Privacy Policy

Effective Date: February 11, 2026
Last Updated: February 11, 2026

1. Introduction

Norrix ("we", "us", "our") is established in Japan and operates the Norrix web and Android applications (the "Services").

This Privacy Policy explains how we collect, use, and share personal information under Japan's Act on the Protection of Personal Information (APPI). If and when we make the Services available to individuals in the EEA/UK, we will provide any additional disclosures required by the GDPR (including the information items typically required by GDPR Art. 13).

2. Information We Collect

We may collect the following categories of information:

• Account and contact information — name, email address.
• Technical information — IP address, device identifiers, browser and app information.
• Usage information — pages and screens viewed, actions taken, timestamps.

We do not intentionally collect sensitive information (including "special care-required personal information" as defined under APPI). If we ever need to collect such information, we will request consent where required by law.

3. How We Use Information

We use personal information for the following purposes:

• Provide and operate the Services — account creation, authentication, and core functionality.
• Communicate with you — respond to support requests, send service messages and updates.
• Security and integrity — monitor, secure, debug, and prevent abuse of the Services.
• Analytics and improvement — analyze aggregated usage patterns to prioritize feature development, fix usability issues, and improve the Services, where enabled by your settings (see Section 4).

4. Analytics (Google Analytics)

We use Google Analytics to help us understand how the Services are used and to improve them. Google Analytics uses cookies and similar tracking technologies to collect usage data.

Analytics setting defaults: Analytics is ON by default in Japan and OFF by default elsewhere, based on an approximate location signal (e.g., IP-based geolocation). You can change this setting at any time in the Services.

If you disable analytics, we will stop sending Google Analytics data from that device or browser to the extent technically feasible. You can also use Google's Google Analytics Opt-out Browser Add-on (where available) for additional control.

5. Sharing and Service Providers

We do not sell your personal information.

We may share personal information with service providers that help us operate the Services:

• Hosting and deployment: Vercel.
• Database, authentication, and storage: Supabase.
• Error monitoring: Sentry.
• Analytics: Google Analytics.
• Payment processing: Stripe (when payment features are enabled).

We only share what is necessary for these providers to perform services on our behalf.

6. International Transfers

Our primary data hosting is in Japan (Vercel, Supabase, and Google Analytics use Japan-based regions). Sentry uses EU-based hosting. However, all of our service providers are US-based companies, and some personal information (such as account or support metadata) may be accessible from or transit through the United States or other jurisdictions in the course of providing their services.

We select service providers that maintain data protection practices consistent with APPI obligations. Where APPI requires it for cross-border transfers, we will obtain consent or rely on an applicable exception under the Act.

7. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

• Account data: Retained while your account is active, then deleted or anonymized within 60 days after you delete your account.
• Support communications: Retained for up to 12 months to resolve issues and improve support quality.
• Security logs: Retained for up to 12 months for security, debugging, and abuse prevention.
• Payment and billing records (when Stripe is enabled): Retained as required for accounting, tax, and fraud prevention obligations.

8. Security

We use reasonable technical and organizational measures designed to protect personal information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your Rights and Choices (APPI)

Depending on your situation and applicable law, you may request:

• Access to personal information we hold about you.
• Correction of inaccurate information.
• Deletion of your information where appropriate.

Where applicable under APPI, you may also request suspension of use or cessation of provision to third parties if your information is handled in violation of the Act.

How to Exercise Your Rights

To exercise any of these rights, submit a request by email to privacy@norrix.io. Please include:

1. Your registered email address
2. A clear description of your request
3. Any relevant details to help us locate your information

We will respond to your request within 10 working days in accordance with applicable data protection laws.

Note for Enterprise Users: If you are a driver using Norrix through your employer's organization, your account and data may be managed by your employer. You may need to contact your organization's administrator in addition to contacting us directly. We will work with your employer to fulfill your request where appropriate.

10. Contact Us

• Privacy contact: privacy@norrix.io
• Controller: Norrix
• Address: 152-0002, Tokyo, Meguro-ku, Megurohoncho 6-19-7