Privacy Notice
Last updated: 14 June 2026
This Privacy Notice explains how SUNURA collects, uses, shares, stores, and protects personal data in connection with the SUNURA website, customer workspaces, dashboards, APIs, widgets, integrations, disclosure workflows, evidence records, public verification pages, exports, support, billing, and related services.
SUNURA provides operational software for AI transparency, disclosure workflows, evidence records, public verification pages, and evidence exports. SUNURA does not provide legal advice, legal representation, regulatory certification, or a guarantee that any customer is compliant with applicable law.
1. Controller and contact details
For personal data processed by SUNURA for its own business purposes, the controller is:
SUNURA
Postal address: Hendrik-Ido-Ambacht, The Netherlands
General contact: [email protected]
Privacy contact: [email protected]
Security contact: [email protected]
Legal contact: [email protected]
SUNURA has not appointed a Data Protection Officer at this stage. Privacy enquiries may be sent to the privacy contact above.
Where SUNURA processes customer personal data on behalf of a customer through the services, the customer is normally the controller and SUNURA acts as processor. That processing is governed by the applicable Data Processing Addendum.
2. Who this notice applies to
This Privacy Notice applies to:
- website visitors;
- trial users;
- customers;
- customer administrators;
- customer workspace users;
- developers using SUNURA APIs or widgets;
- support contacts;
- billing contacts;
- prospects and business contacts;
- individuals whose information may appear in customer-configured evidence records, screenshots, DOM captures, URLs, metadata, exports, or public verification pages.
3. Personal data we collect
SUNURA may process the following categories of personal data:
- Account and profile data
- Name, email address, organization name, job title, workspace membership, user role, permissions, login details, account settings, language preferences, and contact details.
- Customer workspace data
- Workspace names, client names, user roles, team membership, AI use-case records, disclosure configurations, notice text, deployment surfaces, verification-page settings, export settings, and customer-managed metadata.
- Evidence and proof-capture data
Disclosure notice text, notice versions, timestamps, surface URLs or labels, rendered-notice hashes, DOM snapshots, screenshots, screenshot hashes, record hashes, export logs, verification-page metadata, API payloads, and technical metadata associated with proof capture where configured by the customer.
Technical and usage data
IP address or derived location, browser type, device information, operating system, referral URL, pages viewed, features used, timestamps, session identifiers, logs, API usage, error reports, performance data, and security events.
Billing and payment data
Billing name, billing address, VAT number, invoice details, plan, subscription status, payment metadata, transaction identifiers, payment status, and related correspondence. SUNURA does not intentionally store full payment-card numbers.
Support and communication data
Messages, emails, support tickets, attachments, chat records, call notes, feedback, survey responses, and related metadata.
Marketing and prospect data
Name, email address, company, role, country, communication preferences, enquiry details, campaign source, event participation, and engagement with marketing communications.
Security and compliance data
Authentication logs, administrative actions, audit logs, abuse-prevention signals, fraud-prevention data, incident records, legal notices, consent records, and records necessary to enforce agreements or protect the services.
4. Personal data customers should not submit
Unless expressly agreed in writing, customers must not intentionally submit special categories of personal data, such as health data, biometric templates, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, or sex-life information.
Customers must not intentionally submit criminal-offence data, children’s data, government identifiers, payment-card numbers, passwords, secrets, or confidential third-party data that is not required for the services.
If such data is inadvertently submitted, the customer remains responsible for the lawfulness of the data capture and should delete it promptly or contact SUNURA for assistance.
5. Sources of personal data
SUNURA may collect personal data from:
- you directly;
- your employer or organization;
- customer administrators;
- users invited to a SUNURA customer workspace;
- customer websites, applications, APIs, widgets, or integrations configured to use SUNURA;
- payment processors;
- support and communication tools;
- security and analytics systems;
- publicly available business sources;
- third parties authorized by you or the customer.
6. Purposes and legal bases
SUNURA processes personal data for the following purposes and legal bases:
| Purpose | Examples | Legal basis |
|---|---|---|
| Providing the services | Accounts, dashboards, workspaces, disclosure workflows, evidence records, public verification pages, exports, APIs, widgets, integrations | Performance of a contract; legitimate interests |
| Customer support | Responding to enquiries, troubleshooting, technical assistance, service quality | Performance of a contract; legitimate interests |
| Billing and account administration | Subscriptions, invoices, payments, tax records, renewals, cancellations, plan changes | Performance of a contract; legal obligation; legitimate interests |
| Security and abuse prevention | Account protection, misuse detection, access control, incident investigation, enforcement of terms | Legitimate interests; legal obligation |
| Legal and compliance | Legal notices, disputes, records, lawful requests, regulatory responses, enforcement of agreements | Legal obligation; legitimate interests |
| Product improvement and analytics | Reliability, feature usage, error fixing, performance measurement, service improvement | Legitimate interests; consent where required |
| Marketing communications | Product updates, newsletters, event invitations, educational material, commercial communications | Consent where required; legitimate interests where permitted for B2B communications |
| Cookies and similar technologies | Necessary cookies, preference cookies, analytics, and marketing cookies where enabled | Legitimate interests for necessary cookies; consent for non-essential cookies where required |
Where SUNURA relies on legitimate interests, those interests may include operating and improving the services, securing accounts and systems, preventing misuse, supporting customers, maintaining business records, and communicating with business users and prospects.
7. Where SUNURA acts as processor
When a customer uses SUNURA to process customer personal data through the services, the customer normally determines the purposes and means of processing. In that case, SUNURA processes the personal data on the customer’s instructions and acts as processor.
Customers are responsible for:
- providing privacy information to affected individuals;
- selecting lawful evidence-capture settings;
- avoiding unnecessary personal data in screenshots, DOM captures, URLs, exports, and public verification pages;
- reviewing exports before sharing them;
- setting appropriate access controls and retention settings;
- ensuring their AI systems, websites, applications, and disclosure workflows are legally configured.
- If you are an end user of a SUNURA customer and have questions about how your personal data is used in that customer’s AI system, website, application, disclosure notice, or evidence workflow, you should contact that customer directly.
8. Public verification pages
Customers may use SUNURA to create public verification pages. These pages may display limited evidence metadata, such as proof identifier, disclosure type, timestamp, notice version, hash values, surface label, and verification status.
Public verification pages are intended to verify operational evidence records. They do not certify legal compliance.
Customers are responsible for deciding whether a public verification page should be published, shared, indexed, restricted, or removed.
9. Evidence exports
Customers may export evidence packages in formats such as PDF, CSV, JSON, ZIP, or other available formats. Exports may contain personal data depending on customer configuration.
Customers are responsible for reviewing exports before sharing them with clients, auditors, lawyers, regulators, or other third parties.
10. Sharing of personal data
SUNURA may share personal data with:
- service providers and subprocessors that support hosting, infrastructure, email delivery, analytics, logging, security, storage, support, payment processing, and operational services;
- payment processors for billing and payment handling;
- customer administrators where your account belongs to a customer workspace;
- legal, regulatory, and safety recipients where required or reasonably necessary;
- business-transfer recipients in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction;
- other recipients where you or the customer instructs SUNURA to do so.
- SUNURA does not sell personal data.
11. Subprocessors
SUNURA maintains a subprocessor list at /subprocessors or provides it upon request.
The subprocessor list may identify service categories, provider names, purposes, data categories, processing regions, transfer mechanisms, and status.
For security reasons, SUNURA does not publish unnecessary operational architecture, server names, IP addresses, internal security configurations, or sensitive technical implementation details in public notices.
12. International transfers
Where personal data is transferred outside the European Economic Area, SUNURA uses an applicable transfer mechanism, such as an adequacy decision, the European Commission Standard Contractual Clauses, or another lawful safeguard.
Where required, SUNURA assesses whether supplementary technical, contractual, or organizational measures are necessary.
Transfer details may depend on the customer plan, deployment region, subprocessors, and applicable contract.
13. Retention
SUNURA keeps personal data only for as long as necessary for the purposes described in this Privacy Notice, unless a longer period is required or permitted by law.
| Data category | Retention approach |
|---|---|
| Account data | For the duration of the account and a reasonable period after closure for administration, security, and dispute handling |
| Billing and tax records | For the period required by applicable accounting and tax laws |
| Evidence records | According to customer configuration, plan limits, legal requirements, or contract |
| Support records | For as long as necessary to handle the request and maintain appropriate business records |
| Security logs | For a limited period appropriate for security, fraud prevention, and incident response |
| Marketing data | Until opt-out, withdrawal of consent, or deletion under SUNURA’s retention process |
| Backup data | Until overwritten under backup-retention cycles |
Customers are responsible for setting appropriate retention periods for evidence records and exports where the services provide such controls.
14. Security
SUNURA uses technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction.
Measures may include access controls, authentication, workspace-aware authorization, encryption in transit, secure configuration, logging, monitoring, backup practices, subprocessor controls, and incident-response procedures.
No system is completely secure. Customers are responsible for secure account configuration, user access, API-key management, lawful data capture, and review of public verification pages and exports.
15. Privacy rights
Depending on your location and applicable law, you may have the right to:
- access your personal data;
- correct inaccurate personal data;
- request deletion of personal data;
- restrict processing;
- object to processing;
- receive personal data in a portable format;
- withdraw consent where processing is based on consent;
- object to direct marketing;
- lodge a complaint with a supervisory authority.
- To exercise rights in relation to personal data for which SUNURA is controller, contact the privacy contact listed above.
- If SUNURA processes your personal data on behalf of a customer, SUNURA may direct your request to that customer or assist the customer in responding to the request.
16. Withdrawal of consent
Where SUNURA relies on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
17. Marketing communications
You may opt out of marketing emails by using the unsubscribe link in the email or by contacting SUNURA.
SUNURA may still send non-marketing service messages, such as account, billing, legal, security, or transactional notices.
18. Cookies
SUNURA uses cookies and similar technologies.
Necessary cookies are used to operate the website and services. Non-essential cookies, such as analytics or marketing cookies, are used only where permitted by law and, where required, with consent.
More information is available in SUNURA’s Cookie Policy.
19. Children
The services are intended for business users and are not directed to children.
Customers must not intentionally use the services to process children’s personal data unless expressly agreed in writing and supported by an appropriate legal basis and safeguards.
20. AI, automated decisions, and profiling
SUNURA may provide operational classifications, workflow suggestions, disclosure templates, or evidence-status labels. These outputs are intended to assist human review and operational decision-making.
SUNURA does not intend to make decisions about individuals solely by automated means that produce legal effects or similarly significant effects.
Customers are responsible for any automated decision-making, profiling, AI deployment, emotion recognition, biometric categorization, synthetic-content publication, or end-user interaction conducted through their own systems.
21. Changes to this Privacy Notice
SUNURA may update this Privacy Notice from time to time. Material changes may be notified through the website, dashboard, email, or other reasonable means.
The “Last updated” date indicates when this Privacy Notice was last revised.
22. Complaints
If you are located in the European Economic Area, you may lodge a complaint with your local data protection authority.
In the Netherlands, the supervisory authority is the Autoriteit Persoonsgegevens.
SUNURA encourages you to contact SUNURA first so the concern can be reviewed.
23. Contact
For privacy questions, requests, or complaints, contact:
SUNURA Privacy
Email: [email protected]
For security issues, contact SUNURA Security at the same email address.
For legal notices, contact SUNURA Legal through the legal contact listed above or through the applicable customer agreement.