Privacy Policy
Norman AI GmbH
Last updated: March 2026
Welcome to Norman! As part of the registration, login, and use of the Norman platform, we collect certain personal data that we receive from you in order to enable the provision of tax and accounting services to you. We attach great importance to protecting your data and maintaining your privacy. Below, we will therefore inform you about the collection and use of personal data when using our website and app.
1. Name and Contact Details of the Data Controller
This data protection information applies to data processing by:
Norman AI GmbH, Kolonnenstraße 8, 10827 Berlin, Germany
Email: compliance@norman.finance
If you have questions regarding the processing of your personal data, your rights as a data subject, or wish to withdraw consent, please contact us at the above address.
2. Collection and Storage of Personal Data as Well as the Type and Purpose of Their Use
a) When Visiting the Website
When you access our website https://www.norman.finance/, the browser used on your device automatically sends information to our website's server. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted:
IP address of the requesting computer,
date and time of access,
name and URL of the retrieved file,
website from which access is made (referrer URL),
browser used and, if applicable, the operating system of your computer as well as the name of your access provider.
We process the above data for the following purposes:
ensuring a smooth connection to the website,
ensuring comfortable use of our website,
evaluation of system security and stability,
further administrative purposes.
The legal basis for data processing is Article 6(1)(f) GDPR. Our legitimate interest follows from the data collection purposes listed above. Under no circumstances do we use the data collected for the purpose of drawing conclusions about you personally.
We also use cookies and analysis services when you visit our website. Further explanations can be found in Sections 5 and 6 of this privacy policy.
b) When Registering for Our Newsletter
If you have expressly consented in accordance with Article 6(1)(a) GDPR, we will use your email address to regularly send you our newsletter. To receive the newsletter, it is sufficient to provide an email address. You can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you can send your request to unsubscribe at any time to compliance@norman.finance.
If you are our customer, we may send you direct advertising for our own similar products or services based on the provisions of Article 6(1)(f) GDPR in conjunction with Section 7(3) UWG. In this case, too, you have the right at any time to object to our use of your email address for advertising purposes. To do this, simply click on the unsubscribe link within a newsletter or send us a short email to compliance@norman.finance. You will not incur any costs for unsubscribing (except for possible transmission costs according to your basic tariff).
c) When Requesting the Download Link
On our website we offer you the opportunity to request a download link to use our app. It is necessary to provide a valid telephone number, which must be confirmed to ensure that the request comes from you. Data processing for the purpose of contacting you is carried out in accordance with Article 6(1)(a) GDPR based on your voluntarily given consent.
d) When Using the App
In order to download and install our app from an app store (e.g. Google Play, Apple App Store), you must first register for a user account with the respective app store provider and conclude a corresponding usage agreement with them. We have no influence on this, and in particular we are not a party to such a usage agreement.
When you download and install the app, the necessary information is transferred to the respective app store, in particular your user name, email address, customer number of your account, time of download, payment information, and the individual device code. We have no influence on this data collection and are not responsible for it.
We only process the data provided to the extent necessary for downloading and installing the app on your mobile device (e.g. smartphone, tablet). Data processing is carried out on the basis of Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(f) GDPR (legitimate interest in the efficient and secure provision of our services).
e) When Making an Appointment via Calendly
We use the Calendly tool to make appointments simple, quick, and uncomplicated. When using the tool, you will be asked for personal information such as name, email address, and telephone number. You also have the opportunity to describe your concerns and provide us with further information. If you use the tool, your details from the inquiry form, including the information you provided there, will be saved and transmitted to us.
The data entered is processed based on your consent in accordance with Article 6(1)(a) GDPR.
Calendly's privacy policy can be found at: https://calendly.com/pages/privacy
f) When Registering for Tax Purposes via Our Website
If you use our tax registration service via our website, you will be asked for personal data such as name, email address, telephone number, date of birth, marital status, and religious affiliation. Your details will then be transmitted directly to the tax office via the ELSTER interface (see Section g) for more information about the ELSTER software). The data entered is processed based on your consent in accordance with Article 6(1)(a) GDPR.
g) When Filing a Tax Return
If you instruct us to file a tax return, you will provide us with personal data such as name, email address, telephone number, date of birth, marital status, religious affiliation, national tax number, responsible tax office, home address, second home (if applicable), work address, legal form, commercial register number, bank details, proof of identity, and information on income and expenses.
Your details will then be transmitted directly to the tax office via the ELSTER interface. The data entered is processed on the basis of your consent in accordance with Article 6(1)(a) GDPR and for the purpose of executing the contract in accordance with Article 6(1)(b) GDPR.
Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are requested — such as health data, data on religious affiliation, or trade union membership — this is done on the basis of your explicit consent in accordance with Article 9(2)(a) GDPR.
The tax return is submitted to the tax office using the ELSTER tax software. Your tax return and the tax assessment notice, once available, can be accessed in digital form in our app after submission, unless you have objected to this.
We provide the following information from the tax authorities regarding the use of ELSTER:
"This software is used to collect personal data within the meaning of Article 4(1) GDPR and Article 9(1) GDPR for the purpose of processing. In addition to the data required for tax assessment, the software collects data about the type of operating system of the user and transmits this to the tax authorities. This data is needed to ensure the proper processing of the data and to prevent errors in the processing process. The use of the data takes place within the framework of Article 6(1)(1)(e) in conjunction with (3)(1)(b) GDPR in conjunction with federal or state tax laws by the tax authorities and only for the stated purpose. General information on the implementation of the data protection requirements of Articles 12 to 14 GDPR in tax administration can be found at https://download.elster.de/download/documents/Informationen_zu_artikel_12_bis_14_Datenschutz-Grundverfassung.pdf."
3. Duration for Which the Personal Data Will Be Stored
Personal data is generally stored for as long as is necessary for the processing purposes described. The criterion for the duration of storage is generally the respective statutory, tax, and commercial law retention period (usually 6–10 years) or the period for which the data is required for legal and/or factual reasons. After the deadline has expired, the relevant data will be routinely deleted unless it is still required to fulfill or initiate a contract.
4. Sharing of Data
Your personal data will not be transferred to third parties for purposes other than those listed below. We will only share your personal information with third parties if:
you have given your express consent in accordance with Article 6(1)(a) or Article 9(2)(a) GDPR,
the disclosure is necessary to assert, exercise, or defend legal claims in accordance with Article 6(1)(f) GDPR and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
there is a legal obligation for the transfer in accordance with Article 6(1)(c) GDPR, or
this is legally permissible and necessary for the processing of contractual relationships with you in accordance with Article 6(1)(b) GDPR.
We have entered into data processing agreements in accordance with Article 28 GDPR with all service providers who process personal data on our behalf.
Data Transfers to Third Countries
If we process data in a third country (i.e. outside the European Union or the European Economic Area) or if this occurs as part of the use of third-party services or disclosure or transmission of data to third parties, this will only occur if it is done to fulfill our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the requirements of Articles 44 et seq. GDPR are met. This means that the processing is carried out, for example, on the basis of an adequacy decision by the European Commission (such as the EU-U.S. Data Privacy Framework for certified U.S. companies), on the basis of Standard Contractual Clauses (SCCs), or on the basis of other legally recognized transfer mechanisms.
5. Cookies and Consent
Our website uses so-called cookies. Cookies are small text files that are stored on your device and that your browser saves. They serve to make our offering more user-friendly, effective, and secure. Cookies do not cause any damage to your device and do not contain any malware.
Consent Management
When you first visit our website, you will be presented with a cookie consent banner. Through this banner, you can decide which categories of cookies you wish to accept. You may withdraw your consent at any time by adjusting your cookie preferences via the consent settings accessible on our website.
Strictly Necessary Cookies
These cookies are essential for the operation of our website and cannot be switched off. They include session cookies that recognize that you have visited individual pages on our website and are automatically deleted after you leave our site.
The legal basis for the use of strictly necessary cookies is Article 6(1)(f) GDPR (legitimate interest) and Section 25(2) TTDSG (Telecommunications and Telemedia Data Protection Act).
Analytics and Marketing Cookies
We use analytics and marketing cookies only with your prior consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG. These cookies enable us to statistically record and evaluate the use of our website for the purpose of optimizing our offering. These cookies are automatically deleted after a defined period of time.
You can configure your browser so that no cookies are stored on your device or that a message appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all functions of our website.
6. Analysis and Marketing Tools
The tracking measures listed below are used only with your prior consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG. You may withdraw your consent at any time via our cookie settings.
Google Analytics
For the purpose of needs-based design and ongoing optimization of our pages, we use Google Analytics, a web analysis service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). In this context, pseudonymized usage profiles are created and cookies are used. The information generated by the cookie about your use of this website — such as browser type/version, operating system used, referrer URL, hostname of the accessing computer (IP address), and time of server request — is transferred to a Google server and stored there. Google Analytics uses IP anonymization, so that your IP address is truncated beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area.
Google Analytics stores cookies in your web browser for a period of two years from your last visit. These cookies contain a randomly generated user ID that can be used to recognize you on future website visits.
The data we send, linked to cookies, user identifiers (e.g. user ID), or advertising IDs, are automatically deleted after 14 months. Data whose retention period has been reached is deleted automatically once a month.
This information may be transferred to third parties if required by law or if third parties process this data on behalf of Google. You can prevent the installation of cookies by setting the browser software accordingly. You can also prevent the collection of data generated by the cookie by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en). As an alternative, especially for browsers on mobile devices, you can prevent data collection by Google Analytics by adjusting your cookie preferences on our website.
Further information on data protection in connection with Google Analytics can be found at: https://support.google.com/analytics/answer/6004245
Google is certified under the EU-U.S. Data Privacy Framework. Further information: https://www.dataprivacyframework.gov
Google Ads Conversion Tracking
In order to statistically record and evaluate the use of our website, we also use Google Ads Conversion Tracking. Google Ads sets a cookie on your computer if you came to our website via a Google ad. These cookies expire after 30 days and are not used for personal identification.
Every Google Ads customer receives a different cookie. Cookies cannot therefore be tracked across the websites of different customers. The information collected using the conversion cookie is used to create conversion statistics for customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag; they do not receive any information that can be used to personally identify users.
If you do not wish to participate in the tracking process, you can refuse the setting of a cookie, for example by adjusting your browser settings or our cookie preferences. Google's data protection policy on conversion tracking can be found here: https://policies.google.com/privacy
For the purpose of needs-based design and ongoing optimization of our pages and their economic operation, we use Reddit Ads and Reddit Conversion Tracking (Pixels), a marketing service provided by Reddit, Inc., 548 Market St. #16093, San Francisco, California 94104, USA.
We use Reddit Conversion Tracking for marketing and optimization purposes, in particular to analyze the use of our website and to improve individual functions, offers, and the user experience.
You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. You can also prevent Reddit from collecting the above-mentioned information by changing the relevant settings on the Reddit website: https://www.reddit.com/personalization/
For more information about Reddit Ads' use of cookies, see: https://www.redditinc.com/policies/cookies
Meta Pixel (Meta Ads)
For the purpose of needs-based design and ongoing optimization of our pages and their economic operation, we use (re)marketing services from Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland ("Meta"). Using this function, we can target website visitors with personalized, interest-based ads when they visit the social network Facebook or Instagram.
When you visit the website, a direct connection is established to the Meta servers. Information about the use of the websites visited is transmitted. Meta assigns this information to your personal Facebook/Instagram user account.
Further information on the collection and use of data by Meta, your rights in this regard, and options for protecting your privacy can be found in Meta's data protection information at: https://www.facebook.com/about/privacy/
You can deactivate the "Custom Audiences" remarketing function in your Facebook settings. To do so, you must be logged in to Facebook.
Meta is certified under the EU-U.S. Data Privacy Framework.
Hotjar
For the purpose of needs-based design and ongoing optimization of our pages, we use services from Hotjar Ltd, Level 2, St Julians Business Centre, 3 Elia Zammit Street, St Julians STJ 1000, Malta ("Hotjar"). Hotjar evaluates the behavior of website visitors using anonymized data collected via cookies (see Section 5), which is used for optimization. This data has no personal reference and will not be used to create one. The data collected will be automatically deleted after a few days.
Further information can be found in Hotjar's privacy policy at: https://www.hotjar.com/legal/policies/privacy
TikTok Pixel
For the purpose of needs-based design and ongoing optimization of our pages and their economic operation, we use the so-called "TikTok Pixel" from the provider TikTok (for the EU: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland).
This is a cookie which we have implemented on our site. This creates a connection to the TikTok servers when you visit our website in order to track your behavior on our website. Personal data such as your IP address and email address, as well as other information such as device ID, device type, and operating system may be transferred to TikTok. TikTok uses this data to show its users targeted and personalized advertising and to create interest-based user profiles.
The data collected is anonymous, cannot be viewed by us, and can only be used by us as part of measuring the effectiveness of advertising placements.
Further information about data protection at TikTok can be found at: https://www.tiktok.com/legal/new-privacy-policy
7. Other Tools
Typeform
We use the services of Typeform, SL, Carrer Bac de Roda 163, 08018 Barcelona, Spain ("Typeform") to process user input. Typeform receives secure user IDs for this purpose.
The data processing is based on your consent in accordance with Article 6(1)(a) GDPR.
Further information on data processing by Typeform can be found at: https://admin.typeform.com/to/dwk6gt/
8. Affiliate Programs
Tapfiliate
For the purpose of needs-based design and ongoing optimization of our pages as well as their economic operation, we use the affiliate program Tapfiliate from Tapfiliate BV, Rapenburgerstraat 173, 1011 VM Amsterdam, Netherlands.
Tapfiliate sets a so-called "cookie" when you click on an ad containing a partner link. This allows us to understand where the order came from and to bill our partners correctly. Tapfiliate also allows us to create, manage, and analyze marketing and referral programs.
Tapfiliate stores and processes the following personal data: first name, last name, contact details, email address, IP address.
You can prevent the storage of cookies by selecting the appropriate technical settings in your browser software; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
The legal basis for using the partner program is Article 6(1)(f) GDPR (legitimate interest in the analysis, optimization, and economic operation of our online offering).
Further information on data protection at Tapfiliate can be found at: https://tapfiliate.com/privacy/privacy-policy/
financeAds
For the purpose of needs-based design and ongoing optimization of our pages and their economic operation, we use the partner program of financeAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany.
This is a so-called affiliate system. financeads.net uses so-called "cookies" when you click on an ad containing a partner link. This allows us to understand where the order came from and to bill our partners correctly.
Further information on data use by financeads.net and options for objection can be found in the company's data protection declaration: https://www.financeads.net/aboutus/datenschutz/
9. Payment Service Providers
GoCardless
We use GoCardless Bank Account Data, a service from GoCardless Ltd, Sutton Yard, 65 Goswell Road, London, EC1V 7EN, United Kingdom. Norman does not store your banking login credentials.
GoCardless is a fintech company. Transactions via online banking are processed via GoCardless. GoCardless handles the communication with the bank and sends the account statements or transaction information to Norman after the payment transaction has been completed (e.g. transfer).
Information about GoCardless's data protection can be found at: https://gocardless.com/privacy/account-holders/
finAPI
We use finAPI, a service provided by finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich, Germany. In order to offer online banking, the respective provider must have a banking license from the banking supervisory authority BaFin. We therefore carry out online banking via the service provider finAPI.
Norman does not store your banking login credentials.
finAPI is a fintech company with the corresponding BaFin license. Transactions via online banking are processed via finAPI. finAPI handles the communication with the bank and transmits the account statements or transaction information to Norman after the payment transaction has been completed (e.g. transfer).
Information on finAPI's data protection can be found at: https://www.finapi.io/datenschutz/
Stripe
We use the services of Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA ("Stripe"). Stripe is a third-party payment service provider that processes payments made to us. We do not retain any personally identifiable information or financial information such as credit card numbers in connection with processing such payments. Rather, this data (in particular contact and transaction data such as credit card details or bank details) is sent directly to Stripe, whose use of your personal data is governed by their privacy policy.
Stripe collects additional data for its own purposes, such as to prevent misuse and further develop its products as well as for marketing purposes. The other data collected through cookies and other technologies includes, in particular, communication data (IP address, device identification, browser version, operating system information).
The legal basis is Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(f) GDPR (legitimate interest in offering an additional payment option).
Stripe is certified under the EU-U.S. Data Privacy Framework. Further information can be found at: https://stripe.com/privacy
10. Newsletter Dispatch and Communication
SendGrid
Our newsletters are sent via the shipping service provider "SendGrid," a brand of Twilio Inc., 101 Spear Street, 5th Floor, San Francisco, California 94105, USA.
The shipping service provider may use the recipient's data in a pseudonymized form — i.e. without assigning it to a user — to optimize or improve its own services, for example to technically optimize shipping and the presentation of the newsletter or for statistical purposes. The shipping service provider does not use the data of our newsletter recipients to write to them itself or to pass the data on to third parties.
The newsletters contain tracking pixels that are retrieved when the newsletter is opened. Information about the browser, the system used, the IP address, and the time of access are collected. It is also determined whether and when the newsletter was opened and which links were followed. This serves statistical evaluation only and is not used for personal identification.
The legal basis for the use of the service is Article 6(1)(f) GDPR (legitimate interest in the economic operation of our online offering) and, insofar as you have consented to receiving the newsletter, Article 6(1)(a) GDPR.
Twilio is certified under the EU-U.S. Data Privacy Framework. The shipping service provider's privacy policy can be found at: https://www.twilio.com/en-us/legal/privacy
Intercom
To improve the user experience in our applications, we use the Intercom service from Intercom, Inc., 98 Battery Street, Suite 402, San Francisco, CA 94111, USA, to send messages by email and for live chats.
As part of our service agreement with Intercom, we transfer a limited amount of your information (such as email address and sign-up date) to Intercom and use Intercom to analyze the use of our services. Intercom analyzes the use of our services and tracks our customer relationships with the aim of continually improving our offering.
The legal basis for processing is Article 6(1)(f) GDPR (legitimate interest in the economic operation of our online offering).
Further information on data protection at Intercom can be found at: https://www.intercom.com/legal/privacy
11. Integration of Third-Party Services and Content
Based on our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6(1)(f) GDPR), we use content or service offerings from third-party providers in order to integrate their content and services.
This always requires that the third-party providers of this content are aware of the user's IP address, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required to display this content.
YouTube
Videos from the "YouTube" platform of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, are integrated. Privacy policy: https://www.google.com/policies/privacy
Google Fonts
Fonts ("Google Fonts") from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, are integrated. Privacy policy: https://www.google.com/policies/privacy
12. Hosting Services
DigitalOcean
We host some of our systems at DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA. For technical reasons, the infrastructure may be maintained from the USA.
The legal basis for the aforementioned data processing is Article 6(1)(f) GDPR based on our legitimate interest in providing you with the technical infrastructure to offer our products and services.
Further information can be found in the DigitalOcean privacy policy: https://www.digitalocean.com/legal/privacy-policy
Microsoft Azure
We host some of our systems at Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA. For technical reasons, the infrastructure may be maintained from the USA.
The legal basis for the aforementioned data processing is Article 6(1)(f) GDPR based on our legitimate interest in providing you with the technical infrastructure to offer our products and services.
Microsoft is certified under the EU-U.S. Data Privacy Framework. For more information, please see: https://privacy.microsoft.com/en-us/privacystatement
Amazon Web Services
We host some of our systems at Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA ("AWS"). For technical reasons, the infrastructure may be maintained from the USA.
The legal basis for the aforementioned data processing is Article 6(1)(f) GDPR based on our legitimate interest in providing you with the technical infrastructure to offer our products and services.
AWS is certified under the EU-U.S. Data Privacy Framework. For more information, please see: https://aws.amazon.com/compliance/data-privacy/
13. AI and Document Processing Services
OpenAI
We use services from OpenAI, LLC, 3180 18th Street, San Francisco, CA 94110, USA ("OpenAI") for document processing and AI-powered features within our platform. In this context, personal data contained in documents you upload or provide to our platform may be transmitted to OpenAI for processing. This may include, but is not limited to, names, addresses, tax identification numbers, and financial data contained in your documents.
OpenAI processes this data exclusively on our behalf and in accordance with our instructions under a data processing agreement pursuant to Article 28 GDPR. We have contractually ensured that OpenAI does not use your data for training its AI models.
The legal basis for processing is Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(f) GDPR (legitimate interest in efficient document processing). Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are processed, the legal basis is your explicit consent pursuant to Article 9(2)(a) GDPR.
Data transfers to the USA are based on the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses.
Further information can be found in OpenAI's privacy policy at: https://openai.com/policies/privacy-policy
Anthropic
We use services from Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA ("Anthropic") for document processing and AI-powered features within our platform. In this context, personal data contained in documents you upload or provide to our platform may be transmitted to Anthropic for processing. This may include, but is not limited to, names, addresses, tax identification numbers, and financial data contained in your documents.
Anthropic processes this data exclusively on our behalf and in accordance with our instructions under a data processing agreement pursuant to Article 28 GDPR. We have contractually ensured that Anthropic does not use your data for training its AI models.
The legal basis for processing is Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(f) GDPR (legitimate interest in efficient document processing). Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are processed, the legal basis is your explicit consent pursuant to Article 9(2)(a) GDPR.
Data transfers to the USA are based on Standard Contractual Clauses and/or other legally recognized transfer mechanisms pursuant to Articles 44 et seq. GDPR.
Further information can be found in Anthropic's privacy policy at: https://www.anthropic.com/privacy
14. Rights of Data Subjects
You have the following rights:
Right to information (Article 15 GDPR): You may request information about your personal data processed by us, including the purposes of processing, the categories of personal data, the categories of recipients, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to complain, the origin of your data if not collected by us, and the existence of automated decision-making including profiling.
Right to rectification (Article 16 GDPR): You may request the immediate correction of incorrect or incomplete personal data stored by us.
Right to erasure (Article 17 GDPR): You may request the deletion of your personal data stored by us, unless the processing is required to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims.
Right to restriction of processing (Article 18 GDPR): You may request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you refuse its deletion, we no longer need the data but you need it to assert, exercise, or defend legal claims, or you have objected to the processing in accordance with Article 21 GDPR.
Right to data portability (Article 20 GDPR): You may receive your personal data that you have provided to us in a structured, common, and machine-readable format or request that it be transmitted to another controller.
Right to withdraw consent (Article 7(3) GDPR): You may revoke your consent to us at any time. This means that we are no longer permitted to continue the data processing based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint (Article 77 GDPR): You may lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority at your usual place of residence or place of work, or our supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, https://www.datenschutz-berlin.de
15. Right to Object
If your personal data is processed on the basis of legitimate interests in accordance with Article 6(1)(f) GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR, provided there are reasons arising from your particular situation, or the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without requiring you to specify a particular situation.
If you would like to exercise your right of withdrawal or objection, all you need to do is send an email to: compliance@norman.finance
16. Data Security
When you visit our website, we use the common SSL/TLS procedure (Secure Sockets Layer / Transport Layer Security) in conjunction with the highest level of encryption supported by your browser. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the lock symbol in your browser's address bar.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
17. Topicality and Changes to This Privacy Policy
This privacy policy is currently valid as of March 2026. Due to the further development of our website and offerings or due to changed legal or official requirements, it may become necessary to change this privacy policy. You can access and print out the current privacy policy at any time on the website at https://www.norman.finance/privacy-policy.