Privacy Policy

2. Information We Collect

Information you provide to us

• Account registration details (name, email address, company name, job title)
• Billing and payment information (processed securely via Stripe)
• Compliance data you upload to the platform (frameworks, controls, evidence, policies)
• Communications with us (support requests, feedback, enquiries)
• Survey responses and feedback

Information collected automatically

• Device and browser information (IP address, browser type, operating system)
• Usage data (pages visited, features used, time spent on the platform)
• Cookies and similar tracking technologies (see our Cookie Policy)
• Log data and analytics information

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve our AI governance platform
• To process your subscription and manage billing
• To send you service-related communications and updates
• To respond to your enquiries and provide customer support
• To analyse usage patterns and improve our services
• To detect, prevent, and address technical issues and security threats
• To comply with legal obligations and enforce our terms of service

4. Legal Basis for Processing (GDPR)

Under the UK GDPR and EU GDPR, we process your personal data on the following legal bases:

• Contract performance: Processing necessary to fulfil our contract with you (providing the platform, managing subscriptions)
• Legitimate interests: Improving our services, fraud prevention, and security
• Legal obligation: Compliance with applicable laws and regulations
• Consent: Where you have given explicit consent (e.g., marketing communications)

5. Data Sharing

We do not sell your personal data. We may share your information with the following categories of third parties:

• Service providers: Cloud hosting (Neon, Vercel), payment processing (Stripe), email services (Resend), authentication (Clerk)
• AI processing: Anthropic (Claude API) for AI-powered compliance features — data is processed in accordance with our Data Processing Agreement
• Legal requirements: When required by law, regulation, or legal process
• Business transfers: In connection with a merger, acquisition, or sale of assets

6. International Transfers

Some of our service providers are located outside the United Kingdom and the European Economic Area. When we transfer personal data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognised transfer mechanisms under the UK GDPR and EU GDPR.

7. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy, or as required by law. Account data is retained for the duration of your subscription and for up to 12 months after account closure. Compliance data you upload is deleted within 30 days of account termination, unless a longer retention period is required by law or requested by you.

8. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data (“right to be forgotten”)
• Right to restrict processing: Request that we limit how we use your data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests or direct marketing
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@getnorivo.com. We will respond within one month of receiving your request.

9. Cookies

We use cookies and similar technologies to enhance your experience on our platform. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, regular security assessments, and secure development practices. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Children's Privacy

Our platform is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date. We encourage you to review this policy periodically. Continued use of our platform after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated.