GDPR Compliance

Last updated: April 22, 2026

This page describes how NOXRID complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Irish Data Protection Act 2018. Privacy is foundational to what we build — a platform that fights for people's right to control their own data cannot afford to be anything less than exemplary in how we handle data ourselves.

01

Our Commitment to GDPR

NOXRID is a privacy-first company. Our entire business exists to help people reclaim control over their personal data online. We therefore treat GDPR compliance not as a legal checkbox but as a core organizational value reflected in every product and engineering decision we make.

We have implemented Privacy by Design and Privacy by Default principles across our platform from its inception. We apply data minimization, purpose limitation, and storage limitation as defaults, not as afterthoughts.

Our GDPR compliance program is reviewed quarterly and updated in response to regulatory guidance from the Irish Data Protection Commission (DPC), European Data Protection Board (EDPB) opinions, and developments in case law.

02

Data Controller Information

For the purposes of the GDPR, the data controller responsible for your personal data is:

NOXRID

Registered in Ireland

Privacy enquiries: privacy@noxrid.com

Data Protection Officer: dpo@noxrid.com

As a company incorporated in Ireland, NOXRID's lead supervisory authority under the GDPR's one-stop-shop mechanism is the Irish Data Protection Commission (DPC). Users in other EU member states may also contact their national DPA.

03

Lawful Basis for Processing

The GDPR requires that every processing activity have a documented lawful basis. Below are the lawful bases we rely upon and the specific processing activities they cover:

Article 6(1)(b) — Performance of a Contract

This is our primary lawful basis. We process your data to fulfill our contractual obligations to you as a user of the Service. This covers: creating and managing your account, running scans against data brokers, submitting removal requests on your behalf, generating professional content at your request, sending transactional emails (scan results, billing), and processing payments.

Article 6(1)(f) — Legitimate Interests

We process usage analytics and security logs based on our legitimate interests in: improving the quality and security of our service, detecting and preventing fraud and abuse, and understanding how our platform is used at an aggregate level. We have conducted and documented a Legitimate Interests Assessment (LIA) confirming that these interests are not overridden by your rights and freedoms, given the limited and non-intrusive nature of this data processing.

Article 6(1)(a) — Consent

We rely on consent for: sending marketing or promotional emails (you can opt out at any time via the unsubscribe link), any optional cookies beyond strictly necessary ones (currently none), and processing any sensitive data categories that may arise during scans (e.g., if a data broker has published information about your health or political views). Consent is freely given, specific, informed, and unambiguous. You may withdraw it at any time without affecting prior lawful processing.

Article 6(1)(c) — Legal Obligation

We process and retain certain data to comply with legal obligations, including: retaining financial and transaction records for EU VAT and tax compliance (typically 7 years), responding to lawful requests from law enforcement or regulatory authorities, and maintaining audit logs required by applicable Irish law.

04

Data Protection Officer

NOXRID has appointed a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance program, advising on data protection matters, and serving as the primary point of contact for data subjects and supervisory authorities.

NOXRID Data Protection Officer

Email: dpo@noxrid.com

Response time: Within 30 calendar days

Free of charge for all data subject requests

The DPO operates independently and reports directly to the highest management level. The DPO is not subject to any instructions regarding the exercise of their tasks and may not be dismissed or penalized for performing those tasks.

05

Data Subject Rights — Detailed Explanation

Under the GDPR, you have the following rights. All rights are free of charge and we will respond within 30 calendar days (extendable by two further months for complex requests, with notice).

Art. 15

Right of Access

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about: the purposes of processing, the categories of data, recipients or categories of recipients, the retention period, your other rights, the right to lodge a complaint, and the source of the data if not collected from you directly.

How to exercise: Email dpo@noxrid.com with subject 'Data Access Request'. We will provide your data in a structured, machine-readable format (JSON or CSV).

Art. 16

Right to Rectification

You have the right to request correction of inaccurate personal data and completion of incomplete data. This is particularly important given that our service involves personal data — if a scan result incorrectly attributes data to you, you have the right to have that corrected in our systems.

How to exercise: Log into your dashboard to update account information directly, or email dpo@noxrid.com for other corrections.

Art. 17

Right to Erasure ('Right to be Forgotten')

You have the right to request deletion of your personal data when: the data is no longer necessary for its original purpose; you withdraw consent (where processing was based on consent); you object and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required by EU or Irish law. Erasure may be refused where processing is necessary for legal obligations or for the establishment, exercise, or defense of legal claims.

How to exercise: Email dpo@noxrid.com with subject 'Erasure Request'. We will action the request within 30 days and confirm deletion.

Art. 18

Right to Restriction of Processing

You have the right to restrict our processing of your data while: the accuracy is being contested; the processing is unlawful but you oppose erasure; we no longer need the data but you need it for legal claims; or you have objected and we are verifying whether our legitimate grounds override yours. During restriction, we store but do not otherwise process your data.

How to exercise: Email dpo@noxrid.com with subject 'Restriction Request'. We will acknowledge within 72 hours.

Art. 20

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON), and to transmit that data to another controller. This applies to: account information, scan results, removal request history, and generated content.

How to exercise: Email dpo@noxrid.com with subject 'Portability Request'. We will provide a complete data export within 30 days.

Art. 21

Right to Object

You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)) or processing for direct marketing purposes. On receipt of an objection to legitimate interest processing, we must cease unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

How to exercise: Email dpo@noxrid.com with subject 'Objection to Processing'. To opt out of marketing emails, use the unsubscribe link in any email.

Art. 22

Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects concerning you. NOXRID does not make automated decisions with legal effects about users. Our tools present information to you; all significant decisions are human-reviewed.

How to exercise: Not currently applicable. If we introduce automated decision-making, we will update this section and provide appropriate opt-out mechanisms.

06

Data Processing Activities

The following table documents our primary processing activities in accordance with Article 30 GDPR (Records of Processing Activities):

Activity | Purpose | Legal Basis | Retention
Account registration & management | Create and maintain user accounts | Contract (Art. 6(1)(b)) | Life of account + 30 days
Identity scanning | Discover personal data exposures across data sources | Contract (Art. 6(1)(b)) | Life of account + 90 days
Removal request submission | Submit deletion requests to data brokers on user's behalf | Contract (Art. 6(1)(b)) | Life of account + 90 days
Professional content creation | Generate positive digital content at user's request | Contract (Art. 6(1)(b)) | Life of account
Continuous monitoring | Detect new personal data exposures | Contract (Art. 6(1)(b)) | Life of subscription
Payment processing | Process subscription payments via Stripe | Contract (Art. 6(1)(b)) | 7 years (tax law)
Transactional email | Send scan results, billing receipts, service notices | Contract (Art. 6(1)(b)) | 3 years
Marketing email | Share product news and updates (opted-in users only) | Consent (Art. 6(1)(a)) | Until consent withdrawn
Usage analytics | Understand product usage and improve the service | Legitimate Interest (Art. 6(1)(f)) | 90 days (raw), indefinitely anonymized
Security & audit logging | Detect and prevent unauthorized access and abuse | Legitimate Interest (Art. 6(1)(f)) | 90 days rolling
Customer support records | Resolve user queries and disputes | Contract / Legitimate Interest | 3 years
Legal compliance records | Respond to lawful authority requests | Legal Obligation (Art. 6(1)(c)) | As required by law

07

Sub-Processors

We engage the following sub-processors to provide the Service. All sub-processors are bound by Data Processing Agreements (DPAs) that impose obligations no less protective than those in this policy. Where processors are located outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework (DPF):

Sub-Processor | Function | Location | Transfer Mechanism
Stripe, Inc. | Payment processing & billing | United States | EU-US DPF + SCCs
Anthropic, PBC | Processing support (Claude API) | United States | SCCs + DPA (no model training on API data)
Vercel, Inc. | Frontend hosting & CDN | United States | SCCs + DPA
Render Services, Inc. | API & backend hosting | United States | SCCs + DPA
PostgreSQL (self-hosted) | Primary database | EU (Render EU region) | No transfer — EU-based
Redis (self-hosted) | Caching layer | EU (Render EU region) | No transfer — EU-based

We will update this list when we add or remove sub-processors. For material changes affecting your data, we will provide at least 14 days' notice. You may contact dpo@noxrid.com to object to any new sub-processor.

08

Cross-Border Data Transfers

Where we transfer personal data to countries outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following mechanisms:

EU-US Data Privacy Framework (DPF)

Stripe is certified under the EU-US Data Privacy Framework, which the European Commission recognized as providing an adequate level of data protection in its adequacy decision of July 10, 2023. We rely on this adequacy decision for transfers to Stripe.

Standard Contractual Clauses (SCCs)

For processors not covered by an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021 version, incorporating the EU-US transfer supplement where applicable). SCCs are incorporated into our DPAs with Anthropic, Vercel, and Render.

Supplementary Measures

Where required by our Transfer Impact Assessments (TIAs), we implement supplementary technical measures including: end-to-end encryption, data minimization (sending only what is necessary for each processing purpose), and pseudonymization before transfer where technically feasible.

You may request a copy of the relevant SCCs or other transfer safeguards by emailing dpo@noxrid.com.

09

Data Breach Notification

In the event of a personal data breach, we follow the procedures mandated by GDPR Articles 33 and 34:

Notification to Supervisory Authority (Art. 33)

Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Irish Data Protection Commission (DPC) within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.

Notification to Data Subjects (Art. 34)

Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to affected data subjects 'without undue delay'. The communication will include a plain-language description of the nature of the breach, contact details of our DPO, likely consequences, and the measures we have taken to address the breach and mitigate its adverse effects.

Internal Breach Register

We maintain an internal record of all personal data breaches, including those that do not reach the threshold for external notification, as required by Article 33(5). This register is reviewed regularly by our DPO and used to improve our security posture.

Response Timeline

Our incident response plan mandates: immediate (within 1 hour) escalation to the security team on breach discovery; containment and initial assessment within 24 hours; DPC notification within 72 hours if required; user notification as rapidly as technically feasible once the extent of impact is determined, and in all cases before significant harm can occur.

10

Data Protection Impact Assessments

NOXRID conducts Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for processing activities that are likely to result in a high risk to the rights and freedoms of individuals.

Given the nature of our service — processing personal data found in the wild across hundreds of data sources, including potentially sensitive categories of data — we consider DPIAs essential, not optional. DPIAs have been completed and are maintained for:

  • The SCAN feature — systematic discovery of personal data exposures across data brokers and public databases.
  • The DELETE feature — automated submission of removal requests involving transmission of personal data to third-party data brokers.
  • Professional content creation — processing of user profile data to generate positive digital content.
  • Continuous monitoring — ongoing automated processing of user identity signals against live data sources.

Where a DPIA indicates high residual risk that cannot be mitigated by technical or organizational measures, we consult with the Irish DPC prior to commencing processing (Article 36). DPIAs are reviewed annually or when processing activities materially change.

11

Privacy by Design & by Default

In accordance with Article 25 GDPR, NOXRID implements Privacy by Design and Privacy by Default across our entire product development lifecycle:

Data Minimization

We collect and process only the personal data that is strictly necessary for each defined purpose. Our data model is reviewed at design time to challenge every field: is this necessary? Can we achieve the same goal with less?

Purpose Limitation

Data collected for one purpose is not reprocessed for another incompatible purpose. Our engineering standards include data access controls that prevent cross-purpose data flows at a system level.

Storage Limitation

Automated data retention policies delete personal data once its retention period expires. Our deletion jobs run daily and are monitored for failures.

Default Privacy

The most privacy-protective settings are the default. For example, marketing emails are off by default (opt-in only), and optional data sharing features require explicit activation.

Encryption by Default

All data is encrypted at rest (AES-256) and in transit (TLS 1.3) as a baseline requirement, not an optional configuration.

Access Control by Default

Role-based access control (RBAC) means employees can only access personal data categories required for their specific role. Access to production data requires explicit approval and audit logging.

Pseudonymization

Where possible, we pseudonymize personal data in analytical pipelines, separating identifying information from the data being analyzed.

Privacy in Development

Our engineering team follows a Privacy Engineering checklist for every pull request that touches personal data. Privacy impact is assessed before code is merged, not after deployment.

12

How to Exercise Your Rights

Exercising your data subject rights is straightforward and always free of charge. Here is how:

Submit a Request

01

Email dpo@noxrid.com with the subject line stating the right you wish to exercise (e.g., “Access Request”, “Erasure Request”).

02

Include your registered email address so we can verify your identity. For sensitive requests, we may ask for additional verification to protect your data from unauthorized access requests.

03

We will acknowledge your request within 72 hours and provide a substantive response within 30 calendar days. For complex requests, we may extend this by up to two further months, with prior notice.

04

There is no charge for any data subject request. If a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee or refuse to act, with written explanation.

DPO Contact

dpo@noxrid.com

For all GDPR / data rights matters

Privacy Team

privacy@noxrid.com

For general privacy questions

13

Complaints to Supervisory Authority

If you are not satisfied with our response to a data subject request, or if you believe we are processing your personal data in a way that violates the GDPR, you have the right to lodge a complaint with the relevant data protection supervisory authority.

Irish Data Protection Commission (Lead Authority)

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Email: info@dataprotection.ie

Phone: +353 57 868 4800

Your National DPA

Users in other EU member states may also contact their national supervisory authority. A full list of EU data protection authorities is available at edpb.europa.eu.

We always encourage you to contact us first at dpo@noxrid.com — we take all complaints seriously and aim to resolve them quickly and fairly. However, your right to contact a supervisory authority directly at any time is absolute.