Privacy Policy
Last updated: April 22, 2026
Introduction
NOXRID (“we”, “us”, or “our”) operates noxrid.com — an expert-led digital identity reconstruction platform that helps individuals discover, remove, and manage their personal data across the internet.
This Privacy Policy explains what personal data we collect when you use our platform, why we collect it, how we use and protect it, and what rights you have over it. It applies to all users of noxrid.com and any related services, applications, or communications we provide.
We are committed to being transparent about our data practices. If you have any questions that this policy does not answer, please contact us at privacy@noxrid.com.
Information We Collect
We collect only what is necessary to provide our service. The categories of data we collect are described below.
(a) Account Information
When you create a NOXRID account, we collect your full name, email address, and a securely hashed version of your password (we never store your password in plain text). If you sign in via a third-party provider (e.g., Google), we receive only the data that provider shares with us under your consent, typically your name and email.
(b) Scan Data
The core of our service involves scanning the internet for your personal data. To do this, we process the information you provide for scanning — such as your name, aliases, previous addresses, phone numbers, or email addresses — as well as:
- URLs and web pages where your data appears
- Results returned by data brokers and people-search sites
- Personal data found during the scan (e.g., your publicly listed address, phone number, or age as surfaced by data brokers)
- Status of removal requests submitted on your behalf
This data is used exclusively to provide the service to you. It is never used for advertising, sold, or shared for purposes unrelated to your removal requests.
(c) Usage Data
We collect technical and behavioral data about how you interact with our platform, including:
- Pages visited and features used
- Time and duration of sessions
- Browser type, operating system, and screen resolution
- IP address and approximate geographic region
- Referral source (how you arrived at our site)
This data helps us understand how our product is used, identify bugs, and improve the user experience. We do not use third-party analytics services that track users across the web.
(d) Payment Data
Payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you subscribe to a paid plan, your payment card details are entered directly into Stripe's secure environment. We never receive, store, or process your card number, CVC, or expiry date.
We do receive from Stripe: your billing name, billing address, the last four digits of your card, card brand, and transaction records necessary for our accounting and fraud prevention obligations.
How We Use Your Information
We use the data we collect for the following purposes:
- Provide and operate our service — running scans, sending removal requests to data brokers, generating content, and displaying results in your dashboard.
- Submit removal requests on your behalf — we use your scan data to draft, send, and track GDPR, CCPA, and DMCA deletion requests to the data sources where your information appears.
- Generate professional content — for users on Content plans, we use your profile to generate optimized web content intended to replace harmful or outdated results.
- Improve our detection methods — we analyze aggregated, anonymized scan patterns to improve the accuracy and coverage of our detection processes. No individual's personal data is shared with third parties for unrelated purposes.
- Communicate with you — send transactional emails (scan results, removal updates, billing receipts), service announcements, and, where you have opted in, product news.
- Ensure security and prevent fraud — monitor for unauthorized access, abuse, and fraudulent activity.
- Comply with legal obligations — retain financial records, respond to lawful requests from authorities, and enforce our Terms of Service.
Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, our processing of your personal data rests on the following legal bases under the General Data Protection Regulation (GDPR):
Performance of a Contract (Art. 6(1)(b))
The majority of our processing — account management, running scans, submitting removal requests, billing — is necessary to perform the contract we have with you when you sign up and use our service.
Legitimate Interests (Art. 6(1)(f))
We process usage data and security logs based on our legitimate interest in improving our product and keeping it secure. We have conducted a Legitimate Interests Assessment (LIA) and determined that our interests are not overridden by your privacy rights, given the limited and non-intrusive nature of this processing.
Consent (Art. 6(1)(a))
Where we send marketing communications or use optional cookies, we do so only on the basis of your explicit, freely given, and revocable consent. You may withdraw consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
Legal Obligation (Art. 6(1)(c))
We retain financial records and process data when required by applicable law, including EU tax regulations and anti-money laundering rules.
Data Sharing
We do not sell your personal data. Ever. We share data with third parties only in the following limited circumstances:
Data Brokers & People-Search Sites
To fulfill our core service, we submit removal requests to data broker websites on your behalf. This necessarily involves transmitting your identifying information (name, email, address) to those sites for the purpose of requesting deletion. We transmit only the minimum data required for each request.
Stripe (Payment Processing)
Stripe, Inc. processes all payment transactions. Stripe receives your billing information as necessary to complete and record transactions. Stripe's processing is governed by their own Privacy Policy and their certification under the EU-US Data Privacy Framework.
Anthropic (Processing Support)
We use Anthropic's API to support certain analysis and content generation workflows. Data sent to the API is anonymized and stripped of direct identifiers before transmission. We have a Data Processing Agreement with Anthropic. Anthropic does not use API inputs to train their models.
Infrastructure Providers
We use Vercel (frontend hosting) and Render (API hosting) to operate our platform. These providers act as data processors under our instructions and are bound by Data Processing Agreements. They do not have access to your personal data beyond what is technically necessary to deliver the service.
Legal Requirements
We may disclose data if required by law, court order, or a government authority with jurisdiction, provided we are not legally prohibited from notifying you of such a request.
Data Retention
We retain your data for as long as necessary to provide our service and comply with legal obligations:
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | While your account is active, then 30 days after deletion request |
| Scan results & removal history | 90 days after account deletion |
| Payment records & invoices | 7 years (EU VAT and tax law requirement) |
| Security & access logs | 90 days rolling |
| Email communication records | 3 years from last interaction |
| Anonymized aggregate analytics | Indefinitely (not personal data) |
Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of them, email privacy@noxrid.com. We will respond within 30 days at no charge.
Right of Access (Art. 15 GDPR)
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16 GDPR)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17 GDPR)
Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
Right to Data Portability (Art. 20 GDPR)
Receive your personal data in a structured, machine-readable format and transfer it to another controller.
Right to Restriction of Processing (Art. 18 GDPR)
Request that we restrict processing of your data while a dispute is being resolved.
Right to Object (Art. 21 GDPR)
Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, withdraw it at any time. This does not affect the lawfulness of prior processing.
Right to Lodge a Complaint
Lodge a complaint with your national Data Protection Authority. For EU users, our lead supervisory authority is the Irish Data Protection Commission (DPC).
CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
Right to Know
You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete
You may request deletion of personal information we have collected about you, subject to certain exceptions (e.g., information needed to complete a transaction you requested or required by law).
Right to Opt-Out of Sale or Sharing
We do not sell or share your personal information for cross-context behavioral advertising. You do not need to opt out — we never engage in these practices.
Right to Correct
You may request correction of inaccurate personal information we maintain about you.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not result in denial of services, different prices, or reduced quality of service.
To exercise your CCPA rights, contact us at privacy@noxrid.com or use the subject line “CCPA Request”. We will respond within 45 days as required by law.
International Data Transfers
NOXRID is incorporated in Ireland and primarily operates within the EU. However, some of our service providers (Stripe, Anthropic, Vercel, Render) are located in the United States. When we transfer your personal data outside the EEA, we ensure adequate protection through:
- EU-US Data Privacy Framework (DPF) — where our sub-processors are certified under the DPF, which the European Commission has recognized as providing adequate protection.
- Standard Contractual Clauses (SCCs) — where DPF certification is not available, we rely on the European Commission's approved Standard Contractual Clauses incorporated into our Data Processing Agreements.
- Adequacy Decisions — where the European Commission has issued an adequacy decision for the recipient country.
You may request a copy of the relevant safeguards in place for any specific transfer by contacting privacy@noxrid.com.
Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption at rest — all personal data stored in our databases is encrypted using AES-256.
- Encryption in transit — all data transmitted between your browser and our servers is protected by TLS 1.3.
- Access controls — strict role-based access controls (RBAC) ensure that only authorized personnel can access personal data, on a need-to-know basis.
- Password hashing — user passwords are hashed using bcrypt with a per-user salt before storage.
- Regular security audits — we conduct regular internal security reviews and periodic third-party penetration tests.
- Breach response — we maintain an incident response plan and will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of a qualifying data breach.
No method of transmission or storage is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at privacy@noxrid.com.
Cookies
We use a minimal cookie policy — only what is strictly necessary to operate the service. We do not use tracking cookies, advertising cookies, or third-party analytics platforms that follow you across the web.
| Cookie | Purpose | Duration |
|---|---|---|
| nox_session | Maintains your authenticated session | Session |
| nox_auth_token | Secure authentication token (HttpOnly, Secure) | 7 days |
| nox_csrf | CSRF protection token | Session |
Because we use only strictly necessary cookies, we do not require a cookie consent banner under the ePrivacy Directive for these cookies. If we ever introduce optional cookies, we will obtain your explicit consent first.
Children's Privacy
Our service is not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal information without parental consent, please contact us immediately at privacy@noxrid.com and we will take prompt steps to delete that information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will distinguish between material and non-material changes:
- Material changes — we will notify you by email at least 30 days before the change takes effect, and update the “Last updated” date at the top of this page. Continued use of the service after the effective date constitutes acceptance of the updated policy.
- Non-material changes (e.g., clarifications, corrections) — we will update the page and date without advance email notice.
We encourage you to review this policy periodically. Previous versions are available upon request.
Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact:
NOXRID Privacy Team
Email: privacy@noxrid.com
Response time: Within 30 days
For urgent security matters, mark your email subject “URGENT — Privacy”