Privacy policy
Last updated: 21 May 2026
This policy explains what personal data we collect when you use Normiq, why we collect it, and what you can do about it. It covers your rights under the EU General Data Protection Regulation (GDPR) and the EU Data Act. Our processors are EU or EU-adequate only — we do not transfer personal data to the United States.
1. Who we are
The controller for personal data processed through Normiq is Abiton Ventures AB, a Swedish aktiebolag. Registered office and organisation number are available on request. Privacy contact: privacy@normiq.eu. We act as controller for account, billing, and authentication data, and as processor for the content customers put into the product on behalf of their organisations.
We have not appointed a Data Protection Officer because we do not meet the thresholds in Article 37 GDPR. Privacy-related enquiries go to the privacy contact above.
2. What personal data we collect
- Account data: name, email, organisation, role.
- Authentication data: received via Zitadel — subject identifier, email, name, and profile attributes.
- Billing data: Stripe customer and subscription identifiers only. We never store card numbers, CVVs, or bank details. Following the GDPR principle of data minimisation (Art. 5(1)(c)), we send Stripe only what it needs to bill you: organisation name, country, VAT number, billing email (for receipts and dunning notices), and your interface language. We do not send your personal name to Stripe.
- Product data: the organisations you represent, the AI systems you describe, the evidence files you upload, your learning progress, and the risk classifications you draft and accept.
- Communications: support emails and in-product feedback.
- Technical data: access logs (IP used only for rate-limiting and abuse detection) and server logs (metadata only, 90-day retention).
3. Why we collect it, and on what legal basis
- Contract (Art. 6(1)(b)): to deliver the Service your organisation subscribed to.
- Legitimate interest (Art. 6(1)(f)): security, abuse prevention, and aggregate product analytics (Plausible — cookieless).
- Legal obligation (Art. 6(1)(c)): tax and accounting record retention, responding to supervisory-authority requests.
- Consent (Art. 6(1)(a)): only where we ask for it explicitly — currently unused in the product.
4. Who we share data with
We share personal data only with the processors below, each acting under a signed data processing agreement. We do not sell personal data and we do not share it for advertising.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Zitadel Cloud | Identity provider, SSO, MFA | Switzerland | EU adequacy decision (CH–EU) |
| Stripe Payments Europe Ltd | Billing and payment processing | Ireland (EU) | DPA + SCCs for onward transfers |
| Brevo (Sendinblue SA) | Transactional email and newsletter | France (EU) | DPA, EU data storage |
| Mistral AI SAS | AI classification and content generation | France (EU) | DPA, no training on submitted data |
| UpCloud Ltd | Managed PostgreSQL (production database) | Finland (EU) | DPA |
| Hetzner Online GmbH | Compute and object storage | Germany / Finland (EU) | DPA |
| Plausible Insights OÜ | Aggregate, cookieless analytics | Estonia (EU, hosted on Hetzner DE) | DPA — no personal data transmitted |
| BunnyCDN | Website content delivery (normiq.eu) | Slovenia (EU edge nodes only) | DPA, EU-only edge configuration |
Stripe data minimisation. Stripe is our billing processor. We share with Stripe only the data it needs to operate billing: organisation name (the legal entity on the invoice), billing email, country, VAT number, and your interface language. Your personal name is not transmitted to Stripe. We hold it inside Normiq's own database and share it only with the EU-headquartered processors that need it (Zitadel for authentication, Brevo for transactional email).
5. International transfers
Only Zitadel is located outside the EU/EEA, in Switzerland, which benefits from a European Commission adequacy decision — so no additional safeguards are needed for that transfer. All other processors are located in the EU/EEA. We do not transfer personal data to the United States or to any other third country lacking an adequacy decision.
6. Retention
We keep account data while your subscription is active and for 30 days after cancellation so that export and recovery remain possible. Audit and security logs are retained for at least 90 days. Email delivery metadata (Brevo message IDs) is retained until you delete your account. Soft-deleted records are permanently purged after 30 days. You can trigger immediate deletion at any time (see below).
7. Your rights
You have the right to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time. You can also lodge a complaint with a supervisory authority. Our product includes self-serve endpoints for the two most common requests:
- Access and portability: Settings → Data & privacy → "Export all personal data (GDPR)" covers Articles 15 and 20. A second export covers all organisation data under the EU Data Act.
- Erasure: Settings → Delete account. Your account is anonymised immediately and organisational data is permanently removed within 30 days.
- Rectification, restriction, objection: email privacy@normiq.eu. We respond within 30 days.
8. Cookies
Normiq does not set tracking or advertising cookies. Only strictly-necessary session cookies are used during authentication and payment. See the Cookie policy for the full list.
9. AI processing
The Service uses AI to generate draft risk classifications, document templates, and learning content. When you trigger an AI action, the relevant content from your organisation is sent to Mistral AI SAS (France, EU) to produce the draft. Mistral does not train on submitted data (per the DPA). All AI outputs are drafts until a named user of your organisation explicitly accepts them — see the Terms of service, section 4.
The AI features of Normiq prepare drafts for human review. The Service does not take any automated decision producing legal or similarly significant effects on an individual — Article 22 GDPR does not apply. Each draft is bound to the named user who accepts it inside the Service, and that acceptance — not the AI output — is the legally relevant act. This positioning aligns with the preparatory-task carve-out in Article 6(3)(d) of Regulation (EU) 2024/1689 (the EU AI Act).
10. Children
Normiq is a business-to-business service and is not directed at users under 16.
11. Security
We use TLS in transit, encryption at rest, Zitadel-managed authentication with MFA available, structured audit logging, and 90-day security-log retention. Incident response is documented internally and affected customers are notified within 72 hours of a confirmed personal-data breach.
12. Changes to this policy
Material changes are notified by email to the billing contact at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact and supervisory authority
Privacy enquiries: privacy@normiq.eu. General support: support@normiq.eu.
Our lead supervisory authority is the Swedish Authority for Privacy Protection (IMY — Integritetsskyddsmyndigheten). You may also lodge a complaint with the supervisory authority in your own EU/EEA country of residence or workplace.