
# Privacy Policy

**Product:** CST+

**Controller:** Martin Nikiforov, a private individual trading as NorppaMedia, of Leksankuja 3, 01700 Vantaa, Finland ("NorppaMedia", "we", "us", "our")

**Effective date:** 27.06.2026

**Canonical location:** <https://legal.norppa.co/cstplus/privacy>

This Privacy Policy explains how NorppaMedia collects and processes personal data when you visit our websites, purchase or activate CST+, or use the CST+ customer panel. It is written to meet the transparency requirements of Articles 12 to 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).

***

### 1. Scope of this Policy

1.1 **What this Policy covers.** This Policy applies where NorppaMedia acts as the controller of personal data, namely for:

(a) visitors to our websites, including norppa.co and legal.norppa.co;

(b) customers who purchase, activate and hold a CST+ License;

(c) users of the CST+ customer panel; and

(d) people who contact us.

1.2 **What this Policy does not cover.** CST+ is self-hosted software. When you, as a customer, operate CST+ on your own systems and process personal data of your own viewers or End Users, you act as the controller of that data and NorppaMedia does not have access to it. That processing is governed by your own privacy notice and, where NorppaMedia acts as your processor, by the Data Processing Agreement at <https://legal.norppa.co/cstplus/dpa>. This Policy does not cover the personal data of your End Users that you process on your installation.

1.3 We have not appointed a Data Protection Officer, as we are not required to do so. Our data protection contact details are in Section 14.

***

### 2. The personal data we process

2.1 **Account and customer data.** Name, email address and, for business customers, company name, billing address and VAT identifier where provided; your login credentials for the customer panel (passwords are stored only in hashed form); and your support and contact history.

2.2 **Payment and billing data.** When you purchase a License, payment is processed by our payment provider Stripe. Stripe collects and processes your card or payment details directly. We receive limited billing data such as confirmation of payment, the last digits and type of the payment method, billing country and invoice records. We do not store full card numbers.

2.3 **License activation and validation data.** To issue and validate Licenses, we process your License Key, the hardware fingerprint (HWID) of your installation, a derived non-reversible installation fingerprint, the product version, the network (IP) address from which activation or validation requests are made, your plan, and activation, validation and hardware reset events. The Software contacts our licensing service periodically while it runs; we keep a log of these validation events with timestamps as described in Section 8.

2.4 **Anti-piracy and abuse detection data.** To enforce the per-License limits and detect License sharing, our licensing service records the network (IP) addresses and the derived installation fingerprint from which a License Key is activated or validated within a short rolling time window, and the count of distinct addresses. These records are kept only for the rolling window described in Section 8 and are then removed. To trace unauthorised or leaked copies, the Software may also embed a non-reversible pseudonymous fingerprint, derived from your License and installation, in the Software and in the streams it serves.

2.5 **Customer panel usage data.** Login events, session identifiers, and use of self-service functions such as hardware reset.

2.6 **Website and technical data.** When you visit our websites we process your IP address, device and browser information, pages viewed, referring pages, and cookie and analytics identifiers as described in Section 5. Content and downloads are delivered through a content delivery network, which processes connection data such as IP addresses to deliver the requested files.

2.7 **Communications data.** The content of emails and messages you send to us, including to <legal@norppa.co> and <abuse@norppa.co>, and our replies.

***

### 3. Where the data comes from

3.1 We collect personal data:

(a) **directly from you**, when you create an account, purchase a License, use the customer panel, or contact us;

(b) **automatically**, when the Software contacts our licensing service for activation and validation, and when you visit our websites, through server logs, cookies and analytics; and

(c) **from third parties**, namely our payment provider, which confirms your payment and provides limited billing data.

***

### 4. Purposes and legal bases

4.1 We process personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

(a) **To provide and administer the Software and your License**, including account creation, activation, the customer panel and support. Legal basis: performance of a contract with you, Article 6(1)(b), or, where you are not the contracting party, our legitimate interests in providing the service, Article 6(1)(f).

(b) **To process payments and keep accounting records.** Legal basis: performance of a contract, Article 6(1)(b), and compliance with our legal obligations such as accounting and tax law, Article 6(1)(c).

(c) **To validate Licenses, prevent unauthorised use, detect License sharing, verify software integrity and protect against piracy and abuse.** Legal basis: our legitimate interests in protecting the Software and our business against unauthorised use and fraud, Article 6(1)(f). We have balanced these interests against your rights and limited the data and retention to what is necessary.

(d) **To secure our systems and prevent and investigate security incidents and misuse.** Legal basis: our legitimate interests in security, Article 6(1)(f), and legal obligations where applicable, Article 6(1)(c).

(e) **To communicate with you** about your account, activation, billing, security and service matters (transactional messages). Legal basis: performance of a contract, Article 6(1)(b), or our legitimate interests, Article 6(1)(f). We do not send marketing email.

(f) **To operate and improve our websites, including analytics.** Legal basis: your consent for non-essential cookies and analytics, Article 6(1)(a), and our legitimate interests for strictly necessary website operation, Article 6(1)(f).

(g) **To comply with law and to establish, exercise or defend legal claims**, including responding to lawful requests and to infringement notices. Legal basis: legal obligation, Article 6(1)(c), and legitimate interests, Article 6(1)(f).

***

### 5. Cookies and analytics

5.1 Our websites use strictly necessary cookies that are required for the site and customer panel to function, including your login session and security. These do not require consent.

5.2 Our websites also use analytics provided by Google Analytics, which sets cookies and processes online identifiers such as your IP address and device data to help us understand site usage. Analytics and other non-essential cookies are used only with your consent, which you can give or decline through our cookie banner and withdraw at any time.

5.3 Cookies are governed in Finland by the Act on Electronic Communications Services (Sähköisen viestinnän palvelulaki 917/2014) and by the GDPR. Full details of the cookies we use are in our Cookies Policy at <https://legal.norppa.co/cstplus/cookies>.

***

### 6. Recipients and sub-processors

6.1 We share personal data only with service providers that process it on our behalf or that are necessary to provide the service. Our main recipients are:

(a) **Supabase**, database and authentication services, hosted in **Ireland**;

(b) **Hetzner**, compute and server infrastructure, hosted in **Germany**;

(c) our **website and customer panel hosting** provider, located in **Luxembourg**;

(d) **Bunny CDN**, content delivery for our websites and downloads, served from **Germany**;

(e) **Stripe**, payment processing;

(f) **Google**, website analytics.

6.2 We may also disclose personal data to professional advisers, and to public authorities, courts or rights holders where required or permitted by law, including in response to valid legal requests and infringement notices.

6.3 We do not sell personal data.

***

### 7. International transfers

7.1 The infrastructure used to run CST+ and the customer panel is located within the European Economic Area (Ireland, Germany and Luxembourg), so that data stays within the EEA.

7.2 Two of our providers, Stripe and Google, may process personal data outside the EEA, including in the United States. Where this happens, the transfer is protected by appropriate safeguards under Chapter V of the GDPR, namely the European Union and United States Data Privacy Framework where the recipient is certified, and the European Commission's Standard Contractual Clauses as an additional or alternative safeguard. You can ask us for more information about these safeguards using the contact details in Section 14.

***

### 8. Retention

8.1 We keep personal data only for as long as necessary for the purposes set out in this Policy, and then delete or anonymise it.

8.2 Indicative retention periods:

(a) **Account and customer data:** for the duration of your relationship with us, and afterwards as needed to handle queries or claims.

(b) **Accounting and invoice records:** for the period required by Finnish accounting and tax law, which is generally up to six years.

(c) **License activation and validation records, including the validation event log:** for the duration of the License and for a reasonable period afterwards, normally up to twelve months.

(d) **Anti-piracy and sharing detection records:** only for the rolling detection window, which is twenty-four hours, after which the records are removed.

(e) **Website and security logs:** normally up to twelve months.

(f) **Analytics data:** for the period set in the analytics tool, subject to your consent.

(g) **Communications and support records:** normally up to twenty-four months after the matter is closed.

(h) **Cookie consent records:** for as long as needed to evidence consent, normally up to twelve months.

***

### 9. Automated processing and License enforcement

9.1 In order to enforce License terms and prevent piracy, the Software and our licensing service carry out automated processing. This includes automated validation of your License, automated detection of activation of a License Key from an excessive number of distinct network addresses within the rolling window, and automated integrity (anti-tamper) verification. Where these checks fail, the Software may be automatically limited, suspended or disabled, including by stopping running streams or channels.

9.2 This processing is rule-based and does not involve profiling using artificial intelligence. It is necessary for the performance of the contract and for our legitimate interest in preventing unauthorised use. Where an automated measure significantly affects you, you have the right to obtain human intervention, to express your point of view and to contest the decision by contacting us using the details in Section 14. We will review the matter and respond.

9.3 **Temporary account hold.** Where we receive a complaint about your use of the Software, such as a copyright (DMCA) or abuse complaint, we may place your account on a temporary hold pending review. During a hold the Software continues to operate and your channels keep running; the panel shows a notice asking you to resolve the matter through your account portal, normally within twenty-four hours. If the matter is not resolved, we may then suspend the License as described in 9.1. Legal basis: our legitimate interests in protecting the Software and third-party rights, Article 6(1)(f), and compliance with legal obligations, Article 6(1)(c). The right to human intervention in 9.2 applies.

***

### 10. Your rights

10.1 Subject to the conditions in the GDPR, you have the right to:

(a) **access** the personal data we hold about you and obtain a copy;

(b) **rectification** of inaccurate or incomplete data;

(c) **erasure** of your data in certain circumstances;

(d) **restriction** of processing in certain circumstances;

(e) **data portability**, to receive certain data in a structured, commonly used, machine-readable format;

(f) **object** to processing based on our legitimate interests, on grounds relating to your particular situation;

(g) **withdraw consent** at any time where we rely on consent, such as for analytics cookies, without affecting processing already carried out; and

(h) **lodge a complaint** with a supervisory authority, as set out in Section 14.

10.2 We will respond to rights requests without undue delay and within the time limits set by the GDPR. We may need to verify your identity before acting on a request.

***

### 11. Security

11.1 We apply technical and organisational measures appropriate to the risk, including encryption of credentials (passwords are stored only in hashed form), signed and integrity-verified software, authenticated and rate-limited access to services, transport security, and access controls. No method of transmission or storage is completely secure, but we work to protect personal data against unauthorised access, loss or misuse.

***

### 12. Children

12.1 CST+ is a commercial product intended for use by businesses and by adults. It is not directed to children, and we do not knowingly collect personal data from anyone under the age of eighteen. If you believe a child has provided us with personal data, contact us and we will delete it.

***

### 13. Changes to this Policy

13.1 We may update this Policy from time to time. The current version is always available at <https://legal.norppa.co/cstplus/privacy>. For material changes we will take reasonable steps to notify you, for example through the customer panel or by email. The effective date at the top shows when the Policy was last updated.

***

### 14. Contact and complaints

14.1 For any privacy question or to exercise your rights, contact:

**Martin Nikiforov, trading as NorppaMedia**

Leksankuja 3, 01700 Vantaa, Finland

Email: <legal@norppa.co> (subject line: "CST+")

14.2 You also have the right to lodge a complaint with a data protection supervisory authority. In Finland, this is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), website <https://tietosuoja.fi>, postal address P.O. Box 800, FI-00531 Helsinki. If you are in another country of the European Economic Area, you may also contact the supervisory authority of your country of residence.

***

*This document is the Privacy Policy for CST+, a product of NorppaMedia. Effective 27.06.2026.*

