Privacy Policy

Effective Date: January 4, 2026

Welcome to NORMA, a community web app for runners in the UK to list, rent, and sell running shoes peer-to-peer. We take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, your rights, and how we protect your information.

Information We Collect

We only collect personal data that is necessary to provide and improve the NORMA platform. This includes:

Account Information

When you register, we collect information like your name (or username), email address, password, and any profile details you choose to provide. This is used to create and manage your account.

Listings and Content

If you list a pair of shoes or post other content, any information you include (such as descriptions, photos, price, location of the item) may be collected and displayed to other users.

Communications

If our platform allows messaging between users or with our support team, we collect the contents of those messages. Keep in mind that messages on NORMA are not end-to-end encrypted, so our team and service providers (like our database host) may access them if necessary for safety or support.

Usage Data

We gather data about how you use the app. This includes technical information automatically collected when you interact with NORMA:

  • Device and Browser Data: IP address, browser type, device type, operating system, and app version.
  • Usage Logs: Dates and times of logins, pages or screens viewed, features used, clicks and actions on the platform.
  • Cookie Data: See Cookies and Analytics below for details on what cookies collect.

Support and Inquiries

If you contact us for support or give feedback, we collect the information you provide (like your email and the content of your message) to assist you and improve our services.

No Payment or Sensitive Data

NORMA's MVP version does not process payments within the platform, so we do not collect any credit card or financial information. We also do not intentionally collect any sensitive personal data such as race, religion, health information, or biometric identifiers. Please avoid sharing sensitive personal details on the platform.

Children's Privacy

NORMA is not intended for children under 13 years of age. We do not knowingly collect personal information from anyone under 13. If you are under 13, please do not use NORMA or provide any personal data. If we learn that we have collected information of a child under 13, we will delete it. Parents or guardians who believe their child may have provided personal data can contact us to request deletion.

How We Use Your Personal Data

We use the collected information to operate, protect, and improve the NORMA platform, and to serve our community of runners. Specifically, we use personal data for the following purposes:

  • Providing the Service: We use your account and profile information to create your account, allow you to log in, and enable you to list, rent, or sell running shoes. For example, we display your listings and profile info to other users as part of the marketplace functionality.
  • Facilitating User Interactions: Your data allows us to connect you with other users (e.g. showing your username or contact info to interested renters/buyers, or enabling messaging if available) so you can arrange rentals or sales.
  • Communication: We send service-related communications, such as verification emails, notifications about activity (e.g. if someone is interested in your listing), or important updates about NORMA. We may also respond to you if you reach out with questions or support requests.
  • Improving and Analyzing the Platform: Usage data and analytics help us understand how users interact with NORMA. We analyze this data to troubleshoot issues, test features, and make improvements.
  • Moderation and Safety: We may monitor listings, messages, and user activities to keep the community safe and respectful. This includes using your data to detect and prevent fraud, scams, or policy violations, and to enforce our community guidelines or Terms of Service.
  • Legal Compliance: If required, we will use and retain your information to comply with legal obligations – for instance, keeping records for tax/audit purposes, or responding to lawful requests by authorities.
  • Protecting Rights and Interests: We may process data as needed to investigate or address illegal activities, security issues, or violations of our terms. This is to protect the rights, property, and safety of our users, NORMA, and the public.

We will not use your personal data for any purpose that is incompatible with the above purposes without informing you and obtaining your consent if required.

Cookies and Analytics

Like most websites and apps, NORMA uses cookies and similar tracking technologies to provide functionality and analyze user behavior.

What Are Cookies

Cookies are small text files stored on your browser or device. NORMA uses a few types of cookies:

  • Essential Cookies: These are necessary for the site to function. For example, when you log in, we use authentication cookies (or tokens stored in your browser) so you remain logged in as you navigate the site. These cookies do not require consent.
  • Analytics Cookies: These help us understand how users use NORMA. For instance, we use Google Analytics (or a similar analytics tool), which places cookies to collect information about your visit. This may include which pages you view, how long you stay, how you arrived at our site, and general information about your device (such as your IP address, from which your approximate location can be inferred, and your browser and OS version). We configure analytics to avoid collecting any directly identifying information. For example, we may anonymize or truncate your IP address in analytics logs.

Why We Use Cookies

  • Essential cookies enable core functionality like security, authentication, and account management.
  • Analytics cookies help us improve the platform by providing insights into user interactions. For example, knowing which features are frequently used can guide our development priorities.

Cookie Consent

When you first visit NORMA, you will see a cookie notice requesting your consent for us to use non-essential cookies (such as analytics cookies). You can choose to accept or reject these. If you opt out, our site will still function, but our understanding of usage will be limited.

Managing Cookies

You can manage or delete cookies at any time through your browser settings. Most browsers allow you to block or delete cookies. However, be aware that blocking certain cookies (especially essential ones) might affect site functionality (for example, you might not stay logged in). For analytics, Google also provides an opt-out browser add-on if you wish to prevent data from being used by Google Analytics across all sites.

Other Tracking Technologies

At this MVP stage, NORMA does not use any advanced tracking such as pixel tags or cross-site tracking for advertising. We also do not use any third-party advertising cookies. If this changes in the future, we will update this policy and ask for appropriate consent.

Third-Party Services

NORMA relies on a few third-party services to operate our application. We only partner with services that meet high standards for data protection, and we share the minimum data necessary with them. The key third parties we use are:

Supabase

We use Supabase as our backend service provider for user authentication, database, and file storage. When you sign up or use NORMA, your account data and other personal information (such as your email, password, profile details, listings, and messages) are stored in Supabase's databases and storage systems on our behalf. Supabase is essentially our data host and processor. They store data on secure servers, which may be located outside the UK (see International Data Transfers below). Supabase employees do not access your data unless needed for debugging or legal compliance at our request.

Analytics Providers

As noted, we use analytics tools like Google Analytics to collect usage data. These providers process usage information (e.g. page visits, IP, device info) on our behalf for the purpose of analytics. Google may store this data on servers around the world (commonly in the United States or EU). We have configured our analytics settings to respect privacy (for example, Google Analytics is set to anonymize IP addresses). Google acts as a data processor for us, meaning they cannot use the data for their own purposes beyond providing analytics services to NORMA.

Infrastructure and Other Tools

Beyond Supabase and analytics, we may use standard infrastructure services to run NORMA:

  • For example, if our website frontend is hosted by a cloud provider or content delivery network (CDN), that provider might incidentally process your IP and requests to serve the site to you.
  • If we send emails (like verification or support emails) through an email delivery service, your email address and message content will pass through that service.

We will ensure any such providers also have appropriate privacy and security measures. We do not currently use any other major third-party integrations in the MVP, but if we introduce additional third-party services (for example, a payment processor in the future or social media login), we will update this Privacy Policy accordingly.

Rest assured, all third-party service providers act on our instructions and are bound by contractual terms to protect your data and use it only for the purposes we specify.

Data Sharing and Disclosure

We treat your personal information with care and do not share it with others except in the following circumstances:

  • Service Providers (Processors): As described above, we share data with third-party service providers who need the information to provide services on our behalf. This includes our database host (Supabase), analytics services, and any cloud hosting or email providers. They are not allowed to use your data for anything outside the scope of their work for NORMA.
  • Within Our Team: Authorized members of the NORMA team (which is currently a small MVP-stage team) will access personal data as needed to operate the service. For example, our developers or support staff may access user account information or message content if required to resolve a technical issue, assist you, or investigate abuse. We limit access to only those personnel who need it for their job duties and all staff are bound to confidentiality.
  • Legal Requirements: We may disclose personal information if we are required to do so by law or a lawful governmental request. For instance, if we receive a court order or a request from law enforcement with proper authority, we may be obliged to provide relevant user data. Where permitted, we will inform the affected users about such requests.
  • Protection of Rights: If necessary, we may share data to enforce our Terms of Service or other agreements, or to investigate potential violations. We may also share information to detect or prevent fraud or security issues, and to protect the rights, property, or safety of NORMA, our users, or the public.
  • Business Transfers: If in the future NORMA is involved in a merger, acquisition, investment, or sale of all or part of its business, user information might be transferred to the new owners or partners as part of that deal. If that happens, we will ensure the new owners similarly respect your personal data and notify you of any change in data handling.
  • With Your Consent: Apart from the cases above, if we ever want to share your information for any other purpose, we will ask for your consent. For example, if we wanted to feature a user story on our blog using your name or photo, we'd only do so if you agree.

No Selling of Personal Data: We do not sell or rent your personal information to third-party companies for their marketing or any other purposes. Your data is used only to provide and improve NORMA and as otherwise described in this policy.

Data Retention

We keep your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law. How long we retain data depends on the type of information and the context:

  • Account Data: We retain the personal information in your account (like your registration details, profile info, and listings) as long as you have an active account. If you decide to delete your account or if it's inactive for an extended period, we will remove or anonymize your personal data in line with our deletion procedures (unless we are required to keep it longer for legal reasons). Note: At this MVP stage, account deletion may not be automated through the app, but you can request deletion by contacting us.
  • Listings and Transactions: Information related to listings you create or transactions you engage in (rentals/sales) is retained for the duration of the listing and for a reasonable time thereafter. Even if you delete a listing or your account, we might retain certain transaction records (e.g. rental agreements, timestamps) for a limited time to handle disputes, accounting, or legal obligations.
  • Communications: If you send messages through NORMA or communicate with our support, we may keep those communications as long as needed to manage user relations and improve our services. Support emails, for example, might be kept to refer back to if you have future issues.
  • Analytics Data: Analytics and usage data is typically collected in aggregate form. We may retain anonymized or aggregated analytics information (which no longer identifies any individual) indefinitely to help us understand long-term usage trends. For identifiable analytics data (like full IP addresses in logs), we either delete or anonymize it after a short period (e.g. several months), unless needed longer for security analysis.
  • Legal Retention: In some cases, we must keep certain data for a set period by law. For example, financial transaction records (if any) might be kept for a number of years for tax or accounting purposes, or information related to an investigation might be retained as required by authorities. During such retention, your data will be stored securely and isolated from routine use.

When we no longer have a legitimate need or legal obligation to keep your personal data, we will securely delete or anonymize it. If complete deletion is not immediately possible (for example, because the data is stored in secure backups), we will isolate the data from further use until deletion is feasible.

Your Rights Under UK GDPR

As a user of NORMA in the United Kingdom (or generally under applicable data protection law), you have several rights regarding your personal data. We are committed to honoring these rights:

  • Right to Be Informed: You have the right to be informed about how your data is collected and used. This Privacy Policy aims to provide that transparency.
  • Right of Access: You can request a copy of the personal data we hold about you, as well as information on how we use it. This is commonly known as a "Subject Access Request". We will provide you with a copy of your data in a common format, usually within one month.
  • Right to Rectification: If any personal data we have about you is incorrect or incomplete, you have the right to have it corrected. You can update some information via your account settings (if available) or by contacting us to make the correction.
  • Right to Erasure: You have the right to request deletion of your personal data ("the right to be forgotten"). You can ask us to erase your data, for example, if you no longer want to use NORMA. We will comply unless we have a specific legal reason to retain some data (we'll let you know if so). Note that removing your data may involve deleting your account and content.
  • Right to Restrict Processing: You can ask us to limit or pause the processing of your data in certain circumstances. For instance, if you contest the accuracy of your data or object to our processing, you can request a restriction until the issue is resolved. During restriction, we can store the data but not use it.
  • Right to Data Portability: You have the right to obtain the personal data you provided to us in a structured, commonly used, machine-readable format, and to transfer it to another service where applicable. For example, you could ask for an export of your profile and listing information. This right applies to data processed by automated means under the legal basis of consent or contract.
  • Right to Object: You may object to our processing of your personal data when we are relying on legitimate interests as the legal basis. If you object, we will review whether our interests in using your data are overriding or not. If you object to direct marketing (if we ever send any), we will stop using your data for that purpose immediately.
  • Rights related to Automated Decision-Making: You have rights concerning significant decisions made about you based solely on automated processing. However, NORMA does not currently make any automated decisions or profiling that have legal or similarly significant effects on users.
  • Right to Withdraw Consent: If we are processing any of your data based on consent, you have the right to withdraw that consent at any time. For example, if you consented to analytics cookies, you can change your mind and opt out (which will stop those cookies). Withdrawing consent won't affect the lawfulness of any processing we did prior to your withdrawal.
  • Right to Complain: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), which is the supervisory authority for data protection issues. You can find more information on the ICO website (www.ico.org.uk). We would appreciate the chance to address your concerns before you contact the ICO, so please feel free to reach out to us first.

Exercising Your Rights

You can exercise most of the above rights by contacting us (see Contact Us below). We will respond to your requests as soon as possible, and within one month at most. For complex requests, we may extend the time by up to two further months, but we will inform you if that is the case. We may need to verify your identity before fulfilling certain requests, to ensure we don't disclose or modify data to the wrong person. Exercising your rights is free of charge. However, if a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on it – but we'll provide an explanation in such cases.

Security Measures

We are committed to protecting your personal data and have implemented appropriate security measures to safeguard it. However, no website or Internet transmission is completely secure, so we want you to understand how we protect your data and also what limitations exist:

  • Data Encryption in Transit: Whenever data is transmitted between your device and our servers (or between our servers and third-party services), we use encryption protocols such as HTTPS/TLS. This means personal information (like your login credentials or any messages you send) is encrypted while it travels over the internet to prevent eavesdropping.
  • Secure Storage: The personal data you provide is stored in our Supabase database and storage, which employs its own security measures. Supabase states that it uses secure servers and industry-standard practices to protect data. We also enable security features provided by Supabase, such as authentication controls and, where possible, encryption at rest for stored data.
  • Access Controls: We restrict access to personal data to authorized individuals on our team and service providers who have a need-to-know. Our team members are trained on data protection and are bound by confidentiality obligations. Each internal system or tool we use to manage user data is protected with strong passwords and, where available, two-factor authentication.
  • Monitoring and Testing: We monitor the NORMA platform for potential vulnerabilities and attacks. Our small development team regularly updates dependencies and applies security patches to keep the platform up to date. We also periodically review our security practices and may conduct tests or audits (internally or via third parties), especially as our platform grows.

No End-to-End Encryption in Messages

It's important to reiterate that while we encrypt data in transit, in-app messages are not end-to-end encrypted. This means that message content is stored on our servers (in the database) in plain text, and our team can access it if necessary (for example, to investigate a reported issue or abuse). We value user privacy and will only access message content when absolutely needed and authorized, but we want you to be aware that these communications are not completely private from us. Please refrain from sharing highly sensitive personal information via the NORMA messaging feature.

Your Responsibility

You also play a role in keeping your data secure. Please use a strong, unique password for your NORMA account and do not share it. Be careful about what personal information you decide to share in your profile, listings, or messages with others on the platform. If you suspect any unauthorized access to your account or any security breach, notify us immediately so we can help.

While we strive to protect your information, no system can guarantee 100% security. In the unlikely event of a data breach that affects your personal data, we will follow all applicable laws regarding notification (for example, we may notify you and regulators like the ICO as required).

International Data Transfers

NORMA is based in the United Kingdom, but the tools and services we use may involve transferring or storing your personal data outside of the UK. In particular:

  • Supabase (Data Hosting): Our database and file storage (via Supabase) might be located on servers outside the UK. Supabase's infrastructure can be in various regions. It's possible that your data is stored in the United States or other countries where Supabase or its partners operate facilities. We will attempt to choose EU/UK server regions where feasible, but some data may still be transferred internationally for redundancy or processing.
  • Analytics and Other Services: Google Analytics and similar providers typically store and process data in the United States or other jurisdictions. Also, if you are accessing NORMA from outside the UK, your data will naturally cross borders to reach our servers.

Whenever we transfer personal data out of the UK to a country that may have different data protection laws, we take steps to ensure your data is afforded adequate protection:

  • Adequacy Decisions: In some cases, data may be transferred to countries that the UK government has determined to have an adequate level of data protection (for example, transfers to the European Union/EEA are currently permitted since the UK deems the EU adequate).
  • Standard Contractual Clauses: For transfers to countries without an adequacy decision (such as the U.S.), we rely on standard contractual clauses (SCCs) or the UK's International Data Transfer Agreement/Addendum as applicable. These are legally approved contracts that obligate the recipient to protect your data to UK GDPR standards. Our contracts with Supabase, Google, and other providers include such clauses or equivalent safeguards when required.
  • Additional Safeguards: We also ensure that our service providers implement additional security measures (encryption, access control, etc.) and policies to safeguard data. We review their privacy practices to make sure they align with our standards.

By using NORMA, you understand that your personal data may be transferred to and stored in countries outside your own. However, this will always be done in accordance with this Privacy Policy and applicable law. If you have questions about our international data transfers or need more information about the safeguards in place, please contact us.

Changes to This Privacy Policy

As NORMA grows and laws evolve, we may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make significant changes, we will notify you in an appropriate way – for example, via email (if you have provided one) or by posting a prominent notice on the app/site. The "Effective Date" at the top of this policy indicates when the current version came into force.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Continuing to use NORMA after updates to this policy will be taken as acceptance of the new terms, to the extent permitted by law.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out to us. We are here to help and committed to addressing any privacy-related issues.

NORMA Privacy Team

Email: hello@itisnorma.com

Data Controller: For the purposes of UK data protection law, the "controller" of your personal data is the operator of the NORMA app. You can use the contact details above to reach the controller.

We value your privacy and trust. Thank you for reading our Privacy Policy. Enjoy using NORMA, and happy running!