Privacy Policy
Last updated: 1 January 2026
1. Introduction
NordenVault ("we", "us", "our") is committed to protecting the privacy of our customers and website visitors. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services.
NordenVault operates under Norwegian law and complies with the General Data Protection Regulation (GDPR) as implemented in Norway through the Personal Data Act (Personopplysningsloven).
2. Data Controller
NordenVault AS is the data controller for personal data collected through our website and account management systems. For customer backup data stored on our platform, NordenVault acts as a data processor on behalf of the customer (data controller).
Contact: contact@nordenvault.com
3. Information We Collect
Account Information
When you create an account, we collect your name, email address, organisation name, and billing information. This information is necessary to provide the Service and manage your account.
Usage Data
We collect data about how you use the Service, including login times, dashboard activity, API usage, storage utilisation, and backup source activity. This data is used to provide the Service, improve performance, and generate usage reports for your account.
Website Analytics
We collect anonymised analytics data from our website, including page views, referral sources, and device information. We use this data to understand how visitors find and use our website. We do not use third-party advertising trackers.
Customer Backup Data
We store the backup data you send to our platform. We do not access or inspect the contents of your backup data except as necessary to provide the Service (e.g., storage operations) or as required by law. When client-side encryption is used, we have no ability to read the contents of your data.
4. How We Use Your Information
We use your information for the following purposes:
- Providing, maintaining, and improving the Service
- Processing payments and managing your subscription
- Sending service-related communications (account notifications, backup alerts, maintenance notices)
- Responding to support requests and enquiries
- Generating anonymised, aggregate statistics about Service usage
- Complying with legal obligations
We do not sell your personal information to third parties. We do not use your personal information for automated decision-making or profiling.
5. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR:
- Contract performance: Processing necessary to provide the Service under your subscription agreement.
- Legitimate interest: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security.
- Legal obligation: Processing necessary to comply with applicable laws and regulations.
- Consent: Where required, we obtain your consent before processing (e.g., for optional marketing communications).
6. Data Storage and Location
Customer backup data is stored exclusively in data centres located in the European Union. Account management data and website analytics may be processed on infrastructure located within the European Economic Area (EEA).
We do not transfer personal data or customer backup data outside the EEA. If a transfer outside the EEA becomes necessary in the future, we will ensure appropriate safeguards are in place in accordance with GDPR Chapter V.
7. Data Retention
We retain your account information for as long as your account is active and for a period of 12 months after account cancellation for legal and accounting purposes.
Customer backup data is retained for 30 days after account cancellation to allow data recovery. After this period, backup data is permanently and irreversibly deleted.
Website analytics data is retained in anonymised form for up to 24 months.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls with multi-factor authentication and role-based permissions
- Regular security assessments and vulnerability testing
- Audit logging of all administrative actions
- Employee access limited to personnel who require it for their role
9. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to legal retention requirements.
- Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You may request your personal data in a structured, machine-readable format.
- Right to object: You may object to the processing of your personal data based on legitimate interest.
To exercise any of these rights, contact us at contact@nordenvault.com. We will respond to your request within 30 days.
10. Third-Party Services
We use a limited number of third-party services to operate the platform:
- Payment processing: We use Stripe to process payments. Stripe operates as an independent data controller for payment data. See Stripe's privacy policy for details.
- Email delivery: We use a transactional email provider to send account notifications and alerts. Email addresses are shared with this provider solely for delivery purposes.
We do not share your personal information with advertising networks, data brokers, or social media platforms.
11. Cookies
Our website uses essential cookies required for the Service to function (session management, authentication). We do not use third-party tracking cookies or advertising cookies.
Optional analytics cookies are only set with your explicit consent. You can manage cookie preferences through the cookie banner displayed on your first visit.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the dashboard at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Supervisory Authority
If you are not satisfied with our handling of your personal data, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.
14. Contact
For privacy-related questions or to exercise your data rights, contact us at contact@nordenvault.com or write to us at:
NordenVault AS
Oslo, Norway
contact@nordenvault.com