Privacy Policy
“Norruva.org gives you the knowledge. Norruva.com gives you the tools.”
[DRAFT — pending legal review] This document is a working draft and should not be treated as final legal text until reviewed by counsel.
1. Who we are
Norruva is a pilot-stage Digital Product Passport platform. We help brands prepare for the EU 2027 DPP mandates. The brand is operated by Norruva (legal entity TBD pending incorporation; registered office to be confirmed). The data controller for the purposes of GDPR is Norruva. You can reach us at privacy@norruva.com.
2. What we collect
Waitlist signups
When you join the pilot waitlist, we collect: first name, email, company name, your intent (the reason you’re applying), product category, and your timing (when you’re looking to roll out a DPP). Stored in our Supabase database.
Account data
If you sign up for the platform: full name, display name, email, company name, password (hashed), and last login timestamp. Authentication is handled by Supabase. We support Google OAuth — if you use it, Google shares your email, name, and profile picture with us.
Support chat
Our virtual assistant Sena uses Google Genkit. Messages you send to Sena are processed by Google’s AI services. We do not store these messages on our servers.
Cookies and similar technologies
See section 5 below.
IP address (hashed)
We hash your IP address (SHA-256, truncated) when you submit the waitlist form, only to prevent abuse via rate limiting. The hash cannot be reversed to your IP.
3. Why we use it
Our legal bases under GDPR Article 6:
- Performance of a contract — to deliver the platform and pilot program (Art. 6(1)(b))
- Consent — for analytics cookies and marketing communications (Art. 6(1)(a))
- Legitimate interest — to prevent abuse, secure our service, and improve the product (Art. 6(1)(f))
- Legal obligation — where we must respond to lawful requests (Art. 6(1)(c))
4. Who we share it with (sub-processors)
- Supabase (database + auth) — supabase.com. Hosted in their default regions; data may transit through the US.
- Resend (transactional email) — resend.com. US-based.
- Microsoft Clarity (analytics, session recordings, heatmaps) — clarity.microsoft.com. US servers. Captures clicks, scroll behavior, and form interactions on our public pages.
- Google (Genkit AI for the support chat, Google OAuth) — google.com. US-based. Subject to Google’s own privacy terms.
- Vercel (hosting and CDN) — vercel.com. Multi-region.
We do not sell your data. We do not share it with advertising networks.
5. Cookies
| Name | Purpose | Lifetime | Category |
|---|---|---|---|
| norruva_access | Pilot access gate | 7 days | Strictly necessary |
| sidebar_state | Remembers if the dashboard sidebar is open or collapsed | 7 days | Functional |
| Supabase session cookies | Keeps you signed in | Up to Supabase’s default rotation | Strictly necessary |
| Microsoft Clarity cookies | Analytics — see Microsoft Clarity’s cookie list | Up to 1 year | Analytics |
6. International transfers
Some of our sub-processors are based in the United States. Where we transfer personal data outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses or, where applicable, an adequacy decision (e.g., the EU-US Data Privacy Framework).
7. How long we keep it
- Waitlist data: until the pilot ends or you ask us to delete it
- Account data: for the life of your account, plus 12 months for legal record-keeping
- Hashed IPs: 30 days for rate-limiting, then deleted
- Analytics data: per Microsoft Clarity’s defaults (typically 13 months)
8. Your rights under GDPR
- Access — get a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion
- Restriction — limit how we process your data
- Portability — get your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — for anything you previously consented to
To exercise any of these, email privacy@norruva.com. We respond within 30 days. You also have the right to complain to your local supervisory authority — for users in Portugal, that’s CNPD.
9. Children
Our service is not directed to anyone under 16. We don’t knowingly collect data from children. If you believe we have, contact us and we’ll delete it.
10. Changes to this policy
If we update this policy, we’ll change the “Last updated” date below and, for material changes, notify you by email.
11. Contact us
Email: privacy@norruva.com
General contact: hello@norruva.com
Last updated: April 30, 2026