NORSTRIDE
Legal

Privacy Policy

Effective date: 2026-04-29 · Last updated: 2026-05-08

Note: This is a working document for a B2B engineering services business that does not operate a consumer-facing app. Have it reviewed by a lawyer before relying on it for compliance with a specific regulatory regime (GDPR, UK GDPR, CCPA/CPRA, etc.).

Your privacy matters to us. This Privacy Policy explains who we are, what personal information we collect when you visit norstride.com or contact us, why we collect it, how we use and share it, where it goes, how long we keep it, and what rights you have. Please read it carefully. By using this website or contacting us, you agree to the processing described here.

1. Who we are

1.1 References to "we," "us," "our," or "Norstride" in this Privacy Policy are to Norstride Inc. (incorporated August 2012, D-U-N-S 079322774), located in Cheyenne, WY 82001, USA. Email: hello@norstride.com. Phone: +1-904-558-0003.

1.2 Where the EU or UK General Data Protection Regulation (GDPR) applies — for example, if you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland and we collect or process your personal information — we act as the data controller of that information for the purposes of those laws.

1.3 Where we process personal information on behalf of a client under a Master Services Agreement and Data Processing Addendum (e.g., during an engagement on the client's product), we act as the data processor for that client's data. This Privacy Policy does not govern that processing — those terms are negotiated per engagement.

2. What personal information we collect

2.1 We collect personal information in three ways: (a) information you give us directly; (b) information collected automatically when you visit the website; and (c) information we may receive from third parties.

2.2 Information you give us directly. When you contact us through the form on the contact page, send us an email, sign up for the playbook, schedule a call, or sign a contract, you may provide:

  • your name;
  • your work email address;
  • your phone number (optional);
  • your company name and role (optional);
  • the country or region you operate from (optional);
  • the project timeline you have in mind (optional);
  • the contents of your message and any attachments;
  • any other personal information you choose to share with us during a discovery call or engagement.

2.3 Note about the contact form. The contact form on this site composes a message in your own email client and sends it from your own email account to hello@norstride.com. Norstride does not run a server-side form processor for that submission. Once your email is sent, it is received and stored in our mailbox hosted by Bluehost (see Section 7).

2.4 Information collected automatically. When you visit the website, our hosting provider automatically records:

  • your IP address (or proxy server);
  • the date and time of the request;
  • the URL you requested and the referring URL (if any);
  • your browser user agent string and language preferences;
  • basic statistics on page views and request paths;
  • error reports and other technical information needed to keep the site running.

2.5 Information from third parties. Where permitted, we may receive limited business contact information from public sources (e.g., LinkedIn, your company website, mutual introductions) when we are responding to or following up on an inquiry you have started.

2.6 We do not collect financial account numbers, payment-card numbers, government identifiers, biometric data, or special-category data (race, religion, health, etc.) through the website. If an engagement requires processing of such data on a client's behalf, that processing is governed by the engagement contract and a Data Processing Addendum, not this policy.

3. Cookies and similar technologies

3.1 The norstride.com website does not set first-party tracking cookies and does not use cross-site advertising or behavioral-profiling cookies.

3.2 Our content delivery network (Cloudflare, see Section 7) may set strictly necessary cookies (for example, __cf_bm) to mitigate bot traffic and ensure site security. These cookies do not identify you personally.

3.3 If we add web analytics in the future, we will use a privacy-respecting tool (such as Plausible or Fathom) that does not place cookies, does not collect personal data, and does not track users across sites. We will update this Privacy Policy and the cookie list when we do.

3.4 You can configure your browser to notify you when cookies are set, accept or reject them, and clear stored cookies at any time.

4. How we use personal information and on what legal basis

4.1 We use the personal information you provide to:

  • (a) reply to your inquiry and schedule a discovery call;
  • (b) send you a written scope, proposal, contract, and supporting documents;
  • (c) provide engineering services under a signed engagement;
  • (d) administer the business relationship — invoices, payments, support, and engagement communications;
  • (e) keep records of communications and contracts for tax, accounting, and legal-defense purposes;
  • (f) protect the security, integrity, and availability of the website and our systems;
  • (g) comply with our legal obligations and respond to lawful requests by public authorities;
  • (h) where you have explicitly opted in, send you the playbook PDF or other content you have requested;
  • (i) improve the website and the services we offer.

4.2 Where the GDPR or UK GDPR applies, we rely on the following legal bases (and on occasion more than one may apply to the same processing):

  • (a) Performance of a contract — to enter into or perform an engagement contract with you or your organization, or to take steps at your request before entering into such a contract (Article 6(1)(b));
  • (b) Our legitimate interests — to respond to inquiries, manage the business relationship, secure the website, keep records, and improve our services, where those interests are not overridden by your interests, rights, and freedoms (Article 6(1)(f));
  • (c) Compliance with a legal obligation — to keep tax and accounting records and to respond to lawful requests (Article 6(1)(c));
  • (d) Your consent — for any processing where consent is required by law or where it is our policy to seek consent (e.g., to send you the playbook), withdrawable at any time without affecting the lawfulness of past processing (Article 6(1)(a)).

4.3 We do not use the information you give us for direct marketing email, newsletters, or promotional campaigns unless you have explicitly and separately opted in. We do not sell your personal information to third parties. We do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

5. To whom we disclose personal information

5.1 We disclose personal information only to:

  • (a) the service providers listed in Section 7, each bound by a contract that requires them to keep your information confidential and use it only on our instructions;
  • (b) our outside professional advisors (lawyers, accountants, auditors), where required for the running of the business and bound by professional confidentiality;
  • (c) government, regulatory, or law-enforcement authorities, when required or authorized by law;
  • (d) a successor entity in the event of a merger, acquisition, reorganization, or sale of substantially all of our assets — in which case we will give notice and any successor will be bound by terms at least as protective as these;
  • (e) any party you have authorized us to disclose your information to.

5.2 We do not disclose personal information to advertising networks, data brokers, social-media advertising platforms, or marketing firms.

6. International transfers

6.1 Norstride is established in the United States. If you contact us from outside the United States, your personal information will be transferred to and processed in the United States and may be processed in any country where our service providers operate (see Section 7).

6.2 Some countries outside the EEA, the UK, and Switzerland — including the United States — do not have the same data protection laws as your country of residence. Where the GDPR or UK GDPR applies to a transfer, we rely on appropriate safeguards (for transfers to the United States, the EU-U.S. Data Privacy Framework where the recipient is certified, or European Commission–approved Standard Contractual Clauses, supplemented by additional measures where required) to protect the transfer.

6.3 If you have any questions about the basis on which your personal information is transferred internationally, please contact us at privacy@norstride.com.

7. Service providers we use

7.1 We use a small number of third-party service providers to operate the website and to communicate with you. Each acts as a data processor on our behalf. The current list:

  • Bluehost (a brand of Newfold Digital Inc.) — website hosting and email mailbox hosting (hello@norstride.com and related addresses). Located in the United States. Privacy policy.
  • Cloudflare, Inc. — DNS, content delivery, and security (DDoS protection and bot mitigation). Located in the United States. Privacy policy.
  • Google LLC (Google Fonts) — web font delivery for the typefaces used on this website. Google's font CDN may receive your IP address and user agent when your browser fetches a font file. Located in the United States. Privacy policy.
  • Bottly AI (widget.bottlyai.com) — on-site chat assistant. When the chat widget loads on your device, Bottly may receive your IP address, user agent, page URL, and the contents of any messages you choose to send through the chat. Bottly stores conversation transcripts so that we can review them and improve the assistant. Do not enter sensitive personal data, account credentials, or confidential business information into the chat. Located in the United States. Privacy policy.

7.2 The contact form on this site does not use a third-party form processor. The form composes a message in your own email client; the message is sent from your account to hello@norstride.com, where it is received and stored on Bluehost's mail servers.

7.3 If we add or remove a service provider, we will update this list and the date of last revision below. We do not currently use any web analytics, advertising network, A/B-testing platform, marketing automation tool, or session-replay tool.

8. Marketing communications

8.1 We do not send unsolicited marketing email. If you have downloaded the playbook or otherwise explicitly opted in to receive occasional updates from Norstride, we will use the email address you provided only to send those updates.

8.2 You may opt out of all such communications at any time by replying with "unsubscribe," using the unsubscribe link in any email we send, or contacting privacy@norstride.com. Operational messages necessary to provide a service you have engaged us for (e.g., status updates during an active engagement) cannot be opted out of without ending the engagement.

9. How long we keep personal information

9.1 We keep personal information only for as long as we need it for the purposes set out in this Privacy Policy, or for as long as required by applicable law. The defaults:

  • Inquiry data (contact form messages, emails about a potential engagement) — kept for up to 24 months from your last contact with us, then deleted unless an active engagement is in place.
  • Engagement records (signed contracts, scoping documents, invoices, deliverables, retained for tax and legal-defense purposes) — duration of the engagement plus seven years.
  • Server logs and security logs — 30 days, then automatically rotated and deleted.
  • Cloudflare bot-mitigation cookies — typically 30 minutes per session.
  • Mailbox content (emails sent to or from @norstride.com addresses) — retained on Bluehost for the duration of the business relationship and for the periods set out above; archived offline thereafter.

9.2 At the end of the applicable retention period we delete, anonymize, or securely archive the data, subject to any legal obligation to retain it longer (for example, an active legal hold).

10. Your rights

10.1 Depending on the law that applies to you, you may have the following rights with respect to your personal information:

  • (a) Access — to obtain confirmation of whether we are processing personal information about you, and a copy of that information together with certain supplementary information;
  • (b) Rectification — to ask us to correct inaccurate or incomplete personal information;
  • (c) Erasure ("right to be forgotten") — to ask us to delete personal information about you in certain circumstances;
  • (d) Restriction — to ask us to restrict the processing of your personal information in certain circumstances;
  • (e) Portability — to receive the personal information you have provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller, in certain circumstances;
  • (f) Objection — to object to processing based on our legitimate interests, and to object at any time to processing for direct marketing;
  • (g) Withdraw consent — where processing is based on your consent, to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal;
  • (h) Not be subject to automated decision-making — we do not make automated decisions that produce legal effects concerning you or significantly affect you;
  • (i) Complain — to lodge a complaint with the data-protection supervisory authority in your country of residence.

10.2 If you are a California resident, you have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we have collected about you, the categories of sources, the business or commercial purposes, and the categories of recipients; the right to request deletion or correction; the right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising); the right to limit the use of sensitive personal information (we do not collect such information through the website); and the right not to be discriminated against for exercising these rights.

10.3 You will not be charged a fee for exercising any of these rights, except where the law allows us to charge a reasonable fee for manifestly unfounded or excessive requests.

11. How to exercise your rights

11.1 To exercise any of the rights in Section 10, please email privacy@norstride.com from the email address we hold for you, or write to: Norstride Inc., Attn: Privacy, Cheyenne, WY 82001, USA. Include enough detail to identify the request (e.g., the email address you used to contact us, an approximate date of contact, and the nature of your request).

11.2 We may need to verify your identity before processing certain requests. We will respond to verifiable requests within 30 days (or longer where the law permits, in which case we will tell you why).

11.3 You may use an authorized agent to make a request on your behalf, subject to verification.

12. Security

12.1 We protect personal information using technical and organizational measures appropriate to the risk: TLS 1.2+ encryption in transit on the website; encrypted storage on managed cloud and mailbox infrastructure; access controls scoped to the people who need the information; multi-factor authentication on administrative accounts; periodic password rotation; and an incident-response procedure.

12.2 No internet transmission or electronic storage is perfectly secure. If we confirm a breach involving your personal information that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, in line with applicable law.

13. Children

13.1 Norstride sells engineering services to businesses. The website is not directed at children under 16 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from anyone under that age.

13.2 If you believe a child has provided us personal information, please email privacy@norstride.com and we will delete it.

14. Third-party links

14.1 The website may contain links to third-party websites (for example, the LinkedIn, GitHub, and X profiles in the footer). Those websites are not under our control, and we are not responsible for their content or their privacy practices. You should review the privacy policy of any third-party site you visit.

15. Changes to this Privacy Policy

15.1 We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the services we use. The current version always lives at https://norstride.com/privacy/, with the date of last revision below.

15.2 If we make material changes, we will post a notice on the website and, where required, notify affected individuals directly before the changes take effect.

16. How to contact us or complain

16.1 For any question about this Privacy Policy, to exercise your rights, or to make a complaint, contact:

Norstride Inc. — Privacy
Email: privacy@norstride.com
General: hello@norstride.com
Mail: Cheyenne, WY 82001, USA
Phone: +1-904-558-0003

16.2 We respond to privacy complaints in writing within the timeframes required by applicable law. If you are not satisfied with our response, you may lodge a complaint with the data-protection authority in your country of residence — for example, the U.S. Federal Trade Commission (United States), the California Privacy Protection Agency (California residents), the Information Commissioner's Office (United Kingdom), or your national supervisory authority in the EEA.

17. Definitions

  • "Personal information" (or "personal data") means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal information, including collection, recording, organization, storage, use, disclosure, and erasure.
  • "Controller" means the entity that determines the purposes and means of processing personal information.
  • "Processor" means an entity that processes personal information on behalf of a controller.
  • "Website" means norstride.com and any subdomain operated by Norstride.
  • "Services" means the engineering services Norstride provides under a signed engagement.
  • "You" / "your" means any individual who visits the website, contacts us, or otherwise interacts with Norstride.