Privacy Policy

Effective Date: January 28, 2026

1. Introduction

This Privacy Policy explains how Noru (“we”, “us”, or “our”) collects, uses, shares, and protects personal data when individuals interact with our websites, services, and communications. It also describes the rights individuals have in relation to their personal data and how those rights can be exercised.

Noru is an AI-powered governance, risk, and compliance (GRC) platform that helps businesses manage their compliance obligations. We help modern businesses get and stay compliant with frameworks such as SOC 2, ISO 27001, GDPR, NIS2, and others. Our services are primarily provided to business customers, but in delivering those services we may process personal data about individuals who visit our website at https://noru.tech, use our platform, or otherwise interact with us.

Scope of this Privacy Policy

This Privacy Policy applies to personal data processed by Noru in its capacity as a data controller, including in relation to website visitors, prospective customers, existing customers’ representatives and users, partners, vendors, and other external parties who interact with us. It does not apply to situations where we process personal data strictly on behalf of our customers as a data processor; in such cases, the customer’s privacy policy governs.

2. Data Controller and Contact Details

For the purposes of applicable data protection laws, Noru is the controller of personal data described in this Privacy Policy. If you have any questions or requests relating to this Privacy Policy or our handling of personal data, you can contact us using the following details:

  • Controller: Noru

  • Email: privacy@noru.tech

If required by applicable law, we may appoint a Data Protection Officer (DPO) or equivalent contact person. Details, if applicable, are available on our website or on request.

3. How We Obtain Personal Data

We obtain personal data about individuals from the following sources, depending on how they interact with us:

  • Directly from you, for example when you fill in forms on our website, register for our services or communications, attend events or webinars, or communicate with us via email or other channels.

  • From our business customers and partners, where they provide contact information for their personnel or representatives so we can deliver our services and manage the relationship.

  • Automatically, when you use our websites, applications, or services, for example through cookies and similar technologies, system logs, and usage analytics tools integrated with our platform and website.

  • From third parties, such as marketing and sales platforms, event organizers, referral partners, or publicly available sources, in accordance with applicable law and, where required, with your consent.

4. Categories of Personal Data We Process

The types of personal data we process depend on your relationship and interaction with Noru, but may include the following categories:

4.1 Identity and Contact Data

  • Name, job title, role or position, employer or organization, and professional biography information you provide to us.

  • Contact details such as business email address, phone number, and postal address.

4.2 Account and Service Data

  • User account information, including credentials managed via single sign-on with Google Workspace, user role assignments, and related configuration data.

  • Information related to the use of the Noru platform and services, such as actions performed within the platform, preferences, and support interactions.

4.3 Usage, Technical, and Device Data

When you access our websites or platform, we may collect technical information about your device and usage, which may include:

  • IP address, browser type and version, time zone setting, and browser plug-in types and versions.

  • Operating system and device type for company-provided and personal devices used for work, including laptops, desktops, and mobile phones, to the extent necessary for security, access, and compatibility purposes.

  • Log information such as access times, pages viewed, clickstream data, and other diagnostic and performance data relating to our websites and services.

4.4 Marketing, Communications, and Interaction Data

  • Preferences in receiving marketing from us and from our third-party partners, and communication preferences (for example, email subscriptions, opt-in/opt-out choices).

  • Records of communications and interactions with us, including inquiries, support tickets, feedback, and participation in events, webinars, or surveys.

4.5 Payment and Transaction Data

For certain transactions, we may receive limited billing and subscription information, such as transaction identifiers, subscription details, and billing contact data. Payment processing is typically facilitated through third-party providers such as Stripe, which may process personal data as independent controllers or processors in accordance with their own privacy policies. We do not store full payment card details within Noru systems.

4.6 Partner and Vendor Data

In the course of working with partners and vendors, we may handle confidential data provided by such organizations. This may include contact details of representatives, contractual information, and other business-related data necessary to manage the relationship, subject to applicable confidentiality and data protection requirements.

5. Purposes and Legal Bases for Processing (GDPR and Similar Laws)

Where data protection laws such as the EU General Data Protection Regulation (GDPR) apply, we rely on specific legal bases to process personal data. The purposes for which we process personal data and the corresponding legal bases typically include the following:

Purpose of Processing: Providing and operating our services

  • Examples of Activities: Setting up and managing user accounts; enabling access to the Noru platform; integrating with tools such as Slack, GitHub, Figma, HubSpot, and Stripe as part of service delivery; and handling service-related communications and support.

  • Legal Basis (where applicable): Performance of a contract or taking steps prior to entering into a contract; legitimate interests in delivering and improving our services for our customers.

Purpose of Processing: Managing customer, partner, and vendor relationships

  • Examples of Activities: Communicating with customer representatives, potential customers, partners, and vendors; negotiating and performing contracts; and maintaining contact lists and records of interactions.

  • Legal Basis (where applicable): Performance of a contract; legitimate interests in operating and growing our business.

Purpose of Processing: Security, compliance, and risk management

  • Examples of Activities: Monitoring access and usage to detect, prevent, and respond to security incidents; managing authentication via Google Workspace; safeguarding confidential partner and vendor data; and complying with legal, regulatory, and audit requirements related to GDPR and other applicable laws.

  • Legal Basis (where applicable): Legitimate interests in ensuring the security and integrity of our services and business; compliance with legal obligations.

Purpose of Processing: Improving and developing our platform and services

  • Examples of Activities: Analyzing usage data and feedback to enhance features and performance; training and improving AI models and GRC automation capabilities, using appropriate safeguards and, where possible, aggregated or de-identified data.

  • Legal Basis (where applicable): Legitimate interests in maintaining, optimizing, and innovating our platform and services.

Purpose of Processing: Marketing, communications, and events

  • Examples of Activities: Sending newsletters and updates about Noru, our GRC platform, and compliance frameworks; managing email campaigns through tools such as HubSpot; organizing webinars and events; and measuring the effectiveness of our marketing activities.

  • Legal Basis (where applicable): Consent where required by law (for example, for certain electronic marketing communications); otherwise legitimate interests in promoting and growing our business. You can opt out of marketing at any time.

Purpose of Processing: Operating our website and online services

  • Examples of Activities: Using cookies and similar technologies to enable core functionality, remember preferences, and generate aggregate analytics for our website and platform performance.

  • Legal Basis (where applicable): Legitimate interests in providing a secure and effective website and platform; consent where required by law for non-essential cookies or tracking technologies.

Purpose of Processing: Legal, regulatory, and dispute management

  • Examples of Activities: Complying with applicable laws, regulations, and industry standards; responding to lawful requests and legal process; and establishing, exercising, or defending legal claims.

  • Legal Basis (where applicable): Compliance with legal obligations; legitimate interests in protecting our rights, property, and interests, and those of our customers and others.

Where we rely on consent, you are free to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Where we rely on legitimate interests, we balance those interests against your rights and expectations and apply appropriate safeguards.

6. Cookies and Similar Technologies

Our websites and online services use cookies and similar technologies (such as web beacons, pixels, and local storage) to enable functionality, understand usage patterns, and support marketing and analytics. Depending on the jurisdiction, certain cookies may require your consent before being set or read on a device.

We generally group these technologies into the following categories:

  • Strictly necessary technologies: used to provide core website and platform functionality, security, and network management. These are essential for the services to work.

  • Functional technologies: used to remember your preferences and settings, such as language or login details (where applicable).

  • Analytics and performance technologies: help us understand how our websites and services are used and support improvements over time, often through aggregated statistics.

  • Marketing and advertising technologies: support the delivery of relevant content and allow us to measure the effectiveness of our marketing campaigns, where permitted.

Additional details about the specific technologies we use and the choices available to you may appear in a separate cookies notice or banner where required by law.

7. How We Share Personal Data

We do not sell personal data. We share personal data with the following categories of recipients, in line with applicable law and with appropriate safeguards and contractual protections:

  • Group entities: other Noru entities, where relevant, to support service delivery, operations, and internal administration consistent with this Privacy Policy.

  • Service providers and subprocessors: trusted third parties that provide services to us, such as hosting and infrastructure (Google Cloud Platform), collaboration and communication tools (such as Slack), development platforms (such as GitHub), design tools (such as Figma), customer relationship management and marketing platforms (such as HubSpot), and payment processing services (such as Stripe). These providers process personal data only on our instructions and under appropriate contractual terms, including data protection commitments aligned with GDPR where applicable.

  • Business partners and advisors: partners with whom we jointly offer or promote services or events, and professional advisers such as legal, financial, or security consultants, to the extent needed to provide their services to us or to you.

  • Customers and their authorized users: where needed to administer the relationship, we may share information such as account or usage information with authorized contacts within a customer organization.

  • Authorities and legal recipients: law enforcement agencies, regulators, courts, and other public authorities where the disclosure is legally required or where it helps protect our rights, the rights of our customers, or the rights and safety of others.

  • Corporate transactions: actual or potential buyers (and their agents and advisers) in connection with any proposed acquisition, merger, restructuring, or other corporate transaction involving Noru, subject to appropriate confidentiality and data protection safeguards. Personal data may transfer to a successor or affiliate as part of such a transaction, with protections consistent with this Privacy Policy.

8. International Data Transfers

Noru’s applications and data are hosted on Google Cloud Platform (GCP), with primary storage in data centers located in the European Union. Processing also takes place in the United States and the European Union, and in some cases in other locations where GCP or certain service providers operate, so personal data can be accessed from or transferred between the United States and the European Union.

Because we work with a hybrid team (office and remote) and with global providers, personal data may in some cases be accessed from or transferred to countries outside the country where it was originally collected. Where those countries are not considered to provide an adequate level of data protection under applicable law, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or other relevant authorities, included in our agreements with service providers and partners where needed for cross-border transfers.

  • Technical and organizational measures such as encryption, access controls, data minimization, and logging to protect personal data during and after transfer.

Where local law requires it, you can contact us for more information about international transfers relating to your personal data and the safeguards we rely on, including the use of Standard Contractual Clauses (SCCs).

9. Data Security and Protection Measures

We apply technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures align with relevant security and privacy practices under GDPR, and we review them at defined intervals.

Our security and privacy controls may include, in line with the risks and the nature of the data processed:

  • Use of secure infrastructure on Google Cloud Platform, supported by its security controls and certifications, for hosting Noru’s applications and data in the European Union and for processing in the United States and European Union.

  • Access controls, authentication mechanisms (including single sign-on via Google Workspace), role-based access, and logging of relevant activity within our systems and tools used by our hybrid team.

  • Encryption and secure communication channels where appropriate, particularly for confidential partner and vendor data handled within our services.

  • Policies and practices covering acceptable use of company-provided and personal (BYOD) devices used for work, including laptops, desktops, and mobile phones, and controls adapted to hybrid office and remote working arrangements.

  • Security and privacy awareness initiatives and contractual confidentiality obligations for personnel handling personal data.

No system or method of transmission over the internet is completely secure. You are encouraged to take steps to help protect your data, such as using strong and unique passwords, securing your devices, and contacting us promptly if you suspect any unauthorized access to your account or data in connection with Noru.

10. Data Retention

We keep personal data only for as long as needed to achieve the purposes described in this Privacy Policy, including providing services, meeting legal, regulatory, or reporting obligations, resolving disputes, enforcing our agreements, and protecting our rights.

Retention periods vary depending on the type of data, the context in which it was collected, and legal or regulatory requirements in the relevant jurisdiction. When personal data is no longer needed for the purposes for which it was collected and there is no legal obligation or business need to keep it, we either delete it, anonymize it, or otherwise irreversibly de-identify it. Where we rely on consent and you withdraw that consent, we may keep a record of the withdrawal and minimal necessary information to show compliance with applicable laws and to respect your preferences.

11. Individual Rights and Choices

Subject to applicable data protection laws and any relevant limitations, when Noru acts as a controller you have the following rights over your personal data:

  1. Access: you can ask if we process your personal data and, if so, request a copy along with certain related information.

  2. Rectification: you can ask us to correct or update personal data that is inaccurate or incomplete.

  3. Erasure: you can ask us to delete personal data in certain situations, for example where it is no longer needed for the original purposes or where you withdraw consent and no other legal basis applies.

  4. Restriction: you can ask us to limit the processing of your personal data in certain circumstances, for example while we check its accuracy or our reasons for processing it.

  5. Portability: you can ask to receive personal data you provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible and supported by law.

  6. Objection: you can object to processing based on our legitimate interests on grounds related to your particular situation, and you can object at any time to the use of your personal data for direct marketing (including any related profiling).

Where we rely on consent to process your personal data, you can withdraw that consent at any time. This does not affect the lawfulness of processing carried out before you withdrew consent.

To exercise any of these rights or to raise a question or concern about how we handle personal data, you can contact us using the details in the “Data Controller and Contact Details” section. We may need to verify your identity before responding to certain requests and, in some cases, we may not be able to fully comply with a request where this would conflict with legal obligations or the rights of others. In all cases, we respond in line with applicable law.

12. Marketing Communications and Preferences

We send marketing and promotional communications about Noru, our AI-powered GRC platform, and related services where the law allows this. Where required, we obtain your consent before sending electronic marketing communications.

You can opt out of marketing communications at any time by using the unsubscribe link in the communication or by contacting us using the details in this Privacy Policy. Opting out of marketing does not affect important service-related or transactional messages, such as service announcements, security alerts, or billing communications, which we continue to send when they are relevant to your use of Noru.

13. Children’s Privacy

Our websites, platform, and services are designed for business users and are not directed at children. We do not knowingly collect personal data from children in connection with our external-facing services. If we become aware that we have collected personal data from a child in violation of applicable law, we take appropriate steps to delete that information. If you believe a child has provided personal data to us, please contact us using the details in this Privacy Policy so we can review and address the situation.

14. Third-Party Websites and Services

Our websites and services may include links to, or integrations with, third-party websites, applications, and services, including tools such as Slack, GitHub, Figma, HubSpot, Stripe, and other external platforms. This Privacy Policy does not cover how those third parties handle personal data. Their own privacy policies and terms apply, and we encourage you to review that information before using their services or providing personal data to them.

15. Complaints and Regulatory Rights

If you have questions or concerns about how we handle personal data, you are encouraged to contact us first so we can try to resolve the issue. Depending on where you live or work, or where you believe an issue has arisen, you may also have the right to lodge a complaint with a data protection authority or other relevant regulator.

Information about how to contact supervisory authorities is usually available on their official websites. On request, we can provide information about the supervisory authority that is relevant to Noru’s main establishment, where applicable, and about other options for raising concerns.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, our data practices, or legal requirements. When we make material changes, we inform you in a way that reflects how significant the changes are, for example by sending an email notification and/or displaying a prominent banner or similar notice on https://noru.tech.

The latest version of this Privacy Policy is always available on https://noru.tech and shows the date it was last updated. Where the law treats your continued use of our websites or services after an update as acceptance of the changes, doing so indicates that you have read and understood the updated policy.

17. Contact

If you have questions about this Privacy Policy, our use of your personal data, or how to exercise your rights, you can contact Noru at privacy@noru.tech or use the contact details set out in the “Data Controller and Contact Details” section above.