Nura Security · Last Updated: 22 April 2026 · Version 2.0
Nura Security & Compliance FZCO ("Nura", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard personal data in connection with:
This policy should be read alongside our Terms of Service and, where applicable, our Data Processing Addendum ("DPA"), which governs how we process personal data on behalf of business customers.
Nura provides AI usage visibility and data protection capabilities for small and mid-sized businesses, delivered through authorised partners and resellers. Our core product is a browser extension, available for Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari, that monitors prompts and file uploads made by employees to external generative AI tools, allowing organisations to detect, block, or mask sensitive data before it is transmitted.
Legal entity: Nura Security & Compliance FZCO is a Free Zone Company incorporated and registered in the United Arab Emirates (UAE). Our services are offered globally, with a primary focus on customers based in the United Kingdom and the European Union.
Data controller status: For personal data collected via this website and through use of the Platform (including account data and usage analytics), Nura acts as the data controller. For personal data processed on behalf of business customers through the Extension and Platform, Nura acts as a data processor under the customer's instructions.
UK and EU customers — important notice: Although Nura is established in the UAE, we actively offer services to individuals and organisations in the UK and EU and are therefore subject to the UK GDPR and the EU General Data Protection Regulation (GDPR) by virtue of Article 3 of each regulation (the "territorial scope" provision). We take our obligations under both frameworks seriously and have implemented the measures described in this policy accordingly.
UK Representative: As required under UK GDPR Article 27, Nura has appointed a representative in the United Kingdom. Contact details are provided in Section 16.
EU Representative: As required under EU GDPR Article 27, Nura has appointed a representative in the European Union. Contact details are provided in Section 16.
This section addresses end users of the Nura browser extension and satisfies the privacy disclosure requirements of the Google Chrome Web Store, Mozilla Firefox Add-ons, Microsoft Edge Add-ons, and Apple Safari Extensions policies.
The Extension operates within your web browser (Chrome, Firefox, Edge, or Safari) and intercepts outgoing content before it is transmitted to generative AI tools (including ChatGPT, Google Gemini, Anthropic Claude, and Perplexity). Specifically, the Extension:
To perform its function, the Extension requests the following browser permissions. The specific permission names vary slightly between Chrome, Firefox, Edge, and Safari but the scope of access is equivalent across all four:
The Extension does NOT access your general browsing history, saved passwords, form data on non-AI websites, or any content outside of the AI tool interfaces it is configured to monitor. It does not read content from any tab other than the active tab when a supported AI tool is in use.
Local processing: Prompt content is analysed entirely within your browser. The raw text of prompts is never transmitted to Nura's servers under any circumstances.
What is transmitted: When an event is detected or logged, only metadata is transmitted to the Nura Platform. This metadata includes: the data category detected (e.g. "Financial Data", "Employee & HR"), the action taken (block, mask, warn, or allow), a timestamp, the AI tool in use, the browser in use, and the user's account identifier as configured by the employer.
Generalised prompt summaries: Where a deploying organisation has enabled the "Generalise" prompt-handling mode, a generic summary of the prompt's purpose (not the original text) may be transmitted and stored on Nura's infrastructure. This summary is designed to obscure personally identifiable information while providing context for audit purposes. This feature is disabled by default and must be explicitly enabled by the organisation.
Raw prompt content: Raw prompt text is never stored on Nura's servers. This is an absolute constraint of the product architecture, not a policy default that can be changed by configuration.
Data collected through the Extension is used exclusively to:
We do not use Extension data for advertising, profiling, or any purpose unrelated to the Extension's core function. We do not sell Extension data to any third party.
Extension-generated data is shared only with:
If you are an employee whose organisation has deployed the Nura Extension on your device, you should be aware of the following.
Your employer is the data controller for data collected about your use of AI tools through the Extension. Nura processes this data as a data processor acting on your employer's instructions. Your employer is responsible for notifying you of the monitoring in place, obtaining any consent required under applicable employment law, and defining what data is collected and retained.
What is monitored: The Extension monitors content you enter into configured AI tool interfaces during working hours on managed devices. It does not monitor content entered on non-AI websites, personal applications, or outside of the AI tools your organisation has configured.
Privacy-first by design: By default, prompt analysis is local. Your actual prompt text is not sent to Nura's servers. If your employer has enabled raw prompt storage, this will be disclosed in your employer's own internal data protection notice.
Exercise of rights: To exercise data subject rights (access, correction, deletion, etc.) in relation to data collected through the Extension, please contact your employer in the first instance, as they are the data controller for that data.
We collect personal data when you interact with our website, including when you:
This may include your name, company name, job title, email address, phone number, and business details.
When you visit our website, we may automatically collect:
This information is used for security, analytics, and website improvement.
We use cookies and similar technologies for website functionality, analytics, and (where applicable) marketing. You may manage cookie preferences through your browser settings or our cookie consent tool. Disabling certain cookies may affect website functionality.
We use personal data to:
We do not sell personal data to third parties.
Where UK or EU GDPR applies, we process personal data on the following legal bases:
We may share personal data with:
We do not sell personal data. We do not share personal data with any party not listed above. No sub-processor receives raw prompt content under any circumstances.
Nura is established in the UAE. When we collect or process personal data from UK or EU residents, this constitutes a transfer of personal data to a third country for the purposes of UK GDPR and EU GDPR.
The UAE does not currently hold an adequacy decision from the UK or the EU. Accordingly, we rely on the following transfer mechanisms to ensure your personal data receives an equivalent level of protection to that required under UK and EU law:
Copies of the applicable transfer mechanisms are available on request from [email protected].
Where Nura engages sub-processors located outside the UK or EEA — including Digital Ocean, Intercom, and Resend, all of which are US-based — we ensure equivalent transfer safeguards are in place through our sub-processor agreements, as described in Section 9.
We use the following sub-processors to operate our services. Each is bound by a data processing agreement and required to process personal data only on our instructions, only to the extent necessary for the specific purpose described, and in accordance with applicable data protection law.
Data minimisation: Where a sub-processor's function requires only an email address, only an email address is provided. No sub-processor receives raw prompt content. Generalised prompt summaries are only ever stored on Digital Ocean infrastructure and only where the deploying organisation has explicitly enabled that feature.
All three sub-processors are based in the United States. Transfers to these sub-processors are governed by EU Standard Contractual Clauses and UK International Data Transfer Agreements as applicable, as described in Section 8. We will provide reasonable advance notice of any intended changes to our sub-processor list. An up-to-date list is available on request from [email protected].
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods are:
We implement appropriate technical and organisational security measures to protect personal data, including:
In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, as required by applicable law.
No system can guarantee absolute security. If you become aware of a security issue, please notify us promptly at [email protected].
Depending on your location, you may have the following rights in relation to your personal data:
To exercise any of these rights, contact us at [email protected]. We will respond within one month (as required under UK and EU GDPR). If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority: in the UK, the ICO (ico.org.uk); in the EU, your national data protection authority.
Note for employee users: For rights relating to data collected through the Extension, please contact your employer in the first instance, as they are the data controller for that processing.
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data relating to a child, please contact us at [email protected] and we will delete it promptly.
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party sites you visit.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product capabilities. The updated version will be posted on this page with a revised "Last Updated" date. Where changes are material, we will provide more prominent notice (for example, by email or an in-product notification).
Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.
For any questions, requests, or concerns about this Privacy Policy or our data practices: