Privacy Policy

How Norma collects, processes, and protects your data.

Effective 5 September 2025

1. Who we are

Norma is operated by Techuplift, Lda., a company registered in Portugal. We provide a compliance management platform that helps organisations run integrated management systems covering standards such as ISO 27001, ISO 9001, GDPR, SOC 2, and NIS2.

Registered office
Setubal, Portugal
Privacy contact
privacy@norma-compliance.com

2. Data we collect

We collect only the data necessary to deliver and improve the service. The categories below describe what we gather, why, and when.

Account information
Name, work email, hashed password, and company details you provide when you sign up or are invited to a workspace.
Company and onboarding data
Company name, country, industry, size, and business activities collected during workspace setup.
Compliance content
Policies, procedures, risk assessments, audit records, and other documents you create or upload inside the platform.
Usage and technical data
Pages visited, features used, IP address, browser type, and device information collected automatically to maintain and improve the service.
Communication data
Messages sent through our contact form, support requests, and feedback you provide directly.
Billing information
Payment method and billing address, processed and stored by Stripe. We do not store full card numbers.

3. Why we process your data

Every processing activity maps to one of four legal bases under the GDPR. We do not process data without a clear, documented purpose.

Purpose                                  Legal basis
Deliver the platform and its features    Contract performance
Process payments and manage billing      Contract performance
Send service notifications and updates   Contract performance
Improve performance and fix issues       Legitimate interest
Ensure security and prevent fraud        Legitimate interest
Send marketing communications            Consent
Meet legal and regulatory obligations    Legal obligation

4. Sharing and disclosure

We do not sell personal data.
Norma does not sell, rent, or trade personal information to third parties for commercial purposes, under any circumstance.

We share data with a limited set of processors, each bound by a Data Processing Agreement and subject to annual review.

AWS
Cloud infrastructure and hosting · Ireland (EU)
Stripe
Payment processing and billing · Ireland (EU)
OpenAI
AI-powered content features · United States (SCCs)
Google Gemini
AI-powered content features · United States (SCCs)

5. International transfers

Your data is primarily hosted in the EU (AWS Ireland). Where a sub-processor operates outside the EEA, we rely on EU Standard Contractual Clauses or an adequacy decision to ensure an equivalent level of protection.

6. Security measures

We apply industry-standard technical and organisational controls to protect your data throughout its lifecycle.

Encryption
TLS 1.3 in transit, AES-256 at rest. Secrets managed through dedicated vaults.
Access control
Role-based permissions and multi-factor authentication enforced for all internal access.
Monitoring
Continuous security monitoring, anomaly detection, and automated incident alerting.
Vendor management
All sub-processors bound by DPAs and reviewed annually against our security baseline.

7. Your rights

Under the GDPR and applicable Portuguese law you can exercise the following rights at any time by contacting privacy@norma-compliance.com. We respond within 30 days.

Access
Request a copy of all personal data we hold about you.
Rectification
Ask us to correct inaccurate or incomplete information.
Erasure
Request deletion of your personal data, subject to legal retention obligations.
Portability
Receive your data in a structured, machine-readable format.
Restriction
Ask us to limit processing while a concern is being resolved.
Objection
Object to processing based on legitimate interest at any time.

8. Data retention

We retain data only as long as necessary for the purpose it was collected. When data is no longer needed it is deleted or anonymised within the timeframes below.

Data type                  Retention
Account data               Active account + 90 days after closure
Compliance documents       Per workspace settings or 7-year minimum
Audit trails               7 years
Security logs              2 years
Analytics (anonymised)     26 months

9. Cookies and analytics

We use a small number of cookies strictly necessary for the service to function, plus optional analytics cookies that are only set with your consent. Full details are in our Cookie Policy.

10. Changes to this policy

We review this policy annually. If we make material changes we will notify account holders by email at least 30 days before the changes take effect. The date at the top of this page always reflects the latest version.

11. Governing law

This policy is governed by the laws of Portugal. Any dispute that cannot be resolved informally will be submitted to the competent courts of Setubal, Portugal, without prejudice to your right to lodge a complaint with the Portuguese supervisory authority (CNPD) or any other EU data-protection authority.

Version 1.0 · Public · Owner: Privacy Team