General Privacy Policy

Last Updated: February 16, 2026

This document ("Privacy Policy") explains how nordvpn S.A. ("Nord", "we", "us", or "our") collects, uses, protects, discloses, and deletes your personal data when you access or use our Services and Websites where this Privacy Policy is posted, regardless of the device you're using (such as a computer, mobile phone, tablet, or TV).

Please note that we only collect and use the bare minimum of information needed. For example, NordVPN follows a no-logs policy: it does not track your online activity. For details on which information may be collected (and which is never collected), please see the "Service-specific privacy notices" section.

Unless explained here, any capitalized terms have the same meaning as in our General Terms.



1. Introduction

Please read this Privacy Policy carefully to understand our policies and practices regarding your personal data. By using our Services and/or visiting our Websites, you confirm that you have read this Privacy Policy and agree to be bound by it. If you do not agree with any part of this Privacy Policy, please refrain from accessing/using our Services and Websites.

The company responsible for handling your personal data is nordvpn S.A. (PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama). We are the "data controller" as specified under many privacy laws, like the European Union's General Data Protection Regulation ("GDPR") and the United Kingdom's Data Protection Act 2018.

PLEASE NOTE: To help you understand this Privacy Policy, we've included a short summary at the beginning of each section. While these summaries are not legally binding, they highlight the key points of the text using clear everyday language. For the full details, be sure to read the actual text of the Privacy Policy.



2. Service-Specific Privacy Notices

Summary: Different Nord Services may process different types of personal data based on your needs.

Our Services are designed to meet diverse user needs. Therefore, they may process different types of personal data depending on their specific functionalities. Additional information on our data processing for specific Services can be found here:

• NordVPN Privacy Notice
• NordPass Privacy Notice
• NordLocker Privacy Notice
• NordLabs Privacy Notice

For information about how we use cookies and similar technologies on our Websites, please see:

• Nord's Cookie policy

Contractual terms, supplemental privacy statements, or notices may also provide more information on your personal data.



3. Personal Data We Process

Summary: We do collect personal data like your email address and payment details to provide our Services. You may also voluntarily give us your data in situations that don't involve using our products, such as when you agree to accept cookies on our Website or participate in a promotional campaign. In all cases, we only collect and use the bare minimum of information needed.

To provide our Services and operate our Websites, we need to process certain information that can identify you, such as your email address or payment details (referred to as "personal information," "personal data," or simply "data"). The specific types of data we collect depend on how you interact with us, our Services, and Websites, as well as the applicable legal requirements.

Your personal data may be collected by us in several ways:

• Through information you provide directly (e.g., when creating your Nord Account).
• Automatically while you use our Services and/or Websites (e.g., through cookies).
• From third-party sources (e.g., when you subscribe to our Services through external platforms), as detailed below.

3.1. When You Create Your Account

Purpose: To let you create an Account. To create and manage your Account, we process your email address, email verification status, user ID, password (securely stored in hashed format), registration date and time, and, if applicable, the activation code used and/or the name of the partner or reseller through which the Subscription was purchased.

If you choose to create your Account using a third-party provider, such as companies like Google or Apple, you will be redirected to their respective platforms to log in. Upon successful login, Google or Apple will share only your email address with us, which we use to set up your Account.

Legal basis: The processing is based on the performance of a contract — specifically, to provide you with access to and use of our Services in accordance with our General Terms, as well as our legitimate interest in offering a convenient sign-up process.

3.2. When We Provide Our Services and Communicate with You

Purpose: To manage your Subscription. When you subscribe to our Services, we process your personal identifiers (such as your email address and user ID), Subscription details (such as the product name, Subscription creation date and time, Subscription plan, term, frequency, and status, Subscription ID, and auto-renewal status), information about optional features (e.g., multi-factor authentication), and, if applicable, amount paid, currency, payment status, last charge date, and next charge date.

Legal basis: The processing is based on the performance of a contract — specifically, to provide you with access to and use of our Services in accordance with our General Terms.

Purpose: For Service-related communications. As part of your Subscription, we use your email address to send you important messages about the Service. This may include welcome emails, payment receipts, updates on how to use the Service, charge reminders, changes to our Terms, and other essential information. When it comes to these mandatory communications, we also track certain interactions, such as when an email was sent and whether it was opened.

Legal basis: The processing is based on the performance of a contract — specifically, to provide you with essential Service-related communications in accordance with our General Terms or on our legitimate interest in ensuring that important Service information is delivered and in demonstrating compliance in the event of a dispute.

3.3. When We Handle Your Payments

Purpose: To enable purchases. When you purchase our Services, you need to provide a valid payment method along with associated billing details. The specific information collected depends on the payment method you choose and may include basic payment-related information (such as payer's IP address, if applicable, postal (ZIP) code, the item(s) purchased, tax amount, the date/time of the transaction, part of the payment card number, the cardholder's full name, and payment card issuer). Also, in certain countries the law may require payment service providers to collect additional information for payment processing (e.g., National ID number in Brazil). In all cases, this information is stored separately and can never be connected to the online behavior of any individual NordVPN user.

Your payment for our Services is handled by our dedicated Nord group companies and trusted third-party payment service providers. We may also offer payment options that minimize the personal data you provide to us, such as using virtual currency. You may be redirected to an external website managed by the payment service provider to complete your transaction.

When you make a purchase through third-party platforms (such as app stores, marketplaces, retailers, or resellers, including Amazon Marketplace, Amazon Appstore, Google Play, Best Buy, or StackSocial), that third party will directly handle the processing of your payment. In these cases, we do not collect or store your full payment card details or other payment information — these third parties are independent controllers of your data. Instead, we may receive only the information necessary to activate and manage your Subscription (such as your email address and information about the item(s) purchased). Your use of these third-party platforms is subject to their own terms.

To understand what specific personal data the aforementioned third-parties collect and store, please refer to their respective privacy policies.

Legal basis: The processing is based on the performance of a contract — specifically, to enable you to complete your purchase and receive the Services you have requested in accordance with our General Terms.

Purpose: To confirm that your payment method is valid. If auto-renewal is enabled for your paid Subscription, we may use a zero authorization method to check whether your payment method is still valid. This helps ensure the seamless continuation of the Services by confirming your payment details ahead of the auto-renewal date. We only process the result of the validation (i.e., whether the payment method is valid or not) and the date of the authorization attempt.

Legal basis: The processing is based on our legitimate interest in maintaining seamless billing operations and minimizing Service interruptions.

Purpose: To resolve disputes regarding payments. In certain cases, we may process your payment-related information and your communication with our support team to help verify the legitimacy of disputed payments. This information may also be shared with relevant payment service providers, payment card issuers, and payment dispute management providers pursuant to the resolution of the dispute.

Legal basis: The processing is based on our legitimate interest to verify the legitimacy of disputed payments and protect both you and our Services from fraudulent claims.

Purpose: To issue refunds. If you request a refund for our Services, we may process the information you provide in your refund request together with your purchase data, as necessary to assess and complete the refund process. This can include your personal identifiers (such as email address and user ID), Subscription details (such as Subscription plan and term, Subscription ID, and auto-renewal status), and payment-related information (such as payment method, payment ID, order ID, payment card details, the last four digits and expiration date, as well as the transaction amount and date/time).

Legal basis: The processing is based on the performance of a contract — specifically, to fulfill our refund obligations in accordance with our General Terms.

Purpose: To keep financial records. To comply with accounting, tax, and other legal obligations, we process certain payment and transactional data related to your purchases. This may include your email address, Subscription details (such as Subscription plan and term, Subscription ID, and auto-renewal status), and payment-related information (such as payment method, payment ID, order ID, and payment card details, including the last four digits and expiration date, as well as the transaction amount and date/time), along with any related correspondence.

Legal basis: The processing is based on our legal obligations to maintain accurate financial records.

3.4. When You Interact with Our Services

Purpose: To enable you to use our Services, applications, and extensions. When you install and use our Services, we automatically collect information related to the specific products and features you interact with. This includes data necessary for the proper functioning of the application or extension you have installed. Depending on the specific Service application or extension, this may include information such as the status of successful or unsuccessful logins, basic telemetry needed to diagnose and resolve technical issues, the device's operating system and model, browser type and version, non-personal network details, language preferences, version of our applications running on the device. This information is not used for analytics, profiling, or marketing purposes. When using NordVPN, this information relates only to device-level information and does not identify any individual NordVPN user.

For more specific information on how data is collected and used, please refer to the privacy notice of the respective Service you are using.

Legal basis: The processing is based on the performance of a contract — specifically, to provide and maintain the functionality of our Services in accordance with our General Terms.

Purpose: To enable you to interact with Websites and access their features. We collect data through cookies and similar technologies to ensure Website security and to enable you to browse, interact with, and fully utilize the features and functionalities of our Websites. This includes providing access to various sections, tools, and content, as well as supporting key interactions such as logging in, making purchases, and customizing your settings to enhance your overall experience.

Legal basis: The processing is based on the performance of a contract — specifically, to enable you to utilise our Websites.

3.5. When We Provide You Customer Support

Purpose: To help you with your inquiries. When you contact us for support (whether by email, through our Website's chat widget, or the inquiry form available within our applications), we process the information you provide to help resolve your issue.

• If you reach out via email, we process your email address and your name (if provided) along with any details submitted in your message and attachments.
• If you contact us through our Website's chat widget, we may process additional information, such as your IP address, or device information (e.g., operating system and browser).
• If you contact us through the inquiry form in our application, we may additionally process device-related information, including the version of our application on your device.

We use AI tools to help us support you better and faster. For example, AI helps with answering general questions. These tools only use the information needed to assist with your request in order to make the experience smoother and more efficient.

Legal basis: The processing is based on your consent (where applicable) and our legitimate interest to resolve your issue and provide efficient customer support services.

3.6. When We Improve Our Services

Purpose: To collect and/or address your feedback. If you leave us a public review, participate in a survey/interview, or provide other feedback, we may collect details like your name (if provided), nickname, email address, gender, age, country, the contents of your feedback, date and time of feedback, the recording of your interview, and technical information like your device's operating system (especially if the feedback comes through the App Store or Google Play).

Legal basis: The processing is based on your consent (where applicable) and our legitimate interest to collect, assess, and respond to your feedback, and/or to manage our public reputation.

Purpose: To improve the quality of our customer support. We may review your interactions with the customer support team to enhance the quality of our customer service. This could include processing details like your email address, the contents of your conversation with our customer support, and your feedback rating (e.g., whether you marked your experience as good or bad).

Legal basis: The processing is based on our legitimate interest to improve the quality of the customer support we offer.

Purpose: To enhance your experience on our Websites. We use cookies and similar tracking technologies (including third-party services like Google Analytics) to collect information about your use of the Website in order to improve its functionality, performance, and user experience. For more information on how our Websites use cookies and how to control them, please check our Cookie Policy.

Legal basis: The processing is based on the consent you provide when visiting the Website. For details on how to withdraw your consent, please see the "Your marketing choices" section.

Purpose: To improve our Services, applications, and extensions. We use app analytics to better understand how our Services, applications, and extensions are used. This includes analyzing general usage trends, patterns of feature interactions, and aggregated performance data to identify areas for improvement. These insights help us make informed decisions about updates, enhancements, and future development, ensuring that our Services remain relevant and user-friendly. When using NordVPN, this information does not identify any individual NordVPN user. Specific data practices may vary by product, so always refer to the privacy notice of the respective Service you are using.

Legal basis: The processing is based on the performance of a contract (specifically, to provide and maintain the functionality of our Services in accordance with our General Terms) or the consent you provide. For details on how to withdraw your consent, please see the "Your marketing choices" section.

3.7. When We Carry Out Our Marketing and Advertising Activities

Purpose: To send you marketing communications and optimize our marketing campaigns. Depending on your selected preferences, we may send you updates, newsletters, surveys, special offers, and other marketing communications we think may be of interest to you, either via email, in-app messages, or push notifications. To do so, we may use your email address, information about your Subscription and your Third-Party Services acquired through Nord, and device information (such as its operating system).

In addition, we may also use the status of certain Service features (enabled or disabled), message timestamps and status (whether you opened it), and, for push notifications and in-app messages, device-level information made available to us (e.g., device language or time zone) to measure and improve the effectiveness of our marketing campaigns, prevent irrelevant or duplicate messages, and determine which Services or special offers may be most relevant to your interests (tailored content). We may rely on automated decision-making, including profiling, for these purposes. In any event, we will not take any decision that could have legal or otherwise significant consequences for you based solely on the automated processing of data for the purposes laid out in this paragraph. If you have a question about our automated decision-making you may contact us using the details provided in the "Contact us" section.

Legal basis: Our legitimate interests in providing promotional communications and measuring/improving effectiveness of our marketing campaigns, or, where applicable, your consent. For details on how to opt out of our marketing communications, please see the "Your marketing choices" section.

Purpose: To enable you to participate in our referral programs. If you choose to participate in one of our referral programs, we may process the personal data necessary to manage your participation and to deliver any rewards or benefits associated with successful referrals. Usually, this includes your email address, your unique referral link or code, and referral activity. The full details regarding the personal data we collect and the terms of the program will be provided in the referral itself or its associated promotional materials.

Legal basis: The processing is based on the performance of a contract — specifically, to fulfill the terms of the referral program you chose to participate in.

Purpose: To manage your participation in our promotional campaigns. When you participate in our promotional campaigns (e.g., sweepstakes, giveaways, contests, or similar activities), we may process some of your personal data depending on the nature of the campaign. This may include your email address, country or region, responses to campaign-related actions (e.g., entries or submissions), and any details required to verify your eligibility or to deliver rewards (e.g., information about the purchased Subscription plan). In certain cases we may also share this data with third parties that help us organize/coordinate such promotional campaigns. The full details regarding the personal data we collect and how it is used will be outlined in the terms and conditions of each particular campaign.

Legal basis: The processing is based on the performance of a contract — specifically, to administer the promotional campaign you chose to participate in.

3.8. When We Administer Our Social Media Accounts

Purpose: To manage your interactions with us on social media. When you interact with us through social networking platforms like Facebook, X (formerly Twitter), LinkedIn, YouTube, and Instagram ("Social Media Pages"), we may process basic engagement metrics in order to advertise our products and/or to communicate with users. This may include your personal identifiers (such as your first name, last name, or nickname) and visual information (e.g., your profile picture), as well as any information that you provide when interacting with our Social Media Pages (e.g., commenting, sharing, and rating). Please note that our Social Media Pages are open to the public and can be viewed by anyone. You are responsible for the content you choose to make public and for managing your privacy settings on each platform.

Legal basis: The processing is based on our legitimate interest to provide promotional communication, communicate with users, and maintain an active presence on social media. You may delete your interactions (such as posts or comments) on our Social Media Pages in the same way you manage other content on those platforms.

PLEASE NOTE: We do not have access to or control over how social networking platforms process your personal data for their own purposes. Such processing is carried out solely by the platforms themselves. We recommend that you review the privacy policy of each social networking platform you use.

3.9. When We Maintain Security of Your Account and Our Services

Purpose: To verify the ownership of your Account. To help protect your Account and to ensure the integrity of our Services, we may ask you to verify the ownership of your Account before certain actions can be taken (such as creating or deleting your Account, or granting you a refund). As part of this verification process, we may process your email address, the verification code sent to you, certain payment information (depending on the payment method you used), your communications with our customer support, and the outcome of the verification (positive/negative).

Legal basis: The processing is based on our legitimate interest to protect the security of our Services and the legitimate interest of our users to keep their Accounts secure.

Purpose: To prevent payment fraud. We use fraud detection measures to help protect against unauthorized or fraudulent payment transactions. For this purpose, we may process your email address, Subscription details, service usage data, and payment-related information (such as the cardholder's full name, IP address, billing country, postal (ZIP) code, the item(s) purchased, the payment method, certain payment card information (e.g., card type, expiration date, issuing bank name and country, and the first eight and last four digits of the card number), as well as the transaction amount and date/time). This data may be analyzed using fraud management tools operated by us and/or our payment service providers. We may reject payment transactions that are determined to pose a high risk of fraud.

Legal basis: The processing is based on our and our payment service provider's legitimate interest in the security of our payment transactions.

Purpose: To detect and mitigate abuse cases. Our systems may identify irregular or prohibited usage patterns associated with your Account (e.g., web scraping or other activities that violate our Terms). This helps us protect our Services and prevent abuse. We only process personal data for this purpose insofar as it is strictly necessary and proportionate to detect, investigate, and mitigate (e.g., by blocking, restricting, or removing) such activities. Depending on the case, this may include investigating suspicious network patterns or any other threat indicators.

Legal basis: The processing is based on our legitimate interest to protect our infrastructure and Services, as well as the legitimate interest of our users to safeguard their Accounts.

Purpose: To allow you to report allegedly illegal content. If you report content on our Services or Websites you believe to be illegal, we may collect and process your email address, the information included in your report, and the date/time it was submitted.

Legal basis: The processing is based on our legal obligations and our legitimate interest to ensure the security of our Services, as well as the legitimate interest of our users to keep their Accounts secure.



4. Sharing Your Personal Data

Summary: In some cases, we may need to share personal data with certain third parties, such as trusted service providers, partners, and other Nord group companies. In all cases, we make sure to handle your data safely and respect your privacy — even when it needs to be processed outside of your country.

Nord shares your personal data in the following instances:

With Our Service Providers

We use third-party service providers to help us with various operations, such as payment processing, email automation, Website and app diagnostics, analytics, and others. As a result, some of these service providers may process personal data.

Some of our main long-term service providers are:

• Customer support services that help us deliver customer support and service-related communications (e.g., Zendesk Inc. (USA), spectra tech, UAB (Lithuania), Microsoft Ireland Operations Limited (Ireland), and Qualitista OÜ (Estonia)).
• Communication services that help us send you transactional notifications and, subject to your preferences, marketing communications (e.g., Braze, Inc. (USA) and Twilio Inc. (USA)).
• Analytics and diagnostics services that help us understand how our Services/Websites are used, monitor performance, detect technical issues, and improve the overall functionality and user experience (e.g., Google Analytics/Firebase Analytics (USA), Amazon group (USA), Atlassian Pty Ltd (USA), SmartBear Software Inc. (USA), Microsoft Corporation (USA), and Tune Inc. (HasOffers) (USA). The tools and data involved may vary depending on the Service or application you use.
• Advertising and marketing services that help us measure the effectiveness of our marketing campaigns and deliver more relevant promotional content (e.g., AppsFlyer Ltd. (USA), Tune Inc. (HasOffers) (USA), Google Analytics/Firebase Analytics (USA), Braze, Inc. (USA). The tools and data involved may vary depending on the Service or applications you use.
• Payments processing services that support secure payment transactions, recurring billing, refunds, and financial operations (e.g., Stripe (USA), Adyen (the Netherlands), PayPal (USA), Coingate (Lithuania), and Checkout Ltd (UK)).
• Security features providers that help us enhance security and performance (e.g., Cloudflare, Inc. (USA)).

Within Nord

We share your personal data with other Nord group companies to carry out our daily business operations and to maintain and provide Nord Services to you. We may also share the contact information of Nord business customers (i.e., customers who want to use our products as a tool for their business) with other Nord group companies for B2B product sales purposes (business customers have the right to object to such transfers at any time).

With Our Partners

Sometimes our partners (such as distributors, resellers, and app store partners) will act as independent data controllers of your personal data. In such cases, your relationship will be governed by the procedures they have established (e.g., their terms of use and privacy policies). In other cases, we may collaborate with partners as joint controllers, meaning that we will jointly define the purpose and means of data processing. Both joint controllers are then responsible for the data processing and its compliance with the applicable privacy laws.

With Providers of Third Party Services That You Have Acquired Through Nord

When you purchase Third Party Services through Nord (such as Incogni, Saily, or NordProtect), you agree that certain information (e.g., your email address, Subscription term, payment amount, and Subscription ID) will be shared with the provider of Third Party Services for the purpose of activating, administering, providing you with, and communicating to you about their services, as well as for improving your experience. When you use Third Party Services, your personal data is processed by the provider of Third Party Services in accordance with their established procedures and privacy policies.

Other Instances of Data Sharing

Business transfers. We may share your personal data with relevant third parties (and their agents or advisors) when we sell or negotiate to sell our business, or go through a corporate merger, acquisition, consolidation, asset sale, reorganization, liquidation, or similar event. In the course of such proceedings, Nord will take all reasonable measures to ensure the confidentiality of your personal data.

Protection of our rights. We may need to disclose personal data to establish or exercise our legal rights, or to defend ourselves against any legal claims or other complaints. We may also need to share such information if we believe it is necessary in order to investigate, prevent, or take action with respect to illegal activities, suspected fraud, and violations of our General Terms.

Requests for data. The law may require us to disclose limited personal data to law enforcement authorities. In most cases, we have no data to share. In accordance with our strict no-logs policy, we do not record our users' internet activity or their IP addresses when using our NordVPN services. As a result, there is no link between IP addresses, websites visited, and individual users. If we receive a legally valid request that includes specific identifiers (such as an email address) enabling us to identify a particular user, we may be required to disclose the requested data (to the limited extent it is available to us and in accordance with this Privacy Policy). All such requests are carefully reviewed to ensure they are legally binding — among other things, they must follow the appropriate legal process set out under the laws of the Republic of Panama (such as being submitted through a mutual legal assistance treaty or via letters rogatory) and must meet all applicable legal standards. Law enforcement authorities may contact us by using the following information: nordvpn S.A., address PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama, email inquiries@nordvpn.com.

With your consent. In addition to the reasons identified above, we may request your permission to share your personal information for specific purposes. In these cases, we will notify you of the fact in advance and ask for your consent before you provide the personal data (or before the personal data you have already provided is shared). You may revoke your consent at any time by contacting us via email at privacy@nordaccount.com (but keep in mind that this will only affect future operations, not any data processing that has already been carried out).

Cross-Border Transfers

As a global company, we may process your personal data outside of your country of residence to deliver our Services and operate our Websites effectively. For example, your personal data may be transferred internationally, including to countries where Nord operates or where our trusted third-party service providers are located (such as the United States). Some of these countries may not offer the same level of data protection as your home country, but in all cases, we have implemented appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy and all applicable data protection laws. These safeguards may include:

• Relying on adequacy decisions issued by the European Commission or other relevant authorities.
• Using Standard Contractual Clauses ("SCCs") approved by the European Commission (or other relevant authorities) together with any additional legal, technical, and organizational measures required.

These measures help ensure that your personal data receives an adequate level of protection regardless of where it is processed.



5. Your Privacy Rights

Summary: You have certain rights regarding the processing of your personal data. You can contact our customer support team at any time if you want to exercise your rights.

Please note that there are various data protection laws across different jurisdictions that provide privacy rights to you as an individual. Subject to the applicable data protection laws and any other applicable factors, you may have the following rights:

• Right to access. You have the right to know about your personal data being processed for the purposes listed in this Privacy Policy. You can ask us about your personal data that we process and have us send you a copy of it.
• Right to rectification. You have the right to ask us to rectify personal data you think is inaccurate or incomplete. If you'd like to edit your Nord Account information, please contact our support team at support@nordaccount.com.
• Right to deletion. You have the right to request the deletion of personal data that we have collected from or about you (also known as the right to be forgotten). However, please note that this right isn't absolute — for example, it does not cover situations where data is needed for us to comply with a legal obligation.
• Right to restrict processing. If you believe that your personal data is inaccurate or that we are processing it without valid legal reason, you have the right to request that we restrict the processing of such personal data.
• Right to object to processing. In cases where we are processing your personal data in pursuit of our legitimate interests, you have the right to object to this processing by referencing your personal circumstances.
• Rights related to automated decision-making. You have the right not to be subjected to a decision based solely on automated processing (including profiling) if such a decision could have a legal or otherwise significant impact on you.
• Right to data portability. You have the right to ask us to transfer the personal information you gave us to you or another organization. However, you only have this right when: (i) you have provided your personal information to us; (ii) the legal basis for the processing was your consent or the performance of a contract; and (iii) the processing was carried out by automated means.
• Right to withdraw consent. Even if you had previously given your consent to the processing of your data for a specific purpose, you have the right to withdraw that consent.
• Right to lodge a complaint. You can always exercise your rights by contacting us directly or, if all else fails, by lodging a complaint with a supervisory authority.

Rights Requests

To exercise your rights, ask questions, or submit complaints regarding our privacy practices, or to appeal our decisions on your privacy rights requests, please contact us using the details provided in the "Contact us" section.

PLEASE NOTE: You will be required to complete the Account verification process at a level appropriate to the request to verify you are the rightful owner of the Account in question. Only you (or an individual authorized by you) may make a request regarding your personal data. If you are an authorized representative acting on someone else's behalf, you may be asked to provide proof that the individual gave you signed permission to submit the request on their behalf.

Account Deletion

You can delete your Account at any time. Log in to your Nord Account, navigate to "Account settings," go to the "Account deletion" section, and click the "Delete account" button. You will have to verify this request via email. Alternatively, you can delete your Account using our applications by following the instructions provided in corresponding support guides.

Deleting your Account permanently removes your access to all Nord products and Services linked to that Account, including NordVPN, NordPass, and NordLocker. If you wish to delete your personal data associated only with a specific Nord product (such as NordVPN, NordPass or NordLocker), you will have to initiate the deletion separately. If you are unable to delete your Account using the means outlined above, please contact us using the details provided in the "Contact us" section.



6. Your Marketing Choices

Summary: You're in control of how we use your data for marketing. For example, you can turn off cookies or unsubscribe from marketing emails anytime.

When it comes to using your personal data for marketing and analytics purposes, you can choose to:

Opt Out of Marketing Communications

Steps you need to take opting out of our marketing communications depend on the means of marketing communications:

• Marketing emails: You can opt out of our marketing emails at any time by updating the notification preferences in your Nord Account settings or by clicking the "unsubscribe" link included in such email.
• Marketing in-app messages and push notifications: You can turn off marketing in-app messages and push notifications by adjusting the notification preferences in your Nord Account settings, if this option is available for a specific Nord product. In addition, you can always disable all push notifications in your device simply by adjusting your device settings or our applications settings (if available) – this will turn off all push notifications (including marketing push notifications).

Please note that opting out of marketing communications will not affect service-related or transactional notifications because they are necessary for provision of the Services in accordance with our General Terms.

Manage Consent for Cookies and Similar Tracking Technologies

• Websites: You can manage your privacy preferences at any time using the "Cookie Preferences" link (or, depending on your location, the "Your privacy choices" link) in the footer of our Websites.
• Applications: You have full control and can disable analytics and advertising at first use of applications and any time later in your "Privacy Preferences" settings, located in the application settings.

7. Data Security

Summary: We take your data security very seriously, using a number of protective measures to keep your personal information safe.

We maintain control over the personal data we collect to ensure that it is adequately protected. Our dedicated IT security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction, or accidental loss, alteration, unauthorized disclosure, or access, and against all other unlawful forms of processing. These safeguards include:

• Physical measures. We control access to our facilities using secure electronic access systems. We also use security alarm systems and CCTV. Devices with personal data are stored only in locked rooms or cabinets, while our printers are protected by access control measures. We also follow a clean desk policy.
• Technical measures. We use a layered defense with firewalls, anti-malware protection, and intrusion detection and prevention systems. Our infrastructure is regularly updated, with vulnerability scans carried out periodically to detect possible gaps. We have security event and incident management solutions in place to correlate and investigate signals in security tools. Our servers are hardened and managed using automated configuration tools. All our workplaces are managed using a centralized endpoint management tool. We encrypt data at rest and in transit, using encryption protocols in accordance with the latest security practices.
• Organizational measures. We have adopted information security and data processing policies in accordance with the best practices. We have undergone external audits to prove that our information security and data processing policies meet the required standards. When it comes to our employees, we consciously foster a culture of continuous improvement with regard to security and data protection awareness (including organizing regular and ongoing training, as well as engaging in other activities to raise awareness). We analyze our organization's threat landscape and attack surface to continuously update our security measures. Finally, access to databases containing personal data is granted only on a need-to-know basis.

If we detect anything suspicious, we will notify you without undue delay and guide you through the steps you need to take to stay protected.

PLEASE NOTE: No company can guarantee the total security of your internet communications because no technology is infallible. By using our Services/Websites, you expressly acknowledge that we cannot guarantee 100% security for any personal data provided to or received by us through the Services/Websites, and that any information received from you through the Services/Websites is provided at your own responsibility. If you have any reason to believe that your interactions with us are no longer secure, please notify us at privacy@nordaccount.com.



8. Data Retention and Deletion

Summary: We only keep your personal data for as long as we need it to provide our Services or comply with the law. Once there are no legitimate grounds for holding this information, we'll immediately dispose of it in a secure way.

Nord will only keep your personal data for as long as it is necessary to provide you with our Services, or for as long as we have other legitimate grounds to do so (but not longer than permitted or required by law).

Information Retained Until Your Account Is Deleted

We retain some of your data while your Account exists, including account details such as your email address, notification preferences, and certain usage information. This helps us improve our Services, understand how users interact with our features, and personalize your experience. You can delete your Account at any time.

Retention for Specific Purposes

We may need to retain certain information for a set amount of time (which may extend beyond the deletion of your Account) to meet business or legal requirements:

• Legal compliance. We retain billing and payment information for ten (10) years after your last transaction to comply with accounting, tax, and financial regulations.
• Marketing communications. We may continue sending you marketing emails, push notifications, and/or in-app messages for up to one (1) year after your Subscription ends, unless you opt out earlier.
• Legal requests, claims, and disputes. If you contact us (e.g., for support or data access requests), we may retain related communications for as long as necessary to resolve the matter and/or protect our legal rights.

Please note that some of our Services may be subject to their own privacy notices or policies (as listed in the "Service-specific privacy notices" section), which may specify different lengths of time for data retention depending on the nature of the Service or applicable legal requirements.

Secure Disposal

When we no longer have a valid reason to retain your personal data, it will either be:

• Permanently and securely deleted using industry-standard data destruction methods, or
• Irreversibly anonymized so it can no longer be linked to you.

9. Country-Specific Provisions

Summary: While some of your rights are rooted in this Privacy Policy, you may have additional rights available to you depending on your country. If you want to exercise them (or if you want to know more), simply contact us.

For Users in the United States

Sharing in the Last Twelve (12) Months

In the past twelve (12) months, we have disclosed personal information for business purposes to the categories of service providers and contractors listed in the "Sharing your personal data" section.

"Do Not Sell or Share My Personal Information"

We do not sell personal data to third parties. We share information gathered by cookies and other tracking technologies with our data analytics and advertising partners for our advertising. Consistent with applicable privacy laws (e.g., the California Consumer Privacy Act as amended by the California Privacy Rights Act, collectively referred to as the "CCPA"), you may opt-out of such processing of your personal data by disabling third-party cookies. To disable them when you first visit our Websites, please click the "Privacy controls" link on a cookie banner of the Website. If you'd like to adjust your choices later, you can manage your preferences at any time using the "Your privacy choices" link (or, depending on your location, the "Cookie preferences" link) in the footer of our Websites. To manage third-party provider settings via our applications and extensions, follow the instructions provided therein.

"Do Not Track"

For details on the use of cookies and tracking technologies on our Websites (including how we respond to "Do not track" signals), please see our Cookie Policy.

Additional Rights for California Residents

In addition to the rights described in the "Your privacy rights" section, California residents may also have the following rights under the provisions of the CCPA applying to the processing of personal information:

• Right to opt out of sale/sharing. You have the right to opt out of the sale or sharing of your personal information to third parties. However, please note that Nord does not sell your personal information as defined by the CCPA.
• Right to non-discrimination. You have the right to not receive discriminatory treatment if and when you exercise your privacy rights under the CCPA.
• Right to limit the use of sensitive personal information. In general, you have the right to limit the use of your sensitive personal information (as described in the CCPA) when such use goes beyond that which is necessary for providing the Service (or for certain other permissible purposes, like fraud prevention, customer service, or quality control). However, Nord does not process sensitive information in a manner which might give rise to this right.

For Users in the Republic of Korea

As set out in this Privacy Policy, we share personal data with service providers and other third parties that may be located outside the Republic of Korea. For users in the Republic of Korea, a detailed list of these third parties (along with additional Korea-specific terms) is provided in the Korean-specific Privacy Policy available here.



10. Children's Data

Summary: Nord's Services are not intended for children under 18, and we do not knowingly collect personal data from minors.

We do not offer our Services to children and, therefore, do not knowingly collect or solicit personal data from anyone under the age of eighteen (18). If you are such an individual, please do not attempt to submit any personal data about yourself to Nord.



11. Other Terms

Summary: We will do our best to keep your personal data safe, but you are ultimately responsible for your actions online while using our Services and Websites. In addition, this Privacy Policy does not apply to other websites, even if you got to them by following a link on our page. Finally, this document is not set in stone — but if we do change it in a way that significantly concerns you, we'll let you know.

Limitation of Liability

It is important that you use our Services and Websites carefully and responsibly — if your actions violate someone else's privacy, rights, or any applicable laws, the responsibility lies with you and you alone. Nord is not liable for any consequences resulting from your unlawful, intentional, or careless actions, or for events that go beyond what Nord could reasonably control or foresee. For more details, please refer to our General Terms.

Links to Other Websites

Our apps or Websites may contain links to third-party websites (such as social media platforms), which are not operated by us. If you follow a link to one of these websites and share your personal data with them, that data will be handled according to their own privacy policies, which may differ from ours. We strongly encourage you to review them before providing any personal information.

Prevailing Language

For all intents and purposes, the English language version of this Privacy Policy shall be the original, governing instrument and understanding between you and us. In the event of any conflict between this English language version of the Privacy Policy and any subsequent translation of it into any other language, the English language version shall prevail.

Updates to This Privacy Policy

We're continuously developing and improving our Services and Websites, which may require us to update this Privacy Policy from time to time. When the changes are significant and materially impact how we process your personal data, we will inform you in advance using reasonable means (such as in-app notifications, messages on our Websites, or by email).

We always include the "last updated" date at the top of this Privacy Policy so that you know when changes were made. Unless stated otherwise, any updated version becomes effective as soon as it is published on the Website. We encourage you to review this Privacy Policy regularly to stay informed about how we protect your personal data. By continuing to use our Services and Websites after the changes are published, you agree to the updated terms.



12. Contact Us

Summary: Legal documents can be tricky. If you have any questions about how we handle your personal data, this Privacy Policy, or if you wish to exercise your privacy rights, please contact us using the details provided below.

If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal data, or if you wish to exercise your privacy rights, please contact us directly:

• Email: privacy@nordaccount.com
• Postal address: nordvpn S.A., PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama.

For the purposes of the GDPR, Nord's representative in the European Economic Area (EEA) is NordSec B.V. (email: representative@nordsec.com; postal address: Fred. Roeskestraat 115, 1076 EE Amsterdam, the Netherlands).

To oversee matters related to data privacy, Nord has also appointed a Data Protection Officer (email: dpo@nordsec.com).



NordPass Privacy Notice

Last updated: March 4, 2026

The Privacy Policy describes the privacy practices of Nord's Websites, applications, and Services which also apply to the NordPass product. Nevertheless, provision of Services related to NordPass ("NordPass Services") involves also the processing of additional personal data. Please read more information below.



General Remarks

NordPass has no technical means to access your encrypted passwords, secure notes, or other items stored in your vaults because we built NordPass based on zero-knowledge architecture. Zero-knowledge architecture means that only you know what is stored in your vault. In cryptography, it refers to being able to prove you know something without revealing what that is. As such, our zero-knowledge password manager keeps the proof that you have the key, but not the key itself, making it very safe. No one else can see your passwords, credit card details, or notes. We also don't have your Master Password, so your encrypted data will stay secure even if someone breaches our servers.



Additional Personal Data Processed When Providing NordPass Services

In addition to the information provided in the Privacy Policy, we process the following data when you use NordPass Services:

Information Collected on NordPass Website (www.nordpass.com)

• Social media platforms and widgets. Our Website may include social media features, such as Facebook, Twitter, LinkedIn like and/or share buttons, to help you share our content more easily. These features may collect information about your IP address and which pages you visit and they may also set cookies to make sure the feature functions properly.

Information Collected on Our Applications

Autofill Diagnostics

We collect aggregated and anonymized data on your visited web addresses and autofilled fields. This helps us improve our autofill feature, as well as quickly identify and patch problems related to its performance.

App Usage and In-App Event Information

We collect information about the usage of our app: the number of items stored, the date when the item was created, how the password was created (e.g., imported, autosaved, created manually), the strength of your passwords in percentage (e.g., 85% of your passwords are very strong), the strength of your Master Password, the percentage of suggested passwords used, the number of different folders you have in your NordPass vault, and information about the usage of NordPass autofill feature (e.g., disabling it for certain websites and switching the autofill forms manually) as well as various interactions with other features within our applications.

We also collect in-app events, which contain the following information:

• General event information: which application type sent the event, event time, time zone, category, type.
• Device information: device's operating system and its architecture, browser type and version (when applicable), device type, unique device identifier, session information.
• Application information: name, version and source of the application.
• Account information: user identifier, Subscription type.

We need this information to know if the application is working properly (e.g., that you can save your passwords properly or that our security features work as intended); (ii) to know how users interact with our application (e.g., what kind of user interface items are the most or least used, are notifications we show are of interest to users, etc.); and (iii) to identify problems related to our app performance and updates (e.g., crash error reports). We collect this information only with your consent. You can opt-out of the collection of non-essential in-app information at any time by navigating NordPass app settings.

Device Information

As in the case of when you visit our Website (https://www.nordpass.com/), we collect some device information on our application too. Such information is logged automatically and may include the model of your device, your IP address, browser type, operating system version, and similar non-identifying information. We may use this information to monitor, develop, and analyze the use of NordPass Services.

Also, we process your photo if you provide it on a voluntary basis by uploading it on your NordPass Account. Please note that the photo available on your Account will be available to other users of NordPass Service with whom you share and/or who share the items with you.



Password History

NordPass offers an additional feature to all NordPass users – Password History. This feature allows you to keep a record of the last ten (10) password changes made to an item in your NordPass vault, copy and restore the previous passwords and see who and when made the change. If a user with full administrative rights of a shared item overwrites your password, you will be able to see who and when did it and, if you deem necessary, to restore the previous password. Only the owner of the item has access to a password history tab.

The data that we process is: the last ten (10) passwords created on an item, the timestamp of when the event happened, and the email address of a user who changed the password (applicable in cases when the password is shared with a user with full administrative rights). We use the aforementioned information to enable the item owner to have access to password history, to facilitate copying or restoring previous passwords and inform the owner of the item if a shared password was overwritten, and identify who and when did it.



Password Health and Exposed Passwords

NordPass offers an additional feature to its Premium users – Password Health. This feature gives users a way of checking whether passwords they use or plan to use are weak, easy-to-hack, reused in multiple accounts, old, or have been exposed in the past, and, in turn, which passwords should be changed to strong and secure ones.

Password Health feature includes Exposed Passwords functionality ("Exposed Passwords"), which checks both your saved and new passwords against a database of publicly known, compromised passwords to see if any match those previously exposed in data breaches. If a compromised password is found, you will receive a recommendation to update it to a stronger, more secure alternative. By enabling Exposed Passwords, you authorize us to share your hashed partial passwords with our trusted third-party service provider. These hashed passwords will be compared against breach databases, ensuring that no actual password data is shared or stored externally during the process.

NordPass provides the Password Health feature on an "as-is" basis and does not warrant the completeness, accuracy, or reliability of the monitoring results. We cannot guarantee that the data or information provided through or from Password Health will be correct, current, uninterrupted, precise, error-free, or up to date. You understand that there might be occasions where passwords have been compromised, but such information is not or does not become available to us or our third-party service provider. You use the Password Health feature entirely at your own risk.

Please note that even when you choose to use the Password Health feature, NordPass does not have the technical ability to access the data stored in the NordPass vault or Password Health results shown on your device. These always remain encrypted and are only accessible to you.



Data Breach Scanner

NordPass offers an additional feature to its Premium users – Data Breach Scanner ("Scanner"). This feature enables you to track if any of your monitored assets (verified email address(es) and/or credit card(s)) have been involved in any personal data breaches identified by our third-party service provider. The Scanner continuously monitors and detects breaches daily, even when you are logged out of NordPass on all devices, eliminating a need for you to proactively check for breaches yourself. By using the Scanner feature, you authorize us to share your hashed email address(es) and/or hashed credit card(s) number(s) with our third-party service provider. This enables them to monitor which parts of your data might have been compromised. Should any of your monitored assets be breached, NordPass will inform you about the breach with an in-app notification and via email. Your Account email address is added to the Scanner automatically, and you may add your other verified email address(es) and/or credit card(s) to the monitoring list. You have the option to remove any email address and/or credit card from the monitoring list and/or deactivate the feature at any time.

Please note that when you use the Scanner, NordPass has no technical means to access your encrypted items stored in your NordPass vault. These always remain encrypted and are never transferred or visible to anyone but you.



Email Masking

NordPass Premium users have access to an additional feature – Email Masking. This feature allows you to create a masked email to keep your actual email address private, reducing the likelihood of receiving spam emails and helping to protect your data from data brokers.

When you use the Email Masking service, we will process your email address. You must verify your email address to use this service. Emails received through Email Masking, including the sender and recipient's email server IP address, sender's email address, recipient's email address, and timestamps, are deleted as soon as they are forwarded to your email address. We use a trusted third-party service provider to manage this service.



Item Sharing

NordPass Premium users may use additional feature – Item Sharing. This feature enables users to share their Secured Data with other selected users. Secured Data can be shared with limited viewing rights or full administrative rights. Limited viewing rights allow a user only to view an item shared whereas full administrative rights allow a user to make changes to the item (e.g., change or delete a password, secure note, etc.).

If Secured Data has a file attached (stored) to it using our File Storage functionality, you cannot share this item with other users as Secured Data sharing with files attached (stored) to an item is restricted.

By using Item Sharing functionality you understand and confirm that Secured Data may contain sensitive information, e.g., passwords, private notes, or other confidential information, that, if used improperly, or by a compromised third party (other selected user(s)), may damage or harm you, result in leak or loss of confidential data and agree to use this functionality at your own risk and discretion. NordPass will not and cannot be held accountable for any misuse, loss, harm, or damage caused by improper use of the shared item by a compromised third party (user).

Potential risks of sharing items with other selected users and the assessment of their credibility is solely within your own discretion and risk.



File Storage and Documents

NordPass Premium users may use additional features - File Storage and Documents. Documents feature is also available to try for NordPass Free users. File Storage feature enables you to attach (store) encrypted files to an item in your NordPass vault, while Documents feature allows you to store encrypted documents in your NordPass vault (together referred to as "Your Content"). Your Content is stored on the cloud via our third-party service provider API keys using NordPass access token. NordPass encrypts Your Content to help protect it from hacking, snooping, data breaches, or other cyber threats. Your Content can only be accessed with NordPass Master Password and can be synced with your chosen devices.

Please note that due to the encrypted nature of NordPass Services, we have no ability to recover or access Your Content. Neither NordPass, nor our third-party cloud storage service provider can access or retrieve Your Content stored in your NordPass vault. Your Content always remains encrypted and is never visible to anyone but you.

NordPass deploys advanced security measures to protect NordPass Services and Your Content. However, we cannot and do not guarantee that Your Content will be 100% protected as no technology is completely bulletproof. While NordPass file storage is designed to be as secure as possible, without prejudice to the provisions of the General Terms, we cannot guarantee the security of Your Content, and we explicitly do not claim that it is immune to attack or other unlawful actions of third parties.



Term for Storing Personal Data

NordPass stores personal data of active user Accounts until your Account is active unless we are asked to delete it. This is done to not lose the encrypted data present in your Account.

Any Scanner generated results related to data which was exposed are wiped out as soon as you close the Scanner window.

NordPass Business and NordLocker Business - General Privacy Policy

Effective from: December 15, 2025

Important Notice: Starting from January 1, 2023, the provider of NordPass Business and NordLocker Business Services changes from nordvpn s.a. (address: PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama) to Nord Security Inc. (address: Americas Towers, 1177 6th Avenue, 5th FLR, New York, NY 10036, United States of America). The current provider, nordvpn s.a., will cease to provide the Services on December 31, 2022. Consequently, as of January 1, 2023, the data processor of Customers' data and, respectively, the data controller of the data specified in the Privacy Policy will change accordingly from nordvpn s.a. to Nord Security Inc.

This document ("Privacy Policy") is divided into general part ("General Privacy Policy") and product-related privacy notices ("NordPass Business Privacy Notice" and "NordLocker Business Privacy Notice"), which altogether constitute the entire Privacy Policy and explain the privacy rules applicable to personal data and other information relating to identified or identifiable natural person ("personal data" or "personal information") collected or submitted when you access, install, or use NordPass Business or NordLocker Business services, which include relevant software and any services that Nord provides to Customer through its business-related software, applications or otherwise (all of which are collectively referred to as the "Services") and websites ("Website") regardless of the device (computer, mobile phone, tablet, etc.) you use.

Personal data provided in this Privacy Policy is processed by (i) until December 31, 2022 – nordvpn s.a. (ii) from January 1, 2023 – Nord Security Inc. ("Nord","we", "us", or "our") as a data controller when the data is collected by us (e.g., when you access our Website, contact our customer support) or as a data processor when the data of the End Users is provided by our Customers and processed according to the instructions issued by them.

The capitalized words used in this Privacy Policy as definitions are defined here or in our Terms of Service.

Please acknowledge this Privacy Policy before using our Services, accessing or interacting with our Website.

Product-specific Privacy Notices. As Nord Business products cater to different customer needs, they may process different personal data points during their performance. The following links provide further information about:

• NordPass Business Privacy Notice (additional terms)
• NordLocker Business Privacy Notice (additional terms)

Additional information on your personal data may also be indicated in contractual terms, supplemental privacy statements, or notices.



1. Notice to End Users

Our Services are intended for use by organizations (businesses) and are provided on the basis of the Terms of Service. In addition, Nord receives information (including some personal data of End Users) from Customers' while operating the Services. If your organization (e.g., employer or other entity that entered into the agreement with us) provides you with access to our Services (e.g., create an account or connect to the Services by other means), you are identified as an end user ("End User") and your use of our Services is subject to your organization's policies (if any). Please note that in such a case your organization (our Customer) is the data controller of your personal data.

Nord processes the End User's personal data to provide the Services to the Customer and, in some cases, for Nord's business operations related to providing the Services as described in this Privacy Policy. Nord acts only as a data processor and processes your personal data according to the instructions issued by your organization. Nord is not and cannot be responsible for the privacy or security practices of its Customers, which may differ from those set forth in this Privacy Policy.

The following information about the End User is provided to us when the Customer uses our Services:

Account information. On behalf of our Customers, we process: End Users' full name, telephone number, email, professional information (position, represented entity's information) account registration, login information, subscription information, basic device information (e.g., device name, IP address, OS, advertising id), application diagnostics, connection timestamps, IP addresses. Please note, that Nord receives this information as a data processor from the Customer and processes this personal data on behalf of the Customer instruction (which in this case acts as a data controller) and in order to ensure proper Service provision, e.g., to send you important updates and announcements related to the use of our Services.

As mentioned above, if you have questions about the processing of your personal data by Nord in connection with providing Services to your organization, please contact your organization (the Customer). If you have questions about other business operations mentioned in this Privacy Policy when Nord acts as a data controller, please contact us as provided below (Section "Contact Us").



2. Processing of Personal Data – Nord as Data Controller

We collect (directly from you, third parties or your interactions, use, and experiences with our Services/Website) and use the information for the following purposes:

Information Related to the Conclusion and Performance of the Agreement

Personal information. In order to conclude and perform a business agreement with the Customer, we may process Customer's representatives' contact information (full name, telephone number, and/or email address) and professional information (position, represented entity's information).

Payment Related Information

Payment data. If you have provided payment information to us, such as basic billing information belonging to a natural person (date of purchase, IP address, postal (ZIP) code, billing address, credit card owner's full name, and credit card information, its expiration date, subscription details), we will process this information (i) to verify payment's information and prevent fraudulent payments for the Services; (ii) to collect payments to the extent that doing so is necessary to complete a transaction.

Country details. When making a purchase as a natural individual, we process the information on the country the purchase takes place. This information is necessary for VAT calculation purposes.

Online Activities

Access logs. To ensure Website support and security we collect access logs, such as your IP address, operating system, and browser information. This information is essential for fighting DDoS attacks, scanning, and similar hacking attempts. We also use this information to help us to better design our site, help diagnose problems with our server, and administer our Website.

Information received from analytics service providers. To analyze and improve our Website and users' experience, we use analytics service providers (e.g., Google Analytics) to help us collect aggregated information that does not directly identify you, but provides us with various statistics, such as, which pages visitors visit the most and for how long they stay there. We may also see the following: your device's IP address, device type, browser information, geographic location (country only), preferred language, the title of the page being viewed, screen size and resolution, out links, referrers, page and website speed. For the collection of such information, our service providers mostly use cookies.

Cookies. Cookies, pixels, and other similar technologies are usually small text or image files that are placed on your device when you visit our Website. Some cookies are essential for our Website to operate smoothly; others are used to improve the Website's functionality, analyze aggregated usage statistics to improve the Website's performance, and for advertising purposes. Our Website may include social media features, such as the Facebook like and/or share buttons, to help you share our content more easily. These features may collect information about your IP address and which page you are visiting on our Website, and they may set a cookie to make sure the feature functions properly. We also use affiliate cookies to identify the Customers referred to our Website by our partners so that we can grant the referrers their commission. You can check what cookies we use in our Cookie Policy.

Communication Data

Communication optimization data. We use various tools to help us optimize our email campaigns. These tools may track actions you perform with an email, such as open rates, click-through rates or unsubscribes from further communication. We may also be able to see the user device's operating system (e.g., Windows, Mac, iOS, Android), End User custom properties (such as user status, email, member level, which organization the End User belongs to, etc.), End User events (such as, End Users account creation date) and country in order to optimize push and email notifications and automatically set the language.

Social media. When you interact with us via social media, we may process information available on your social media profile, also your inquiry or post information, and other information you provide us with.

Other communication means. When you contact us to inquire about our Services, we process your full name, email address, entity's information you contact on behalf of (if provided), and/or other information you provide us with.

Marketing

Information related to marketing activities. We may receive certain data about you (i) directly from you, if you subscribe to marketing communications, complete surveys, or sign up for our events or webinars, publicly available material prepared by Nord or (ii) from certain advertisers and other partners which we use for advertising purposes. Those partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioral advertising) and account-based advertising. We may also receive your personal data from the organizers of events that you and Nord participate in, or promotions that we sponsor or participate in. Such data may include your contact and professional data (e.g., name, company, position, email address, preferences, and/or interests), cookie id, mobile device id, and inferences about your interests and preferences. We use this information in order to send you offers, surveys, and other marketing content (in line with applicable law) and to manage your participation in our events or seminars. You can easily opt-out of future marketing communications using the opt-out link provided in the emails sent to you.

Referrals data. Participation in referral programs maintained by Nord requires referrers to submit personal data (e.g., full name, e-mail address, phone number, relationship with the referred party) about themselves and a referred party so that we could (i) reach out to the referred party; (ii) contact referrers with regards to their participation in referral programs and/or provision of rewards. It is the referrer's responsibility to abide by applicable privacy laws when disclosing third parties' personal data to Nord, including informing third parties that they are providing referred parties' personal data to Nord and how it will be used and processed. Referred parties may unsubscribe from any future communication at any time. If you believe that one of your contacts has provided us with your personal data and you would like it to be removed from our database, please contact us as provided below (Section "Contact Us").



3. Grounds for Processing of Personal Data

Nord processes personal data to a limited scope and based on the following legal grounds:

• To fulfill contractual obligations. The information provided might be required for the performance of a contract, i.e., (i) to provide Services and customer support; (ii) to process your purchase transactions; (iii) to ensure the secure, reliable, and robust performance of our Services and Website.
• To ensure legal obligation. We might be required to use your information as per legal requirements, e.g., to keep and process records for tax purposes and accounting.
• Your consent. We might use your information where you have given your consent to us, i.e., (i) to send marketing communication (unless applicable law permits us to contact you without prior consent); (ii) to communicate with you and manage your participation in our contests, offers, referrals, or promotions. Please note that although we may also process your personal data for marketing purposes when applicable law permits us to contact you without your separate consent, if you choose not to receive marketing communication from us (i.e., if you opt out), we will honor your request.
• Legitimate interest. We sometimes may process your personal data under the legitimate interest, i.e., (i) to properly administer business communication with you; (ii) to detect, prevent, or otherwise address fraud, abuse, security, or technical issues with our Services and Websites; (iii) to protect against harm to the rights, property, and safety of Nord, our Customers, End Users, or third parties; (iv) to improve or maintain our Services and provide new products and features; (v) to receive knowledge of how our Website and application are being used.

4. Sharing Your Personal Data

Only where permitted by applicable laws and for the purposes listed in this Privacy Policy we share, to the extent necessary, the information with:

Service providers. We use third-party service providers to help us with various operations, such as IT, servers, marketing, customer support, data storage, website customization, website analytics, accounting, legal, agency, and others. As a result, some of these service providers may process your personal data.

Partners. Sometimes our partners, for example, distributors, resellers, managed service providers, and app store partners might also process your personal data. In such cases, the procedures established by them (e.g., terms of service and privacy policies) will apply to such relationships.

We also partner with third parties to display advertising on our Website or to manage our advertising on other sites. These partners help us deliver more relevant ads and promotional messages to you, which may include behavioral, contextual, and generic advertising. We and our advertising partners may process certain personal data to help us understand your preferences so that we can deliver advertisements that are more relevant to you.

Your personal data may be processed in any country in which we engage service providers and partners. When you use our Services and Website, you understand and acknowledge that your personal data may be transferred outside of the country where you reside.

Other Nord group companies. We share your personal data with other Nord group companies to carry out our daily business operations and to enable us to maintain and provide our Services to you. In accordance with applicable law, we may also share your contact information with Nord group companies for the marketing of their products' purposes (you have a right to object to such transfer at any time).

Protection of our rights. We may disclose your data to establish or exercise our legal rights or defend against any legal claims or other complaints. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, and violations of our Terms of Service.

Business transfers. We may share your personal data in those cases where we sell or negotiate to sell our business or go through a corporate merger, acquisition, consolidation, asset sale, reorganization, or similar event. In these situations, Nord will continue to ensure the confidentiality of your personal data.

Requests from law enforcement institutions. Any request for data should follow an appropriate official legal process recognized by the laws of incorporation (e.g., mutual legal assistance treaty, letters rogatory). We carefully review each request to make sure it satisfies laws applicable to our company, laws of requesting country, international norms, and our internal policies.

Cross-border transfers of personal data. To facilitate our Services and Website, we may store, access, and transfer personal data from around the world, including in countries where Nord has operations. These locations may not guarantee the same level of protection of personal data as the one in which you reside. We assess the circumstances involving all cross-border data transfers and have suitable safeguards in place to require that your personal data will remain protected in accordance with this Privacy Policy. For example, in case personal data is transferred to countries outside the EEA, we make sure there is an adequacy decision from the European Commission with regards to the recipient country or we use standard contractual clauses approved by the European Commission for such transfer of your personal data.



5. Choices Related to Your Personal Data

Please note that there are various data protection laws across different jurisdictions that provide privacy rights to you as a data subject. If you are interacting with the Services or Website in a territory governed by those data protection laws under which consent is required to process personal data, your acceptance of Terms of Service or visit of our Website will be deemed as your consent to the processing of personal data for purposes provided in this Privacy Policy. Subject to applicable data protection laws, among others, you may have the following rights:

• Delete: request us to erase your personal data;
• Access: know and access personal data Nord has collected about you;
• Rectify: rectify, correct, update, or complement inaccurate/incomplete personal data Nord has about you;
• Object: object to the processing of your personal data which is done on the basis of our legitimate interests (e.g., for marketing purposes);
• Portability: request us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format or to transmit (if technically feasible) your personal data to another controller (only where our processing is based on your consent, and carried out by automated means);
• Restrict: restrict the processing of your personal data (when there is a legal basis for that);
• Withdraw consent: withdraw your consent where processing is based on the consent you have previously provided;
• Lodge a complaint: exercise your rights by contacting us directly or, if all else fails, by lodging a complaint with a supervisory authority.

Rectification. If you'd like to edit your information (e.g., change your email address), please contact our support team at support@nordsecbusiness.com.

Access/Deletion. If you wish to delete your personal data that we process or request to provide you with a copy of your personal data, please contact us at privacy@nordsecbusiness.com.

Opt-out. If you wish to unsubscribe from our marketing communication, you can opt-out at any time by clicking the "unsubscribe" link at the bottom of each email or contacting us at support@nordsecbusiness.com.

You can control the use of cookies at the individual browser level on your device. To disable cookies, follow your browser's instructions on how to block or clear cookies.

If you do not agree with the processing of your personal data by Nord, please do not use our Services and Website. You can request us to discontinue processing your personal data, in which case your data will be processed only as much as it is necessary to affect the discontinuation of your use of the Services (e.g., final settlement or deleting all personal data), or finalizing other our legal relationship with you (e.g., record keeping, accounting, processing refunds). Please note that we or our third-party service providers may be obliged to retain your certain personal data as required by law.

If you are using Nord Services as an End User and you want your personal data to be no longer processed by us, you should contact the Customer that granted you access to our Services.

To raise any other questions, concerns, or complaints about our privacy practices or about our processing of your personal data, please contact us as provided below (Section "Contact Us").



6. Data Security

We maintain tight controls over the personal data we collect. Our dedicated IT security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing:

• Physical Measures. We control access to our facilities with access cards. We also use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.
• Technical Measures. We use layered defense with firewalls, anti-malware protection, intrusion detection, and prevention systems. Our infrastructure is regularly updated and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in security tools. Servers are hardened and automated configuration tools are used to manage them. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.
• Organizational Measures. We adopted information security and data processing policies according to best practices. We have external audits to prove our information security and data processing policies are up to standards. We adopted a constant development culture of security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities). We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal data is granted on a need-to-know basis.

We maintain tight controls to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. However, no company can guarantee the absolute security of internet communications as no technology is completely bulletproof. By using the Services and Website, you expressly acknowledge that we cannot guarantee the 100% security of personal data provided to or received by us through the Services and that any information received from you through Websites or our Services is provided at your own responsibility. If you have any reason to believe that your interaction with us is no longer secure, please notify us at privacy@nordsecbusiness.com.



7. Data Retention

Nord will retain End Users' data in accordance with the Customer's instructions.

In cases when Nord acts as a data controller, it stores personal data only for as long as it is necessary for the original purpose of collection or legal requirements. We determine the appropriate retention period for personal data on the basis of the amount, nature, and sensitivity of the personal data being processed, the potential risk of harm from unauthorized use or disclosure of the personal data, if we can achieve the purposes of the processing through other means, and if the information is necessary for the execution of our legal rights, obligations and fulfillment of our other duties (for example, record and bookkeeping). When we no longer have a legal ground to keep your personal data, it will either be securely disposed of, or de-identified through appropriate anonymization means.

For more information about specific retention periods, please reach out to us at privacy@nordsecbusiness.com.



8. Country-Specific Provisions

For Users in European Economic Area ("EEA")

If you are a resident of EEA countries, you can exercise your rights as provided in the European Union's General Data Protection Regulation ("GDPR") by contacting us at privacy@nordsecbusiness.com. To comply with the GDPR, we have also implemented appropriate contracts for international transfers, on the basis of the standard contractual clauses approved by the European Commission and other international models as required by local law.

For Users in California

If you are a California resident, you can exercise your rights as provided in the California Consumer Privacy Act ("CCPA") by contacting us at privacy@nordsecbusiness.com. As per definitions in the CCPA, please note that Nord does not sell, share, lease, or rent your personal information.



9. Minors' Data

Nord does not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to send any personal data about yourself to us. If we acknowledge that we have collected and processed personal data from a minor under the age of 18, we will delete that data as quickly as possible.



10. Contact Us

If you have questions, requests, concerns, or complaints about how your data is being processed or personal data processing practices, please contact us via privacy@nordsecbusiness.com, or by writing to us at the following address: Nord Security Inc., One Rockefeller Plaza, 11th Floor, New York, NY 10020, United States of America.

On matters related to the processing of personal data, you may also contact our representative in the European Economic Area using the following details:

• Email: representative.business@nordsec.com
• Postal address: nordsec B.V., registered at Fred. Roeskestraat 115, 1076 EE Amsterdam, The Netherlands.

11. Other Terms

Limitation of Liability. To ensure the security of personal data, we apply various technical, physical, and organizational security measures; however, it is your responsibility to exercise caution and reasonableness when using the Services and Website. You will be personally liable if your use of the Services or Website violates any third-party privacy, any other rights or any applicable laws. Under no circumstances is Nord liable for the consequences of your unlawful, willful, and negligent activities, and any circumstances that may not have been reasonably controlled or foreseen (please read the Terms of Service for more information).

Links to other websites. Our Website may include links to other websites (e.g., social media websites) whose privacy practices may be different from ours. If you access any of those websites via such links and/or submit your personal data to any of those websites, your personal data is processed by the procedures established by those third parties and governed by their privacy policies. We encourage you to carefully read the privacy policy (or other respective privacy notices) of any website you visit.

Updates to the Privacy Policy. We develop our Services and Website by introducing new features or modifying current ones constantly. Therefore, we may need to amend this Privacy Policy from time to time. If the amendments to the Privacy Policy materially affect the activities of our processing of your personal data, we will notify you in advance of such changes by reasonable means (e.g., notification through the respective applications, our Website, or via email), and we will always indicate the date of the last update. Unless it is stated by us otherwise, each update of the Privacy Policy comes into force as of the moment the amended Privacy Policy is published on this Website. You are expected to check this Privacy Policy regularly so that you are familiar with the most current wording of the Privacy Policy. Your continued use of the Services and Website will be deemed acceptance thereof.

• General privacy policy
• NordPass privacy policy

NordPass Business Privacy Notice

Effective from: August 11, 2025

The General Privacy Policy describes the privacy practices of Nord's Business Services, applications, and Websites, which also apply to the NordPass Business product. Nevertheless, the provision of Services related to NordPass Business ("NordPass Business Services") also involves the processing of additional personal data. Please continue reading for more information below.



1. General Remarks

NordPass Business has no technical means to access your encrypted passwords, secure notes, or other items stored in your vaults (where the End User's items are stored; "Vault") because we built NordPass Business based on zero-knowledge architecture. Zero-knowledge architecture means that we do not have any access to what is stored in the Vault. In cryptography, it refers to being able to prove something you know without revealing what that is. As such, our zero-knowledge password manager keeps the proof that you have the key, but not the key itself, making it very safe. No one else can see the organization's passwords, credit card details, or notes. We also don't have the organization's End Users' Master Passwords, so the encrypted data will stay secure even if someone breaches our servers.

To understand more about NordPass Business specifications and technical features, please see the NordPass Business Whitepaper, where you can also find a description of the roles of NordPass Business account End Users, owners and admins.



2. Additional Notice to End Users When Using NordPass Business Services

When the End Users use NordPass Business Services with the Vault provided by an organization (our Customer), that organization can:

• Control and administer the End Users' Vault, including controlling privacy-related settings and/or features.
• Access and process End Users' personal data, including the interaction data, diagnostic data, and the contents of End Users' communications with us.
• See when End Users accessed the application, and how they used the items within the Vault (e.g., shared with others, auto-filled, deleted, etc.).
• Manage the access and ownership of items and folders in the End User's Vault.
• See other available information, such as the End User's email, timestamp, item name (available only to owners, as it is specified in the NordPass Business Whitepaper), receivers of items (where applicable), etc.
• See if End Users have been breached (this info is also available for End Users; see more in Section "Data Breach Scanner").
• View End Users' password health stats (without details of items themselves) and see how many old/weak/reused/exposed passwords the End User has stored in their Vault.
• Reassign the End User's items to another End User after the End User's account and Vault is deleted. All items within that Vault will be inherited by another End User to whom the Vault is reassigned.
• Delete all items in the End User's Vault at its own discretion.

Every item in the NordPass Business Vault has two types of data: metadata (title, website address, cardholder name, etc.) and secret data (login credentials, items (e.g., passwords, notes' content, credit card number, comments, etc.). The organization cannot see secret data. However, the End Users' items stored in the Vault are accessible by the organization via indirect ways, e.g., after deletion of the End User account. Therefore, please note that the NordPass Business Vault should only be used to store items related to the organization, and we highly recommend End Users not to keep any personal information there or to delete such personal information before leaving the organization/ceasing to use the NordPass Business Services.

If the End User is invited to join the NordPass Business account administered by an organization (by NordPass Business account owners or admins) and the End User already has one's own personal NordPass account registered with the same email address, the End User's items will be transferred to the organization, which will become the controller of this data as foreseen by the applicable legal acts. If the End User does not want their personal items to be transferred to the organization (to which NordPass Business account the End User is joining), we strongly advise deleting or exporting all items and adding them to another personal NordPass account (i.e., the NordPass version for non-business users) created with another email address before accepting the invite to join the organization on NordPass Business.



3. NordPass Business as a Data Controller

In addition to the information provided in the General Privacy Policy, we process the following data as a data controller when End Users use NordPass Business Services or visit our Website:

• Autofill diagnostics. We collect aggregated and anonymized data on End Users' visited web addresses and autofill fields. This helps us improve our autofill feature, as well as quickly identify and patch problems related to its performance and updates.
• App usage statistics and in-app events. We collect information about the End Users' usage of NordPass Business Services and applications: (i) the number of items stored, (ii) the date when the item was created, (iii) how the password was created (e.g., imported, autosaved, created manually), (iv) the strength of passwords in percentage (e.g., 85% of your passwords are very strong), (v) the strength of the Master Password, (vi) the percentage of suggested passwords used, and (vii) the number of different folders in NordPass Business Vault, (viii) information about the usage of autofill feature (e.g., disabling it for certain websites and switching the autofill forms manually) and (ix) other interactions with features in our applications.

We also collect in-app events, which contain the following information:
- General event information: which application type sent the event, event time, time zone, category, type.
- Device information: device's operating system and its architecture, browser type and version (when applicable), device type, unique device identifier, session information.
- Application information: name, version and source of the application.
- Account information: user identifier, subscription type.

We need this information to know if the application is working properly (e.g. that you can save your passwords properly or that our security features work as intended); (ii) to know how users interact with our application (e.g., what kind of user interface items are the most or least used, are notifications we show are of interest to users, etc.); and (iii) to identify problems related to our app performance and updates (e.g., crash error reports). We collect this information only with your consent. You can opt-out of the collection of in-app information at any time by navigating NordPass app settings.

• Live chat widget. If you contact us via the live chat widget, in addition to processing your contact information, we will process your device information (such as the type of the operating system and browser) and IP address. This information is necessary for our support to determine the user's country, prevent abuse, see if the user is connected to our servers, and help our support to process queries faster.
• Device information. As in the case of when you visit our Website (https://www.nordpass.com/business-password-manager), we collect some device information in our application too. Such information is logged automatically and may include your IP address, browser type, operating system version, and similar non-identifying information. We may use this information to monitor, develop, and analyze the use of NordPass Business Services.
• Also, we process your photo if you provide it on a voluntary basis by uploading it on your NordPass Business account. Please note that the photo available on the account will be available to other users of NordPass Business Services with whom you share and/or who share the items with you.

4. Data Breach Scanner

NordPass Business offers an additional feature — Data Breach Scanner ("Scanner"). This feature enables scanning and monitoring if any of your monitored assets (verified email address(es) and/or credit card(s)) have been involved in any personal data breaches identified by our third-party service provider. Using a third-party provider, the Scanner checks email addresses (which were used by the End Users to join the organization) and credit card numbers (if added) to identify which pieces of data might be exposed. The Scanner continuously monitors and detects breaches daily, even when End User is logged out of NordPass Business on all devices, eliminating a need for proactive checks for the breaches. By using the Scanner feature, you authorize us to share your hashed email addresses and/or hashed credit card(s) number(s) with our third-party service provider. This enables them to monitor which parts of your data might have been compromised. Should any of your monitored assets have been breached, NordPass will inform you about the breach with an in-app notification and via email.

NordPass Business also provides the Organization Data Breach Scanner ("Organization Scanner") feature, which allows Customer-owned domains to be examined for exposed credentials and sensitive information, providing detailed reports for immediate action on a larger scale. Although the first organization's Owner's email domain is added by default, in order to receive detailed reports on scanned domains, domain ownership verification is necessary. After the domain is verified, NordPass Business retrieves breach data related to the organization's domain(s) from our third-party service provider. This includes any compromised emails or credentials linked to the domain. The retrieved breach data is compiled into a summary report. The report provides an overview of the breaches detected, including the type of data exposed and the date of the breach. The Organization Scanner continuously monitors the verified domains. Whenever new breach data is detected, the report is promptly updated.

NordPass Business provides the Scanner and the Organization Scanner on an "as-is" basis and does not warrant the completeness or accuracy of the monitoring results. We cannot guarantee that the data or information provided through or from the Scanner / the Organization Scanner will be correct, current, uninterrupted, precise, error-free or up to date. You understand that there might be occasions where your monitored assets have been compromised, but such information is not or does not become available to us or our third-party service provider. You use the Scanner and the Organization Scanner entirely at your own risk.

Please note that even when you choose to use the Scanner, NordPass Business has no technical means to access Customer Items stored in the NordPass Business Vault and the Scanner's search results that are shown on the End Users' devices. These always remain encrypted and remain available to the End Users with administrative rights (owner and/or admin), as well as End Users having an account.



5. Password Health & Exposed Passwords

NordPass Business offers an additional Password Health feature that gives users a way of checking whether passwords they use or plan to use are weak, easy-to-hack, reused in multiple accounts, old, or have been exposed in the past, and, in turn, which passwords should be changed to strong & secure ones.

Password Health feature Exposed Passwords ("Exposed Passwords") can check both your saved and new passwords against a database of publicly known, compromised passwords to see if any match those previously exposed in data breaches. If a password is found to be compromised, users receive a recommendation to update it to a stronger, more secure alternative. By enabling Exposed Passwords feature, the organization owner authorizes us to share End Users' hashed partial passwords with our trusted third-party service provider, which are then compared against breach databases, ensuring that no actual password data is shared or stored externally during the process. Exposed Passwords feature may be enabled by the organization owner and it will be activated for the whole organization.

NordPass Business provides Password Health on an "as-is" basis and does not warrant the completeness or accuracy of the monitoring results. We cannot guarantee that the data or information provided through or from Password Health will be correct, current, uninterrupted, precise, error-free or up to date. You understand that there might be occasions where passwords have been compromised, but such information is not or does not become available to us or our third-party service provider. You use Password Health entirely at your own risk.

Please note that even when you choose to use Password Health, NordPass Business has no technical means to access Customer Items stored in the NordPass Business Vault and Password Health results that are shown on the End Users' devices. These always remain encrypted and remain available to the End Users with administrative rights (owner and/or admin), as well as End Users having an account.



6. Password History

The NordPass Business feature "Password History" allows keeping a record of the last ten (10) password changes made to an item in the Vault, as well as copying and restoring the previous passwords and seeing who made such changes and when (if the item was shared with another user).

In the case of usage of the Password History feature, NordPass Business processes the last ten (10) passwords created on an item, the timestamp of when the event happened, and the email address of the user who changed the password (applicable in cases when the user is granted full rights for item sharing; see more in the section "Item Sharing" below and NordPass Business Whitepaper). We use the aforementioned data to (i) enable the item owner access to password history, (ii) facilitate copying or restoring previous passwords, (iii) inform the item owner if a shared password was overwritten, and identify by whom and when it was done.



7. Email Masking

The NordPass Business "Email Masking" feature allows End Users to create a masked email to keep their actual email address private, reducing the receiving of spam emails and helping to protect their data from data brokers. The End User must verify the email address to use this service. Emails received through Email Masking, including the sender and recipient's email server IP address, sender's email address, recipient's email address, and timestamps, are deleted as soon as they are forwarded to the End User's email address. We use a trusted third-party service provider to manage this service.

Additionally, if you represent a HIPAA-related institution, please note that this feature will not be enabled for you, or it can be disabled upon your request. This ensures adherence to the specific regulatory requirements of such institutions.



8. Item Sharing

NordPass Business End Users may use the "Item Sharing" feature, which enables sharing of Customer Items with other selected users, depending on organization's configuration (Customer Items can be shared with limited or full rights, as it is specified in the NordPass Business Whitepaper).

By allowing the Item Sharing functionality within an organization, the Customer understands that Customer Items may contain sensitive information, e.g., passwords, private notes, or other confidential information, that, if used improperly or by a compromised user or third party, may cause damage or harm, result in leak or loss of confidential data, and agree to use this functionality at Customer's own risk and discretion. NordPass Business will not and cannot be held accountable for any misuse, loss, harm, or damage caused by improper use of the shared Customer Items by a compromised third-party/user.

Potential risks of sharing Customer Items with other selected users and the assessment of their credibility are solely within the Customer's and End User's own discretion and risk.



9. Data Center Location

Before commencing NordPass Business services, NordPass Business allows the Customer to select a region between the United States or the European Union where the Customer's and its End Users' data, i.e., Customer Items uploaded to the Vault, both metadata and secret data ("Customer Data") will be located and stored. After selecting a certain region, all Customer Data will be stored in that region, while other data, such as the hashed email address of the End User and which organization this End User belongs to, will always be stored in a data center located at the United States (regardless of the location of the selected data center).

If you plan to use NordPass Business via managed service providers ("MSP") please inform MSP about your preferred data center location in advance.

• General business privacy policy
• NordPass business privacy policy