask you for the minimum information necessary to confirm you are who you say you are.

12. Marketing communications

We do not run aggressive marketing programs. If you have contacted us once, we will not enroll you in a long-running drip sequence by default. Any marketing communication we send falls into one of these narrow categories:

Direct replies to your inquiry, including up to two follow-ups if we do not hear back.
Newsletters and articles, only if you have explicitly opted in by subscribing on the website or asking to be added.
Service updates sent to active clients about their own campaigns, account performance, or changes to the platforms we manage on their behalf.
Important policy updates sent to active clients when this privacy policy or our terms of service change in a meaningful way.

Every email of a marketing or newsletter nature includes a one-click unsubscribe link. Unsubscribing is permanent and does not require justification. We do not maintain "soft opt-out" lists where unsubscribed contacts are re-added under a different angle.

13. Cookies and similar technologies

Our website does not currently use cookies for tracking or advertising. The only client-side storage we may use is strictly functional — for example, remembering your language preference between EN and TH versions of the site, or keeping your form data while you switch between fields. Functional storage is essential for the site to work and is not used to profile you.

The Google Analytics 4 implementation we use stores a small first-party identifier on your device to allow basic session continuity. This identifier is anonymized, not linked to any personal record, and only used to count unique sessions in aggregate.

If we ever introduce non-essential cookies (such as cross-platform analytics, retargeting or A/B testing), we will display a clear consent banner first and update this section with details about each cookie, its purpose, and its duration. You will be able to accept, decline, or fine-tune your preferences before any non-essential cookie is set.

14. Anti-spam and abuse protection

To keep our forms and inboxes useful for genuine prospects and clients, we apply a small set of anti-abuse measures:

Basic rate limiting on form submissions to prevent bots from flooding our inbox.
Server-side validation of email addresses and other fields to filter obvious spam patterns.
Periodic review of submission patterns to detect coordinated abuse.

These measures are designed to protect our team's ability to serve real users. They never use your data for any purpose beyond detecting and preventing abuse, and they do not generate profiles that follow you across the web.

15. Automated decision-making and profiling

We do not subject visitors or clients to automated decision-making that produces legal effects on them or significantly affects them in a similar way. We do not use algorithmic scoring to decide whether to engage with a prospect, whether to accept a client, or how to price our services. Every decision of consequence is made by a human being who can explain the reasoning behind it.

The optimization algorithms inside Google Ads, Meta Ads or other advertising platforms — which we may use on behalf of clients to manage their campaigns — operate on the platforms' own infrastructure and are governed by those platforms' privacy policies. We use those algorithms strictly for campaign management, never to make decisions about you as a website visitor.

16. Children's privacy

Our website and services are designed for business owners, marketers and decision-makers, and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has submitted information through our website, please contact us at hello@novotize.com and we will delete the data promptly.

If our services are used in the context of a business that markets to minors (for example, an educational platform), we work with the client to ensure that any data flow involving minors is properly governed at the source — typically by collecting parental consent before data reaches our analytics or advertising tools.

17. Confidentiality of client data

For active clients, the data and documents you share with us — strategy briefs, brand guidelines, customer lists, internal performance metrics, financial information needed to set ROI targets — are treated as confidential information. They are never shared with other clients, never used for benchmarking without explicit anonymization, and never disclosed to third parties without written authorization.

Confidentiality continues to apply after the engagement ends. The fact that someone was once a client does not give us the right to discuss their internal information publicly. When we publish a case study, we ask for written approval on the exact figures, screenshots and quotes that will appear, and we are happy to keep an engagement entirely off the record if that is what the client prefers.

18. Server infrastructure

This website is hosted by Hostinger on shared infrastructure that is part of their global hosting network. The choice of physical data center is made by Hostinger based on routing efficiency. Backups, traffic monitoring and basic security at the infrastructure layer are managed by Hostinger under their own data protection commitments.

We have selected Hostinger because of their transparent privacy stance, their support for modern security standards, their performance in Southeast Asia, and their established track record of compliance with European and Thai regulations. We periodically review whether our hosting setup remains the best option in terms of privacy, performance and reliability.

19. Social media and external links

Our website contains outbound links to LinkedIn, WhatsApp and other external platforms where you can interact with us. When you click on those links, you leave our website and enter an environment governed by the privacy policy of the destination platform. We have no control over what those platforms collect or how they use your data once you arrive there.

Similarly, blog articles and case studies on this website may link to industry studies, government resources, partner services or news articles. These links are provided for your convenience and to support the points we make. We do not control or endorse the privacy practices of the websites we link to, and we encourage you to read their policies before sharing any personal information.

20. Data breach notification

Despite our security measures, no system is perfectly immune to incidents. In the unlikely event that a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the relevant authority and the affected individuals without undue delay, in line with applicable data protection regulations.

Our breach response procedure includes the following steps:

Containment — immediate isolation of the affected systems to limit the scope of the incident.
Assessment — identifying which categories of data are affected, how many people are concerned, and what concrete risks the breach creates.
Notification — informing the relevant data protection authority within the legally required timeframe (typically 72 hours under PDPA and GDPR rules).
Communication to affected individuals — clear, plain-language notification with practical steps people can take to protect themselves, where applicable.
Remediation and review — fixing the root cause and updating our procedures to reduce the chance of recurrence.

We document every incident, even minor ones that do not require external notification, so we can learn and improve.

21. Disputes and complaints

If you ever feel that we have not handled your personal data properly, the first and quickest step is to contact us directly at hello@novotize.com. We genuinely prefer to hear concerns directly so we can address them quickly. Most issues turn out to be misunderstandings that can be resolved within a few business days.

If the issue is not resolved to your satisfaction, you have the right to lodge a complaint with the competent data protection authority. In Thailand, that is the Personal Data Protection Committee (PDPC). In the European Union, you may contact the supervisory authority of your country of residence. We will cooperate fully with any investigation conducted by a competent authority.

22. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, in the tools we use, or in applicable law. Any changes will be reflected on this page with an updated "Last updated" date at the top. For substantial updates — such as adding a new third-party service, changing retention periods, or expanding the categories of data we collect — we may also notify active clients by email, and where appropriate, display a banner on the homepage for a limited period.

We encourage you to review this page periodically so you stay informed about how we handle your information. Continued use of our website or services after a change to this policy constitutes acceptance of the updated terms, although for material changes affecting client engagements, we will request explicit acknowledgement.

23. Definitions

To make this policy easier to read, here are short definitions of the main terms we use:

Personal data: any information relating to an identified or identifiable individual. Examples include your name, email, phone number, IP address, or job title.
Processing: any operation performed on personal data, such as collecting, storing, using, sharing, anonymizing or deleting it.
Data controller: the entity that decides why and how personal data is processed. In this policy, that is Novotize.
Data processor: a third party that processes personal data on behalf of the controller, under documented instructions. Formspree, Google and Hostinger act as our processors for specific, narrow purposes.
Data subject: the individual whose personal data is being processed. In other words, you.
Cookie: a small piece of data stored in your browser by a website. Cookies can be used for many purposes, from remembering preferences to tracking behavior.
Aggregated data: data combined from many users in a way that no individual can be identified anymore.
Anonymization: the process of removing identifying information from data so that individuals cannot be re-identified, even by combining the data with other sources.

24. Contact us

If you have any questions about this privacy policy, want to exercise one of your rights, or simply want to know more about how we handle your data, please contact us:

Email: hello@novotize.com
WhatsApp: +66 083 906 0774
LinkedIn: Novotize Agency
Postal correspondence: available on request via email

We aim to respond to every privacy-related question within two business days. Transparency is one of our core values, and we treat questions about your data with the same care we apply to client work. We would much rather have a clear conversation about a small concern than discover, six months later, that someone walked away unhappy because they did not know how to reach us.

Thank you for taking the time to read this policy. We know it is long, but the alternative — vague language and hidden practices — is worse for everyone involved. If anything in this document does not match your experience with us, please let us know so we can either fix the policy or fix our practices, whichever needs adjusting.