Privacy Policy

NoxReg is a pharmaceutical regulatory intelligence platform operated by NoxReg S.à r.l., registered in Luxembourg. We provide automated monitoring of global health authority publications to life sciences professionals.

Our registered address and data controller contact: privacy@noxreg.com

We collect and process the following categories of personal data:

• Account data: Name, work email address, company name, job title, and password (hashed).
• Usage data: Pages visited, features used, filter profiles created, email digest preferences, and login timestamps.
• Billing data: Subscription plan, billing cycle, and payment status. Card details are processed directly by Stripe and are never stored on our servers.
• Contact data: Messages submitted via our contact form, including name, email, and message content.
• Technical data: IP address, browser type, device type, and access logs retained for security and abuse prevention.

We do not collect or process special categories of personal data (health data, biometric data, etc.).

We process your personal data under the following legal bases (GDPR Article 6):

• Contract performance (Art. 6(1)(b)): To provide your NoxReg subscription, deliver email digests, and process payments.
• Legitimate interests (Art. 6(1)(f)): To improve our platform, prevent fraud, and send service-related communications. We have balanced our interests against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)): To comply with applicable law, including tax and accounting requirements.
• Consent (Art. 6(1)(a)): For optional marketing communications, where you have opted in explicitly. You may withdraw consent at any time.

We retain personal data only for as long as necessary for the purposes described:

• Account data: Retained for the duration of your subscription plus 90 days after cancellation, then deleted.
• Billing records: Retained for 7 years to comply with Luxembourg accounting law.
• Usage logs: Retained for 12 months for security and product improvement purposes.
• Contact form data: Retained for up to 24 months, then deleted unless a commercial relationship has been established.

You may request early deletion of your data at any time (see Section 6).

We use the following third-party sub-processors to deliver our service. Each is bound by a Data Processing Agreement (DPA) and operates under GDPR-compliant conditions:

• Supabase (Supabase Inc.): PostgreSQL database hosting. Your account data and subscription preferences are stored in Supabase. Data is hosted in the EU (eu-central-1). Supabase is SOC 2 Type II certified.
• Stripe (Stripe Inc.): Payment processing. Stripe processes card payments under PCI DSS Level 1 certification. NoxReg never stores card numbers. Stripe's privacy policy: stripe.com/privacy.
• Resend (Resend Inc.): Transactional email delivery for email digests, alerts, and account notifications. Emails contain your name and digest content. Resend is SOC 2 compliant.

We do not sell, rent, or share your personal data with any other third parties for marketing or advertising purposes.

As a data subject under the GDPR, you have the following rights, which you may exercise at any time by contacting us at privacy@noxreg.com:

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
• Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior processing.

We will respond to all requests within 30 days. You also have the right to lodge a complaint with your national supervisory authority. In Luxembourg, this is the CNPD (Commission Nationale pour la Protection des Données): cnpd.public.lu.

NoxReg uses only essential cookies necessary to operate the platform:

• Session cookie: Maintains your authenticated session. Expires when you close your browser or after 30 days of inactivity.
• Preference cookie: Stores your UI preferences (theme, default filter view). Expires after 1 year.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking.

For any privacy-related questions, data subject requests, or concerns:

• Email: privacy@noxreg.com
• General contact: contact@noxreg.com
• Contact form: noxreg.com/contact

We aim to respond to all privacy requests within 5 business days.