1. INTRODUCTION
1.1 About This Privacy Policy
This Privacy Policy explains how Normain AB, reg. no 559464-9526, Luntmakargatan 26, 111 37 Stockholm, Sweden ("Normain," "we," "us," or "our") collects, uses, stores, and protects personal data when you use our Services available at https://app.normain.com (the "Platform").
This Privacy Policy applies to personal data that we collect and process as a data controller. It should be read together with our Terms of Service and, where applicable, our Data Processing Agreement.
1.2 Data Controller
Normain AB is the data controller for the personal data described in this Privacy Policy. We are responsible for ensuring that your personal data is processed in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Swedish Data Protection Act (Sw. Dataskyddslagen 2018:218).
1.3 Customer Data - When We Act as Data Processor
When you use our Services, you may upload, submit, or otherwise provide data to the Platform ("Customer Data"). To the extent Customer Data contains personal data, you are the data controller and Normain acts as a data processor on your behalf. The processing of such personal data is governed by our Data Processing Agreement, not this Privacy Policy.
Our Data Processing Agreement is available here and must be accepted before uploading any Customer Data containing personal data. Please refer to our Data Processing Agreement for details on how we process Customer Data.
2. PERSONAL DATA WE COLLECT AND PROCESS
We collect and process the following categories of personal data about you:
2.1 Account and Registration Data
When you create an account to use our Services, we may collect:
● Full name
● Email address
● Company name and organizational information
● Job title or role
● Account credentials (username and encrypted password)
● Account preferences and settings
Purpose: To create and manage your account, authenticate you, provide access to the Services, communicate with you about your account, and fulfill our contractual obligations.
Legal Basis: Performance of contract (GDPR Art. 6(1)(b)).
2.2 Payment and Billing Data
When you subscribe to a paid plan, we collect:
● Billing name and address
● Payment method information (credit card type and last four digits; full payment card data is processed by our payment processor and not stored by us)
● Transaction history
● Invoicing details
● VAT/tax identification numbers
Purpose: To process payments, issue invoices, manage your subscription, prevent fraud, and comply with tax and accounting obligations.
Legal Basis: Performance of contract (GDPR Art. 6(1)(b)) and compliance with legal obligations (GDPR Art. 6(1)(c)).
2.3 Usage and Analytics Data
When you use the Platform, we automatically collect:
● Log data (IP address, browser type and version, device type, operating system)
● Usage data (features accessed, actions taken, time spent, session duration)
● Performance data (load times, errors, crashes)
● Timestamps and date/time information
● Geographical location data (derived from IP address, at country level only)
● Interaction data (clicks, navigation paths, user flows)
Purpose:
Essential Analytics: To operate, maintain, and secure the Services; diagnose technical issues; prevent fraud and abuse; ensure service availability and performance.
Non-Essential Analytics: To analyze usage patterns; improve functionality and user experience; develop new features; conduct product research.
Legal Basis:
● Essential analytics: Legitimate interest (GDPR Art. 6(1)(f)) - our legitimate interest is to ensure the security, stability, and proper functioning of the Services. We have assessed that this interest outweighs any potential impact on your privacy rights.
● Non-essential analytics: Legitimate interest (GDPR Art. 6(1)(f)) for understanding how users interact with our Services to improve functionality and user experience, or consent (GDPR Art. 6(1)(a)) where required.
2.4 Communications Data
When you communicate with us (via email, support tickets, or in-app messaging), we collect:
● Your name and email address
● Content of your communications
● Attachments you provide
● Support ticket history
Purpose: To respond to your inquiries, provide customer support, troubleshoot issues, and improve our Services based on your feedback.
Legal Basis: Performance of contract (GDPR Art. 6(1)(b)) and legitimate interest (GDPR Art. 6(1)(f)) in providing effective customer support and improving our Services.
2.5 Marketing and Communication Preferences
If you opt in to receive marketing communications:
● Email address
● Communication preferences
● Engagement data (emails opened, links clicked)
● Event attendance information
Purpose: To send you marketing communications including newsletters, product updates, promotional materials, and event invitations.
Legal Basis:
● For new subscribers and non-customers: Consent (GDPR Art. 6(1)(a)). You may withdraw consent at any time by clicking "unsubscribe" in any marketing email or contacting support@normain.com.
● For existing B2B customers: Legitimate interest (GDPR Art. 6(1)(f)) to inform you about similar products and services, in accordance with Swedish marketing law (Marknadsföringslagen). You may opt out at any time.
Opt-Out: You may opt out of all marketing communications at any time by clicking "unsubscribe" in any marketing email or by contacting support@normain.com.
2.6 Data Minimization
We adhere to the principle of data minimization and collect only the personal data that is necessary for the specific purposes described in this Privacy Policy. We regularly review the data we collect to ensure it remains necessary and proportionate.
3. HOW WE USE YOUR PERSONAL DATA
We use your personal data for the following purposes:
3.1 Service Provision
● Creating and managing your account
● Authenticating your access to the Platform
● Providing the features and functionality of the Services
● Processing and fulfilling transactions
● Sending service-related communications (account notifications, system updates, security alerts)
3.2 Service Improvement and Development
● Analyzing usage patterns and trends to improve the Services
● Developing new features and functionality
● Conducting research and product optimization
● Testing and quality assurance
Important: We do not train our AI models or algorithms on Customer Data. We may use aggregated and anonymized usage statistics that have been processed in accordance with GDPR Article 29 Working Party anonymization standards (Opinion 05/2014) such that the data can no longer be attributed to any individual or organization.
3.3 Security and Fraud Prevention
● Detecting and preventing fraud, abuse, and unauthorized access
● Monitoring for security threats and vulnerabilities
● Investigating and responding to security incidents
● Ensuring the integrity and availability of the Services
3.4 Customer Support
● Responding to your inquiries and support requests
● Troubleshooting technical issues
● Providing guidance on how to use the Services
3.5 Legal Compliance
● Complying with applicable laws, regulations, and legal processes
● Responding to lawful requests from public authorities
● Enforcing our Terms of Service
● Protecting our rights, property, and safety, and that of our users and the public
3.6 Marketing and Communications
● Sending you newsletters and product updates (with your consent where required)
● Informing you about new features, services, and promotions
● Inviting you to events and webinars
● Conducting customer satisfaction surveys
3.7 Profiling
We may analyze your usage patterns to provide personalized recommendations and improve your experience with the Services. This profiling does not produce legal effects concerning you or similarly significantly affect you. You have the right to object to this profiling at any time by contacting support@normain.com.
4. USE OF ARTIFICIAL INTELLIGENCE
4.1 AI Processing in the Services
Our Services utilize artificial intelligence (AI) technologies to provide data processing, analytics, and other functionality. We engage third-party AI service providers to power certain features of our Services.
When you use AI-powered features:
● Your prompts and inputs will be processed by third-party AI providers acting as subprocessors
● If your Customer Data contains personal data, it may be processed by these AI providers as subprocessors under our Data Processing Agreement
● We do not allow third-party AI providers to use your data to train their models
● For a complete list of all AI subprocessors, including their names, locations, the services they provide, and the safeguards in place, please see our Subprocessor List here.
4.2 Your Responsibilities When Using AI Features
When using AI-powered features of the Services, you are responsible for:
● Ensuring you have a lawful basis under GDPR (consent, contract, legitimate interest, etc.) to provide any personal data to Normain for AI processing
● Providing required privacy notices to individuals whose personal data you process using the Services
● Validating and verifying all AI-generated outputs before using them in business decisions or operations
● Not inputting special categories of personal data (health data, biometric data, racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation) unless you have an explicit lawful basis under GDPR Article 9 and have informed us in advance
● Understanding that AI outputs may contain errors - you must independently review all AI-generated content
4.3 AI Accuracy and Limitations
Customer expressly acknowledges that outputs generated by AI features, including but not limited to analyses, predictions, recommendations, and other AI-generated content, may contain inaccuracies, errors, or omissions. You bear sole responsibility for independently reviewing, validating, and verifying all outputs and results generated by the Services prior to relying upon them.
5. WHO WE SHARE YOUR PERSONAL DATA WITH
5.1 Within Normain
Access to your personal data within Normain is restricted to employees and contractors who need it to perform their duties, such as:
● Engineering and product development teams
● Customer support personnel
● Security and compliance teams
● Finance and accounting staff
All personnel with access to personal data are bound by confidentiality obligations.
5.2 Service Providers and Subprocessors
We engage third-party service providers to assist us in operating, maintaining, and improving the Services. These service providers act as data processors and process personal data on our behalf under data processing agreements.
5.3 List of Subprocessors
A current and complete list of our subprocessors, including their names, locations, and the services they provide, is available here.
Subprocessor Changes: We will notify you at least 30 days in advance of adding or replacing subprocessors via email to your registered address. If you object to a new subprocessor for legitimate data protection reasons, you may object by emailing support@normain.com within the 30-day notice period. If you object, you may terminate your subscription without penalty before the subprocessor is engaged. If no objection is raised within 30 days, your right to object lapses and the new subprocessor will be deemed approved.
5.4 Business Transfers
If Normain is involved in a merger, acquisition, corporate reorganization, sale of assets, or similar transaction, your personal data may be transferred to the successor entity. We will notify you via email and/or prominent notice on our website at least 30 days before any such transaction is completed and provide information about how your personal data will be handled by the successor entity. The successor entity will be bound by the same data protection obligations as set forth in this Privacy Policy.
5.5 Legal Requirements
We may disclose your personal data to:
● Law enforcement, regulatory authorities, or other public bodies when required by law or in response to lawful requests
● Courts or arbitration bodies in connection with legal proceedings
● Professional advisors (lawyers, accountants, auditors) under confidentiality obligations
● Third parties as necessary to enforce our Terms of Service, protect our rights, or prevent harm
5.6 With Your Consent
We may share your personal data with third parties when you have given us your explicit consent to do so.
6. INTERNATIONAL DATA TRANSFERS
6.1 Data Storage and Processing Locations
Personal data is primarily stored on servers located in Sweden and Germany within the European Union.
However, some of our service providers and subprocessors process personal data outside the EU/EEA, including in the United States and other countries. For a complete list of subprocessors and their locations, please see here.
6.2 Transfer Safeguards
When we transfer personal data outside the EU/EEA to countries that do not provide an adequate level of data protection as determined by the European Commission, we implement appropriate safeguards in accordance with GDPR Chapter V:
Standard Contractual Clauses (SCCs): We use the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) with all service providers located outside the EU/EEA. These clauses provide contractual guarantees for the protection of your personal data.
Transfer Impact Assessments (TIAs): We have conducted Transfer Impact Assessments for all transfers to countries without an adequacy decision (including the United States) to evaluate the level of protection and identify any risks to your personal data.
Supplementary Measures: Beyond Standard Contractual Clauses, we have implemented additional technical and organizational measures for high-risk transfers, including:
● End-to-end encryption of data in transit and at rest
● Strict access controls and authentication requirements
● Contractual commitments from subprocessors not to access data except as necessary to provide services
● Regular security audits and assessments
● Transparency regarding government access requests (where legally permitted)
6.3 EU-US Data Privacy Framework
For transfers to the United States, we may also rely on the EU-US Data Privacy Framework where our subprocessors hold valid and current certification under that framework.
7. DATA RETENTION
7.1 Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods include:
● Account data: Retained for the duration of your active account, plus 30 days after account closure to allow for reactivation. After this period, personal data is deleted or anonymized, except as required for legal, tax, or accounting obligations.
● Payment and billing data: Retained for 7 years after the last transaction to comply with accounting and tax obligations under Swedish law (Bokföringslagen).
● Usage and analytics data: Retained in identifiable form for up to 12 months for service improvement and security analysis; may be retained indefinitely in aggregated, anonymized form that cannot be attributed to any individual.
● Communications data: Retained for up to 2 years to provide ongoing customer support and maintain a record of technical issues and resolutions.
● Marketing data: Retained until you withdraw your consent or unsubscribe from marketing communications, at which point your email and preferences are deleted within 30 days.
● Security and fraud prevention data: Retained for up to 3 years to detect patterns of abuse and protect the Services.
7.2 Deletion Requests
You may request deletion of your personal data at any time by contacting us at support@normain.com (see Section 9.9). We will delete your personal data within 30 days of your request, except where we are required to retain it for legal compliance (such as accounting records) or to defend against legal claims.
7.3 Justification for Retention
All retention periods have been established based on:
● The purposes for which the data was collected
● The nature and sensitivity of the data
● Legal, regulatory, accounting, and tax obligations
● The need to defend or bring legal claims
● Industry best practices and standards
We regularly review our retention periods to ensure they remain appropriate and justified.
8. DATA SECURITY
8.1 Technical and Organizational Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, in accordance with GDPR Article 32. These measures include:
● Encryption: Data in transit is encrypted using TLS 1.3 or higher; data at rest is encrypted using AES-256 encryption
● Access controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) for all systems
● Authentication: Strong password policies and secure authentication mechanisms
● Security monitoring: 24/7 security monitoring and logging of access to personal data
● Incident response: Documented incident response procedures and regular security incident drills
● Employee training: Regular data protection and security training for all personnel
● Vendor management: Security assessments of all subprocessors before engagement
● Regular testing: Penetration testing, security audits, and vulnerability assessments
● Backups: Regular encrypted backups with tested disaster recovery procedures
● Physical security: Secure data centers with restricted physical access
8.2 Security Standards and Certifications
We align our security practices with industry standards and frameworks, including:
● ISO 27001 principles for information security management
● GDPR Article 32 requirements for security of processing
● SOC 2 Type II for information security management
Upon request, we can provide customers with security documentation, questionnaires, and audit reports (subject to confidentiality agreements).
8.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (Swedish Authority for Privacy Protection) without undue delay and, where feasible, not later than 72 hours after having become aware of it, in accordance with GDPR Article 33.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay in accordance with GDPR Article 34. Our notification to you will include:
● A description of the nature of the personal data breach
● The categories and approximate number of affected individuals
● The likely consequences of the breach
● The measures taken or proposed to address the breach
● Contact information for our data protection point of contact
8.4 Your Security Responsibilities
You are responsible for:
● Maintaining the confidentiality of your account credentials
● Using a strong, unique password for your account
● Enabling multi-factor authentication if available
● Notifying us immediately of any unauthorized access to your account
● Keeping your registered email address current
9. YOUR RIGHTS UNDER GDPR
You have the following rights regarding your personal data under GDPR:
9.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that personal data and receive information about:
- The purposes of processing
- The categories of personal data processed
- The recipients or categories of recipients
- The retention period
- Your rights regarding the data
- The source of the data (if not collected directly from you)
- The existence of automated decision-making, including profiling
9.2 Right to Rectification (Article 16)
You have the right to request that we correct any inaccurate personal data we hold about you and to complete any incomplete personal data.
9.3 Right to Erasure / "Right to Be Forgotten" (Article 17)
You have the right to request that we delete your personal data in the following circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw your consent (where processing was based on consent) and there is no other legal basis for processing
- You object to the processing and there are no overriding legitimate grounds for processing
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
- The data relates to a child and was collected in relation to information society services
Exceptions: We may not be able to delete your personal data if we are required to retain it:
- To comply with legal, tax, or accounting obligations (e.g., retention of billing records for 7 years)
- To establish, exercise, or defend legal claims
- For archiving purposes in the public interest, scientific or historical research, or statistical purposes
9.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in the following circumstances:
- You contest the accuracy of the data (restriction applies while we verify accuracy)
- The processing is unlawful but you prefer restriction to deletion
- We no longer need the data, but you need it to establish, exercise, or defend legal claims
- You have objected to processing based on legitimate interests (restriction applies while we verify whether our legitimate grounds override yours)
When processing is restricted, we may only store the data and process it with your consent or for legal claims, protection of rights of others, or important public interest.
9.5 Right to Data Portability (Article 20)
You have the right to:
- Receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON)
- Transmit your personal data to another data controller, where technically feasible
This right applies only to personal data that:
- You have provided to us
- We process based on your consent or for performance of a contract
- Is processed by automated means
9.6 Right to Object (Article 21)
You have the right to object to processing of your personal data in the following circumstances:
Objection to Processing Based on Legitimate Interests: You may object at any time to processing based on our legitimate interests (including profiling). We will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for establishment, exercise, or defence of legal claims.
Objection to Direct Marketing: You have an absolute right to object to processing of your personal data for direct marketing purposes at any time. This includes profiling related to direct marketing. If you object, we will immediately stop processing your personal data for such purposes.
Objection to Processing for Research/Statistical Purposes: You may object to processing for scientific or historical research or statistical purposes unless the processing is necessary for performance of a task in the public interest.
9.7 Right to Withdraw Consent (Article 7)
Where we process your personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent:
- Does not affect the lawfulness of processing based on consent before its withdrawal
- Can be done by contacting support@normain.com or using the opt-out mechanisms provided (e.g., "unsubscribe" links in marketing emails)
9.8 Automated Decision-Making and Profiling (Article 22)
Normain's Use of Automated Decision-Making:
Normain does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, except where:
- Such processing is necessary to enter into or perform a contract between you and Normain
- It is authorized by EU or Member State law
- It is based on your explicit consent
Your Use of AI Features:
However, the Services utilize AI to process Customer Data you provide. If you use the Services to make automated decisions about individuals (such as employment decisions, creditworthiness assessments, eligibility for benefits, or other significant decisions), you are the data controller responsible for ensuring compliance with GDPR Article 22, including:
- Providing notice to affected individuals about automated decision-making
- Implementing appropriate safeguards, including the right to human review
- Ensuring the processing is lawful under GDPR Article 6
- Conducting Data Protection Impact Assessments where required
We recommend consulting with a data protection professional before using the Services for automated decision-making about individuals.
9.9 How to Exercise Your Rights
To exercise any of the rights described above, please contact us at:
Email: support@normain.com
Mail: Normain AB, Att: Privacy Officer, Luntmakargatan 26, 111 37 Stockholm, Sweden
What We Need From You:
To process your request, we may need to verify your identity by requesting:
- Proof of identity (e.g., copy of ID, passport, or driver's license)
- Additional information to locate your account in our systems
Response Time:
We will respond to your request:
- Within one month of receipt of your request
- Extended to two months for complex requests - we will inform you of any extension within one month and explain the reasons
No Fee:
We will not charge a fee for processing your request unless:
- The request is manifestly unfounded or excessive (particularly if repetitive)
- You request further copies of data beyond the first copy
If we charge a fee, we will inform you before processing your request.
Right to Complain:
If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority (see Section 11.2 below).
10. CHANGES TO THIS PRIVACY POLICY
10.1 Updates to This Policy
We may update this Privacy Policy from time to time to reflect:
● Changes in our practices or Services
● Changes in applicable law or regulatory requirements
● New features or functionality
● Feedback from users or regulators
10.2 Notice of Changes
When we make material changes to this Privacy Policy, we will:
● Update the "Last Updated" date at the top of this Privacy Policy
● Post the updated Privacy Policy on our website at https://normain.com/privacy
● Notify you via email to your registered email address
● Display a prominent notice on the Platform for at least 30 days
● Where required by law, obtain your consent to the changes
Material changes include changes to:
● The purposes for which we process personal data
● The categories of personal data we collect
● The recipients or categories of recipients of personal data
● International data transfers
● Retention periods
● Your rights
10.3 Your Choices After Changes
After we notify you of material changes:
● If the changes require your consent under applicable law, you will be prompted to accept the updated Privacy Policy before continuing to use the Services
● If the changes do not require consent, your continued use of the Services after the changes become effective constitutes your acceptance of the updated Privacy Policy
● If you do not agree to material changes, you may terminate your account in accordance with our Terms of Service
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
11. CONTACT US
11.1 Privacy Questions and Requests
If you have any questions about this Privacy Policy or how we process your personal data, or if you wish to exercise your rights, please contact us at:
Normain AB
Att: Privacy Officer
Luntmakargatan 26
111 37 Stockholm, Sweden
Support: support@normain.com
Website: https://normain.com
11.2 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates data protection law. The relevant supervisory authority in Sweden is:
Swedish Authority for Privacy Protection
(Integritetsskyddsmyndigheten)
Box 8114
104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se
Phone: +46 8 657 61 00
You may also contact the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Other EU Supervisory Authorities: A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
12. EXTERNAL LINKS AND SOCIAL MEDIA
The Platform may include links to external websites or services that we do not control, as well as social media widgets that allow users to share content from Normain's Platform on different platforms (e.g., LinkedIn, Twitter/X).
We are not responsible for the privacy practices or content of these third-party websites and services. To understand how these third parties collect and use your data, we recommend reviewing their privacy policies.
External links we may include:
● Partner websites
● Third-party tools and integrations
● Educational resources
● Social media platforms
BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.
Last reviewed and updated: February 8, 2026
Version: 2.0