Legal
Privacy Policy
Last updated: March 2026 · Applies to norypt.com and all Norypt services
Our Privacy Commitment
Norypt sells privacy hardware. We apply the same privacy principles to our own website: no persistent tracking, no behavioural profiling, no advertising networks. This policy explains exactly what limited data we process, why, and under which legal basis — with no ambiguity.
1. Who We Are (Data Controller)
Controller: Norypt
Address: Europe
Contact: norypt@proton.me
Data Protection Officer (DPO): norypt@proton.me
We are subject to the General Data Protection Regulation (GDPR, Regulation 2016/679/EU) and applicable EU data protection law. Our lead supervisory authority is an EU data protection authority. You may also lodge a complaint with the supervisory authority in your country of residence within the EU.
2. What We Do Not Do
Before listing what we collect, it is important to state what we explicitly do not do:
- We do not set persistent cookies or write to localStorage, sessionStorage, or IndexedDB
- We do not use behavioural advertising, retargeting, or cross-site tracking
- We do not use Google Analytics, Meta Pixel, TikTok Pixel, or similar profiling tools in a persistent manner
- We do not sell, rent, or share your personal data with data brokers or advertisers
- We do not create user profiles or infer characteristics about you beyond what you provide
- We do not process any data from minors under 16 years of age
3. Data We Collect and Why
3.1 Enquiries via Encrypted Messaging
Data collected: Message content and any information you choose to share (e.g. name, delivery country, product interest). We do not use contact forms — all enquiries are received via encrypted channels (Signal, Telegram, Threema, or Proton Mail).
Purpose: To respond to your enquiry about our products or services
Legal basis: Article 6(1)(b) — pre-contractual steps; Article 6(1)(f) — legitimate interests in responding to communications
Retention: 12 months from last contact, then deleted
3.2 Order Fulfilment
Data collected: Full name, email, delivery address, order details
Purpose: Processing and delivering your order; issuing invoices; providing post-sale support
Legal basis: Article 6(1)(b) — performance of a contract
Retention: 7 years (statutory accounting and VAT obligation under EU and applicable member state law)
3.3 Payment Processing
Data collected: We accept cryptocurrency payments only. No card data, billing address, or payment credentials are collected or stored. Cryptocurrency transactions are processed on-chain with no intermediary processor accessing your personal data.
Legal basis: Article 6(1)(b) — contract performance
3.4 Shipping
Data collected: Name and delivery address are shared with DHL Express for fulfilment
Legal basis: Article 6(1)(b) — contract performance
Third party: DHL Express — dhl.com/privacy
3.5 Website Server Logs (via Cloudflare)
Data collected: IP address, browser type, pages visited, timestamp — standard HTTP access logs processed by Cloudflare as our CDN and hosting infrastructure provider
Purpose: Security monitoring, abuse prevention, uptime diagnostics, DDoS protection
Legal basis: Article 6(1)(f) — legitimate interests (security)
Retention: Approximately 30 days, then automatically purged
Sub-processor: Cloudflare, Inc. — cloudflare.com/privacypolicy. Cloudflare acts as a data processor on our behalf under Standard Contractual Clauses. Cloudflare may also set a short-lived technical cookie (__cf_bm) for bot detection purposes — see our Cookie Policy for details.
Note: These logs are not used for analytics, profiling, or marketing
4. International Data Transfers
Norypt is based in the EU. Where any service provider is located outside the EEA, we ensure appropriate safeguards are in place — Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46 GDPR), adequacy decisions, or equivalent mechanisms. A list of sub-processors is available on request.
5. Your Rights Under GDPR
You have the following rights under Articles 15–22 of the GDPR. We respond to all verified requests within 30 days (extendable to 90 days for complex requests).
Right of Access (Art. 15)
Receive a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your data where no legal obligation requires retention.
Right to Restrict (Art. 18)
Ask us to pause processing while a dispute is resolved.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
Withdraw Consent (Art. 7)
Withdraw any previously given consent at any time, without penalty.
Right to Complain
Lodge a complaint with the supervisory authority in your EU member state of residence.
To exercise any right, contact: norypt@proton.me. We may need to verify your identity before processing the request.
6. Security
We implement technical and organisational measures appropriate to the risk, including TLS encryption in transit, access controls limiting data to authorised personnel, pseudonymisation where practicable, and regular security assessments. Given the nature of our products, we hold ourselves to a high standard.
7. Cookies and Tracking
This website uses zero persistent cookies or client-side storage by default. A session-only consent panel is shown to EU/EEA visitors; optional script categories are disabled until you explicitly enable them and are cleared on session end. See our full Cookie Policy.
8. Automated Decision-Making
We do not use automated decision-making or profiling as defined under Article 22 GDPR. No decisions with legal or similarly significant effects on you are made solely by automated means.
9. Changes to This Policy
We review this policy periodically. Substantive changes will be communicated by email to customers with active orders or accounts. The current version is always available at norypt.com/privacy-policy with its effective date.
10. Contact & DPO
Data Protection Officer
GDPR requests, access, erasure, objections
Response within 30 days
Supervisory Authority: You have the right to lodge a complaint with the data protection supervisory authority in your EU member state of residence. A full list of EU supervisory authorities is available at edpb.europa.eu.