Privacy Policy
Last updated: 2026-04-21 · Effective: 2026-04-21
This Privacy Policy explains how Norden Vision OÜ (“we”, “us”, “nordenagent”) collects, uses, shares and protects personal data when you use nordenagent.com (the “Service”). We comply with the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Estonian Personal Data Protection Act.
1. Who we are (data controller)
Norden Vision OÜ, registry code 14173557, registered at Katusepapi 6, Tallinn, Estonia.
Privacy contact: privacy@nordenagent.com. We have not appointed a statutory Data Protection Officer — we are not required to under GDPR Art. 37 — but our privacy mailbox is monitored and routed to the person responsible for data protection.
We are established in the EU and do not require an Article 27 representative. We may process personal data both as controller (for account and billing data of our customers) and as processor (for data you push through the Service on your end users). Processor duties are covered in our Data Processing Addendum.
2. Who this notice applies to
- People who visit our marketing pages or read our blog.
- Customers who sign up for a workspace (Free or paid).
- Affiliates who join our referral program.
- People who contact us by email or chat.
If you are an end customer of one of our customers (for example, someone whose ad performance flows through a workspace), the data controller is that customer, not us. Direct requests to them; we will assist under the DPA.
3. What we collect and why
| Category | Examples | Lawful basis | Retention |
|---|---|---|---|
| Account & profile | Email, password hash, display name, company, ICP fields from the onboarding wizard | Contract (Art. 6(1)(b)) | Until account deletion + 30 days |
| Billing | Stripe customer id, subscription state, invoice totals (we never store card numbers) | Contract + legal obligation (Art. 6(1)(b) and (c)) | 7 years (Estonian Accounting Act) |
| Integration credentials | API keys for Meta Ads, Google Ads, Shopify, etc. encrypted at rest in Supabase Vault | Contract (Art. 6(1)(b)) | Until you disconnect the integration, then destroyed |
| Workspace content | Tasks, proposals, ad drafts, reports, generated images, prompts, leads | Contract (Art. 6(1)(b)) | Until account deletion + 30 days; soft-deleted items hard-deleted after 30 days |
| Usage & product analytics | Pages visited, features used, workflow runs, quota counters, timestamps, IP address during session | Legitimate interest (Art. 6(1)(f)) — service operation, security, quotas | 13 months for raw events; aggregated metrics indefinitely |
| Transactional email logs | From / to / subject / status, via Resend | Legitimate interest (Art. 6(1)(f)) — deliverability, abuse | 90 days |
| Security & error logs | Request metadata, stack traces (PII scrubbed before upload), IP address | Legitimate interest (Art. 6(1)(f)) — security, debugging | 30 days for access logs; 90 days for Sentry error events |
| Support correspondence | Emails you send us and our replies | Legitimate interest (Art. 6(1)(f)) | 24 months |
| Affiliate attribution | Referral cookie, conversion event, payout history | Contract (Art. 6(1)(b)) | For the 12-month commission period + 7 years for accounting |
| Marketing emails | Opt-in list for product updates / newsletter (if/when launched) | Consent (Art. 6(1)(a)) | Until you unsubscribe |
4. How we collect it
- Directly from you when you sign up, configure your workspace, pay, or contact us.
- Automatically when you use the Service (server logs, usage events).
- From third-party integrations you connect (only the scopes you grant).
- From Stripe for billing events and subscription status.
5. Who we share it with (sub-processors)
We never sell your data, and we never share it for advertising. We engage carefully vetted sub-processors to run the Service. The authoritative, dated list is at /legal/subprocessors. At the date of this policy it includes, in summary:
- Supabase (EU) — Postgres database, authentication, object storage, Vault for secrets.
- Stripe (IE) — subscription billing, tax, Connect payouts.
- Resend (US, SCCs) — transactional email delivery.
- OpenRouter (US, SCCs) — AI-model gateway routing to Anthropic, OpenAI, Google. Prompts are not used to train these providers’ models.
- Hostinger (EU) — VPS hosting of the Next.js application and cron worker.
- Sentry (US, SCCs) — error tracking (PII-scrubbed before upload).
- Slack (US, SCCs) — our internal ops channel; only triggered when you connect Slack.
We disclose personal data to the authorities when legally required, and to our professional advisors (lawyer, accountant) under confidentiality. In the event of a merger, acquisition or asset sale, personal data may be transferred to the acquirer subject to the same protections described here.
6. International transfers
Where we transfer personal data outside the European Economic Area (for example, to US-based sub-processors), we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, on supplementary measures identified in our Transfer Impact Assessment. You can request a summary of the assessment at the privacy contact above.
7. Automated decision-making
The Service uses AI agents to draft content, surface anomalies and propose actions (ad creation, bid changes, coach prompt updates). Every action that affects third parties (publishing an ad, sending an email, approving a proposal) requires an explicit human click in the Service — we do not take automated decisions that produce legal or similarly significant effects on a data subject within the meaning of GDPR Art. 22. If that changes, we will update this policy and make the applicable opt-out controls available.
8. Your rights
Under the GDPR you can:
- Access — export all your data from Settings → Account, or email us.
- Rectify — edit profile and company fields at any time, or email us.
- Erase — delete your account from Settings → Account. Backups containing your data roll off within 30 days.
- Port — the export is a machine-readable JSON bundle.
- Restrict or object — contact the privacy mailbox; where processing relies on legitimate interest, you can object and we will stop unless we have compelling legitimate grounds.
- Withdraw consent — for processing based on consent (e.g. marketing email), at any time, with no effect on past processing.
- Complain — to the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority.
We will respond to verified requests within 30 days (extendable to 90 days for complex cases, with notice).
9. Security
All traffic is encrypted via TLS 1.3 with HSTS preload enforcement. Passwords are hashed server-side by Supabase. Optional multi-factor authentication (TOTP) is available for every account. Integration secrets are encrypted at rest via Supabase Vault. Cross-tenant isolation is enforced by Postgres row-level security on every workspace-scoped table. Service-role access is restricted to webhook handlers and offline scripts and is never reachable from page code. Error telemetry is scrubbed of keys, tokens, Bearer headers, and authentication cookies before leaving our servers.
10. Data breach notification
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Estonian Data Protection Inspectorate within 72 hours as required by GDPR Art. 33, and notify affected users without undue delay where Art. 34 applies. See also the breach procedure in the DPA.
11. Cookies and tracking
We only set cookies that are strictly necessary for the Service to function (authentication, CSRF protection, affiliate attribution, accessibility preferences). We do not set advertising, cross-site, or third-party analytics cookies by default. See the Cookie Policy for the full table.
12. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact the privacy mailbox and we will delete it.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to account holders at least 7 days before they take effect. The version date at the top of this page always reflects the current text.
14. Contact
Norden Vision OÜ · Katusepapi 6, Tallinn, Estonia · privacy@nordenagent.com