Privacy Policy
Last updated 4 May 2026
1. Who we are
Norrstone ("Norrstone", "we", "us", "our") operates the Norrstone Vault platform — a digital certificate, ownership, and resale service for fine jewelry. This Privacy Policy describes how we collect, use, share, and protect personal data when you use our website, mobile app, or any service that links to this policy (collectively, the "Service").
If you have any questions, contact us at privacy@norrstone.com.
2. Data we collect
We collect the following categories of personal data:
- Account data — name, email address, authentication identifiers (e.g. Google OAuth subject, Apple sign-in identifier), password hashes (when applicable), and preferred language.
- Purchase and certificate data — the jeweler that issued your certificate, order reference, product details, purchase date, and certificate status.
- Blockchain data — the public wallet address associated with your certificate and any on-chain transaction data (token ID, contract address, transaction hash). Blockchain data is public by nature.
- Usage data — device model, operating system, app version, IP address, language, crash and error reports, and interaction events required to operate and improve the Service.
- Communications — messages you send us and support tickets you submit.
- Insurance applicant data — collected only when you start an insurance application and used only for underwriting, identifying you, and paying out a claim. This includes your legal first and last name, date of birth, national identifier (e.g. kennitala, personnummer, CPR, fødselsnummer, henkilötunnus, or passport / government-issued ID number), phone number in international format, and residential address (street, postal code, city, country). See Section 10 for how this data is shared.
3. How we use your data
- To create and manage your Norrstone Vault account.
- To issue, display, and transfer digital certificates of ownership.
- To send you service notifications, security alerts, and transactional emails.
- To operate, monitor, debug, and improve the Service.
- To detect and prevent fraud, abuse, and unauthorized access.
- To comply with legal obligations and enforce our Terms of Service.
4. Legal bases (EEA / UK users)
Where the EU General Data Protection Regulation (GDPR) or UK GDPR applies, we process your personal data on the following legal bases:
- Contract — to provide the Service you signed up for.
- Legitimate interests — to secure, improve, and operate the Service, balanced against your rights.
- Consent — where you have given us permission (e.g. marketing emails).
- Legal obligation — where required by law.
5. Who we share data with
We do not sell personal data. We share it only with service providers and partners that help us run the Service, and only to the extent necessary. Our current sub-processors include:
- Supabase — database, authentication, file storage, and background functions (EU, Frankfurt).
- Vercel — web application hosting (US + EU edge).
- Stripe — payment processing for marketplace purchases and insurance premiums, and seller payouts via Stripe Connect (US, Standard Contractual Clauses).
- Resend — transactional email delivery (US, Standard Contractual Clauses).
- Polygon public blockchain (accessed via an RPC provider such as Alchemy or QuickNode) — stores a tamper-evident record of each certificate. We never write your name, email, home address, or personal wallet address to the blockchain.
- Sentry — error reporting for our backend functions only; not used on the websites or mobile app (US, Standard Contractual Clauses).
- Expo, Apple APNs and Google FCM — push notifications for the mobile app, if you opt in.
- Shopify — when a jeweler connects a Shopify store, limited OAuth and order data flows through Shopify.
- Google / Apple — only if you sign in with Google or Apple.
- Insurer partners — independent insurance companies that underwrite and service your policy. We share only what you explicitly consent to share when you request or maintain a policy (see Section 10).
- Authorities and law enforcement — when we are legally required to, or when necessary to protect rights, safety, or property.
The full up-to-date list, with purpose and region for each provider, is on our Sub-processors page.
6. Blockchain data is permanent
Because Norrstone Vault certificates are represented as non-fungible tokens on the Polygon blockchain, certain data — including the wallet address that currently holds the certificate and the history of transfers — is stored on a public ledger and cannot be deleted or altered by us or by you. We do not write your name, email, or home address to the blockchain. Only a wallet identifier and certificate metadata are stored on-chain.
7. Data retention
We retain personal data for as long as your account is active and for a period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods differ by data category:
- Account profile — until you ask us to delete your account. On deletion your name, email, and phone are anonymized in our systems; the underlying customer record is preserved without identifying information so that certificates and order history remain consistent for the jewelers you bought from.
- Certificates — retained indefinitely as proof of issuance and ownership history. Your name is removed on account deletion; the certificate identifier remains.
- Marketplace orders and payments — retained for tax, anti-fraud, and dispute-resolution purposes for the period required by applicable law (typically six years).
- Insurance requests, policies and claims — the insurer that underwrites your policy is required by financial services regulation to retain claims files and related records for several years after the policy ends, typically six to ten years depending on jurisdiction. We retain our own copy for the same period.
- Communications, notifications and audit logs — retained as long as needed for security, compliance, and support.
- Short-lived data (rate-limit records, expired claim tokens, OAuth nonces, session data) — purged automatically once no longer needed, typically within minutes to hours.
- On-chain data (see Section 6) — cannot be deleted.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of off-chain data.
- Object to or restrict certain processing.
- Receive a portable copy of your data.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@norrstone.com. We will respond within the time required by applicable law.
9. International transfers
Our primary database and file storage are hosted in the European Union (Frankfurt, Germany). Some of our sub-processors — for example Stripe, Resend, and Sentry — are based in the United States. When personal data is transferred to a country outside the European Economic Area or the United Kingdom, we rely on appropriate safeguards such as the European Commission's and UK's Standard Contractual Clauses and, where applicable, adequacy decisions.
10. Insurance
If you request insurance coverage for a certificate, we collect (a) underwriting context — the certificate, declared value, how and where the piece is stored, and how often it travels — and (b) applicant identity, namely your legal name, date of birth, national identifier, phone number, and residential address. Applicant identity is required because European insurers must identify the policyholder under know-your-customer and anti-money-laundering rules, contact you for claims handling, and transfer claim payouts to a verified individual.
We collect applicant identity only when you start an insurance application — it is not collected at signup. The legal basis for processing is the performance of a contract you have requested (GDPR Article 6(1)(b)). We store this profile under access controls that allow only you to read or edit it, and re-use it on your subsequent applications so you do not have to re-enter it.
We share this data with an insurer only when you submit a request to that specific insurer and confirm the consent statement on the review screen. We record every grant and revocation of insurance-data consent, including the time and your device information, as evidence of consent under GDPR Article 7.
Once you bind a policy, the insurer acts as an independent data controller for the underwriting, identity, and claims data, and retains claims files for the period required by financial services regulation (typically six to ten years after the policy ends). Claim evidence you upload (photos, documents) is stored in a private bucket with access limited to you, the insurer that underwrites the relevant policy, and our operations team when strictly needed for support.
11. Security
We take reasonable technical and organizational measures to protect your personal data, including encryption in transit, encrypted storage, role-based access controls, and routine monitoring. No online service is ever perfectly secure, and we cannot guarantee the absolute security of your data.
12. Children
Norrstone Vault is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service. Your continued use of the Service after the changes take effect means you accept the updated policy.
14. Contact us
Norrstone ehf.
Reykjavík, Iceland
privacy@norrstone.com
