Privacy Policy
This Privacy Policy ("Policy") explains how Nordis Engage ("Nordis", "we", "us", or "our") collects, uses, discloses, and protects personal information when you access our website, use our SaaS platform, or interact with our services (collectively, the "Service").
This Policy is incorporated into our Terms of Service and should be read alongside our Cookie Policy and Data Processing Agreement (DPA). By using the Service, you acknowledge and agree to the practices described herein.
1. INTRODUCTION & SCOPE
Nordis Engage is a B2B SaaS platform for performance management, employee evaluations, goal tracking, and HR workflows. Our data processing roles vary depending on the context:
As Data Controller: For information you provide directly to us (e.g., account registration, billing, website visits, support requests).
As Data Processor: For employee, manager, and organizational data uploaded or generated by our Customers. In this context, our Customer is the Data Controller and determines the purposes and means of processing.
We comply with applicable privacy laws, including the GDPR (EU/UK), CCPA/CPRA (California), and other regional regulations. Where conflicts arise, mandatory local laws shall prevail.
2. INFORMATION WE COLLECT
A. Information Provided by Customers & Administrators
Account details: name, email, job title, company name, role/permissions
Billing & payment: company address, tax ID, payment method, invoice history
Configuration data: organizational structure, team mappings, evaluation templates, goal frameworks
B. Employee & Performance Data (Processed on Behalf of Customers)
Identity & role: employee name, email, ID, department, manager, location
Evaluation & feedback: performance reviews, peer/manager comments, ratings, development plans
Goal tracking: OKRs/KPIs, milestones, progress updates, completion status
Optional fields: diversity/demographic data, compensation bands, tenure, training records (only if enabled by Customer)
C. Automated & Usage Data
Device & connection: IP address, browser type, OS, device identifiers, approximate location
Platform usage: feature interactions, session duration, error logs, audit trails, API calls
Cookies & tracking: see our Cookie Policy for details on strictly necessary, analytics, functional, and marketing technologies
D. Support & Communications
Support tickets, chat transcripts, email correspondence, call recordings (if applicable)
Survey responses, NPS feedback, beta program participation
3. HOW WE USE YOUR INFORMATION
We process personal information only for legitimate, specified purposes:
Service Delivery: Provision, authentication, configuration, and maintenance of the Platform
Account & Billing Management: Subscription administration, invoicing, fraud prevention, renewal notifications
Security & Compliance: Access controls, threat detection, incident response, audit logging, legal compliance
Product Improvement: Aggregated/anonymized analytics, feature optimization, bug resolution, UX research
Customer Support: Troubleshooting, onboarding, training, and relationship management
Communications: Service updates, security notices, policy changes, and (with consent) marketing materials
We do not sell personal data. We do not use employee evaluation data for advertising, profiling, or third-party data brokering.
4. LEGAL BASIS FOR PROCESSING
Where required by law, we rely on the following legal bases:
Performance of Contract: To provide the Service, manage subscriptions, and fulfill support obligations.
Legitimate Interests: Platform security, fraud prevention, service improvement, and business operations (balanced against your rights).
Consent: For marketing communications, non-essential cookies, and optional feature enablement (where applicable). You may withdraw consent at any time.
Legal Obligation: To comply with tax, employment, data protection, or regulatory requirements.
Customer Instruction (Processor Role): For employee performance data, processing is strictly governed by the Customer's directives and our DPA.
5. DATA SHARING & THIRD-PARTY SERVICES
We do not sell, rent, or share personal data for cross-context behavioral advertising. We may disclose information only in the following circumstances:
| Category | Purpose | Examples |
| --- | --- | --- |
| Subprocessors | Hosting, security, analytics, support, email delivery | [AWS/GCP], [Cloudflare], [Intercom], [Plausible/Google Analytics] |
| Professional Advisors | Legal, audit, insurance, compliance | Law firms, accounting firms, certification bodies |
| Law Enforcement & Regulators | Legal compliance, fraud prevention, court orders | As required by law or to protect rights/safety |
| Business Transfers | Mergers, acquisitions, asset sales | Subject to confidentiality & data protection safeguards |
All subprocessors are bound by written agreements requiring equivalent data protection standards. A current list is available at [yourdomain.com/subprocessors] or upon request.
6. DATA SECURITY
We implement industry-standard technical and organizational measures to protect personal data:
Encryption: AES-256 at rest; TLS 1.2+ in transit
Access Controls: Role-based permissions, MFA, SSO, principle of least privilege, regular access reviews
Infrastructure Security: VPC isolation, WAF, DDoS protection, vulnerability scanning, penetration testing
Operational Controls: Secure SDLC, employee background checks, security training, incident response plan, audit logging
Certifications: [SOC 2 Type II / ISO 27001 / GDPR-compliant framework] (update as applicable)
While we strive to protect your data, no system is 100% secure. We will notify affected parties and regulators of material breaches as required by law.
7. DATA RETENTION & DELETION
Customer/Account Data: Retained for the duration of the subscription + [30/60] days post-termination, or as required for billing, tax, or legal compliance.
Employee Performance Data: Retained only as directed by the Customer. Upon termination, we provide a [30]-day export window before secure deletion or anonymization.
Usage & Analytics Data: Aggregated or anonymized after [12-24] months, or sooner if no longer needed for service operation.
Legal Holds: Data may be preserved longer if required by litigation, regulatory investigation, or contractual obligation.
Customers control retention periods for their organizational data. We will honor deletion, export, or archival requests per the DPA and applicable law.
8. INTERNATIONAL DATA TRANSFERS
Nordis operates globally. Data may be transferred to, stored, and processed in countries outside your jurisdiction, including the United States. Where required:
We rely on EU Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum, or adequacy decisions
We implement supplementary technical measures (encryption, access controls, data minimization)
You may request a copy of our transfer mechanisms or data flow documentation
9. YOUR RIGHTS & CHOICES
Depending on your jurisdiction, you may have the right to:
Access a copy of your personal data
Rectify inaccurate or incomplete information
Delete data subject to legal/contractual retention requirements
Restrict or Object to processing (including direct marketing)
Data Portability in a structured, machine-readable format
Withdraw Consent where processing is consent-based
Opt-Out of sale/sharing (CCPA/CPRA) or targeted advertising
How to Exercise Rights:
Submit requests to [privacy@yourdomain.com] or use our Data Subject Request portal at [yourdomain.com/privacy-requests]. We will verify your identity and respond within [30] days (extendable where legally permitted).
Note for Employees of Our Customers:
If you are an employee, contractor, or manager using Nordis Engage through your employer, your personal performance data is controlled by your organization. Please direct privacy requests to your HR or Data Protection team. Nordis will assist Customers in fulfilling employee requests per our DPA and applicable law.
10. CHILDREN'S PRIVACY
The Service is intended for workplace use by adults of legal working age. We do not knowingly collect personal data from individuals under [16/18] (or applicable age of consent). If we learn such data has been collected, we will promptly delete it. Contact us immediately if you believe a minor's data has been submitted.
11. CHANGES TO THIS POLICY
We may update this Policy to reflect product changes, legal developments, or operational improvements. Material changes will be communicated via email, in-app notification, or updated effective date. Continued use after the effective date constitutes acceptance. We recommend reviewing this Policy periodically.
12. CONTACT INFORMATION
For privacy inquiries, data subject requests, or DPA execution:
Privacy & Legal Team
Email: [privacy@yourdomain.com]
Address: [Company Legal Address]
Support Portal: [support.yourdomain.com]
Data Protection Officer (if applicable): [dpo@yourdomain.com]
IMPLEMENTATION & COMPLIANCE CHECKLIST
Execute a DPA: Offer a GDPR/CCPA-compliant Data Processing Agreement to all Customers before onboarding.
Publish Subprocessor List: Maintain a live, version-controlled list with opt-out/notification procedures.
Deploy DSAR Workflow: Implement a ticketing or automated portal for access, deletion, and correction requests with SLA tracking.
Map Data Flows: Document collection, storage, transfer, and deletion paths for employee data vs. account data.
Cookie & Consent Alignment: Ensure your CMP blocks non-essential cookies until consent is captured; sync retention periods with this Policy.
Employee Notice Template: Provide Customers with a ready-to-deploy "Employee Privacy Notice" explaining data collection, purpose, and employer control.
Legal Review: Have qualified privacy counsel validate jurisdictional requirements, transfer mechanisms, and liability allocations before publication.
Version Archiving: Keep dated copies of all prior policies for audit, regulatory, or litigation readiness.
Disclaimer: This Privacy Policy reflects current SaaS and HR-tech privacy best practices but does not constitute legal advice. Always consult qualified privacy counsel to ensure alignment with your specific data flows, jurisdictions, certifications, and contractual obligations.