Noxys

Privacy Policy

Last updated: March 23, 2026

1. Data Controller

Noxys Security SAS (“Noxys”, “we”, “us”) is the data controller for personal data collected through this website (noxys.eu) and the Noxys platform (app.noxys.cloud).

Contact: [email protected]

2. Data We Collect

2.1 Website (noxys.eu)

  • Email address (when you submit the contact form or request a demo)
  • Language preference (stored locally in your browser, never transmitted)
  • Standard web server logs (IP address, user agent, timestamps) via Cloudflare

We do not use cookies, tracking pixels, or third-party analytics on this website.

2.2 Noxys Platform (app.noxys.cloud)

  • Account information (name, email, organization)
  • AI usage metadata (platform names, timestamps, department, risk classifications)
  • PII detection alerts (classification type only — never the actual sensitive data)
  • SHA-256 content hashes (irreversible, cannot be used to reconstruct original content)

Privacy by design: The Noxys browser extension processes prompt content entirely locally. Raw prompt text is never transmitted to our servers. Only hashes, metadata, and classifications are sent. This is a hard architectural constraint, not a policy commitment.

3. Legal Basis for Processing

We process personal data under the following GDPR legal bases:

  • Contract performance (Art. 6(1)(b)) — to provide the Noxys service
  • Legitimate interest (Art. 6(1)(f)) — to improve our service and ensure security
  • Consent (Art. 6(1)(a)) — for marketing communications (opt-in only)

4. Data Storage and Transfers

All data is stored exclusively in European Union datacenters. Noxys operates with zero dependency on US cloud providers. We do not use AWS, GCP, or Azure services.

No personal data is transferred outside the EU/EEA. For Enterprise customers, on-premises and private VPC deployments are available.

5. Data Retention

  • Free plan: 7 days
  • Starter plan: 30 days
  • Business plan: 90 days
  • Enterprise plan: custom retention period

After the retention period, data is permanently and irreversibly deleted. Account data is retained for the duration of the contract plus 30 days.

6. Your Rights

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”, Art. 17)
  • Restrict processing (Art. 18)
  • Port your data to another provider (Art. 20)
  • Object to processing (Art. 21)

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Sub-processors

We use a minimal set of EU-based sub-processors. A current list is available upon request. All sub-processors are bound by data processing agreements compliant with GDPR Article 28.

8. Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS 1.3), encryption at rest, access controls, and regular security assessments.

9. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The “Last updated” date at the top reflects the most recent revision.

10. Contact

For questions about this privacy policy or our data practices, contact us at: [email protected]

You also have the right to lodge a complaint with your local data protection authority (DPA).