Privacy Policy
Last updated 9 June 2026
Normis helps European businesses organise and evidence their compliance with the EU AI Act. We take privacy seriously, not least because it is the standard we help our customers meet. This notice explains what personal data we handle, why, and the rights you have. We have tried to write it in plain language.
Who we are
Normis ("Normis", "we", "us") is the controller of the personal data described in this notice, unless we are acting as a processor (see "Two roles" below). Normis is operated by [registered company name], a company registered in Ireland under number [company registration number], with its registered office at [registered address].
For any privacy question, or to exercise your rights, contact us at hello@normis.app.
The short version
- We collect the minimum we need to run the service: your account details, what you do in the app, and a few technical basics.
- Our database, authentication and file storage are hosted in the European Union.
- We do not sell your personal data, and we never have.
- Analytics only run if you accept them in our cookie banner. See our Cookie notice.
- You can access, correct, export or delete your data, and complain to a regulator.
Two roles
It matters which "hat" we are wearing when we handle data:
- As a controller. For personal data about our account holders, website visitors and people who contact us, we decide how and why it is used. This notice covers that processing.
- As a processor. When you put information into your Normis account (for example, the names of colleagues in your AI register, or policy and staff sign-offs), you decide how that data is used, and we process it on your behalf and under your instructions. That processing is governed by our Data processing terms, not this notice.
Personal data we collect
You give us
- Account and profile: your name and email address.
- Organisation: your company name, country and similar details you add.
- Communications: messages you send us for support or enquiries.
- Billing: the details needed to invoice your organisation, where a paid plan applies.
We collect automatically
- Authentication: we use passwordless sign-in, so we handle one-time codes and sign-in events rather than passwords.
- Usage and device: basic logs such as IP address, browser type, and the actions taken in the app, used for security and to keep the service working.
- Cookies and analytics: only the strictly necessary cookies by default, plus optional analytics if you consent. See our Cookie notice.
Why we use your data, and our legal basis
| Purpose | Legal basis (UK and EU GDPR) |
|---|---|
| Create your account and provide the service | Performance of a contract with you |
| Send sign-in codes and service emails | Performance of a contract |
| Keep the service secure, prevent abuse, keep audit logs | Our legitimate interests in a safe, reliable service |
| Respond to your enquiries and support requests | Our legitimate interests, or performance of a contract |
| Invoicing and keeping financial records | Performance of a contract, and our legal obligations |
| Analytics to understand and improve the service | Your consent (you can withdraw it at any time) |
Who we share data with
We do not sell your personal data. We share it only with service providers who help us run Normis, under contracts that require them to protect it and use it only on our instructions. Our main providers are:
- Supabase (database, authentication and storage), hosted in the European Union.
- Resend (sending sign-in and service emails).
- Vercel (application hosting and content delivery).
- Google Analytics (optional, consent-based analytics).
A current list, with locations and purposes, is on our Data processing page. We may also disclose data where the law requires it, or to establish or defend legal claims. If Normis is ever involved in a merger or acquisition, data may transfer as part of that transaction, and we will tell you.
Where your data is processed
Our core systems (database, authentication and storage) are hosted in the European Union. Some of the providers listed above are based outside the EU, mainly in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or the EU-US Data Privacy Framework.
How long we keep it
We keep account and usage data for as long as your organisation has an active account, and for a reasonable period afterwards. When an account is closed, we delete or anonymise personal data within a reasonable timeframe, except where we must keep certain records (for example, invoices for tax purposes, or audit logs needed to evidence past activity). Backups are deleted on a rolling cycle.
Your rights
Subject to the conditions in data protection law, you have the right to:
- access a copy of your personal data;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, where we rely on consent.
To exercise any of these, email hello@normis.app. If the data relates to your use of an employer's Normis account, we may direct your request to that organisation, which is the controller of that data. You also have the right to complain to your local data protection authority. In Ireland that is the Data Protection Commission (dataprotection.ie).
Security
We protect personal data with measures appropriate to the risk, including encryption in transit and at rest, strict per-organisation data isolation, audit logging of changes, access controls, and passwordless authentication. No system is perfectly secure, but we work to keep yours safe and to respond quickly if something goes wrong.
Children
Normis is a business tool and is not intended for children. We do not knowingly collect personal data from anyone under 16.
Changes to this notice
We may update this notice from time to time. We will change the date at the top, and for significant changes we will give you reasonable notice, for example by email or in the app.
Contact us
Questions, requests or concerns about privacy: hello@normis.app.