NordiQ

Privacy Policy

Effective Date: 2025-08-11
Last Updated: 2025-08-11

1. Introduction

Wisteria Inc. ("we", "our", "us") operates the NordiQ platform, which includes NordiQ Archive - your trusted solution for secure, compliant, long-term data protection. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our NordiQ services.

The NordiQ platform is designed exclusively for business-to-business (B2B) enterprise use. While our clients are organizations, this policy also applies to individual users of those organizations who interact with the NordiQ ecosystem.

By accessing or using NordiQ services, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy covers:

  • Information collected through NordiQ Archive - our enterprise-grade secure document management and archiving system with advanced compliance features.
  • Security and authentication data collected to maintain the integrity and compliance of the NordiQ platform.

It does not cover:

  • Websites or services not operated by Wisteria Inc.
  • Links to third-party sites, even if accessed through the NordiQ platform.

2. Data We Collect

2.1 Information You Provide Directly

We collect the following information when you or your organization's administrator set up and use the NordiQ platform:

  • Account details: Name, work email, business phone number, job title, and organization name for secure NordiQ platform access.
  • Login credentials: Passwords are stored securely using industry-standard hashing (bcrypt; see Section 6.2) to protect your NordiQ Archive documents.
  • Two-Factor Authentication (2FA) setup: Security codes, authenticator app details, or hardware token registration ensuring compliance-ready access to NordiQ services.
  • Biometric authentication setup: When enabled, we use your device's native biometric system (e.g., Touch ID, Face ID, Windows Hello). We do not store or process your biometric data — verification occurs locally on your device.

2.2 Information Collected Automatically

When you access our services, we automatically collect certain technical information to maintain security and service integrity:

  • IP address (used for login risk assessment and fraud detection).
  • Device information (browser type, operating system, device type, time zone).
  • Login history (timestamps, successful/failed login attempts).
  • GeoIP location (country and region, derived from IP, for security checks only).

2.3 Trusted Device Cookies

When you successfully log in with 2FA, you may choose to mark your device as "trusted" to reduce the need for repeated 2FA challenges.

  • This cookie contains only a randomly generated identifier linked to your account in our secure database.
  • It does not store personal information such as your name, email, or IP address.
  • It is classified as a strictly necessary cookie and does not require user consent under the ePrivacy Directive.

3. How We Use Your Data

3.1 Authentication and Account Security

We use your personal and technical information to:

  • Authenticate your login using passwords, biometrics (if enabled), and two-factor authentication (2FA).
  • Enforce risk-based 2FA: If you log in from a device or IP address we do not recognize, we may require additional verification.
  • Store a "trusted device" identifier so that returning logins from the same device may not require 2FA.
  • Detect and prevent unauthorized access attempts, fraud, or abuse.

3.2 Service Operation

We process your data to operate, maintain, and improve the NordiQ platform, including:

  • NordiQ Archive: Managing your encrypted documents with enterprise-grade security, ensuring long-term data protection and regulatory compliance.
  • Providing comprehensive audit logs across the NordiQ platform for compliance, security monitoring, and complete traceability.

3.3 Support and Communication

We use your contact details to:

  • Respond to technical support requests.
  • Notify you of security alerts, changes to your account, or service updates.
  • Send operational communications required for the functioning of the service (non-marketing).

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following lawful bases:

Contract Performance (Article 6(1)(b))

We process account information, authentication data, and service usage details to deliver the NordiQ platform services you have contracted us to provide - including NordiQ Archive for secure, compliant document management.

Legitimate Interests (Article 6(1)(f))

We process IP addresses, device information, and "trusted device" identifiers to protect accounts against unauthorized access and fraud. This includes risk-based 2FA: When a login is attempted from an unrecognized IP or device, we may require additional verification to protect your account.

The "trusted device" cookie is considered a strictly necessary cookie under the ePrivacy Directive and does not require prior consent, as it is essential to reduce friction while maintaining security.

Legal Obligations (Article 6(1)(c))

We may process and retain logs or audit trails where required by applicable laws, including data protection, financial reporting, or other regulatory requirements.

Consent (Article 6(1)(a))

We will obtain your consent if we ever process your data for purposes not covered above, such as optional analytics or marketing communications.

5. Data Sharing & Storage

5.1 Data Hosting

Your data is stored on secure servers located in Canada, with backups maintained in the same region. We select hosting providers that comply with applicable data protection laws, including GDPR for EU clients and PIPEDA for Canadian clients.

5.2 Data Transfers

If you are located in the European Union or another jurisdiction with data transfer restrictions, we ensure that any cross-border transfers comply with legal requirements. This may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Hosting within the same region to avoid cross-border transfers where possible.

5.3 Third-Party Service Providers

We may share your data with trusted third-party service providers (subprocessors) who assist us in operating our services, such as:

  • Cloud hosting and infrastructure providers.
  • Authentication and security service providers.
  • Backup and disaster recovery partners.

We only share the minimum data necessary for the service to function, and all subprocessors are contractually bound to comply with our security and privacy requirements.

5.4 No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third parties.

6. Data Retention & Security

6.1 Data Retention

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations. Specifically:

  • Account and authentication data (including trusted device tokens) are retained as long as your account is active and for up to 90 days after your last login to support security features like risk-based 2FA.
  • Audit logs and access records are kept for a minimum of 1 year to meet compliance and troubleshooting needs.
  • When you delete your account or request data removal, we securely erase your personal data within 30 days, except for any data we are required to retain by law.

6.2 Data Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data at rest and in transit using industry-standard protocols (e.g., TLS, AES-256).
  • Secure hashing of passwords using bcrypt.
  • Limiting access to personal data only to authorized personnel with a legitimate need.
  • Regular security audits and penetration testing.
  • Monitoring and logging access attempts to detect suspicious activity.

6.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify you and the relevant data protection authorities promptly, in accordance with applicable laws.
  • Provide information on the nature of the breach, the data affected, and mitigation steps.
  • Take immediate action to contain and remediate the breach.

7. Your Rights & Choices

7.1 Access and Correction

You have the right to request access to the personal data we hold about you and to request correction of any inaccurate or incomplete information. To do so, please contact us using the details provided below.

7.2 Data Portability

Where applicable, you may request a copy of your personal data in a commonly used, machine-readable format. This enables you to transfer your data to another service provider.

7.3 Right to Erasure ("Right to be Forgotten")

You may request the deletion of your personal data, subject to any legal or contractual obligations that require us to retain certain data. Upon such request, we will securely delete your data within a reasonable timeframe.

7.4 Object and Restrict Processing

You have the right to object to or request restriction of the processing of your personal data where applicable under law. We will consider such requests and respond accordingly.

7.5 Withdrawal of Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

7.6 How to Exercise Your Rights

To exercise any of your rights, please contact our Data Protection Officer at:

Email: general@nordiqarchive.com

We will respond to your request within the timeframe required by applicable law.

8. Cookies & Tracking

8.1 Use of Cookies

We use cookies and similar technologies to enhance the security and functionality of NordiQ Apps. The only cookies we deploy are:

Trusted Device Cookies: These contain a randomly generated identifier that helps us recognize devices where you have successfully completed two-factor authentication (2FA). This reduces the frequency of repeated 2FA prompts while maintaining account security.

These cookies are classified as strictly necessary and do not require your consent under applicable privacy laws. We do not use cookies or trackers for marketing, advertising, or analytics by default.

Trusted Device Cookie Details

  • Purpose: To verify whether a device is trusted and reduce the need for repeated 2FA challenges.
  • Type: Strictly necessary, authentication security cookie.
  • Data stored: Random token linked to your account in our secure database.
  • Retention: Up to 90 days, after which you will be prompted to complete 2FA again.
  • Legal basis: Legitimate interest in maintaining the security of our service (Article 6(1)(f) GDPR).

8.2 Managing Cookies

You can manage or delete cookies through your browser settings. However, disabling strictly necessary cookies may impair your ability to use certain security features, including trusted device recognition and 2FA convenience.

9. Contact Information & Updates

9.1 Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer (DPO) at:

Email: general@nordiqarchive.com

We aim to respond to all inquiries promptly and transparently.

9.2 Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of significant changes by email or via the NordiQ Apps platform.

Please review this policy periodically to stay informed of how we protect your data.
