Who we are and scope
NORTIQ Ai Corp. ("NORTIQ", "we", "us") provides the NORTIQ GTM OS platform, applications, websites, APIs, custom GPTs and other AI assistants, GPT actions and integrations, consulting, implementation, advisory, training, workshops, coaching, support, and related services (collectively, the "Services").
This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information in connection with the Services. It applies to information we collect through our websites, applications, platform, direct interactions with you, professional services engagements, and any custom GPT, GPT action, API, connector, or integration that sends information to NORTIQ-controlled systems.
Some Services may be delivered through third-party platforms, such as ChatGPT or other AI platforms. When you use those third-party platforms, their own terms, privacy policies, account settings, and data controls also apply. NORTIQ does not control those third-party platforms' independent collection, use, retention, security, or model-training practices, except where we have a direct contractual relationship with the platform provider for NORTIQ's own business use.
Relationship to our Terms
Your use of the Services is governed by the NORTIQ GTM OS Terms of Service (the "Terms"). If this Privacy Policy conflicts with Section 7 (Data Processing and Security) of the Terms, Section 7 controls.
Additional terms may apply to specific Services, including statements of work, order forms, data processing agreements, coaching agreements, consulting agreements, workshop terms, acceptable use rules, or third-party platform terms.
Roles: controller vs. processor
Our privacy role depends on the Service and the context.
| Service or context | NORTIQ role | Customer or user role |
|---|---|---|
| Enterprise use of the NORTIQ GTM OS platform | Processor/service provider for Customer Personal Data in Customer Content | Customer is controller/business |
| Direct or self-serve use not provisioned by an organization | Controller/business | User is the individual data subject |
| Consulting, implementation, training, workshops, advisory, or support services for an organization | Processor/service provider for personal information processed on Customer's documented instructions; independent controller for NORTIQ business relationship, billing, contracting, compliance, and internal administration data | Customer is generally controller/business for participant, employee, prospect, client, or business data it provides |
| Individual coaching or consulting purchased directly by an individual | Controller/business | Individual is the data subject |
| Custom GPTs made available inside a third-party AI platform without a NORTIQ action/API | NORTIQ generally does not receive individual conversation content unless you separately submit it to us, export/share it with us, or the platform provides it to us under applicable settings | Third-party platform processes platform-side account and conversation data under its own terms |
| Custom GPTs, GPT actions, APIs, connectors, or integrations that send data to NORTIQ | Controller or processor depending on whether the data is submitted by an enterprise Customer or a direct user | Customer/user controls what is authorized to be sent |
Information we collect
We collect only what is reasonably necessary for the Services, including the categories below.
Platform and application content
Content you submit through the Services, including uploads, prompts, chat messages, files, workflow data, CRM or sales information, knowledge-base materials, and, if enabled, recordings or transcripts.
Custom GPT and GPT action data
If you use a NORTIQ custom GPT, GPT action, API, app, connector, or integration that sends information to NORTIQ, we may receive the information you authorize or cause to be sent, such as prompt content, action inputs, action outputs, files, URLs, business data, and technical logs.
Professional services and coaching data
Information provided or generated in consulting, coaching, implementation, advisory, training, workshops, or support, including intake forms, goals, business context, participant information, notes, feedback, session materials, deliverables, meeting recordings, transcripts, and communications.
Account and authentication data
The minimum information needed to create, administer, and secure accounts and workspaces, such as business email, name, organization, role, password hash, SSO ID, authentication logs, and administrative settings.
Business contact, marketing, and communications data
Information you provide when you contact us, book a meeting, request a demo, register for training, subscribe to communications, respond to surveys, interact with our website or marketing, or otherwise communicate with us.
Payment and transaction data
Billing and subscription information processed by our payment provider. We do not store full payment card numbers.
Website, device, cookie, and analytics data
Technical and usage information such as IP address, device/browser type, pages visited, referring URLs, session events, cookie identifiers, and similar analytics, security, or operational data.
Operational, security, diagnostic, and audit logs
Short-lived or limited-retention technical records used for routing, abuse prevention, fraud prevention, security, reliability, debugging, audit, and incident response.
Sensitive information
We do not intentionally collect sensitive personal information unless it is necessary for a specific Service and permitted by applicable law. Users should not submit health, biometric, children's, government ID, financial account, union, precise location, or other sensitive information unless authorized by their organization and necessary for the applicable Service. If a Customer enables features that could capture sensitive information, the Customer is responsible for ensuring lawful collection and use.
Customer Content and human access
For enterprise platform deployments, human access to Customer Content is disabled by default and permitted only: (i) if the Customer asks us to access specific items to resolve a support issue, (ii) to investigate or remediate a security incident, or (iii) if required by law. Such access is restricted and logged.
For consulting, implementation, advisory, training, workshops, coaching, support, and other professional services, authorized NORTIQ personnel and approved service providers may access information you intentionally provide to deliver the engagement, prepare deliverables, provide coaching or advisory support, document decisions, and administer the relationship. Such access is limited to personnel with a business need and subject to confidentiality and security controls.
How we use information
We use information to:
- provide, operate, configure, secure, support, and improve the Services;
- generate AI-assisted outputs, recommendations, coaching materials, implementation support, analyses, workflows, and deliverables at your or your organization's direction;
- administer accounts, subscriptions, billing, authentication, workspaces, customer relationships, and professional services engagements;
- provide consulting, coaching, workshops, training, onboarding, implementation, advisory, and support;
- communicate with you about the Services, meetings, security, product updates, professional services, and administrative matters;
- send marketing communications where permitted by law and your preferences;
- monitor, prevent, detect, and investigate abuse, fraud, security incidents, service misuse, and legal violations;
- comply with law, enforce agreements, maintain audit logs, and protect rights, safety, and property; and
- create aggregated or de-identified information for analytics, benchmarking, reporting, product improvement, and business planning, where reasonably designed not to identify an individual or Customer.
No training on Customer Content by default
We do not use Customer Content, Professional Services Content, or Custom GPT Data to train public or shared AI models without the Customer's or user's express agreement.
We may use aggregated, de-identified, or non-identifying operational information to understand, secure, and improve the Services.
When you use a third-party AI platform, that platform's own data-use and training settings may apply to information processed by that platform.
Custom GPTs and third-party AI platforms
NORTIQ may make custom GPTs, GPT actions, AI assistants, or related tools available through third-party AI platforms, including ChatGPT, or through NORTIQ-controlled applications and APIs.
Third-party platform processing
When you access a NORTIQ custom GPT through a third-party AI platform, that platform may process your account information, prompts, files, outputs, usage data, and other information under its own terms, privacy policy, and data controls. NORTIQ does not control the third-party platform's independent processing, model-training settings, retention, security, or user-account controls.
Conversation visibility
Unless a GPT uses an action, app, API, connector, or other mechanism that sends information to NORTIQ, NORTIQ generally does not receive individual conversation content from your interactions with a custom GPT on the third-party platform.
GPT actions, apps, APIs, and connectors
If a NORTIQ custom GPT uses an action, app, API, connector, or integration, relevant parts of your input, files, or request may be sent to NORTIQ or another third-party service to complete the requested function. Information received by NORTIQ-controlled systems is processed under this Privacy Policy and applicable agreements. Information received by other third parties is governed by their privacy terms.
User responsibility
Do not submit confidential, regulated, sensitive, or third-party personal information to a custom GPT unless you are authorized to do so and the applicable Customer has approved that use case. Customers are responsible for configuring access, user permissions, notices, consents, and usage restrictions for organization-sponsored use.
Consulting, coaching, workshops, training, and professional services
When we provide consulting, coaching, implementation, workshops, training, advisory, or support services, we may collect and process information you or your organization provide before, during, and after the engagement. This may include intake information, business goals, sales or go-to-market data, participant names and roles, communications, workshop outputs, coaching notes, assessments, session summaries, deliverables, recordings, transcripts, and follow-up action items.
For organization-sponsored services, the Customer is responsible for providing appropriate notices and obtaining required consents from participants. Unless otherwise agreed, NORTIQ may share engagement-level deliverables, attendance information, implementation outputs, and administrative status with the sponsoring Customer.
NORTIQ will not share private one-on-one coaching notes with the sponsoring Customer except as agreed in the applicable statement of work, with the participant's consent, as required by law, or where necessary to address security, safety, legal, or contractual issues.
Professional Services Content is used to deliver the engagement, prepare deliverables, provide coaching or advisory support, improve engagement quality, administer the relationship, comply with law, and enforce our agreements. Access is limited to authorized NORTIQ personnel and approved service providers with a need to know.
AI and automated processing
The Services use automated systems, including AI models, to generate outputs, summaries, recommendations, classifications, coaching prompts, workflow suggestions, business analyses, and other content from the information provided.
AI outputs may be inaccurate, incomplete, outdated, biased, or unsuitable for a particular purpose. Users must review outputs before relying on them.
NORTIQ does not make decisions with legal or similarly significant effects about individuals based solely on automated processing. Customers must not use AI outputs as the sole basis for employment, hiring, promotion, compensation, discipline, termination, credit, housing, insurance, legal, medical, or other consequential decisions.
Where required by applicable law, we will provide information about automated processing features and assist Customers in responding to requests about automated processing.
Recording and transcription
The Services may include recording, transcription, or analysis of meetings, calls, workshops, demos, coaching sessions, or communications.
Customer-enabled product recordings
If a Customer enables recording, transcription, or analysis within the platform, the Customer is responsible for all required notices, consents, lawful bases, and retention settings, including all-party consent where applicable.
NORTIQ-led professional services recordings
For consulting, coaching, workshops, training, implementation, advisory, or support sessions, NORTIQ will provide notice before recording where required and will obtain consent where required by law or contract. Participants may be offered a non-recorded alternative where reasonably available.
Unless otherwise configured or agreed:
- recordings and raw transcripts are retained for 30 days, then deleted from active systems;
- session notes, summaries, action items, and deliverables may be retained for the engagement term and a limited period thereafter for support, continuity, audit, legal, and business-record purposes; and
- security, diagnostic, and audit logs may be retained as described in this Privacy Policy.
Cookies, analytics, and marketing communications
We may use cookies, pixels, SDKs, local storage, analytics tools, and similar technologies to operate our websites and Services, remember preferences, secure accounts, understand usage, improve performance, and measure marketing effectiveness.
Where required, we will provide cookie notices and choices. If we use advertising or retargeting technologies that constitute "sale", "sharing", or targeted advertising under applicable law, we will provide required disclosures and opt-out mechanisms.
We may send commercial electronic messages where permitted by law, including where we have consent or an existing business relationship. You may opt out of non-transactional communications using the unsubscribe mechanism in our messages.
No sale/share for ads
We do not sell personal information and do not share it for cross-context behavioral advertising unless expressly stated in this Privacy Policy and accompanied by required opt-out rights.
How we share information
We do not sell personal information. We share information only as described below.
Service providers and subprocessors
We share information with service providers/subprocessors we select for hosting, storage, security, support, payments, communications, analytics, document processing, AI inference, and other functions necessary to provide and operate the Services.
Customers and workspace administrators
For enterprise or organization-sponsored Services, we may share information with the Customer and its authorized administrators as directed by the Customer or as necessary to provide, secure, administer, and support the Services.
Engagement sponsors
For organization-sponsored consulting, coaching, workshops, training, advisory, implementation, or support, we may share agreed engagement deliverables, implementation outputs, attendance, administrative status, and other information described in the applicable statement of work.
AI platform and GPT providers
Where you access a NORTIQ custom GPT or AI assistant through a third-party platform, the platform provider may process your information under its own terms and privacy policy. Where a GPT action, API, app, or connector sends information to NORTIQ or a third-party service, that information is shared as necessary to complete the requested action.
Conferencing, calendar, communications, document, CRM, analytics, and professional services tools
We may use service providers to schedule meetings, host calls, transcribe sessions, manage documents, communicate with you, provide support, administer engagements, and operate our business.
Other participants
If you submit information in a shared workspace, workshop, channel, meeting, or collaborative setting, it may be visible to other authorized participants.
Professional advisors
We may share information with legal, accounting, insurance, security, and other professional advisors under confidentiality obligations.
Authorities and legal process
We may disclose information to authorities or other parties when required by law or where necessary to protect rights, safety, property, security, or the integrity of the Services.
Business transactions
We may disclose information to successors or prospective successors in a merger, acquisition, financing, reorganization, asset sale, or similar transaction, subject to protections consistent with this Privacy Policy.
Subprocessors and model/hosting choice
NORTIQ selects its infrastructure, AI/LLM providers, and subprocessors. We maintain the current list in Annex A to this Privacy Policy. We may update Annex A from time to time. Posting an updated Annex A with a revised "Last updated" date constitutes notice of any new or replacement subprocessor. Objections and the sole remedy are handled under the Terms.
International data transfers
We may process information in Canada, the United States, and other countries where we or our subprocessors operate. Where required, we implement appropriate safeguards for cross-border transfers, such as contractual safeguards, standard contractual clauses, transfer assessments, or analogous mechanisms.
Retention
We retain personal information only as long as needed for the purposes described in this Privacy Policy, as configured by the Customer, or as required by law.
| Data category | Default retention |
|---|---|
| Chat/prompt/output history in the NORTIQ application | 30 days unless Customer configures otherwise |
| Custom GPT action/API payloads received by NORTIQ | 30 days unless needed for the requested action, security, support, audit, or a Customer-configured retention period |
| Recordings/raw transcripts from product features | 30 days unless Customer configures otherwise |
| NORTIQ-led coaching/consulting recordings/raw transcripts | 30 days unless a longer period is agreed or required |
| Session notes, summaries, action items, and professional services deliverables | Engagement term plus a limited business-record period |
| Support tickets and communications | As needed to provide support, maintain records, and resolve disputes |
| Security, diagnostic, and audit logs | Up to 12 months unless needed for security, legal, or compliance purposes |
| Account, billing, tax, and contract records | Subscription/engagement term plus legally required recordkeeping period |
| Marketing leads and preferences | Until no longer needed, consent is withdrawn, or deletion is requested, subject to legal exceptions |
| Encrypted backups | Limited backup cycle before secure deletion |
Encrypted backups may persist for a limited cycle before being securely deleted.
Security and access controls
We maintain administrative, technical, and organizational measures designed to protect information, including encryption in transit and at rest, role-based access controls, logging/monitoring, vulnerability management, and incident response.
Human access to enterprise Customer Content is disabled by default and allowed only under the narrow circumstances described above and is logged. Professional services access is limited to authorized personnel and approved providers with a need to know.
No method of transmission or storage is perfectly secure.
Your rights and choices
Enterprise deployments
Submit privacy requests, including access, deletion, correction, portability, objection, or restriction requests, to your organization, which is the controller/business. We assist the controller as described in the Terms and any applicable data processing agreement.
Direct/self-serve users
Contact us using the details below. We will verify your identity and respond within applicable timelines.
Communications
You may opt out of non-transactional emails using the unsubscribe link. Transactional, security, legal, and service-related messages may still be sent where necessary.
Do Not Sell/Share
We do not sell personal information or share it for cross-context behavioral advertising unless expressly stated in this Privacy Policy and accompanied by required opt-out rights.
California notice at collection
This section applies where the California Consumer Privacy Act, as amended, applies to NORTIQ or where we provide this notice voluntarily for transparency.
Categories collected
We may collect identifiers; business contact data; account and authentication data; commercial and billing information; internet, device, cookie, analytics, and usage data; Customer Content; Custom GPT Data; Professional Services Content; audio/video recordings and transcripts where enabled or consented to; support and communications data; inferences, summaries, scores, recommendations, or outputs generated from the Services; and sensitive personal information only if provided by you or your organization and necessary for the Services.
Purposes
We collect and use information for providing, securing, supporting, personalizing, and improving the Services; generating outputs and deliverables; administering accounts and engagements; billing; communications; marketing where permitted; security; legal compliance; and enforcing agreements.
Retention
Retention is described in the Retention section above.
Disclosure
We may disclose information to service providers, subprocessors, AI platform providers, professional advisors, Customers/workspace administrators, engagement sponsors as agreed, authorities where required, and transaction successors.
Sale/share
We do not sell personal information or share it for cross-context behavioral advertising unless expressly stated in this Privacy Policy and accompanied by required opt-out rights.
Sensitive personal information
We do not seek sensitive personal information and use it only to provide the Services, comply with law, ensure security, or for other permitted purposes. We do not use sensitive personal information to infer characteristics except as permitted by law and necessary for the Services.
Canada-specific disclosures
We rely on consent, contractual necessity, legitimate business purposes recognized under applicable law, legal compliance, or another lawful basis under PIPEDA and applicable provincial privacy laws.
For enterprise and organization-sponsored Services, the Customer is responsible for providing required notices and obtaining required consents from its users, employees, participants, prospects, customers, and other individuals whose information is submitted to the Services.
NORTIQ maintains safeguards, breach-response processes, and breach records. Where required, we will notify Customers, regulators, and/or affected individuals of privacy or security incidents.
Québec Law 25
Where Québec privacy law applies, NORTIQ will support required transparency, confidentiality-incident, privacy-impact-assessment, cross-border-transfer, automated-processing, and access/rectification obligations as applicable to the Service and our role. Customers remain responsible for determining when a Québec privacy impact assessment is required for their deployment or use case.
Children's privacy
The Services are not directed to individuals under 16. We do not knowingly collect personal information from children.
Third-party services and links
The Services may link to or interoperate with third-party services. Their practices are governed by their own privacy statements, terms, and controls.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated Privacy Policy with the "Last updated" date and, where required, provide additional notice.
Contact
NORTIQ Ai Corp.
Oakville, ON
privacy@nortiq.ai
Definitions
"Business Contact Data" means name, business email, organization, role/title, contact details, meeting information, communications, marketing preferences, and relationship history relating to customers, prospects, partners, suppliers, and professional contacts.
"Customer Content" means information submitted to the Services by or for a Customer, including uploads, prompts, chat messages, files, workflow data, and, if enabled, recordings/transcripts.
"Customer Personal Data" means personal information in Customer Content that we process on behalf of a Customer.
"Custom GPT Data" means prompts, inputs, files, outputs, metadata, API payloads, action requests, action responses, or other information that is submitted to or generated by a NORTIQ custom GPT, GPT action, API, app, connector, or integration and that is received by NORTIQ-controlled systems.
"Professional Services Content" means information, documents, recordings, transcripts, notes, messages, worksheets, business plans, sales materials, CRM exports, strategy documents, workshop materials, coaching goals, assessments, feedback, and other content provided to or generated with NORTIQ in connection with consulting, implementation, advisory, training, workshops, coaching, support, or other professional services.
"Process" and related terms follow applicable privacy law definitions.
"Service Data" means account, billing, authentication, device, usage, diagnostic, security, audit, support, communications, and operational data used to provide, administer, secure, improve, or support the Services.
Annex A - Current Subprocessors and Infrastructure Providers
Last updated: June 2, 2026
How we update this Annex
This Annex forms part of the NORTIQ Privacy Policy and is referenced by the Terms. Posting an updated Annex with a new "Last updated" date constitutes notice of any new or replacement subprocessor.
If your organization objects on reasonable data-protection grounds to a newly added subprocessor, the sole remedy is to terminate the affected service or feature within thirty (30) days after this Annex is posted, as described in the Terms.
NORTIQ selects and may change infrastructure, AI models, and subprocessors in its discretion while meeting the commitments in the Terms and this Privacy Policy. Customers cannot require specific providers or regions unless expressly agreed in writing.
How to read this Annex
"Core subprocessors" are vendors NORTIQ engages to host, store, or process Customer Content, Custom GPT Data, Professional Services Content, or Service Data to operate the Services.
"Professional services providers" are vendors NORTIQ may use to schedule, deliver, record, transcribe, document, administer, or support consulting, coaching, workshops, implementation, advisory, or training services.
"Optional customer-enabled connectors" are third-party tools you connect or authorize, such as identity providers, conferencing tools, CRM systems, collaboration tools, or customer-authorized GPT actions and integrations. Those are not NORTIQ subprocessors unless NORTIQ separately engages them to process information for NORTIQ.
"Data types processed" reflects our minimal-collection posture: content you upload or enter in chat; Custom GPT Data received by NORTIQ-controlled systems; Professional Services Content you intentionally provide; and strictly necessary account, billing, support, security, and operational data.
For custom GPTs accessed through a third-party AI platform, the platform provider may process information under its own terms and privacy policy. Where a GPT action, API, app, or connector sends information to NORTIQ-controlled systems, NORTIQ processes that information under the Privacy Policy, the Terms, and any applicable data processing agreement.
A.1 Core subprocessors and infrastructure providers
Amazon Web Services, Inc. (AWS)
Category/purpose: Cloud infrastructure, including compute, storage, and managed databases.
Data types processed: Customer Content; Custom GPT Data if routed to NORTIQ systems; Professional Services Content if stored in NORTIQ systems; Service Data including logs and metadata.
Regions actually used: Canada (ca-central-1).
Retention at vendor: Follows NORTIQ's retention configuration for Customer Content and related data; default 30-day purge for chat/prompts and recordings/transcripts unless Customer configures otherwise; logs approximately 30 days; automated RDS backups retained 7 days.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: No.
Security attestations and encryption: SOC 2; ISO 27001; encryption in transit and at rest.
NORTIQ system(s)/owner: Core platform infrastructure; primary database; vector store; document storage.
Stripe, Inc.
Category/purpose: Payment processing and billing.
Data types processed: Service Data including payment details and transaction metadata; no Customer Content.
Regions actually used: Stripe global infrastructure; region not pinned in application code.
Retention at vendor: Per Stripe's standard retention policies for financial/compliance records.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: No.
Security attestations and encryption: PCI-DSS; SOC 1; SOC 2; encryption in transit and at rest.
NORTIQ system(s)/owner: Billing and subscription management.
Twilio Inc. (SendGrid)
Category/purpose: Transactional and notification email delivery.
Data types processed: Email content such as OTPs and notifications; Service Data including email metadata and delivery logs.
Regions actually used: Vendor-hosted; region not set in application code.
Retention at vendor: Email content generally transient; delivery logs retained per SendGrid defaults.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: No.
Security attestations and encryption: SOC 2; TLS encryption.
NORTIQ system(s)/owner: Authentication emails; system notifications.
OpenAI, L.L.C.
Category/purpose: AI inference, including Responses API and embeddings.
Data types processed: Customer Content; Custom GPT Data if routed to NORTIQ systems or through NORTIQ-configured API workflows; Service Data.
Regions actually used: OpenAI API infrastructure; no region pinning in application code.
Retention at vendor: Transient processing per OpenAI API policies, unless otherwise configured or agreed.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: No, unless expressly agreed or enabled by an authorized Customer/user.
Security attestations and encryption: SOC 2; encryption in transit and at rest.
NORTIQ system(s)/owner: Coaching Agent; Lead Enrichment; custom GPT/API workflows where applicable.
LlamaIndex, Inc. (LlamaParse)
Category/purpose: Document parsing for complex PDFs and knowledge-base ingestion.
Data types processed: Customer Content; Custom GPT Data if submitted for parsing through a NORTIQ workflow; Service Data.
Regions actually used: Vendor-hosted; region not configured in application code.
Retention at vendor: Transient parsing only.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: No.
Security attestations and encryption: TLS encryption; formal attestations not recorded.
NORTIQ system(s)/owner: Knowledge Base ingestion.
Firecrawl
Category/purpose: Website crawling for company and market intelligence.
Data types processed: Service Data including target URLs and crawl results; no Customer Content when used for public-web crawling.
Regions actually used: Vendor-hosted; region not set.
Retention at vendor: Per vendor defaults; not persisted in NORTIQ systems unless incorporated into a Service output.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: Not applicable for public-web crawling.
Security attestations and encryption: TLS encryption; formal attestations not recorded.
NORTIQ system(s)/owner: Lead Enrichment.
Google LLC (Google Custom Search)
Category/purpose: Web search and LinkedIn discovery.
Data types processed: Service Data including search queries; no Customer Content when used for public-web search.
Regions actually used: Google global infrastructure.
Retention at vendor: Per Google service logging policies.
Training on Customer Content, Custom GPT Data, or Professional Services Content for public/shared models: Not applicable for public-web search.
Security attestations and encryption: SOC 2; ISO 27001; TLS encryption.
NORTIQ system(s)/owner: Lead Enrichment.
A.2 Professional services providers
NORTIQ may use professional services tools to schedule, deliver, record, transcribe, document, administer, or support consulting, coaching, workshops, training, implementation, advisory, and support services.
Examples may include conferencing tools, calendar tools, document collaboration platforms, CRM systems, support tools, transcription tools, survey/form tools, email tools, and project management tools.
Before listing a vendor by name in this section, verify that NORTIQ actually uses the vendor and record:
- category/purpose;
- data types processed;
- regions actually used, if known;
- retention at vendor, if known;
- whether the vendor trains public/shared AI models on NORTIQ content;
- security attestations and encryption, if known;
- NORTIQ system or business owner.
Do not insert unverified vendor names into this public Annex.
A.3 AI platform providers for custom GPTs and AI assistants
NORTIQ may make custom GPTs or AI assistants available through third-party AI platforms. Where a user accesses a NORTIQ custom GPT inside a third-party AI platform, the platform provider may process information under its own terms, privacy policy, and data controls.
Where the GPT uses an action, API, app, connector, or integration that sends data to NORTIQ-controlled systems, NORTIQ processes the data received by NORTIQ under this Privacy Policy and applicable agreements.
If NORTIQ publishes public custom GPTs or GPTs with actions, make sure each GPT configuration includes the current Privacy Policy URL required by the relevant platform.
A.4 Optional customer-enabled connectors
Optional customer-enabled connectors are third-party tools authorized, connected, or configured by a Customer or user. These may include:
- identity and single sign-on, such as Google Workspace or Microsoft Entra ID;
- conferencing and communications, such as Google Meet, Microsoft Teams, or Zoom;
- CRM and RevOps systems, such as Salesforce or HubSpot;
- collaboration tools, such as Slack;
- customer-authorized GPT actions, APIs, apps, connectors, or workflow automations.
These optional customer-enabled connectors are not NORTIQ subprocessors unless NORTIQ separately engages them to process information for NORTIQ. Their processing is governed by the Customer's or user's own agreement with the third-party provider.