Privacy policy for nurasecurity
nurasecurity by Nura Security & Compliance, Taras Gearhert
Privacy Policy
Nura Security · Last Updated: 22 April 2026 · Version 2.0
Nura Security & Compliance FZCO ("Nura", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard personal data in connection with:
• this website (nurasecurity.com);
• the Nura browser extension, available for Chrome, Firefox, Microsoft Edge, and Safari (the “Extension”); and
• the Nura web-based administration console (the “Platform”).
This policy should be read alongside our Terms of Service and, where applicable, our Data Processing Addendum (“DPA”), which governs how we process personal data on behalf of business customers.
1. Who We Are
Nura provides AI usage visibility and data protection capabilities for small and mid-sized businesses, delivered through authorised partners and resellers. Our core product is a browser extension, available for Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari, that monitors prompts and file uploads made by employees to external generative AI tools, allowing organisations to detect, block, or mask sensitive data before it is transmitted.
Legal entity: Nura Security & Compliance FZCO is a Free Zone Company incorporated and registered in the United Arab Emirates (UAE). Our services are offered globally, with a primary focus on customers based in the United Kingdom and the European Union.
Data controller status: For personal data collected via this website and through use of the Platform (including account data and usage analytics), Nura acts as the data controller. For personal data processed on behalf of business customers through the Extension and Platform, Nura acts as a data processor under the customer’s instructions.
UK and EU customers — important notice: Although Nura is established in the UAE, we actively offer services to individuals and organisations in the UK and EU and are therefore subject to the UK GDPR and the EU General Data Protection Regulation (GDPR) by virtue of Article 3 of each regulation (the “territorial scope” provision). We take our obligations under both frameworks seriously and have implemented the measures described in this policy accordingly.
UK Representative: As required under UK GDPR Article 27, Nura has appointed a representative in the United Kingdom. Contact details are provided in Section 16.
EU Representative: As required under EU GDPR Article 27, Nura has appointed a representative in the European Union. Contact details are provided in Section 16.
Legal entity: Nura Security & Compliance FZCO
Jurisdiction: United Arab Emirates (FZCO — Free Zone Company)
Email: info@nurasecurity.com
Website: nurasecurity.com
DPO / Privacy contact: info@nurasecurity.com
UK supervisory authority: ICO — Information Commissioner’s Office | ico.org.uk | 0303 123 1113
EU supervisory authority: Your local EU data protection authority. For cross-border complaints, refer to your lead supervisory authority based on your country of residence.
2. Browser Extension — Data Practices
This section addresses end users of the Nura browser extension and satisfies the privacy disclosure requirements of the Google Chrome Web Store, Mozilla Firefox Add-ons, Microsoft Edge Add-ons, and Apple Safari Extensions policies.
2.1 What the Extension Does
The Extension operates within your web browser (Chrome, Firefox, Edge, or Safari) and intercepts outgoing content before it is transmitted to generative AI tools (including ChatGPT, Google Gemini, Anthropic Claude, and Perplexity). Specifically, the Extension:
• reads text entered into AI tool input fields in real time, before submission;
• scans files attached to AI tool upload functions;
• analyses content locally against configured detection rules to identify sensitive data categories; and
• depending on the policy configured by your employer, blocks the submission, masks sensitive values within the content, warns the user, or allows the content through and logs the event.
2.2 What Data the Extension Accesses
To perform its function, the Extension requests the following browser permissions. The specific permission names vary slightly between Chrome, Firefox, Edge, and Safari but the scope of access is equivalent across all four:
• activeTab / tabs: to detect when a supported AI tool is open in the active browser tab.
• scripting / content scripts: to read and optionally modify prompt content within the AI tool’s input fields before submission.
• storage (local): to cache policy configuration locally within the browser, reducing the need for repeated network requests.
• host permissions (AI tool domains only): to operate on the specific AI platform domains your organisation has configured for monitoring (e.g. chat.openai.com, gemini.google.com, claude.ai, perplexity.ai).
The Extension does NOT access your general browsing history, saved passwords, form data on non-AI websites, or any content outside of the AI tool interfaces it is configured to monitor. It does not read content from any tab other than the active tab when a supported AI tool is in use.
2.3 How Prompt Content Is Handled
Local processing: Prompt content is analysed entirely within your browser. The raw text of prompts is never transmitted to Nura’s servers under any circumstances.
What is transmitted: When an event is detected or logged, only metadata is transmitted to the Nura Platform. This metadata includes: the data category detected (e.g. “Financial Data”, “Employee & HR”), the action taken (block, mask, warn, or allow), a timestamp, the AI tool in use, the browser in use, and the user’s account identifier as configured by the employer.
Generalised prompt summaries: Where a deploying organisation has enabled the “Generalise” prompt-handling mode, a generic summary of the prompt’s purpose (not the original text) may be transmitted and stored on Nura’s infrastructure. This summary is designed to obscure personally identifiable information while providing context for audit purposes. This feature is disabled by default and must be explicitly enabled by the organisation.
Raw prompt content: Raw prompt text is never stored on Nura’s servers. This is an absolute constraint of the product architecture, not a policy default that can be changed by configuration.
2.4 Use of Data Collected by the Extension
Data collected through the Extension is used exclusively to:
• enforce the data protection policies configured by the deploying organisation;
• generate usage events and risk logs visible in the Nura admin console;
• produce aggregate analytics and risk scoring for the organisation.
We do not use Extension data for advertising, profiling, or any purpose unrelated to the Extension’s core function. We do not sell Extension data to any third party.
2.5 Extension Data Sharing
Extension-generated data is shared only with:
• the deploying organisation’s authorised administrators via the Nura Platform;
• Nura’s infrastructure sub-processors (see Section 9) who process data solely on our instructions; and
• legal or regulatory authorities where required by law.
3. Employees and End Users
If you are an employee whose organisation has deployed the Nura Extension on your device, you should be aware of the following.
Your employer is the data controller for data collected about your use of AI tools through the Extension. Nura processes this data as a data processor acting on your employer’s instructions. Your employer is responsible for notifying you of the monitoring in place, obtaining any consent required under applicable employment law, and defining what data is collected and retained.
What is monitored: The Extension monitors content you enter into configured AI tool interfaces during working hours on managed devices. It does not monitor content entered on non-AI websites, personal applications, or outside of the AI tools your organisation has configured.
Privacy-first by design: By default, prompt analysis is local. Your actual prompt text is not sent to Nura’s servers. If your employer has enabled raw prompt storage, this will be disclosed in your employer’s own internal data protection notice.
Exercise of rights: To exercise data subject rights (access, correction, deletion, etc.) in relation to data collected through the Extension, please contact your employer in the first instance, as they are the data controller for that data.
4. Website and Marketing Data
4.1 Data You Provide Directly
We collect personal data when you interact with our website, including when you:
• fill out a contact or demo request form;
• apply to become a reseller or partner;
• subscribe to product updates or newsletters;
• communicate with us by email.
This may include your name, company name, job title, email address, phone number, and business details.
4.2 Data Collected Automatically
When you visit our website, we may automatically collect:
• IP address and approximate location;
• browser type and version;
• device type and operating system;
• pages visited, time on site, and referring URL;
• date and time of visit.
This information is used for security, analytics, and website improvement.
4.3 Cookies
We use cookies and similar technologies for website functionality, analytics, and (where applicable) marketing. You may manage cookie preferences through your browser settings or our cookie consent tool. Disabling certain cookies may affect website functionality.
5. How We Use Your Information
We use personal data to:
• respond to enquiries, demo requests, and partner applications;
• provide and improve the Nura Platform and Extension;
• send product updates and relevant communications (where you have opted in or where we have a legitimate interest);
• conduct security monitoring and fraud prevention;
• comply with legal obligations; and
• enforce our Terms of Service.
We do not sell personal data to third parties.
6. Legal Basis for Processing (GDPR)
Where UK or EU GDPR applies, we process personal data on the following legal bases:
Consent: Newsletter subscriptions; optional cookies and analytics.
Contractual necessity: Providing the Platform and Extension to customers; fulfilling partner agreements.
Legitimate interests: Responding to enquiries; improving services; security monitoring; direct marketing to business contacts (proportionate and with opt-out).
Legal obligation: Compliance with applicable law, regulatory requests, or court orders.
7. Data Sharing
We may share personal data with:
• Authorised resellers and partners: where your enquiry was referred through a partner channel, we may share relevant contact details to fulfil your request.
• Business customers: where you are an employee user, your employer has access to usage events generated through your use of the Extension, as described in Section 3.
• Sub-processors: Digital Ocean (infrastructure — receives all Platform data including usage events and, where enabled, generalised prompt summaries), Intercom (customer communications — receives email address only), and Resend (email delivery — receives email address only). See Section 9 for full details.
• Legal or regulatory authorities: where required by law, court order, or regulatory obligation.
• Acquirers: in the event of a merger, acquisition, or sale of all or part of our business, in which case data subjects will be notified.
We do not sell personal data. We do not share personal data with any party not listed above. No sub-processor receives raw prompt content under any circumstances.
8. International Data Transfers
Nura is established in the UAE. When we collect or process personal data from UK or EU residents, this constitutes a transfer of personal data to a third country for the purposes of UK GDPR and EU GDPR.
The UAE does not currently hold an adequacy decision from the UK or the EU. Accordingly, we rely on the following transfer mechanisms to ensure your personal data receives an equivalent level of protection to that required under UK and EU law:
• UK International Data Transfer Agreements (IDTAs): for transfers of UK personal data to Nura and our sub-processors outside the UK.
• EU Standard Contractual Clauses (SCCs): for transfers of EU personal data to Nura and our sub-processors outside the EEA, approved under EU Commission Decision 2021/914.
• Supplementary technical and organisational measures: including encryption in transit and at rest, access controls, and data minimisation, to supplement the above mechanisms where appropriate.
Copies of the applicable transfer mechanisms are available on request from info@nurasecurity.com.
Where Nura engages sub-processors located outside the UK or EEA — including Digital Ocean, Intercom, and Resend, all of which are US-based — we ensure equivalent transfer safeguards are in place through our sub-processor agreements, as described in Section 9.
9. Sub-Processors
We use the following sub-processors to operate our services. Each is bound by a data processing agreement and required to process personal data only on our instructions, only to the extent necessary for the specific purpose described, and in accordance with applicable data protection law.
Digital Ocean: Cloud infrastructure — hosts the Nura Platform and all associated data, including: user account information (name, email address, employer organisation); usage event metadata (data category detected, action taken, timestamp, AI tool, browser); and, where a deploying organisation has enabled the Generalise prompt-handling mode, generalised prompt summaries. Digital Ocean processes this data as infrastructure only and has no independent access to or use of this data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.
Intercom: Customer communications — receives the email address of registered Platform users only, used solely to support onboarding and customer communications. Intercom does not receive prompt content, usage event data, or any other personal data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.
Resend: Transactional email delivery — receives the email address of registered Platform users only, used solely to deliver system-generated notifications and product emails. Resend does not receive prompt content, usage event data, or any other personal data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.
Data minimisation: Where a sub-processor’s function requires only an email address, only an email address is provided. No sub-processor receives raw prompt content. Generalised prompt summaries are only ever stored on Digital Ocean infrastructure and only where the deploying organisation has explicitly enabled that feature.
All three sub-processors are based in the United States. Transfers to these sub-processors are governed by EU Standard Contractual Clauses and UK International Data Transfer Agreements as applicable, as described in Section 8. We will provide reasonable advance notice of any intended changes to our sub-processor list. An up-to-date list is available on request from info@nurasecurity.com.
10. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods are:
Website contact / enquiry data: 24 months from last interaction, unless an ongoing relationship is established.
Customer account data: Duration of the contract plus 7 years for legal and audit purposes.
Extension usage event metadata: As specified in the customer agreement, typically 12 months rolling.
Generalised prompt summaries: Only stored where explicitly enabled by the deploying organisation. Retention period set by the organisation in Platform settings. Not stored by default.
Raw prompt content: Not stored by Nura under any circumstances. Not transmitted to Nura’s servers.
Email addresses (Intercom / Resend): Retained for the duration of the customer relationship. Deleted within 30 days of account closure on request.
Cookies and analytics data: As specified in our cookie policy, typically 12–24 months.
11. Data Security
We implement appropriate technical and organisational security measures to protect personal data, including:
• encryption of data in transit (TLS) and at rest;
• access controls and role-based permissions;
• regular security assessments and penetration testing;
• incident response and breach notification procedures.
In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, as required by applicable law.
No system can guarantee absolute security. If you become aware of a security issue, please notify us promptly at info@nurasecurity.com.
12. Your Rights
Depending on your location, you may have the following rights in relation to your personal data:
Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Erasure: Request deletion of your data where there is no overriding legal basis for retention.
Restriction: Request that we restrict processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interests or for direct marketing.
Portability: Receive your data in a structured, machine-readable format where processing is based on consent or contract.
Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, contact us at info@nurasecurity.com. We will respond within one month (as required under UK and EU GDPR). If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority: in the UK, the ICO (ico.org.uk); in the EU, your national data protection authority.
Note for employee users: For rights relating to data collected through the Extension, please contact your employer in the first instance, as they are the data controller for that processing.
13. Children’s Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data relating to a child, please contact us at info@nurasecurity.com and we will delete it promptly.
14. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product capabilities. The updated version will be posted on this page with a revised “Last Updated” date. Where changes are material, we will provide more prominent notice (for example, by email or an in-product notification).
Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.
16. Contact Us
For any questions, requests, or concerns about this Privacy Policy or our data practices:
Legal entity: Nura Security & Compliance FZCO
Registered address: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai 342001, U.A.E
Email: info@nurasecurity.com
Website: nurasecurity.com
© 2026 Nura Security & Compliance FZCO. All rights reserved. | nurasecurity.com | info@nurasecurity.com