Privacy Policy
Effective 25 June 2026
Template pending review by qualified counsel before publication. Items in square brackets — legal entity, registered address, and governing law — must be confirmed. The remaining text describes how Normproof actually works.
This policy explains how Nomad Crow s.r.o., the controller of Normproof, processes personal data under the EU General Data Protection Regulation (GDPR). It covers our website, the free CRA readiness checker, and the authenticated application.
1. Who we are
The data controller is Nomad Crow s.r.o., Astrová 43, 900 41 Rovinka, Slovakia. For any privacy question or to exercise your rights, contact privacy@normproof.com.
2. What we collect
- Account data: your name, work email, organisation name, role, and hashed credentials when you sign up.
- Customer Data: the product, source/build metadata, SBOMs, vulnerability findings, and dossiers you create in the app. This is business data and usually contains no personal data beyond the names/emails of the people in your workspace.
- Billing data: for paid plans, payment is handled by Stripe. We receive subscription and invoice metadata; we do not receive or store full card numbers.
- Readiness-checker input: the answers you give the public checker. You may optionally provide an email to receive your result. The checker is designed not to leak personal data into shareable result URLs.
- Technical data: IP address and basic request logs, used for security, rate-limiting, and abuse prevention.
3. Why we use it (legal bases)
- To provide the Service (Art. 6(1)(b) — contract): create your account, generate and store dossiers, run assessments.
- To take payment (Art. 6(1)(b)): manage subscriptions via Stripe.
- Security and abuse prevention (Art. 6(1)(f) — legitimate interests): rate-limiting, logging, and protecting tenant isolation.
- Service communications (Art. 6(1)(b)/(f)): account, security, and transactional emails. Any marketing email is sent only with your consent and you can opt out.
4. Cookies
We use only the cookies needed to run the Service — principally a secure, httpOnly session cookie to keep you signed in. We do not use advertising cookies. Because these are strictly necessary, no consent banner is required for them.
5. Sub-processors and where data is stored
We host the Service in the European Union. We share personal data only with processors acting on our instructions:
- Google Cloud (EU region) — hosting, database, and object storage.
- Stripe — payment processing for paid plans.
- Our email provider — sending transactional email.
We draw vulnerability information from public data sources (such as NVD, OSV, GHSA, and the EUVD); these involve no personal data of yours. Where a processor transfers data outside the EEA, that transfer is covered by an adequacy decision or Standard Contractual Clauses.
6. How long we keep it
We keep account and Customer Data for as long as your account is active and as needed to provide the Service, then delete or anonymise it within a reasonable period after closure, unless we must retain certain records (for example invoices) to meet legal obligations. The reproducibility metadata recorded on a dossier (rules-library, SBOM, and engine versions) is retained with that dossier for audit purposes.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent where processing relies on it. Contact privacy@normproof.com to exercise any of these. You also have the right to lodge a complaint with your local data-protection supervisory authority.
8. Security
We apply technical and organisational measures appropriate to the risk, including strict per-organisation tenant isolation, encryption in transit, hashed credentials and API tokens, role-based access control, and audit logging. No system is perfectly secure, but protecting your data is core to how the Service is built.
9. Children
The Service is a business tool and is not directed to children under 16.
10. Changes
We may update this policy. We will post the new version here and update the effective date; material changes will be notified to account holders.
11. Contact
Nomad Crow s.r.o., Astrová 43, 900 41 Rovinka, Slovakia. Privacy enquiries: privacy@normproof.com. See also our Terms of Service.
Questions? See the Privacy Policy and Terms of Service, or contact support@normproof.com.