Privacy

How we handle your data

We collect what we need to run the service, encrypt it, do not sell it, and let you take it back at any time. This page explains exactly how — in plain language.

No data selling · EU data residency · GDPR compliant · Right to delete

Last updated: 2026-05-19

In one paragraph: Norcube is a Czech company (Jetlio, s.r.o., Brno). We provide cloud services that store and process data you upload. We hold it in the EU (AWS Frankfurt), encrypt it, never sell it, and delete it when you ask. We use a small list of trusted third parties to deliver the service (AWS for hosting, Stripe for billing, OpenAI for AI features, Mailgun for email, PostHog EU for product analytics) — listed in detail on our subprocessors page. You have the right to access, correct, export, and delete your data at any time. Email us at [email protected].

# Who we are

Norcube is a brand operated by:

  • Jetlio, s.r.o.
  • IČO: 09967231
  • Registered office: Voroněžská 2547/1, 616 00 Brno, Czech Republic
  • Registered in the Commercial Register kept by the Regional Court in Brno (Krajský soud v Brně), file C 121887
  • Not currently registered for VAT

For data-protection purposes, we are the controller of personal data that you provide directly to us (account information, billing details, support correspondence, marketing-site analytics if you opt in).

When you use Norcube to process your customers' data (for example, storing translations or backup files), we act as a processor on your behalf — you remain the controller of your end-users' data. The terms of that processor relationship are set out in our Data Processing Agreement.

We have not appointed a Data Protection Officer because we are not legally required to (we do not carry out large-scale monitoring of data subjects, do not process special categories of data at scale, and are not a public authority). Our privacy lead is the company director, Jan Švábík.

Contact for privacy matters:

  • Email: [email protected]
  • Postal: Jetlio, s.r.o., Voroněžská 2547/1, 616 00 Brno, Czech Republic

# What data we collect

We try to collect as little as possible. Concretely:

You give us directly:

  • Account data — email address, name, password (hashed with bcrypt, never stored in plain text)
  • Organization data — the name and slug of your organization
  • Billing data — when you subscribe, our payment provider (Stripe) collects card details. We never see card numbers; we only store identifiers like cus_xxx and pm_xxx
  • Support correspondence — emails you send us
  • Content you upload — translations, backup files, prompt templates, domain queries — whatever the products you use are designed to store

We collect automatically:

  • Service logs — API request paths, response codes, timestamps, IP addresses. We need these to operate and debug the service. Logs do not include request bodies, so your credentials and content do not appear in them.
  • Security audit logs — when sensitive actions happen (login, key rotation, billing changes), we record who did what when, for security investigation purposes
  • Marketing-site analytics only if you accept the cookie banner on norcube.com. We then capture page views and basic device info (browser family, country at the city level) through PostHog (EU-hosted in Frankfurt). No advertising profile, no cross-site tracking. Details on the cookies page.
  • Product analytics — when you are logged into app.norcube.com, we capture feature-usage events (e.g. "translation synced", "backup created"). This is operated through the same PostHog EU instance under our processing contract with you. No event is sent to PostHog before you log in.

We do not collect:

  • Advertising or retargeting identifiers
  • Cross-site tracking signals
  • Anything from data brokers or other third parties about you
  • Special categories of personal data (health, religion, biometrics, …) unless you choose to put them into content you upload, in which case we process them only as needed to deliver the service

# Why we collect it (lawful basis)

Under GDPR, every processing activity needs a legal reason. Here are ours:

| What we do | Legal reason |
| --- | --- |
| Run your account, authenticate you, deliver the product | Performance of our contract with you (Art. 6(1)(b) GDPR) |
| Charge subscriptions via Stripe | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (login alerts, invoices, password resets, account-event notifications) | Performance of contract (Art. 6(1)(b)) — operational, not marketing; these are the only emails we send today |
| Marketing-site analytics (PostHog) on norcube.com | Your consent (Art. 6(1)(a) + ePrivacy Art. 5(3)) — only after you click Accept on the banner |
| Product analytics inside app.norcube.com | Our legitimate interest in understanding and improving the product (Art. 6(1)(f)). Events are pseudonymised, processed only in PostHog's EU instance, never used for advertising or profile building. You can object at any time via the "Disable product analytics" toggle in account settings (right to object, Art. 21) |
| Keep service logs for debugging + security | Legitimate interest in operating the service safely (Art. 6(1)(f)) |
| Comply with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) — e.g. Czech Act No. 563/1991 on Accounting requires us to keep invoices for 10 years |
| Defend against fraud and abuse | Legitimate interest (Art. 6(1)(f)) |

We do not rely on legitimate interest for any advertising or marketing-profile use case.

# Where your data lives

All product data is stored in AWS Frankfurt (eu-central-1). We do not replicate data outside the European Union.

Some third parties we use are headquartered outside the EU (mostly in the United States). When your data passes through them, it is governed by one or more of:

  • The EU-US Data Privacy Framework (for US recipients that have certified, including AWS, Stripe, and Mailgun)
  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions (for Canada, etc.)

Our full subprocessor list, including the legal basis for each transfer, is on the subprocessors page.

# How long we keep it

  • Account and content data — for as long as your account is active. You can delete your account at any time, which permanently removes the data within 30 days (some encrypted backups may persist briefly in our infrastructure backups before they age out).
  • Billing records — kept for 10 years to comply with Czech accounting and tax law.
  • Service logs — up to 1 year, then automatically deleted by AWS CloudWatch retention policy. Services that handle higher-stakes data (auth, billing, langsync, snapdb) keep their logs for the full year so we have a forensic trail if a security incident is discovered late; lower-stakes services (domainradar, limits) keep 90 days.
  • Security audit logs — 1 year inside the product database (snapdb.audit_log, enforced by a daily retention worker), then deleted unless retained for an active investigation.
  • Support emails — 2 years from last contact, then deleted unless related to an open contract or dispute.

# Who we share it with

We share data only with the third parties we need to run the service. We do not sell data, period. We do not share data with advertisers, data brokers, or any third party for marketing purposes. We also don't send marketing email today. If we ever start, we'll do it via a dedicated marketing-email platform (e.g. Mailchimp), update this policy in advance, and require explicit opt-in with a one-click unsubscribe in every message.

The current list of subprocessors — companies that process data on our behalf — is on our subprocessors page. It includes AWS (hosting), Stripe (payments), OpenAI (AI features), Mailgun (transactional email), and PostHog (EU-hosted product analytics).

Some Norcube products also offer optional integrations with third parties where you connect your own account (for example, a knowledge-base API or a chat tool). Your data then flows to that vendor under your contract with them, not ours — we are not their customer, we just relay your instructions. Those vendors are not Norcube sub-processors.

We notify you when we add a new subprocessor by updating the subprocessors page. If you have an enterprise contract with a right-to-object clause, we will email you in advance.

# Your rights

You can do all of the following at any time. We aim to respond within 30 days (often much sooner).

  • Access — request a copy of all data we hold about you. Self-service: sign in and visit Account → Data & privacy → Request export. We email you a downloadable ZIP within minutes (formally within the 30-day GDPR deadline). For partial access requests, email us
  • Rectify — fix incorrect data. All of this is self-service: sign in and visit Account → Profile to update your name, avatar, or email; Account → Security to change your password. Email and password changes ask you to confirm your current password first; for email changes we additionally send a 6-digit code to the new address before swapping it
  • Delete — remove your data permanently. Self-service: sign in and visit Account → Delete account. We mark your account for deletion immediately and permanently anonymise it after a 30-day cooling-off window (you can cancel any time within those 30 days from the same page). Your account UUID is preserved so audit trails in other systems remain consistent, but every personal-data field (name, email, password, avatar) is set to NULL. Sole-member organization closure is also self-service from the same page — closing it triggers a cross-service cleanup that settles billing and deletes the org's data across our products automatically. For organizations with other members or any other case we should handle manually, email [email protected]
  • Restrict — pause processing of your data (for example, during a dispute) — email us
  • Portability — get your data in a structured, machine-readable format (JSON inside a ZIP). Same self-service path as Access: Account → Data & privacy → Request export
  • Object — tell us to stop processing your data for a specific purpose. The concrete case today is in-app product analytics (legitimate interest, Art. 6(1)(f)) — you can object at any time using the "Disable product analytics" toggle in account settings. If we ever start sending marketing email, we will rebuild this section to cover the opt-out path for those too.
  • Avoid automated decisions — if we ever make decisions about you using AI alone, you can ask for human review
  • Complain — to your local data protection authority. For Czech residents, that is the Office for Personal Data Protection (ÚOOÚ). For other EU/EEA countries, find your authority here.

To exercise any of these rights, email [email protected].

# For users in the United States

The same rights above apply to you — Norcube treats privacy as a universal commitment, not a regional checkbox. Specifically, if you live in California:

  • We do not sell your personal information, as defined by the CCPA
  • We do not share your personal information for cross-context behavioural advertising
  • You have the right to know, delete, correct, and not be retaliated against for exercising these rights

If you live in another US state with a privacy law (Virginia, Colorado, Connecticut, Texas, etc.), the same protections apply. Email [email protected] to exercise any state-specific right.

# How we use AI

Some of our products use AI to process content you upload:

  • LangSync translates text via OpenAI
  • DomainRadar classifies brand-monitor results using AI
  • PromptHub lets you build AI workflows directly

When AI processes your data, it goes to OpenAI under a data-processing agreement that prohibits OpenAI from training their models on your content. We will always show a small indicator in the UI when AI is involved in generating an output you see — typically a label like "AI-assisted."

You will not be subject to a decision based solely on AI that significantly affects you. If we ever build a feature that does, we will tell you and offer human review.

# How we protect it

The technical details are on the security page. The short version:

  • All data is encrypted at rest (AWS-managed AES-256)
  • All connections use TLS 1.2+; internal service-to-service traffic uses mutual TLS
  • Sensitive credentials (database passwords, API keys) are encrypted with AWS KMS or hashed with HMAC-SHA256 before storage
  • We do not log request bodies (so your content does not appear in operational logs)
  • Access to production data is restricted to a small number of engineers and audited
  • We verify the email address you sign up with by sending a 6-digit code; the same mechanism re-confirms control when you change your email later. Codes expire after 15 minutes and are bcrypt-hashed at rest

We have not yet completed formal certifications like SOC 2 or ISO 27001 — we are a small team building the operational discipline first. We will pursue those when our customers ask for them.

# If something goes wrong

If we discover a breach of personal data, we will:

  1. Contain the incident immediately
  2. Notify the Czech Office for Personal Data Protection within 72 hours, as required by GDPR
  3. Notify affected users without undue delay if the breach is likely to result in high risk to your rights
  4. Publish a transparent post-mortem after resolution

We will tell you the truth about what happened, what data was affected, and what we are doing about it.

# Cookies and similar technologies

On norcube.com we set strictly-necessary cookies always (your consent choice + CDN security) and an analytics cookie from PostHog (EU-hosted in Frankfurt) only if you click Accept on the banner. On app.norcube.com we set one strictly-necessary HttpOnly cookie to keep you signed in. No advertising cookies, no cross-site tracking, no fingerprinting. Full list with names, providers and expiry on the cookies page.

# Children and young users

Norcube is a tool for developers and product teams, including students and hobbyists of any age. If you are below the age of digital consent in your jurisdiction (usually 16 in the EU, 15 in Czechia, 13 in the US under COPPA), a parent or legal guardian needs to agree to these terms and to the data processing described in this policy on your behalf. The same applies to the contract itself if you are also below the age of legal capacity for entering into agreements.

We do not knowingly process personal data of children without the proper parental consent. If you become aware that a young user is using Norcube without that consent, email us and we will work with you to address it.

# Changes to this policy

When we make material changes, we will notify you by email (for account holders) and update the "Last updated" date at the top. Continued use of the service after a material change constitutes acceptance.
