Nura
How it works Coverage Industries Use cases For partners
Sign in
Legal

Privacy Policy

Nura Security · Last Updated: 2 June 2026 · Version 2.1

Nura Security & Compliance FZCO ("Nura", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard personal data in connection with:

  • this website (nurasecurity.com);
  • the Nura browser extension, available for Chrome, Firefox, Microsoft Edge, and Safari (the "Extension"); and
  • the Nura web-based administration console (the "Platform").

This policy should be read alongside our Terms of Service and, where applicable, our Data Processing Addendum ("DPA"), which governs how we process personal data on behalf of business customers.

1. Who We Are

Nura provides AI usage visibility and data protection capabilities for small and mid-sized businesses, delivered through authorised partners and resellers. Our core product is a browser extension, available for Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari, that monitors prompts and file uploads made by employees to external generative AI tools, allowing organisations to detect, block, or mask sensitive data before it is transmitted.

Legal entity: Nura Security & Compliance FZCO is a Free Zone Company incorporated and registered in the United Arab Emirates (UAE). Our services are offered globally, with a primary focus on customers based in the United Kingdom and the European Union.

Data controller status: For personal data collected via this website and through use of the Platform (including account data and usage analytics), Nura acts as the data controller. For personal data processed on behalf of business customers through the Extension and Platform, Nura acts as a data processor under the customer's instructions.

UK and EU customers — important notice: Although Nura is established in the UAE, we actively offer services to individuals and organisations in the UK and EU and are therefore subject to the UK GDPR and the EU General Data Protection Regulation (GDPR) by virtue of Article 3 of each regulation (the "territorial scope" provision). We take our obligations under both frameworks seriously and have implemented the measures described in this policy accordingly.

UK Representative: As required under UK GDPR Article 27, Nura has appointed a representative in the United Kingdom. Contact details are provided in Section 16.

EU Representative: As required under EU GDPR Article 27, Nura has appointed a representative in the European Union. Contact details are provided in Section 16.

Legal entity
Nura Security & Compliance FZCO
Jurisdiction
United Arab Emirates (FZCO — Free Zone Company)
Email
[email protected]
Website
nurasecurity.com
DPO / Privacy contact
[email protected]
UK supervisory authority
ICO — Information Commissioner's Office  |  ico.org.uk  |  0303 123 1113
EU supervisory authority
Your local EU data protection authority. For cross-border complaints, refer to your lead supervisory authority based on your country of residence.

2. Browser Extension — Data Practices

This section addresses end users of the Nura browser extension and satisfies the privacy disclosure requirements of the Google Chrome Web Store, Mozilla Firefox Add-ons, Microsoft Edge Add-ons, and Apple Safari Extensions policies.

2.1 What the Extension Does

The Extension operates within your web browser (Chrome, Firefox, Edge, or Safari) and intercepts outgoing content before it is transmitted to generative AI tools (including ChatGPT, Google Gemini, Anthropic Claude, and Perplexity). Specifically, the Extension:

  • reads text entered into AI tool input fields in real time, before submission;
  • scans files attached to AI tool upload functions;
  • analyses content locally against configured detection rules to identify sensitive data categories; and
  • depending on the policy configured by your employer, blocks the submission, masks sensitive values within the content, warns the user, or allows the content through and logs the event.

2.2 What Data the Extension Accesses

To perform its function, the Extension requests the following browser permissions. The specific permission names vary slightly between Chrome, Firefox, Edge, and Safari but the scope of access is equivalent across all four:

  • scripting / content scripts: to read and optionally modify prompt content within the AI tool's input fields before submission.
  • storage (local): to cache policy configuration and your session token locally within the browser, reducing the need for repeated network requests.
  • host permissions (AI tool domains and the Nura backend): to operate on the specific AI platform domains your organisation has configured for monitoring (e.g. chatgpt.com, gemini.google.com, claude.ai, www.perplexity.ai, copilot.microsoft.com, chat.deepseek.com) and to communicate with the Nura Platform.

The Extension does NOT access your general browsing history, saved passwords, form data on non-AI websites, or any content outside of the AI tool interfaces it is configured to monitor.

In the course of performing this function, the Extension collects and transmits the following categories of data to the Nura Platform:

  • Website content: a redacted copy of the prompt text and a redacted classification summary entered into configured AI tools (see Section 2.3).
  • Authentication information: a session token issued when you sign in, stored locally in the browser and sent with each request to authenticate you.
  • Personally identifying information: your name, email address and role, retrieved from your Nura account.
  • User activity: records of detection events (incidents), including the action taken and detection metadata.
  • Technical and device information: your operating system, browser, and time zone, attached to each event.

2.3 How Prompt Content Is Handled

Local detection and redaction: Prompt content is analysed within your browser. Sensitive values that the Extension detects under your organisation's configured rules are redacted in-browser before any content is transmitted.

What is transmitted and stored: When an event is detected or logged, the following is transmitted to and stored on the Nura Platform as an incident record:

  • a redacted copy of the prompt, from which detected sensitive values have been removed in your browser;
  • a truncated classification summary of the prompt (up to 5,000 characters), also redacted, used to categorise the event;
  • detection metadata: the data categories detected (e.g. "Financial Data", "Employee & HR"), the type, position and confidence score of each detected item, and the action taken (block, mask, warn, or allow);
  • event context: a timestamp, the AI tool in use, your operating system and browser, your time zone, and your account and organisation identifiers as configured by your employer.

Where no sensitive values are detected in a logged event, the transmitted prompt text will not have had any redactions applied. The Extension does not transmit the responses returned by the AI tool, and it does not transmit content from non-AI websites.

Detected sensitive values: The specific values the Extension detects as sensitive (for example a card number or national insurance number) are redacted in your browser and are not transmitted to or stored on Nura's servers.

2.4 Use of Data Collected by the Extension

Data collected through the Extension is used exclusively to:

  • enforce the data protection policies configured by the deploying organisation;
  • generate usage events and risk logs visible in the Nura admin console;
  • produce aggregate analytics and risk scoring for the organisation.

We do not use Extension data for advertising, profiling, or any purpose unrelated to the Extension's core function. We do not sell Extension data to any third party.

2.5 Extension Data Sharing

Extension-generated data is shared only with:

  • the deploying organisation's authorised administrators via the Nura Platform;
  • Nura's infrastructure sub-processors (see Section 9) who process data solely on our instructions; and
  • legal or regulatory authorities where required by law.

3. Employees and End Users

If you are an employee whose organisation has deployed the Nura Extension on your device, you should be aware of the following.

Your employer is the data controller for data collected about your use of AI tools through the Extension. Nura processes this data as a data processor acting on your employer's instructions. Your employer is responsible for notifying you of the monitoring in place, obtaining any consent required under applicable employment law, and defining what data is collected and retained.

What is monitored: The Extension monitors content you enter into configured AI tool interfaces during working hours on managed devices. It does not monitor content entered on non-AI websites, personal applications, or outside of the AI tools your organisation has configured.

How your prompts are handled: Detection happens in your browser, and the specific sensitive values it detects are redacted locally before anything is transmitted. A redacted copy of your prompt and a redacted classification summary are then sent to and stored on the Nura Platform as incident records, together with the detection metadata described in Section 2.3. The specific sensitive values detected are not transmitted.

Exercise of rights: To exercise data subject rights (access, correction, deletion, etc.) in relation to data collected through the Extension, please contact your employer in the first instance, as they are the data controller for that data.

4. Website and Marketing Data

4.1 Data You Provide Directly

We collect personal data when you interact with our website, including when you:

  • fill out a contact or demo request form;
  • apply to become a reseller or partner;
  • subscribe to product updates or newsletters;
  • communicate with us by email.

This may include your name, company name, job title, email address, phone number, and business details.

4.2 Data Collected Automatically

When you visit our website, we may automatically collect:

  • IP address and approximate location;
  • browser type and version;
  • device type and operating system;
  • pages visited, time on site, and referring URL;
  • date and time of visit.

This information is used for security, analytics, and website improvement.

4.3 Cookies

We use cookies and similar technologies for website functionality, analytics, and (where applicable) marketing. You may manage cookie preferences through your browser settings or our cookie consent tool. Disabling certain cookies may affect website functionality.

5. How We Use Your Information

We use personal data to:

  • respond to enquiries, demo requests, and partner applications;
  • provide and improve the Nura Platform and Extension;
  • send product updates and relevant communications (where you have opted in or where we have a legitimate interest);
  • conduct security monitoring and fraud prevention;
  • comply with legal obligations; and
  • enforce our Terms of Service.

We do not sell personal data to third parties.

6. Legal Basis for Processing (GDPR)

Where UK or EU GDPR applies, we process personal data on the following legal bases:

Consent
Newsletter subscriptions; optional cookies and analytics.
Contractual necessity
Providing the Platform and Extension to customers; fulfilling partner agreements.
Legitimate interests
Responding to enquiries; improving services; security monitoring; direct marketing to business contacts (proportionate and with opt-out).
Legal obligation
Compliance with applicable law, regulatory requests, or court orders.

7. Data Sharing

We may share personal data with:

  • Authorised resellers and partners: where your enquiry was referred through a partner channel, we may share relevant contact details to fulfil your request.
  • Business customers: where you are an employee user, your employer has access to usage events generated through your use of the Extension, as described in Section 3.
  • Sub-processors: Digital Ocean (infrastructure — receives all Platform data, including usage events and the redacted incident records described in Section 2.3), Intercom (customer communications — receives email address only), Resend (email delivery — receives email address only), and Sentry (error and crash diagnostics — receives technical diagnostic data only). See Section 9 for full details.
  • Legal or regulatory authorities: where required by law, court order, or regulatory obligation.
  • Acquirers: in the event of a merger, acquisition, or sale of all or part of our business, in which case data subjects will be notified.

We do not sell personal data. We do not share personal data with any party not listed above. No sub-processor receives the sensitive values redacted in your browser under any circumstances.

8. International Data Transfers

Nura is established in the UAE. When we collect or process personal data from UK or EU residents, this constitutes a transfer of personal data to a third country for the purposes of UK GDPR and EU GDPR.

The UAE does not currently hold an adequacy decision from the UK or the EU. Accordingly, we rely on the following transfer mechanisms to ensure your personal data receives an equivalent level of protection to that required under UK and EU law:

  • UK International Data Transfer Agreements (IDTAs): for transfers of UK personal data to Nura and our sub-processors outside the UK.
  • EU Standard Contractual Clauses (SCCs): for transfers of EU personal data to Nura and our sub-processors outside the EEA, approved under EU Commission Decision 2021/914.
  • Supplementary technical and organisational measures: including encryption in transit and at rest, access controls, and data minimisation, to supplement the above mechanisms where appropriate.

Copies of the applicable transfer mechanisms are available on request from [email protected].

Where Nura engages sub-processors located outside the UK or EEA — including Digital Ocean, Intercom, Resend, and Sentry, all of which are US-based — we ensure equivalent transfer safeguards are in place through our sub-processor agreements, as described in Section 9.

9. Sub-Processors

We use the following sub-processors to operate our services. Each is bound by a data processing agreement and required to process personal data only on our instructions, only to the extent necessary for the specific purpose described, and in accordance with applicable data protection law.

Digital Ocean
Cloud infrastructure — hosts the Nura Platform and all associated data, including: user account information (name, email address, employer organisation); usage event metadata (data categories detected, action taken, timestamp, AI tool, browser, time zone); and the incident records generated by the Extension, comprising a redacted copy of the prompt and a redacted classification summary (see Section 2.3). Digital Ocean processes this data as infrastructure only and has no independent access to or use of this data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.
Intercom
Customer communications — receives the email address of registered Platform users only, used solely to support onboarding and customer communications. Intercom does not receive prompt content, usage event data, or any other personal data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.
Resend
Transactional email delivery — receives the email address of registered Platform users only, used solely to deliver system-generated notifications and product emails. Resend does not receive prompt content, usage event data, or any other personal data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.
Sentry (Functional Software, Inc.)
Error and crash diagnostics — receives technical diagnostic data only (exception messages and stack traces) to help us detect and fix faults in the Extension and Platform. IP addresses and user identifiers are not attached to these reports. Sentry does not receive prompt content, usage event data, account details, or any other personal data. Headquartered in the USA. Transfer mechanism: EU SCCs / UK IDTA.

Data minimisation: Where a sub-processor's function requires only an email address, only an email address is provided. No sub-processor receives the sensitive values redacted in your browser. Incident records (redacted prompt and redacted classification summary) are only ever stored on Digital Ocean infrastructure.

All three sub-processors are based in the United States. Transfers to these sub-processors are governed by EU Standard Contractual Clauses and UK International Data Transfer Agreements as applicable, as described in Section 8. We will provide reasonable advance notice of any intended changes to our sub-processor list. An up-to-date list is available on request from [email protected].

10. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods are:

Website contact / enquiry data
24 months from last interaction, unless an ongoing relationship is established.
Customer account data
Duration of the contract plus 7 years for legal and audit purposes.
Extension usage event metadata
As specified in the customer agreement, typically 12 months rolling.
Incident records (redacted prompt and redacted classification summary)
Stored as part of the usage event record. Retained as specified in the customer agreement, typically 12 months rolling.
Detected sensitive values
Redacted in your browser. Not transmitted to or stored by Nura under any circumstances.
Email addresses (Intercom / Resend)
Retained for the duration of the customer relationship. Deleted within 30 days of account closure on request.
Cookies and analytics data
As specified in our cookie policy, typically 12–24 months.

11. Data Security

We implement appropriate technical and organisational security measures to protect personal data, including:

  • encryption of data in transit (TLS) and at rest;
  • access controls and role-based permissions;
  • regular security assessments and penetration testing;
  • incident response and breach notification procedures.

In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, as required by applicable law.

No system can guarantee absolute security. If you become aware of a security issue, please notify us promptly at [email protected].

12. Your Rights

Depending on your location, you may have the following rights in relation to your personal data:

Access
Request a copy of the personal data we hold about you.
Correction
Request correction of inaccurate or incomplete data.
Erasure
Request deletion of your data where there is no overriding legal basis for retention.
Restriction
Request that we restrict processing of your data in certain circumstances.
Objection
Object to processing based on legitimate interests or for direct marketing.
Portability
Receive your data in a structured, machine-readable format where processing is based on consent or contract.
Withdraw consent
Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at [email protected]. We will respond within one month (as required under UK and EU GDPR). If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority: in the UK, the ICO (ico.org.uk); in the EU, your national data protection authority.

Note for employee users: For rights relating to data collected through the Extension, please contact your employer in the first instance, as they are the data controller for that processing.

13. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data relating to a child, please contact us at [email protected] and we will delete it promptly.

14. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product capabilities. The updated version will be posted on this page with a revised "Last Updated" date. Where changes are material, we will provide more prominent notice (for example, by email or an in-product notification).

Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.

16. Contact Us

For any questions, requests, or concerns about this Privacy Policy or our data practices:

Legal entity
Nura Security & Compliance FZCO
Registered address
Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai 342001, U.A.E
Email
[email protected]
Website
nurasecurity.com
Nura

AI access for your team.
Without the risk.

Product

  • How it works
  • Coverage
  • Industries
  • Use cases

Solutions

  • For security teams
  • For MSPs & resellers
  • For service partners
  • Financial services
  • Healthcare
  • Legal

Company

  • Partners
  • Contact
SOC 2 Type IICertified
GDPRCompliant
ISO 27001Aligned
HIPAAReady
CCPACompliant

© 2026 Nura. All rights reserved.

Terms Privacy All systems operational