Privacy policy
Last updated: March 9, 2026
NORMA SAS (“Norma”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit nor.ma, including nor.ma/hometest, place an order, contact us, subscribe to our emails, or otherwise interact with us.
Under EU data protection rules, individuals must be informed clearly about who is collecting their data, why it is collected, the legal basis, how long it is kept, who receives it, and whether it is transferred outside the EU. This Privacy Policy is intended to provide that information. 
Data Controller
The data controller responsible for your personal data is:
NORMA SAS
27 rue des Frênes
49740 La Romagne
France
Email: contact@nor.ma
Personal Data We Collect
We may collect the following categories of personal data:
Information you provide directly
• Full name
• Email address
• Phone number
• Shipping address
• Billing address
• Any information you include in messages you send to us
Order and transaction information
• Products ordered
• Order date
• Order amount
• Order status
• Shipping and delivery information
• Payment status
Technical and website usage information
• IP address
• Browser type
• Device type
• Operating system
• Basic website interaction and log data
Email and communication data
• Whether you subscribed to marketing emails
• Whether you opened or clicked an email
• Your communication preferences
How We Collect Your Data
We collect personal data:
• when you place an order on our website;
• when you fill in a form;
• when you contact us by email or through the website;
• when you subscribe to receive marketing emails;
• automatically through essential technical tools required for the operation and security of the website.
Why We Use Your Data
We use your personal data for the following purposes:
To process and fulfill orders
We use your data to manage purchases, process payments, confirm orders, arrange delivery, handle customer support, and communicate with you about your order.
To communicate with you
We use your data to answer your questions, provide support, and send service-related messages.
To send marketing emails
If you subscribe, we may send you product news, launch updates, announcements, and promotional communications.
To operate and improve our website and services
We may use limited technical and usage data to maintain, secure, and improve the performance of our website and services.
To comply with legal obligations
We may use and retain certain information where required by law, including accounting, tax, fraud prevention, and consumer law obligations.
Under the GDPR, personal data must be processed for specific purposes and on an identified legal basis.

Legal Bases for Processing
Depending on the context, we rely on the following legal bases:
Performance of a contract
When we process your data to accept and fulfill your order, deliver products, manage payments, and provide customer service related to your purchase.
Legitimate interests
When we process data to operate, secure, and improve our website and services, prevent misuse, and manage our business in a proportionate way.
Consent
When you subscribe to marketing emails or where consent is otherwise required for a specific processing activity.
Legal obligation
When we must retain or disclose certain data to comply with applicable laws and regulations.
Email Marketing
If you choose to receive marketing communications from us, we may send you emails about Norma, product launches, restocks, updates, and offers.
You can unsubscribe at any time by clicking the unsubscribe link in our emails or by contacting us at contact@nor.ma.
Transactional emails relating to your order, payment, shipment, or customer support are not marketing emails.
Payments
Payments made through our website are processed by third-party payment and ecommerce providers, including Shopify and its related payment infrastructure where applicable.
We do not intentionally store full payment card details on our own servers. Payment information is processed by the relevant payment provider under its own privacy and security practices.
Service Providers and Data Sharing
We may share your personal data with trusted third-party service providers only where necessary for the purposes described in this Privacy Policy, including:
• Shopify for ecommerce and checkout infrastructure
• Framer for website hosting and site operation
• Supabase for backend and data infrastructure
• Resend for email delivery and communications
• payment processors
• shipping, logistics, and fulfillment providers
• legal, accounting, and professional advisers
• public authorities where disclosure is required by law
We require service providers to process personal data only as needed to provide their services to us and to protect it appropriately.
International Transfers
Some of our service providers may process personal data outside the European Economic Area.
Where that happens, we take appropriate steps to ensure that your personal data remains protected, including relying on safeguards recognized under applicable data protection law, such as adequacy decisions or standard contractual clauses where appropriate. EU rules require organizations to inform individuals when personal data may be transferred outside the EU and to rely on lawful safeguards for such transfers. 
Data Retention
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy and to comply with legal obligations.
In general:
• order and transaction data is kept for the period necessary to fulfill the contract and to comply with legal, tax, and accounting obligations;
• customer support and contact data is kept for as long as reasonably necessary to manage the relationship and resolve requests;
• marketing data is kept until you unsubscribe or object, or until we determine it is no longer necessary to keep it;
• technical data is kept for as long as reasonably necessary for security, maintenance, and operational purposes.
Under the GDPR, personal data should not be kept longer than necessary for the purpose for which it was collected. 
Your Rights
If you are located in the European Union, United Kingdom, or another jurisdiction with similar privacy rights, you may have the right to:
• access your personal data;
• request correction of inaccurate data;
• request deletion of your data;
• request restriction of processing;
• object to certain processing;
• withdraw consent at any time where processing is based on consent;
• request portability of certain data;
• lodge a complaint with a competent supervisory authority.
The European Commission states that individuals must be informed about these rights when their data is collected. 
To exercise your rights, contact us at contact@nor.ma.
If you are in France, you may also lodge a complaint with the CNIL.
Cookies and Similar Technologies
Our website may use cookies or similar technologies that are strictly necessary for the operation, security, and core functionality of the website and checkout.
If we use any non-essential cookies or trackers in the future — including certain analytics, advertising, retargeting, or similar technologies — we may update this Privacy Policy and implement an appropriate consent mechanism where required by law. The CNIL explains that some cookies require prior consent, while only certain categories may be exempt.

Security
We take reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.
However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with your personal data.
Children
Our website and products are not intended for children, and we do not knowingly collect personal data directly from children.
If you believe that a child has provided us with personal data, please contact us at contact@nor.ma so we can take appropriate action.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or business developments. When we do, we will update the “Last updated” date at the top of this page.
Contact
If you have any questions about this Privacy Policy or about how we handle personal data, you can contact us at:
NORMA SAS
27 rue des Frênes
49740 La Romagne
France
Email: contact@nor.ma