PRIVACY POLICY

Last Updated: April 10, 2025

Here at Noform.ai, we are committed to being fully transparent with you with regard to our privacy practices. For this reason, we developed this Privacy Policy to inform you about how we may process your personal data. We tried to write this Privacy Policy in clear and plain language so that you can better understand the complicated legal stuff. By doing so, we hope you will get all the details needed to be assured your personal data is safe with us. In this document, we will explain the following issues:

  • what data we process, how we process it, and for which purposes;
  • who has access to each type of your data;
  • for how long we retain your data;
  • what your rights are with respect to the processing of your data under GDPR and CCPA;
  • what the latest changes to this Privacy Policy are (if applicable).

CCPA PRIVACY STATEMENT

This Statement applies solely to residents of California or individuals whose information has been collected in California. Noform.ai has adopted and included this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”). Any terms used in this Statement that are defined in the CCPA have the same meaning given therein.

INFORMATION WE COLLECT

In the past year, Noform.ai, its Website, and its Platform have collected from individuals, and may have shared (as defined in the CCPA), certain categories of Personal Information (as defined in the CCPA) as follows:

  • Identifiers.

Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Collected? YES. Disclosed? YES.

  • Personal information categories under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.

Collected? Only name, signature, address, telephone, title, and associated employer. Disclosed? YES.

  • Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

Collected? NO. Disclosed? NO.

  • Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Collected? NO. Disclosed? NO.

  • Biometric information.

Genetic, physiological, behavioral, and biological characteristics or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

Collected? NO. Disclosed? NO.

  • Internet or other similar network activity.

Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

Collected? On the website only. Disclosed? NO.

  • Geolocation data.

Physical location or movements.

Collected? Only physical location. Disclosed? NO.

  • Professional or employment-related information.

Current or past employment history or performance evaluations.

Collected? No. Disclosed? NO.

  • Education Information under California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)

Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99). Includes education records directly related to a student maintained by an educational institution or party acting on its behalf, like grades, transcripts, class lists and student schedules, identification codes, financial information, or disciplinary records.

Collected? No. Disclosed? NO.

  • Inferences

Conclusions that could be used to create a profile reflecting an individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitude.

Collected? No. Disclosed? NO.

Under the CCPA, Personal information does not include:

  • Publicly available information from government records;
  • Personal Information that has been de-identified or aggregated such that it cannot be used to identify an individual;
  • Information excluded from the CCPA’s scope, like (a) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data and (b) personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. Please note that Noform.ai does not collect any such sensitive personal information.

Noform.ai obtains the categories of personal information listed above from the following categories of sources:

  • Directly and indirectly from Noform.ai site visitors and activity on the Noform.ai (https://noform.ai/) website. Examples: from site visitors, by interacting with the Noform.ai chatbot and providing information to the chatbot; by cookies from the Noform.ai or Customer website; by event registration forms or pages; by using the ROI calculator; etc.
  • Directly from Noform.ai Customers, their agents, and End Customers of our Customers. Examples: the information that our clients provide to us related to the services or products that Noform.ai and/or provides them (such as contact or profile or user profile information).
  • Directly and indirectly from third parties, such as partners or collaborators, that interact with Noform.ai in connection with Noform.ai marketing activities and the services we perform. Examples: leads and sales activities from partners, leads from co-marketing campaigns, event registration, or lead generation.

USE OF PERSONAL INFORMATION

We may use or disclose the personal information we collect for one or more of the following business purposes: 

  • to provide you with information, products, or services that you request from Noform.ai; 
  • to provide you with email alerts, event registrations, and other notices concerning our products or services, events, or news; 
  • to seek feedback on the Noform.ai products, services, or your experience with Noform.ai directly, a Noform.ai publication, or the Noform.ai website; 
  • to carry out our obligations and enforce our rights arising from any contracts entered into between us, including renewals, professional services, billing, collections, or other notices; 
  • to improve our website or interactions with you; 
  • for Noform.ai product or service development; 
  • as necessary or appropriate to protect the rights, property, or safety of Noform.ai, Noform.ai customers, and other third parties; 
  • to respond to law enforcement requests and as required by applicable law, order, or regulation; or 
  • as may be described to you when collecting your personal information or as otherwise set forth in the CCPA. 

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without reasonable notice.

SHARING PERSONAL INFORMATION

We may disclose your personal information for a business purpose to third parties, including service providers (as defined under the CCPA), our affiliates (to the extent applicable), and third parties to whom you or your agents authorize us to disclose your personal information in connection with the Noform.ai products and services we provide you. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient not to use it for any purpose except the performance of the contract and, if confidential, maintain its confidentiality. In the preceding twelve (12) months, Noform.ai has disclosed the categories of Personal Information for a business purpose as provided above.

SELLING INFORMATION

Noform.ai does not sell any Personal Information or any other data collected or created by its customers in their use of the Noform.ai platform, services, or otherwise.

Noform.ai may sell your Personal Information only to the extent that Noform.ai has collected your personal information for its own purposes (not by, in, or through the provision of its Services to a Noform.ai Customer). 

In the preceding twelve (12) months, Noform.ai may have sold, as defined in the CCPA, the following categories of data: 

Identifiers (#1); Personal information categories under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (#2); Geolocation data (#7); and Professional or employment-related information (#9).

FOR AVOIDANCE OF DOUBT, NOFORM.AI DOES NOT SELL THE INFORMATION THAT ITS CUSTOMERS OR USERS COLLECT, GENERATE, OR STORE THROUGH THEIR USE OF THE NOFORM.AI PLATFORM AND/OR SERVICES. NOFORM.AI DOES NOT USE OR PROCESS SUCH INFORMATION FOR ITS OWN PURPOSES. ANY PROCESSING OR SHARING OF PERSONAL INFORMATION COLLECTED BY OR BELONGING TO THE CUSTOMER IS FOR THE PURPOSE OF PERFORMING THE SERVICES ONLY. SUCH INFORMATION IS AT ALL TIMES THE PROPERTY OF THE CUSTOMER, AND NOFORM.AI DOES NOT SELL IT.

YOUR RIGHTS AND CHOICES

The CCPA provides individuals residing in California or whose Personal Information was collected in California with specific rights regarding their Personal Information. The below describes your rights and how you may exercise them.

DELETION REQUEST RIGHTS

You have the right to request that Noform.ai delete any of your Personal Information that we collected from you and/or retained. Unless subject to a certain limited exception, once Noform.ai receives and confirms your verifiable data deletion request, we will delete (and direct our service providers to delete) your personal information from our records. Noform.ai will notify you promptly if it determines it must deny your deletion request and will provide reasons why retention of your information is necessary to Noform.ai and permissible under the CCPA in such cases.

DO NOT SELL OPT-OUT RIGHTS

You have the right to opt out of any sales, as defined by the CCPA, of Personal Information by Noform.ai. You must request that Noform.ai not sell any information you provide to Noform.ai as an individual, either upon the provision of Personal Information to Noform.ai or any time thereafter. Once Noform.ai receives and confirms your request, Noform.ai will refrain from selling your Personal Information.

NON-DISCRIMINATION

We will not discriminate against you or any other individual for exercising any of your CCPA rights. Unless and only to the extent permitted by the CCPA, Noform.ai will not:

  • deny you goods or services; 
  • charge you different prices or rates for goods or services; 
  • provide you a different level or quality of goods or services; or 
  • suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

YOUR RIGHTS UNDER GDPR

If you are an EU resident, you have the following rights regarding your personal data Noform.ai collects and processes:

RIGHT TO ACCESS YOUR PERSONAL DATA AND RIGHT TO DATA PORTABILITY

This means that you can ask Noform.ai what personal data of yours is processed. You may ask us if we process your personal data or not. You may also ask for clarifications on the information described in this Privacy Policy, i.e., the purpose of collecting and processing, categories of data processed, period of processing, the list of third parties that have access to information, and information on protection measures we implemented. We may also provide you with your personal data in a structured, commonly used, and machine-readable format to enable you to transmit that data to another party or service provider.

RIGHT TO RECTIFY YOUR PERSONAL DATA

You can request that any inaccurate personal data concerning you be corrected. You may also request that your personal data be completed if you consider that something is missing.

RIGHT TO BE FORGOTTEN

You can request that we erase personal data from our records and the records of our third-party services if its processing is no longer necessary to achieve the purposes for which it was collected. You may also request this if there are no legal grounds for the processing. In most cases, we will erase it unless otherwise required by legislation.

RIGHT TO RESTRICT THE PROCESSING OF YOUR PERSONAL DATA

In some cases prescribed by law, you will also be able to restrict the processing of your data. For example, if you contest the accuracy of your personal data being processed, or if we are no longer interested in processing your personal data but you want us to continue doing so for other reasons (for example, to bring a claim against somebody), then instead of erasing the information, we will only restrict its processing.

RIGHT TO WITHDRAW YOUR CONSENT

You can withdraw your consent for the processing of your personal data at any time by simply contacting us, without affecting the lawfulness of processing based on the consent before its withdrawal. After receiving such a withdrawal request from you, we will process it in a timely manner and will no longer process your personal data unless otherwise set by law.

RIGHT TO OBJECT TO THE PROCESSING

In some cases prescribed by the applicable laws, you can object to the processing of your personal data. You can object to the processing of your personal data when the processing is related to the performance of our task carried out in the public interest or in the exercise of official authority vested in us; or if we process your data to pursue our or a third party’s legitimate interests, and you believe that such interests are overridden by your interests or fundamental rights and freedoms. If you make a request objecting to processing, we will no longer process the personal data unless we are able to demonstrate compelling legitimate grounds for the processing.

RIGHT TO COMPLAIN

If you have doubts as to our reply or reaction, or absence of such, you have the right to lodge a complaint with a supervisory authority, empowered to resolve such complaints in your country.

HOW TO EXERCISE YOUR RIGHTS AS TO YOUR PERSONAL DATA UNDER GDPR?

Any requests to exercise your rights can be directed to Noform.ai via the contact details provided below. These requests are free of charge. Please note that we may ask you to verify your identity before responding to such requests. Noform.ai will provide information on action taken on your request related to your rights specified above within one month of receipt of the request at the latest. That period may be extended to two months if Noform.ai is overwhelmed by the number of requests or the request at issue is complicated and requires a lot of action. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

NOTE TO NOFORM.AI-PROCESSED EMAIL RECIPIENTS.

In order to stop the processing of your personal data by Noform.ai products and services, including the Website and the Platform, you must first contact the relevant user of Noform.ai’s Services. In the event that you contact us to exercise any right that assists you in matters of data protection, we may not be able to assist you with immediate effect; we will inform the relevant Noform.ai user and redirect your request for further action.

OUR ROLE

When we provide our services to our Customers, we act as their service provider (data processor) and process personal data strictly on their behalf and under their instructions. If you are a user that is using our service on behalf of one of our customers, your personal data is processed in accordance with:

  • Data protection legislation;
  • Instructions given to us by the Customer;
  • Our Customer’s privacy policy, which they provide (typically on their website);
  • Our internal privacy policy (specific to Customer-End User data processing).

For any requests related to your personal data, please contact the Customer directly, as they control how your data is processed.

INFORMATION WE COLLECT ABOUT YOU

We may process the following categories of personal data:

| Category | Examples | Purpose |
| --- | --- | --- |
| Contact Details | Name, email, phone number, social media username, title, address | To provide services, customer support, and marketing (with consent) |
| Financial Data | Credit card number, credit card verification number (CCV), credit card expiry date, bank account number, billing address, transaction code (TAN), income information, VAT number, and credit score | To process payments and comply with tax and regulatory obligations |
| Activity & Behavioral Data | Browsing history, search history, likes, clicks, shopping cart information, products purchased | To personalize services and enhance user experience |
| Location Data | Approximate location, tracking data | To improve service functionality and user experience |
| Communications Data | Instant messaging data, social media posts, and postal content | To provide customer support and analyze trends |
| Images & Recordings | Photos, videos, voice recordings, profile pictures | For security, identity verification, and service personalization |
| Views & Opinions | Survey responses, testimonials, references, opinions (non-political/religious/philosophical) | To improve our services based on feedback |
| Work-related Data | Name of employer, occupation, completed tasks, curriculum vitae/resume | For employment verification, partnerships, and compliance |
| Technical Identifiers | IP address, MAC address, usernames, passwords, browser data, other device identifiers, and unique identifiers | For security, fraud prevention, and platform optimization |
| AI-related Data | AI-generated conversation data, user queries, chatbot responses, user engagement metrics | To improve the functionality of the AI, personalize interactions, and enhance user engagement |
| Aggregated Data | Statistical or demographic data | For analytics, provided it does not identify individuals |

Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.

However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this privacy policy.

This is just an overview; please see the next section to see exactly what we use in more detail.

SENSITIVE DATA PROCESSING

We only collect and process sensitive data (such as financial or legal documents) when strictly necessary and with appropriate safeguards. Where required by law, we obtain explicit consent before processing this type of data.

LEGAL JUSTIFICATIONS WE RELY ON TO USE YOUR DATA

We process your information for the purposes described in this policy based on the following legal bases:

  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
  • Legitimate interests: a legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. Examples include:
    • Preventing fraud and ensuring security
    • Improving our platform and developing new features
    • Marketing to existing customers in ways that do not infringe on their rights
  • Contractual Obligations: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.

HOW WE USE YOUR DATA IF YOU ARE ONE OF OUR CUSTOMERS

If you are a customer, we use your personal data to provide and improve our services.

| Purpose | Personal Data Category | Legal Justification |
| --- | --- | --- |
| Accounts Receivable | Contact Details, Financial Data | Contractual Obligations |
| Authenticating Users | Contact Details, Technical Identifiers | Contractual Obligations |
| B2B Email/Text Digital Marketing (existing customers) | Contact Details, Personal Characteristics, Views and Opinions | Legitimate Interest |
| B2C Email/Text Digital Marketing (existing customers) | Contact Details, Personal Characteristics, Views and Opinions | Legitimate Interest |
| Customer Relationship Management (CRM) | Activity and Behavioural, Contact Details, Personal Characteristics | Legitimate Interest |
| Customer Support | Contact Details, Personal Characteristics, Views and Opinions | Legitimate Interest |
| Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations |
| Error & Log Management | Contact Details, Technical Identifiers | Legitimate Interest |
| Onboarding & Product Demos | Activity and Behavioural, Contact Details, Views and Opinions | Legitimate Interest |
| Product Development & Insights | Contact Details, Technical Identifiers, Views and Opinions | Legitimate Interest |
| Product Surveys & Questionnaires | Contact Details, Personal Characteristics, Technical Identifiers, Views and Opinions | Consent |
| Targeted Advertising | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Legitimate Interest |
| Transactional Emails | Contact Details | Legitimate Interest |
| Website/Web App Tracking | Activity and Behavioural, Technical Identifiers | Consent |

WHEN ACTING AS A PROCESSOR

When functioning as a processor, we undertake information processing based on explicit directives provided by our Customers, who serve as the Data Controllers in this context. 

To understand how your data is processed under this arrangement, please refer to the privacy policy of the respective Customer.

In the capacity of a processor, there might be instances where we handle Special Category Data pertaining to our Customer’s Users. While we do not regularly process such specialized data, it’s important to note that any such processing would strictly adhere to the permissions and exemptions established by the respective Customer acting as the Data Controller.

HOW WE USE YOUR DATA IF YOU ARE ONE OF OUR CUSTOMERS’ END-USERS

If you interact with our customers using our services, we process your data to provide customer support.

| Purpose | Personal Data Category | Legal Justification |
| --- | --- | --- |
| Customer Support | Contact Details, Personal Characteristics, Views and Opinions | Legitimate Interest |

WHEN ACTING AS A PROCESSOR

When functioning as a processor, we undertake information processing based on explicit directives provided by our Customers, who serve as the Data Controllers in this context. For more information, please:

  • Contact the customer directly.
  • Review the customer’s privacy policy.

HOW WE USE YOUR DATA IF YOU ARE ONE OF OUR LEADS

If you have shown interest in our products/services but are not yet a customer, we may process your data for marketing and lead generation.

| Purpose | Personal Data Category | Legal Justification |
| --- | --- | --- |
| B2B Email/Text Digital Marketing (prospective customers) | Contact Details, Personal Characteristics, Views and Opinions | Consent |
| Customer Relationship Management (CRM) | Activity and Behavioural, Contact Details, Personal Characteristics | Legitimate Interest |
| Lead Generation | Contact Details | Consent |
| Onboarding & Product Demos | Activity and Behavioural, Contact Details, Views and Opinions | Legitimate Interest |
| Product Surveys & Questionnaires | Contact Details, Personal Characteristics, Technical Identifiers, Views and Opinions | Consent |
| Targeted Advertising | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Legitimate Interest |
| Website/Web App Tracking | Activity and Behavioural, Technical Identifiers | Consent |

HOW WE USE YOUR DATA IF YOU ARE ONE OF OUR WEBSITE VISITORS

If you visit our website, we may collect data to enhance your experience and improve our services.

| Purpose | Personal Data Category | Legal Justification |
| --- | --- | --- |
| Displaying Custom Fonts | Technical Identifiers | Legitimate Interest |
| Tag Management | Activity and Behavioural, Technical Identifiers | Legitimate Interest |
| Targeted Advertising | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Legitimate Interest |
| Video Player | Activity and Behavioural, Technical Identifiers | Legitimate Interest |
| Website Hosting | Contact Details, Technical Identifiers | Legitimate Interest |
| Website/Web App Tracking | Activity and Behavioural, Technical Identifiers | Consent |

HOW YOUR PERSONAL DATA IS COLLECTED

We use different methods to collect data from and about you, including through:

DIRECT INTERACTIONS

You may give us information on your Contact Details, Identifiers, and Financial Data (all the categories that come through direct interactions) by filling in forms or by corresponding with us by post, phone, email, via our website, or otherwise. This includes personal data you provide when you:

  • apply for our products or services;
  • create an account with us;
  • subscribe to publications;
  • request marketing to be sent to you; or
  • give us feedback or contact us.

AUTOMATED TECHNOLOGIES OR INTERACTIONS

As you interact with our website and services, we will automatically collect Technical, Profile, and Usage Data about your equipment, browsing actions, and patterns.

THIRD PARTIES OR PUBLICLY AVAILABLE SOURCES

We might receive personal data about you from various third parties or publicly available sources, such as those set out below.

  • Work-related data from online recruitment platforms or professional networks.
  • Identity and Contact Data from publicly available sources.

THIRD PARTIES & SUB-PROCESSORS

We might store or send personal data about you to various third parties, as listed below:

| Third-Party | Encryption | Data Residency |
| --- | --- | --- |
| Google Analytics | Encryption in Transit, Encryption at Rest | United States |
| Google Tag Manager | Encryption in Transit, Encryption at Rest | United States |
| Hubspot | Encryption in Transit, Encryption at Rest | United States |
| OpenAI | Encryption in Transit, Encryption at Rest | United States |
| Anthropic | Encryption in Transit, Encryption at Rest | United States |
| Google Gemini | Encryption in Transit, Encryption at Rest | United States |
| Google Web Services | Encryption in Transit, Encryption at Rest | United States |
| YouTube Video | Encryption in Transit, Encryption at Rest | United States |
| Twitter Ads | Encryption in Transit, Encryption at Rest | United States |
| Visitor Analytics | Encryption in Transit, Encryption at Rest | Germany |
| WordPress.org | Encryption in Transit, Encryption at Rest | United States |
| Hotjar | Encryption in Transit, Encryption at Rest | Ireland |
| Facebook Pixel | Encryption in Transit, Encryption at Rest | United States |
| LinkedIn Insight Tag | Encryption in Transit, Encryption at Rest | United States |
| Google Sign-in | Encryption in Transit, Encryption at Rest | United States |
| Amazon Web Services | Encryption in Transit, Encryption at Rest | Global |
| Google Meets | Encryption in Transit, Encryption at Rest | United States |
| Loom | Encryption in Transit, Encryption at Rest | United States |
| Google Gmail | Encryption in Transit, Encryption at Rest | United States |
| Slack | Encryption in Transit, Encryption at Rest | United States |
| Zoom | Encryption in Transit, Encryption at Rest | United States |
| Calendly | Encryption in Transit, Encryption at Rest | United States |
| Figma | Encryption in Transit, Encryption at Rest | United States |
| Miro | Encryption in Transit, Encryption at Rest | United States |
| LinkedIn Analytics | Encryption in Transit, Encryption at Rest | European Economic Area |
| Google Ads Conversion | Encryption in Transit, Encryption at Rest | European Economic Area |
| HelloSign | Encryption in Transit, Encryption at Rest | United States |
| Notion | Encryption in Transit, Encryption at Rest | United States |
| Grammarly | Encryption in Transit, Encryption at Rest | United States |
| Google Ads | Encryption in Transit, Encryption at Rest | European Economic Area |
| LinkedIn Sales Navigator | Encryption in Transit, Encryption at Rest | United States |
| Stripe | Encryption in Transit, Encryption at Rest | United States |
| Jira | Encryption in Transit, Encryption at Rest | Global |
| Hubspot Forms | Encryption in Transit, Encryption at Rest | United States |
| Google Forms | Encryption in Transit, Encryption at Rest | United States |
| Keeper | Encryption in Transit, Encryption at Rest | Global |
| ZeroBounce | Encryption in Transit, Encryption at Rest | European Economic Area |
| DoubleClick Ad | Encryption in Transit, Encryption at Rest | European Economic Area |
| Bing Ads | Encryption in Transit, Encryption at Rest | European Economic Area |
| LinkedIn Ads | Encryption in Transit, Encryption at Rest | European Economic Area |
| Twitter Advertising | Encryption in Transit, Encryption at Rest | European Economic Area |
| Google Fonts | Encryption in Transit, Encryption at Rest | United States |
| GoDaddy | Encryption in Transit, Encryption at Rest | United States |
| Sentry | Encryption in Transit, Encryption at Rest | United States |
| Mailgun | Encryption in Transit, Encryption at Rest | United States |
| Pipedrive | Encryption in Transit, Encryption at Rest | United States |
| TikTok Ads | Encryption in Transit, Encryption at Rest | United States |
| Facebook Ads | Encryption in Transit, Encryption at Rest | United States |
| Drip | Encryption in Transit, Encryption at Rest | United States |
| SendPulse | Encryption in Transit, Encryption at Rest | United States |
| Intercom | Encryption in Transit, Encryption at Rest | United States |
| Guru | Encryption in Transit, Encryption at Rest | United States |
| Zapier | Encryption in Transit, Encryption at Rest | United States |
| Mixpanel | Encryption in Transit, Encryption at Rest | United States |
| Paddle | Encryption in Transit, Encryption at Rest | United States |
| ORA | Encryption in Transit, Encryption at Rest | European Economic Area |

INTERNATIONAL TRANSFERS

Some of our external third parties are based outside the UK and EEA, meaning that processing of your personal data may involve a transfer of data outside these regions.

To ensure adequate protection, we implement one of the following safeguards:

  • Adequacy Decision: The country to which personal data is transferred has been deemed to provide an adequate level of protection by the European Commission.
  • Standard Contractual Clauses (SCCs): We use specific contracts approved by the European Commission to ensure your data receives the same protection it would have in the UK and EEA.

DATA PROCESSING & COMPLIANCE

Noform.ai processes personal data in compliance with applicable data protection laws, including GDPR and CCPA.

HANDLING OF PERSONAL DATA IN AI CONVERSATIONS

  • Noform.ai does not require Customers to input personal, financial, or sensitive data into AI conversations unless necessary for business operations.
  • Customers must clearly inform end-users when AI interactions involve personal data collection.
  • Noform.ai provides tools to redact, filter, and manage sensitive data within AI-generated conversations.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. These measures include:

  • Restricted access. Data is only accessible to employees, agents, contractors, and third parties with a business need to know.
  • Confidentiality obligations. Any third party handling your data is required to follow our security policies and is subject to confidentiality agreements.
  • Encryption: We encrypt data in transit (TLS) and at rest to protect sensitive information.
  • Incident response procedures. We have a response plan for data breaches and will notify affected users and relevant authorities as required by law.
  • Regular security audits: We conduct periodic security reviews, penetration testing, and monitoring to detect potential vulnerabilities.

Password security. Where you have chosen a password that enables you to access certain parts of our applications, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

SECURITY MEASURES FOR AI CONVERSATION DATA

ENCRYPTION STANDARDS:

  • All data transmitted between users and our servers is encrypted using TLS 1.2+ to prevent unauthorized interception.
  • Data stored on our servers is encrypted with AES-256, providing industry-standard encryption at rest.

ACCESS CONTROLS:

  • Role-based access restrictions limit conversation data visibility to authorized personnel only. Please be aware that authorized administrators have the capability to access and review user chat conversations for purposes including but not limited to: support, moderation, investigating potential misuse, troubleshooting technical issues or service malfunctions, and ensuring adherence to our Terms of Use.

ANONYMIZATION & PSEUDONYMIZATION:

  • AI-generated responses and logs undergo automatic anonymization where feasible.

AUDIT LOGGING:

  • All access to conversation data is logged for compliance and security monitoring.

COMPLIANCE & CERTIFICATIONS

NOFORM.AI FOLLOWS INDUSTRY BEST PRACTICES AND IS COMPLIANT WITH:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)

CUSTOMER RESPONSIBILITIES

  • Customers must configure AI moderation tools to align with their privacy policies and legal obligations.
  • Customers must ensure data subject rights (e.g., deletion requests under GDPR/CCPA) are honored within their AI implementations.
  • Customers should review and update their privacy policies to reflect AI-powered interactions and data handling practices.

DATA RETENTION

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.

To determine the appropriate retention period, we assess:

  • The amount, nature, and sensitivity of the data.
  • Potential risks associated with unauthorized access or disclosure.
  • The necessity of processing the data to achieve its intended purpose.
  • Relevant legal and regulatory guidelines.

In specific scenarios where our role is designated as a data processor, the duration for which data is retained is not determined by us. Instead, this time period is set and mandated by the data controller in accordance with their policies and regulatory requirements. This ensures a clear understanding and compliance with the data controller’s guidelines and legal obligations.

AUTOMATED DECISION-MAKING & PROFILING

Your personal data is not used in any automated decision-making (a decision made solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain conditions about an individual).

YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request the erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your erasure request for specific legal reasons, which will be notified to you, if applicable, at the time of your request.

Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party), and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling, legitimate grounds to process your information, which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

  • If you want us to establish the data’s accuracy.
  • Where our use of the data is unlawful, but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims.
  • You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Make a complaint. You have the right to make a complaint at any time to the relevant regulator.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information concerning your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

CONTACT INFORMATION

If you have any questions, do not hesitate to contact us:

Email: hi@noform.ai

Visit our website at www.noform.ai.