# What we comply with today
## GDPR (EU 2016/679)
Status: compliant.
As an EU-incorporated company processing EU residents' data, GDPR applies to us by law. We have:
- A documented privacy policy covering all Article 13/14 disclosures
- A public DPA that auto-applies to every customer
- A list of subprocessors with transfer mechanisms for each
- A documented incident response process with 72-hour notification commitment
- Self-service data export in the product (Art. 15 right of access + Art. 20 right to data portability): signed-in users request a ZIP of their account data from Account → Data & privacy; the system emails a download link, typically within minutes, formally within the 30-day GDPR deadline
- Self-service profile editing (Art. 16 right to rectification): name, avatar, and email editable in Account → Profile; password changes in Account → Security. Email + password changes both require the current password; email additionally requires a 6-digit code emailed to the new address before the swap
- Self-service account deletion (Art. 17 right to erasure): Account → Delete account schedules the deletion with a 30-day cooling-off window. After 30 days the system permanently anonymises every personal-data field on the account row (name, email, password, avatar) and removes all organization memberships. The account UUID itself is preserved so audit trails in other services keep resolving (rendered as "Former user"); pseudonymisation that prevents re-identification satisfies Art. 17. Users can cancel from the same page any time before the 30 days elapse
- Self-service organization deletion (also Art. 17, for org-scoped data): closing an organization you're the only member of removes it from your dashboard immediately and triggers a cross-service cleanup cascade — open billing usage is finalised first, then snapdb backups, langsync namespaces, domainradar watchers, and usage-limit overrides are all deleted across the products. Backup blobs in S3 are removed asynchronously by a sweep worker. The whole sequence typically finishes within a minute
- Right to object to in-app product analytics is exposed as a toggle in Account → Profile (we process in-app analytics under legitimate interest, GDPR Art. 6(1)(f), and document the assessment internally)
- Data subject requests outside the self-service flow (restriction, partial access, multi-member org deletion) go to [email protected]
- Email verification (Art. 32 security measure): on signup we send a 6-digit code to the address you provided and ask you to enter it from inside the app to confirm control. The same mechanism re-confirms control when you change your email later. Codes are bcrypt-hashed at rest, expire after 15 minutes, and are limited to 5 attempts
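The verification-code lifecycle described above (6-digit code, hashed at rest, 15-minute expiry, at most 5 attempts, reused for email changes), as an added illustration that is not Norcube's own code. It assumes an in-memory store and an injectable clock, and stands in `hashlib.scrypt` from the Python standard library for the page's bcrypt so it runs without third-party packages; the structure is the same either way.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60   # code expires after 15 minutes
MAX_ATTEMPTS = 5             # then the pending code is discarded


@dataclass
class PendingVerification:
    email: str
    salt: bytes
    code_hash: bytes
    created_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption): a salted, memory-hard KDF so a
    # leaked store does not reveal live codes. 6-digit codes have little
    # entropy, which is exactly why the attempt cap matters as well.
    return hashlib.scrypt(code.encode(), salt=salt, n=2**13, r=8, p=1, dklen=32)


class VerificationStore:
    """Issues and checks one pending code per email address."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock for testing expiry
        self._pending: dict[str, PendingVerification] = {}

    def issue(self, email: str) -> str:
        # CSPRNG, zero-padded so leading zeros are valid codes
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = os.urandom(16)
        self._pending[email] = PendingVerification(
            email, salt, _hash_code(code, salt), self._now()
        )
        return code  # handed to the mailer; only the hash is kept

    def verify(self, email: str, submitted: str) -> str:
        rec = self._pending.get(email)
        if rec is None:
            return "no_pending_code"
        if self._now() - rec.created_at > CODE_TTL_SECONDS:
            del self._pending[email]
            return "expired"
        rec.attempts += 1
        # constant-time compare of the hashes, not of the raw digits
        if hmac.compare_digest(_hash_code(submitted, rec.salt), rec.code_hash):
            del self._pending[email]
            return "verified"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._pending[email]   # user must request a fresh code
            return "locked"
        return "wrong_code"


if __name__ == "__main__":
    store = VerificationStore()
    code = store.issue("user@example.com")      # constructed sample address
    print("emailed code:", code)
    print(store.verify("user@example.com", "000000" if code != "000000" else "111111"))
    print(store.verify("user@example.com", code))
```

The same `issue`/`verify` pair serves signup and the later email-change flow: the code is issued to the new address, and the swap is only committed once `verify` returns `"verified"`.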
## ePrivacy / cookies
Status: compliant.
On norcube.com we set strictly-necessary cookies (your consent choice, CDN security) without consent, and one analytics cookie (PostHog, EU-hosted) only after you click Accept on the banner. You can reverse your decision at any time via the "Cookie preferences" link in the footer. No advertising cookies, no cross-site tracking, no fingerprinting. Full details on the cookies page.
## Czech / EU consumer law
Status: compliant.
Our Terms of Service preserve all consumer-protection rights for EU customers and comply with Czech contract law.
## EU AI Act (in force 2 August 2026)
Status: ready for the deadline.
We use AI as a deployer (calling OpenAI), not as a provider of foundation models. Our obligations are limited to transparency:
- We mark AI-generated outputs in the UI
- We disclose AI processing in our privacy policy
- We do not deploy any "high-risk" AI systems under the Act's classification
- Our DPA covers AI sub-processing
## PCI DSS (Stripe handles cards)
Status: SAQ A scope (the lightest tier).
Stripe handles all card data; our servers never touch raw card numbers. We self-attest annually via Stripe's compliance dashboard.