Privacy Policy
1. Who We Are
Noryn System Ltd ("we", "us", "our") operates the Noryn virtual employees platform. We are registered in England and Wales (Companies House number: 17335896). ICO Registration: [ICO reg. no.].
Data protection contact: privacy@norynsystem.com
This Privacy Policy governs the data we collect and control directly — your account data, billing information, and platform usage. For data about your customers' leads and contacts that flows through the platform, see our Data Processing Agreement (/legal/dpa).
2. What Data We Collect
2.1 Account data
- Name, email address, and password (hashed)
- Business name, registered address, and industry
- Account preferences and settings
2.2 Billing data
- Subscription tier and billing history
- Payment method details (tokenised by Stripe — we never see full card numbers)
- Invoice records
2.3 Usage data
- Login timestamps and IP addresses
- Pages visited and features used within the dashboard
- Error logs and performance data
2.4 Conversation and employee data
- AI employee configurations, system prompts, and voice samples you provide
- Conversation logs between your virtual employees and your customers' contacts
- Integration connection metadata (which services you have connected)
2.5 Support communications
- Emails and messages you send to our support team
- Privacy rights request records
3. Why We Collect It and Our Lawful Basis
| Purpose | Data used | Lawful basis |
|---|---|---|
| Providing and operating the Service | Account, employee config, conversations | Contract (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Billing data | Contract (Art. 6(1)(b)) |
| Account security and fraud prevention | Login data, IP addresses | Legitimate interests (Art. 6(1)(f)) |
| Customer support | Account data, support communications | Contract / Legitimate interests |
| Product improvement and analytics | Anonymised usage data | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance (HMRC, ICO, courts) | Invoice records, audit logs | Legal obligation (Art. 6(1)(c)) |
| Marketing emails (opt-in only) | Email address, name | Consent (Art. 6(1)(a)) |
4. Who We Share Data With
We share data with sub-processors (third-party services that process data on our instructions). Our full, up-to-date sub-processor list is at /legal/sub-processors. Key sub-processors include:
- Anthropic — AI model inference (conversation content, system prompts)
- Supabase — database and authentication
- Stripe — payment processing
- Vercel — application hosting
- Resend — transactional email delivery
We do not sell your data. We do not share it for advertising purposes.
5. International Transfers
Most of our sub-processors are based in the United States. We rely on Standard Contractual Clauses (SCCs) with the UK Addendum as the transfer mechanism for all US-based sub-processors, in line with UK GDPR requirements. A copy of the SCCs can be requested by emailing privacy@norynsystem.com.
6. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Account info | While subscription active + 30 days export window | Service delivery |
| Conversation logs | 12 months rolling; 30 days post-cancellation if shorter | Support and analytics |
| Audit logs | 24 months, then anonymised | Security and compliance |
| Invoice records | 6 years | HMRC legal requirement |
| Marketing consents | Until withdrawn + 1 year | Regulatory accountability |
| Privacy requests | 6 years | ICO accountability |
| Support communications | 2 years | Legitimate interests |
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you
- Rectification: Ask us to correct inaccurate data
- Erasure: Ask us to delete your data (subject to legal retention requirements)
- Restriction: Ask us to pause processing while a dispute is resolved
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests or for marketing
- Withdraw consent: Withdraw marketing consent at any time
Exercise any of these rights at /dashboard/privacy/requests or by emailing privacy@norynsystem.com. We will respond within 30 days.
8. Cookies
We use cookies and similar technologies. See our full Cookie Policy at /legal/cookies.
9. Children
The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact privacy@norynsystem.com and we will delete it promptly.
10. Changes to This Policy
We will give 30 days' notice of material changes by email and in-dashboard notification. The current version is always available at /legal/privacy.
11. Complaints
If you are unhappy with how we handle your data, please contact us first at privacy@norynsystem.com. If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
Noryn · Noryn System Ltd · ICO Reg [ICO reg. no.] · privacy@norynsystem.com