Legal · Privacy
How we handle personal data on the marketing site, and how that differs from data we process inside the Norven platform under the Data Processing Addendum.
Norven Ltd. is the data controller for the Norven marketing site and the data processor for tenant data inside the Norven platform. Registered in Israel; primary operations in Tel Aviv–Yafo.
Operational analytics (page views, country, referrer) via Cloudflare Web Analytics — no cookies, no fingerprinting, no third-party tracking. Form submissions you send us. That is the full list.
Inside the Norven platform we process the data your team imports as part of compliance work — system metadata, control evidence, employee identifiers needed for access reviews. This is processed under our DPA, not under this notice.
Marketing-site data: operating the site, answering inquiries you send, understanding aggregate traffic patterns. We do not sell, rent, or trade personal data. We do not run ads.
Inquiries: 24 months from last contact unless you ask for deletion sooner. Aggregate analytics: 13 months at the Cloudflare edge, no longer retained by us. Account data inside the product follows the DPA retention schedule.
Access, rectification, deletion, restriction, portability, objection — exercised via privacy@norven.app. For Israeli residents, rights under the Privacy Protection Law (including Amendment 13) apply. For EU/EEA residents, GDPR Articles 12–22 apply.
Marketing-site infrastructure runs on Cloudflare (global edge). Product infrastructure runs on Supabase (eu-central by default; Tel Aviv residency optional on Enterprise). Where transfers leave the EEA, Standard Contractual Clauses are in place.
Data Protection Officer: privacy@norven.app. Norven Ltd., Tel Aviv–Yafo, Israel. We respond within 30 days of receipt.
