Privacy Policy

The data controller responsible for your personal data is:

We may collect the following categories of personal data:

• Account data: name, work email address, company name, and job title provided during registration.
• Usage data: log data, IP addresses, browser type, pages visited, and actions taken within the platform.
• Integration data: metadata from connected tools (Git repositories, CI/CD systems, ticketing systems) necessary to generate compliance evidence. We do not store source code.
• Communication data: messages you send us by email or through the platform.
• Payment data: billing contact information. Payment card details are processed directly by our payment provider and are not stored by us.

We use personal data to:

• Provide, operate, and improve the Norigen platform.
• Generate audit evidence reports on your behalf.
• Send transactional communications (account confirmations, invoices, service notices).
• Respond to support requests and enquiries.
• Comply with legal obligations and enforce our Terms of Service.
• Send product updates and marketing communications where you have given consent or where we have a legitimate interest (you can opt out at any time).

We rely on the following legal bases under GDPR:

• Contract (Art. 6(1)(b)): processing necessary to perform our contract with you.
• Legitimate interests (Art. 6(1)(f)): improving the platform, fraud prevention, and direct marketing to existing customers.
• Legal obligation (Art. 6(1)(c)): compliance with applicable law.
• Consent (Art. 6(1)(a)): where you have explicitly opted in, e.g. marketing emails.

We do not sell your personal data. We may share data with:

• Service providers: hosting, analytics, payment processing, and customer support tools acting as data processors under appropriate agreements.
• Legal authorities: where required by law, court order, or to protect the rights of Norigen or others.
• Business transfers: in connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations.

Our primary infrastructure is hosted within the EU/EEA. Where we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses approved by the European Commission).

We retain personal data for as long as necessary to provide the services and comply with legal obligations. Account data is deleted within 90 days of account termination unless a longer retention period is required by law. Aggregated, anonymised data may be retained indefinitely.

Under GDPR you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten") where applicable.
• Restrict processing in certain circumstances.
• Data portability — receive your data in a structured, machine-readable format.
• Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at hello@norigen.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

We use strictly necessary cookies to operate the platform and, with your consent, analytics cookies to understand how the platform is used. You can manage cookie preferences through your browser settings or our cookie banner.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), access controls, and regular security reviews.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform. The "last updated" date at the top of this page reflects the most recent revision.

For any privacy-related questions or requests, please contact: