Privacy Notice

Last updated: 14 June 2026

This Privacy Notice explains how SUNURA collects, uses, shares, stores, and protects personal data in connection with the SUNURA website, customer workspaces, dashboards, APIs, widgets, integrations, disclosure workflows, evidence records, public verification pages, exports, support, billing, and related services.

SUNURA provides operational software for AI transparency, disclosure workflows, evidence records, public verification pages, and evidence exports. SUNURA does not provide legal advice, legal representation, regulatory certification, or a guarantee that any customer is compliant with applicable law.

1. Controller and contact details

For personal data processed by SUNURA for its own business purposes, the controller is:

SUNURA

Postal address: Hendrik-Ido-Ambacht, The Netherlands

General contact: [email protected]

Privacy contact: [email protected]

Security contact: [email protected]

Legal contact: [email protected]

SUNURA has not appointed a Data Protection Officer at this stage. Privacy enquiries may be sent to the privacy contact above.

Where SUNURA processes customer personal data on behalf of a customer through the services, the customer is normally the controller and SUNURA acts as processor. That processing is governed by the applicable Data Processing Addendum.

2. Who this notice applies to

This Privacy Notice applies to:

  • website visitors;
  • trial users;
  • customers;
  • customer administrators;
  • customer workspace users;
  • developers using SUNURA APIs or widgets;
  • support contacts;
  • billing contacts;
  • prospects and business contacts;
  • individuals whose information may appear in customer-configured evidence records, screenshots, DOM captures, URLs, metadata, exports, or public verification pages.

3. Personal data we collect

SUNURA may process the following categories of personal data:

Account and profile data

Name, email address, organization name, job title, workspace membership, user role, permissions, login details, account settings, language preferences, and contact details.

Customer workspace data

Workspace names, client names, user roles, team membership, AI use-case records, disclosure configurations, notice text, deployment surfaces, verification-page settings, export settings, and customer-managed metadata.

Evidence and proof-capture data

Disclosure notice text, notice versions, timestamps, surface URLs or labels, rendered-notice hashes, DOM snapshots, screenshots, screenshot hashes, record hashes, export logs, verification-page metadata, API payloads, and technical metadata associated with proof capture where configured by the customer.

Technical and usage data

IP address or derived location, browser type, device information, operating system, referral URL, pages viewed, features used, timestamps, session identifiers, logs, API usage, error reports, performance data, and security events.

Billing and payment data

Billing name, billing address, VAT number, invoice details, plan, subscription status, payment metadata, transaction identifiers, payment status, and related correspondence. SUNURA does not intentionally store full payment-card numbers.

Support and communication data

Messages, emails, support tickets, attachments, chat records, call notes, feedback, survey responses, and related metadata.

Marketing and prospect data

Name, email address, company, role, country, communication preferences, enquiry details, campaign source, event participation, and engagement with marketing communications.

Security and compliance data

Authentication logs, administrative actions, audit logs, abuse-prevention signals, fraud-prevention data, incident records, legal notices, consent records, and records necessary to enforce agreements or protect the services.

4. Personal data customers should not submit

Unless expressly agreed in writing, customers must not intentionally submit special categories of personal data, such as health data, biometric templates, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, or sex-life information.

Customers must not intentionally submit criminal-offence data, children’s data, government identifiers, payment-card numbers, passwords, secrets, or confidential third-party data that is not required for the services.

If such data is inadvertently submitted, the customer remains responsible for the lawfulness of the data capture and should delete it promptly or contact SUNURA for assistance.

5. Sources of personal data

SUNURA may collect personal data from:

  • you directly;
  • your employer or organization;
  • customer administrators;
  • users invited to a SUNURA customer workspace;
  • customer websites, applications, APIs, widgets, or integrations configured to use SUNURA;
  • payment processors;
  • support and communication tools;
  • security and analytics systems;
  • publicly available business sources;
  • third parties authorized by you or the customer.

6. Purposes and legal bases

SUNURA processes personal data for the following purposes and legal bases:

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Providing the services | Accounts, dashboards, workspaces, disclosure workflows, evidence records, public verification pages, exports, APIs, widgets, integrations | Performance of a contract; legitimate interests |
| Customer support | Responding to enquiries, troubleshooting, technical assistance, service quality | Performance of a contract; legitimate interests |
| Billing and account administration | Subscriptions, invoices, payments, tax records, renewals, cancellations, plan changes | Performance of a contract; legal obligation; legitimate interests |
| Security and abuse prevention | Account protection, misuse detection, access control, incident investigation, enforcement of terms | Legitimate interests; legal obligation |
| Legal and compliance | Legal notices, disputes, records, lawful requests, regulatory responses, enforcement of agreements | Legal obligation; legitimate interests |
| Product improvement and analytics | Reliability, feature usage, error fixing, performance measurement, service improvement | Legitimate interests; consent where required |
| Marketing communications | Product updates, newsletters, event invitations, educational material, commercial communications | Consent where required; legitimate interests where permitted for B2B communications |
| Cookies and similar technologies | Necessary cookies, preference cookies, analytics, and marketing cookies where enabled | Legitimate interests for necessary cookies; consent for non-essential cookies where required |

Where SUNURA relies on legitimate interests, those interests may include operating and improving the services, securing accounts and systems, preventing misuse, supporting customers, maintaining business records, and communicating with business users and prospects.

7. Where SUNURA acts as processor

When a customer uses SUNURA to process customer personal data through the services, the customer normally determines the purposes and means of processing. In that case, SUNURA processes the personal data on the customer’s instructions and acts as processor.

Customers are responsible for:

  • providing privacy information to affected individuals;
  • selecting lawful evidence-capture settings;
  • avoiding unnecessary personal data in screenshots, DOM captures, URLs, exports, and public verification pages;
  • reviewing exports before sharing them;
  • setting appropriate access controls and retention settings;
  • ensuring their AI systems, websites, applications, and disclosure workflows are legally configured.

If you are an end user of a SUNURA customer and have questions about how your personal data is used in that customer’s AI system, website, application, disclosure notice, or evidence workflow, you should contact that customer directly.

8. Public verification pages

Customers may use SUNURA to create public verification pages. These pages may display limited evidence metadata, such as proof identifier, disclosure type, timestamp, notice version, hash values, surface label, and verification status.

Public verification pages are intended to verify operational evidence records. They do not certify legal compliance.

Customers are responsible for deciding whether a public verification page should be published, shared, indexed, restricted, or removed.

9. Evidence exports

Customers may export evidence packages in formats such as PDF, CSV, JSON, ZIP, or other available formats. Exports may contain personal data depending on customer configuration.

Customers are responsible for reviewing exports before sharing them with clients, auditors, lawyers, regulators, or other third parties.

10. Sharing of personal data

SUNURA may share personal data with:

  • service providers and subprocessors that support hosting, infrastructure, email delivery, analytics, logging, security, storage, support, payment processing, and operational services;
  • payment processors for billing and payment handling;
  • customer administrators where your account belongs to a customer workspace;
  • legal, regulatory, and safety recipients where required or reasonably necessary;
  • business-transfer recipients in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction;
  • other recipients where you or the customer instructs SUNURA to do so.

SUNURA does not sell personal data.

11. Subprocessors

SUNURA maintains a subprocessor list at /subprocessors or provides it upon request.

The subprocessor list may identify service categories, provider names, purposes, data categories, processing regions, transfer mechanisms, and status.

For security reasons, SUNURA does not publish unnecessary operational architecture, server names, IP addresses, internal security configurations, or sensitive technical implementation details in public notices.

12. International transfers

Where personal data is transferred outside the European Economic Area, SUNURA uses an applicable transfer mechanism, such as an adequacy decision, the European Commission Standard Contractual Clauses, or another lawful safeguard.

Where required, SUNURA assesses whether supplementary technical, contractual, or organizational measures are necessary.

Transfer details may depend on the customer plan, deployment region, subprocessors, and applicable contract.

13. Retention

SUNURA keeps personal data only for as long as necessary for the purposes described in this Privacy Notice, unless a longer period is required or permitted by law.

| Data category | Retention approach |
| --- | --- |
| Account data | For the duration of the account and a reasonable period after closure for administration, security, and dispute handling |
| Billing and tax records | For the period required by applicable accounting and tax laws |
| Evidence records | According to customer configuration, plan limits, legal requirements, or contract |
| Support records | For as long as necessary to handle the request and maintain appropriate business records |
| Security logs | For a limited period appropriate for security, fraud prevention, and incident response |
| Marketing data | Until opt-out, withdrawal of consent, or deletion under SUNURA’s retention process |
| Backup data | Until overwritten under backup-retention cycles |

Customers are responsible for setting appropriate retention periods for evidence records and exports where the services provide such controls.

14. Security

SUNURA uses technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction.

Measures may include access controls, authentication, workspace-aware authorization, encryption in transit, secure configuration, logging, monitoring, backup practices, subprocessor controls, and incident-response procedures.

No system is completely secure. Customers are responsible for secure account configuration, user access, API-key management, lawful data capture, and review of public verification pages and exports.

15. Privacy rights

Depending on your location and applicable law, you may have the right to:

  • access your personal data;
  • correct inaccurate personal data;
  • request deletion of personal data;
  • restrict processing;
  • object to processing;
  • receive personal data in a portable format;
  • withdraw consent where processing is based on consent;
  • object to direct marketing;
  • lodge a complaint with a supervisory authority.

To exercise rights in relation to personal data for which SUNURA is controller, contact the privacy contact listed above.

If SUNURA processes your personal data on behalf of a customer, SUNURA may direct your request to that customer or assist the customer in responding to the request.

16. Withdrawal of consent

Where SUNURA relies on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

17. Marketing communications

You may opt out of marketing emails by using the unsubscribe link in the email or by contacting SUNURA.

SUNURA may still send non-marketing service messages, such as account, billing, legal, security, or transactional notices.

18. Cookies

SUNURA uses cookies and similar technologies.

Necessary cookies are used to operate the website and services. Non-essential cookies, such as analytics or marketing cookies, are used only where permitted by law and, where required, with consent.

More information is available in SUNURA’s Cookie Policy.

19. Children

The services are intended for business users and are not directed to children.

Customers must not intentionally use the services to process children’s personal data unless expressly agreed in writing and supported by an appropriate legal basis and safeguards.

20. AI, automated decisions, and profiling

SUNURA may provide operational classifications, workflow suggestions, disclosure templates, or evidence-status labels. These outputs are intended to assist human review and operational decision-making.

SUNURA does not intend to make decisions about individuals solely by automated means that produce legal effects or similarly significant effects.

Customers are responsible for any automated decision-making, profiling, AI deployment, emotion recognition, biometric categorization, synthetic-content publication, or end-user interaction conducted through their own systems.

21. Changes to this Privacy Notice

SUNURA may update this Privacy Notice from time to time. Material changes may be notified through the website, dashboard, email, or other reasonable means.

The “Last updated” date indicates when this Privacy Notice was last revised.

22. Complaints

If you are located in the European Economic Area, you may lodge a complaint with your local data protection authority.

In the Netherlands, the supervisory authority is the Autoriteit Persoonsgegevens.

SUNURA encourages you to contact SUNURA first so the concern can be reviewed.

23. Contact

For privacy questions, requests, or complaints, contact:

SUNURA Privacy

Email: [email protected]

For security issues, contact SUNURA Security at the same email address.

For legal notices, contact SUNURA Legal through the legal contact listed above or through the applicable customer agreement.

These materials are provided as legal and operational information for SUNURA services. They do not constitute legal advice, legal representation, regulatory certification, or a guarantee that any customer is compliant with applicable law.