Privacy Policy

Last updated: April 2, 2026

Controller

Jannik Endress

Resi-Huber-Platz 1

81371 München, Germany

Email: business@noric.ai

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Master data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication and procedural data
  • Log data

Categories of Data Subjects

  • Service recipients and clients
  • Interested parties
  • Communication partners
  • Users
  • Business and contractual partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Reach measurement
  • Tracking
  • Office and organizational procedures
  • Audience building
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online services and user-friendliness
  • Information technology infrastructure

Relevant Legal Bases

Legal bases according to GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of personal data relating to him or her for one or more specific purposes.
  • Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as by governing access to, input of, and transmission of the data, ensuring its availability, and keeping data separated. We have also established procedures to ensure the exercise of data subjects' rights, deletion of data, and responses to data threats.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transmitted to other bodies, companies, legally independent organizational units, or persons or that it is disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Processors and Service Providers

We use the following categories of processors to operate Noric. We enter into data processing agreements (including the EU Standard Contractual Clauses where required) with them. The exact subprocessors of each vendor may change; we link to their official privacy and subprocessor information.

Infrastructure and application hosting

  • Microsoft Azure (Microsoft Corporation / Microsoft Ireland Operations Limited) — hosting of our application (e.g. Azure Container Apps), networking, and related infrastructure. Privacy statement · DPA overview

Authentication, database, and storage

  • Supabase (Supabase Inc.) — managed PostgreSQL database, authentication (including optional social login providers you choose, e.g. Google), file storage for user content, and related APIs. Data region depends on your project configuration. Privacy policy · Security

Payments and billing

  • Stripe (Stripe Payments Europe Ltd, Dublin, Ireland, and Stripe, Inc., USA as applicable) — payment processing, subscriptions, invoicing metadata, and fraud prevention when you purchase paid plans or credit packs. We do not store full card numbers on our servers; Stripe handles card data. Privacy policy · Service providers

Product analytics (optional)

  • PostHog (PostHog Inc.) — only if you consent to the analytics cookie category; see the section "Web Analysis, Monitoring, and Optimization" below.

AI and automation features

When you use AI features (e.g. cell generation, chat, document parsing, or web research tools), content you submit and related metadata may be processed by one or more of the following, depending on configuration (including "bring your own key" where you supply API keys):

  • OpenAI (OpenAI, LLC / OpenAI Ireland Ltd) — language models and related APIs. Privacy policy
  • Anthropic (Anthropic PBC) — language models and related APIs. Privacy policy
  • Mistral AI (Mistral AI SAS) — language and document/OCR APIs where used. Privacy policy
  • Parallel (Parallel Web Systems, Inc.) — web research, search, and extraction APIs when those tools are invoked. Privacy policy
  • LangSmith (LangChain, Inc.) — optional observability, tracing, and prompt management for AI workflows (may include prompts, tool outputs, and technical metadata). Privacy policy

Social sign-in (e.g. Google) is provided via Supabase Auth; the identity provider receives information according to its own terms when you choose that login method.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of the use of third-party services or the disclosure or transmission of data to other persons, bodies, or companies, this is done only in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission dated July 10, 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases where the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted immediately, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transfer to another controller.
  • Complaint to supervisory authority: You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Business Services

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as associated measures and in the context of communication with contractual partners (or pre-contractually), e.g., to answer inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any update obligations, and remedies in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization.

Provision of Online Services and Web Hosting

We process user data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Collection of Access Data and Log Files

Access to our online service is logged in the form of so-called "server log files." Server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server capacity and stability. Log file information is stored for a maximum of 30 days and then deleted or anonymized.

Use of Cookies

The term "cookies" refers to functions that store information on users' devices and read from them. Cookies can also be used for various purposes, such as the functionality, security, and convenience of online services, as well as the creation of analyses of visitor flows. We use cookies in accordance with legal regulations. For this purpose, we obtain the consent of users in advance if required (including where applicable under the German Telecommunications Telemedia Data Protection Act, TTDSG). If consent is not necessary, we rely on our legitimate interests.

When you first visit our website or app, we show a cookie banner where you can accept all cookies, reject non-essential cookies, or customize categories. Strictly necessary cookies are required for authentication, security, and core functionality. Analytics (provided by PostHog) is optional and only activated if you opt in. You can change or withdraw your choice at any time via Cookie Settings in the website footer or via Cookie preferences in the in-app Settings screen.

Storage Duration

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user visits a website again. The storage period can be up to two years.

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, telephone, or via social media) and as part of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to contact inquiries and any requested measures.

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate visitor flows to our online service and may include behavior, interests, or demographic information about visitors as pseudonymous values. With the help of reach analysis, we can recognize, for example, at what time our online service or its functions or content are most frequently used.

PostHog (product analytics)

We use PostHog (PostHog Inc.; processing also via PostHog's regional infrastructure depending on configuration) for product analytics when you have consented to the analytics cookie category. PostHog may process pseudonymous identifiers (such as a distinct ID), event data (for example page views, feature usage, and error events), and technical data from your browser or device. If you are logged in, we may link analytics to your user account identifier for product improvement and support — only while analytics consent is active.

Session replay (recording of interactions within the application for debugging and UX) is used only when you have opted in to analytics and only on routes where we enable it (not on the public marketing homepage or documentation pages). Inputs are masked where technically configured; you should still avoid entering secrets in the app.

The PostHog API endpoint is determined by our configuration (for example NEXT_PUBLIC_POSTHOG_HOST). Using PostHog's EU instance (for example https://eu.i.posthog.com) reduces transfers to the United States compared to the US cloud endpoint; if you use the US endpoint, international transfer safeguards such as Standard Contractual Clauses may apply in addition to any applicable adequacy decision.

PostHog publishes a list of subprocessors at posthog.com/docs/privacy/subprocessors.

Social Media Presence

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, the enforcement of user rights could be made more difficult.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online service that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as "content").

The integration always presupposes that the third-party providers of this content process the IP address of the user, as without the IP address they could not send the content to their browser. The IP address is therefore required for the presentation of this content or functions.

Google Fonts

We use Google Fonts to display fonts. When users visit our online service, their browsers send HTTP requests to the Google Fonts Web API to retrieve the fonts. Google does not log or store IP addresses on Google servers, and they are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled.

YouTube Videos

We embed video content from YouTube. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When users view YouTube videos embedded in our online service, YouTube may set cookies on their devices and collect usage data.

This privacy policy was created using the free privacy policy generator from Dr. Thomas Schwenke (datenschutz-generator.de)