Last updated: 1 June 2026 · UK GDPR & Data Protection Act 2018
Who we are
This website (nora-systems.com) is operated by NORA Technology Ltd, registered in England & Wales under company number 17228303. Our registered office is 3 Swiss Cottage New Road, Studley, Calne, Wiltshire, SN11 9NA.
For any question about how we use your data, contact: [email protected].
NORA Technology Ltd is the Data Controller for the information described in this policy.
What data we collect
We only collect data you give us, when you contact us. Specifically:
- Enquiry forms on the home page and each tier page: your name, email address, optional company / organisation name, the service or sector you selected, the budget range you selected (where applicable), and the message you wrote.
- Tier 3 attachments: any files you choose to upload alongside an enterprise enquiry (PDFs, documents, images). You decide what to send. Please do not upload special category data (health information, criminal records, biometric or genetic data) or third-party personal data at the enquiry stage — sensitive material is only handled later, under a signed data processing agreement.
- Email correspondence: anything you write to [email protected], including any attachments you send.
- Basic technical metadata: when you submit a form, we record the User-Agent string of your browser, a timestamp, and your IP address, alongside your enquiry. Our web servers also record IP addresses in standard access logs (kept up to 30 days) for security and abuse-prevention. Legal basis: legitimate interest. We do not use IP addresses for marketing, advertising, profiling, or to identify individuals beyond what is needed to operate the site safely.
We do not use Google Analytics, advertising trackers, or third-party marketing cookies on this website.
Why we collect it (legal basis)
- To reply to your enquiry and discuss a possible engagement. Legal basis: legitimate interest — you contacted us first.
- To deliver any services you subsequently engage us to provide. Legal basis: contract.
- To keep an audit trail of who we have spoken to, in line with normal business record-keeping. Legal basis: legitimate interest.
We do not use your data for marketing, profiling, or automated decision-making.
How long we keep it
- Unsuccessful enquiries (where we don't end up working together): up to 12 months, then deleted.
- Client records (where we are engaged): kept for the duration of our working relationship plus 7 years afterwards, to meet HMRC and Companies House obligations.
- Tier 3 attachments: kept only for the period of active discussion. If we don't proceed to a paid engagement, attachments are deleted within 90 days.
Who we share it with
We do not sell your data and we do not share it with third parties for marketing.
Your data may be processed by the following infrastructure providers under standard data-processing arrangements:
- Cloudflare, Inc. — provides the public-facing connection (DNS and tunnel) to our website.
- Anthropic PBC — provides the Claude AI model that may assist us in triaging or drafting responses to enquiries. Where used, the message text is sent to Anthropic's API for processing. Anthropic does not train its models on this data.
- Our own infrastructure — your enquiry, including any attachments, is stored on servers we operate in the United Kingdom.
For Tier 3 (regulated-sector) engagements, we operate on-premise where required, meaning your data does not leave your own infrastructure.
International transfers
Anthropic processes data in the United States. Transfers are made under the UK International Data Transfer Agreement (IDTA), the UK's approved mechanism for transferring personal data outside the UK under UK GDPR. Cloudflare operates a global network with equivalent data-transfer safeguards under its own published terms.
Your rights
Under UK GDPR you have the right to:
- Access the data we hold on you
- Correct data that is wrong
- Delete your data (subject to legal record-keeping obligations)
- Restrict or object to our processing of it
- Receive a copy in a portable, machine-readable format
- Withdraw consent where consent is the legal basis
To exercise any of these, email [email protected]. We will respond within 30 days.
Complaints
If you believe we have handled your data unlawfully, you can complain to the UK Information Commissioner's Office:
We'd appreciate the chance to address your concern directly first — email [email protected] and we'll respond within 5 working days.
Cookies
This website does not use cookies for tracking, analytics or advertising. We do not use Google Analytics, Facebook Pixel or similar third-party scripts.
If you visit the internal admin areas of this site (LAN/Tailscale only), your browser may store local preferences such as theme (light/dark) using localStorage. These are purely cosmetic and never transmitted off your device.
Changes to this policy
If we change this policy materially we will update the "Last updated" date at the top. For anyone we are actively engaged with, we will email you about material changes.