norppa.io

Privacy Policy

Last updated: 11 April 2026

norppa.io ("we", "us", "our") is committed to protecting personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Finnish data protection law. This Privacy Policy describes what personal data we collect, why we collect it, how we use it, and your rights as a data subject.

norppa.io is a business-to-business (B2B) service. We do not knowingly collect data from or about consumers.

Questions or requests regarding this policy: info@norppa.io

1. Data Controller

The data controller for personal data processed in connection with the norppa.io service is:

  • Trading name: norppa.io
  • Country of establishment: Finland
  • Contact: info@norppa.io

2. Personal Data We Process

2.1 Customer account data

When you subscribe to norppa.io we process:

  • Business email address (used for authentication and alerts)
  • Company name and VAT / business ID (for invoicing and sanctions screening of your own organisation)
  • Billing contact details (processed by our payment provider Paddle on our behalf)

2.2 Service usage data

  • Supplier domain names and business identifiers you submit for monitoring
  • Findings generated by our intelligence pipeline relating to submitted domains
  • Self-assessment questionnaire (SAQ) answers
  • Report download history and portal activity logs

2.3 Technical data

  • IP address and browser metadata collected at login (session security)
  • Session tokens stored in Cloudflare KV (short-lived, not linked to browsing behaviour)

2.4 Data found during scanning

Our intelligence pipeline may retrieve publicly available data that incidentally contains personal data — for example, email addresses published in WHOIS records, data breach compilations, or paste sites. This data is processed solely to generate security findings for your account and is not used for any other purpose. We do not build profiles of individuals.

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): processing necessary to deliver the service you have subscribed to.
  • Legal obligation (Art. 6(1)(c) GDPR): invoicing, tax records, and responding to lawful authority requests.
  • Legitimate interests (Art. 6(1)(f) GDPR): service security, abuse prevention, and aggregated analytics to improve our platform. We have assessed that these interests do not override your fundamental rights.

4. Data Retention

  • Active subscription: all account and finding data retained for the duration of your subscription.
  • After cancellation: data retained for 90 days to allow you to retrieve reports, then deleted.
  • Billing records: retained for 7 years in accordance with Finnish accounting law (Kirjanpitolaki 1336/1997).
  • Security logs: retained for 12 months.

5. Sub-processors and Data Transfers

We use the following sub-processors. Where a sub-processor is located outside the EU/EEA, transfers are covered by European Commission Standard Contractual Clauses (SCCs) or an adequacy decision.

  • Cloudflare, Inc. (USA): content delivery, session management, and PDF storage — EU infrastructure region configured. SCCs in place.
  • Paddle.com Market Ltd (UK): payment processing and subscription management. UK adequacy decision applies.
  • Resend, Inc. (USA): transactional email delivery (magic links, alert notifications). SCCs in place.

All customer finding data, scan results, and reports are stored on our own infrastructure in Finland and are not transferred to any sub-processor beyond what is described above.

6. Your Rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure ("right to be forgotten") where no legal obligation requires retention (Art. 17)
  • Restriction of processing in certain circumstances (Art. 18)
  • Data portability in a machine-readable format (Art. 20)
  • Objection to processing based on legitimate interests (Art. 21)

To exercise any of these rights, contact us at info@norppa.io. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

7. Security

We implement appropriate technical and organisational security measures including access controls, encryption of data in transit (TLS), and infrastructure isolation. Our scanning systems operate behind a VPN exit node and are not directly reachable from the internet. We conduct internal security reviews regularly.

8. Changes to This Policy

We may update this policy. Material changes will be communicated by email to active subscribers at least 30 days before taking effect. The current version is always available at norppa.io/privacy.