Privacy & data
Last updated 13 July 2026
Norviqa is a platform that sports clubs and rights holders use to manage their sponsorship-rights inventory. This page explains what personal data the platform handles, where it is stored, and the choices you and the people in your workspace have.
Who is responsible
Your club is the controller for everything inside its workspace — the rights, partners, bookings and contacts it enters. Norviqa processes that data on the club's behalf as a processor, under a data-processing agreement (AVV). Norviqa is the controller only for its own account, billing and support data.
What we store
Club staff accounts: email address and authentication data. Sponsor and partner contacts: name, contact person, email, phone and any notes the club adds. Activity: an audit log of who changed what, with a timestamp.
Where it lives
All application compute and all data at rest run in Frankfurt, Germany (Supabase eu-central-1, Vercel fra1, Sentry EU). Your data does not leave the EU, with one interim exception: the optional AI Consultant feature currently sends the inputs of any preview you generate (right name, brief, photo, logo) to OpenAI in the US; we are moving this to an EU AI provider, which removes the transfer. Static parts of the interface (no personal data) are served from a global content network for speed.
Your rights
Club owners and admins can export the club's full data as an Excel workbook, and can delete individual contacts, the whole club, or their own account — all self-serve from Settings. If a sponsor contact asks us directly to access or delete their data, we forward the request to the club, which is the controller and answers it.
Retention and deletion
Deletions take effect immediately on live systems. The audit log is kept for 12 months and then removed automatically; when an account is deleted, its identity is removed from the log while the events themselves are retained for security. Backups are overwritten on a rolling schedule; if a backup is ever restored, deletions are re-applied.
Security
Each club's data is isolated at the database level (row-level security keyed on the club), so one club can never see another's. Data is encrypted in transit and at rest, access is restricted and logged, and all hosting is EU-only.
Subprocessors
Norviqa uses the following processors. Changes are announced to clubs by email at least 14 days in advance, so a club can object.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | Frankfurt (eu-central-1) |
| Vercel | Application hosting | Frankfurt (fra1) |
| Sentry | Error monitoring | EU (Frankfurt) |
| Resend | Transactional email | EU (Ireland) |
| OpenAI | AI preview generation (Consultant) | US (interim; EU planned) |
Contact
Questions about data protection, or the data-processing agreement for clubs: privacy@norviqa.com.