Privacy Policy
Effective 23 May 2026
This Privacy Policy explains how Nordva (“we”, “us”, “our”) collects, uses, stores, and shares personal data when you use the Nordva platform (the “Service”). We act as a data controller for your account data and as a data processor for content submitted by your End Users through your integration with the Service.
1. Data we collect
Account data (controller)
- Email address, name, and password hash — collected via Clerk when you sign up.
- Billing details — handled by Clerk Billing / Stripe; we never see your card number.
- Project metadata — project name, plan, API key fingerprints (hashed; we cannot recover the plaintext key).
Usage data (controller)
- Request logs — timestamps, endpoints, status codes, IP addresses, user-agent strings. Retained ~30 days for abuse detection and debugging.
- Aggregated metrics — request counts per project per minute for rate-limit enforcement and usage reporting.
Customer Data (processor)
Content you or your End Users submit through the Service. This includes:
- Waitlist signups — email address, optional referrer, IP address, timestamp.
- Feedback submissions — feedback text, optional source URL, optional category hint, IP address. Best-effort PII stripping is applied before AI classification but is not guaranteed.
- Notifications — title, body, optional user_id you supply, optional action URL.
- Changelog entries — markdown content you author.
You are the controller of Customer Data. You determine what is collected from your End Users and are responsible for providing them with an appropriate privacy notice and lawful basis.
2. Why we process it
- To provide, operate, and maintain the Service (contractual necessity, Art. 6(1)(b) GDPR).
- To bill you and prevent fraud (legitimate interest, Art. 6(1)(f)).
- To detect, prevent, and respond to abuse, security incidents, and rate-limit violations (legitimate interest).
- To run AI classification on feedback content, when enabled by your plan (contractual necessity).
- To comply with legal obligations (Art. 6(1)(c)).
- To send transactional emails (account, billing, security). We do not send marketing emails without your consent.
3. Sub-processors
We use the following trusted sub-processors to operate the Service:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare Workers / D1 / KV / R2 | Hosting, database, key-value, file storage | Global (edge) |
| Cloudflare Turnstile | Bot detection on public forms | Global (edge) |
| Clerk | Authentication, account management, billing UI | USA |
| Stripe | Payment processing (via Clerk Billing) | USA / EU |
| Resend | Transactional email delivery | USA / EU |
| Anthropic | AI classification of feedback content (no training on customer data per Anthropic’s API terms) | USA |
| Linear / GitHub / Slack | Routing destinations (only if you configure them) | USA / Global |
Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for transfers outside the EEA where required.
4. Cookies
We use only essential cookies — primarily the Clerk session cookie that keeps you logged in. We do not use advertising cookies, cross-site tracking, or third-party analytics. The embeddable widget sets no cookies on your End Users’ browsers.
5. Retention
- Account data — kept while your account is active; deleted within 30 days of account closure.
- Request logs — ~30 days.
- Notifications — auto-purged after 90 days.
- Feedback / waitlist / changelog — kept until you delete them. You control retention via the dashboard or API.
- Billing records — retained as required by tax and accounting law (typically 5 years).
6. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA), you have the right to:
- access the personal data we hold about you;
- request correction or deletion;
- export your data in a portable format;
- object to or restrict processing;
- withdraw consent (where processing relies on consent);
- lodge a complaint with a supervisory authority (in Norway: Datatilsynet).
To exercise these rights, email hello@nordva.dev. We will respond within 30 days. For requests about Customer Data (End-User submissions), contact the relevant Customer — we will assist as your data processor.
7. Security
We protect data with TLS in transit, encryption at rest where supported by Cloudflare D1, bcrypt-hashed API keys, AES-256-GCM encryption for routing-destination credentials, role-scoped access, and Turnstile / rate-limiting on public endpoints. No system is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and applicable authorities within 72 hours where required by law.
8. International transfers
Cloudflare’s edge network and several sub-processors operate outside the EEA. Where personal data is transferred to a non-adequate country, we rely on Standard Contractual Clauses and supplementary measures.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
10. Changes
We may update this Privacy Policy as the Service evolves. Material changes will be announced via email or in-product notice at least 14 days in advance.
11. Contact
Data controller: Nordva, governed by the laws of Norway.
Email: hello@nordva.dev