
Data Privacy & GDPR Compliance Policy

Covering EU/EEA, Norway, UK, California, EU AI Act, and B2B Processor Obligations

  • Version — 3.0
  • Effective date — March 2026
  • Review date — March 2027
  • Jurisdiction — EU/EEA, Norway, UK, California (USA)
  • Data storage — EU-based servers only
  • Privacy contact — privacy@company-brain.ai

1. Introduction and Scope

This policy sets out how we collect, use, store, and protect personal data. It covers our obligations as both a data controller (for data we collect about our own users) and a data processor (when we process data on behalf of our business customers). It applies across all products and services we operate.

We operate under the following legal frameworks:

  • EU General Data Protection Regulation (GDPR) 2016/679
  • Norwegian Personal Data Act (Personopplysningsloven, 2018)
  • EU ePrivacy Directive (2002/58/EC, as amended)
  • EU AI Act (Regulation 2024/1689) — in force from 1 August 2024; obligations apply on a staggered timetable through to August 2026
  • UK GDPR and Data Protection Act 2018
  • California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)

This policy applies to all personal data we process about users and visitors, all staff and contractors, and all third parties who process data on our behalf.

2. Our Role: Data Controller and Data Processor

Our legal role depends on the context in which we process personal data. This distinction is important and affects your rights and our obligations.

2.1 When We Are a Data Controller

We act as a Data Controller when we decide why and how personal data is used. This covers:

  • Data we collect about visitors to our website
  • Account registration and profile data for individual users
  • Analytics data we collect for our own business purposes
  • Marketing and communication preferences
  • Support and correspondence records

As a controller, this policy applies in full and you have all the rights described in Section 7.

2.2 When We Are a Data Processor

We act as a Data Processor when we process personal data on behalf of our business customers. When an organisation subscribes to our product and uploads or generates data within it, that organisation is the Data Controller. We process that data on their instruction. As a processor, we:

  • Process data only on the documented instructions of the customer
  • Do not use that data for our own commercial purposes
  • Maintain a Data Processing Agreement (DPA) with every business customer as required by GDPR Article 28
  • Provide customers with a sub-processor list and notify them of any changes
  • Delete or return all customer data at the end of the contract

For business customers: a standard Data Processing Agreement (DPA) is available on request at privacy@company-brain.ai. Sub-processor changes are notified with a minimum of 30 days' notice.

2.3 Privacy Officer and DPO Assessment

We have appointed a Privacy Officer who oversees our data protection practices, reviews this policy, manages data subject requests, and acts as the first point of contact for data protection enquiries. We assess annually whether a formally designated Data Protection Officer (DPO) under GDPR Article 37 is required. If a mandatory DPO is required at any time, we will appoint one immediately, register them with Datatilsynet, and publish their contact details.

Privacy Officer contact: privacy@company-brain.ai — Supervisory Authority: Datatilsynet (Norway) | datatilsynet.no

3. GDPR Compliance

3.1 Lawful Basis for Processing

We only process personal data when we have a clear lawful basis, identified and documented before processing begins:

  • Contractual necessity (Art. 6(1)(b)) — to provide the product and services you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, and product improvement. A Legitimate Interest Assessment is documented for each use of this basis.
  • Consent (Art. 6(1)(a)) — for optional features, marketing communications, and non-essential cookies. Always freely given, specific, and withdrawable.
  • Legal obligation (Art. 6(1)(c)) — where required by law, such as financial record-keeping obligations.

3.2 Data We Collect

We only collect data we actually need. We do not collect data speculatively or for undefined future use.

  • Account and identity data — name, email address, username, password (stored as a one-way cryptographic hash), account preferences and settings.
  • Usage and technical data — log data including truncated IP address, browser type, OS, product usage patterns, session timestamps, error logs, cookie and consent preferences.
  • AI interaction data — queries, prompts, and inputs you submit to AI-powered features; outputs generated in response; session metadata. We do not use your data to train, fine-tune, or improve any AI or machine learning model without your explicit, separate consent.
  • Communications data — support requests, messages, feedback and survey responses.

4. Norwegian Personal Data Act

Norway implements GDPR through the Norwegian Personal Data Act of 2018. Because we are a company based in Oslo, this act applies directly to us. The supervisory authority is Datatilsynet (datatilsynet.no, +47 22 39 69 00, postkasse@datatilsynet.no, Mariboes gate 14, 0183 Oslo). We cooperate fully with Datatilsynet, and you have the right to lodge a complaint with it at any time.

5. ePrivacy, Cookies, and Web Analytics

Non-essential cookies and analytics are only activated after you give consent.

5.1 Cookies We Use

  • Strictly necessary — set by us; maintain your login session and allow the product to function. Cannot be turned off. No consent required.
  • Functional / preference — set by us; store your layout and account preferences. Activated only with your consent.
  • Analytics (Google Analytics 4) — set by Google Ireland Limited; track pages visited and product interactions to help us improve the product. Activated only with your consent. See Section 5.2.
  • Marketing / advertising — we do not use marketing or advertising cookies.

5.2 Google Analytics 4

We use Google Analytics 4 (GA4), provided by Google Ireland Limited. In GA4, Google does not log or store IP addresses from EU/EEA users. A coarse geographic location is derived from the IP address before it is discarded. Data transfers to the US are covered by the EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) as a supplementary safeguard. Data sharing with Google advertising products is disabled. Data retention is set to 14 months. Google Analytics only activates after you consent.

Independent opt-out: tools.google.com/dlpage/gaoptout

5.3 Cookie Consent

On your first visit you will see a clear cookie notice before any non-essential cookies are set. You can change or withdraw consent at any time via the cookie settings link in the footer. Withdrawing consent stops all future non-essential tracking immediately.

6. EU AI Act Compliance

The EU AI Act entered into force on 1 August 2024. Prohibitions on unacceptable-risk AI systems apply from 2 February 2025; GPAI obligations from 2 August 2025; high-risk AI system obligations from 2 August 2026.

We have assessed our product under the AI Act risk classification framework and classify our systems as limited-risk or minimal-risk. Where our product involves AI-generated content or AI-powered responses, this is clearly indicated in the interface. We do not use AI for automated decision-making that produces legal or similarly significant effects on individuals without human review.

7. Your Rights as a Data Subject

You have the following rights over your personal data. These apply to data we process as a controller. To submit a request, email privacy@company-brain.ai with the subject line "Data Rights Request". We will respond within 30 days.

  • Right of Access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17) — ask us to delete your data where it is no longer needed or you withdraw consent.
  • Right to Restriction (Art. 18) — ask us to pause processing while a dispute is being resolved.
  • Right to Portability (Art. 20) — request your data in JSON or CSV format.
  • Right to Object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent — withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right Not to be Subject to Automated Decisions — request human review of any decision made solely by automated means that significantly affects you.

8. Data Storage and Security

All personal data we control is stored on servers located within the European Union. Security measures include TLS 1.3 encryption in transit, encryption at rest, role-based access controls, multi-factor authentication on all internal systems, regular independent penetration testing, a vulnerability disclosure programme, audit logging, and annual incident response testing.

Third-party processors are subject to a Data Processing Agreement. Named sub-processors include Google Ireland Limited (Google Analytics 4, anonymised usage metrics only) and our EU-based cloud infrastructure and email service providers. A complete sub-processor list is available on request.

9. Data Retention and Deletion

  • Account data (active) — held for the duration of your account, deleted within 30 days of closure.
  • Account data (inactive) — after 12 months of inactivity you receive notice; deleted within 30 days if no response.
  • AI interaction data — held for 90 days for security and support, then deleted. Aggregate usage metrics retained for 13 months.
  • Support and communications — 3 years from last communication.
  • Usage and analytics logs — 13 months from collection.
  • Security and access logs — 12 months from collection.
  • Financial and billing records — 5 years (Norwegian Bookkeeping Act / Bokføringsloven, Section 13).
  • Consent records — 3 years after consent expires or is withdrawn.

When retention periods expire or you request deletion, data is removed from live systems within 30 days and from backups within 90 days. If we cease to provide the product, all customer data will be made available for export for 60 days, then deleted within a further 30 days.

10. Data Breach Notification

If a breach is likely to result in a risk to people's rights and freedoms, we will notify Datatilsynet within 72 hours. Where a breach poses a high risk to individuals, we will notify affected users directly. For business customers, we will notify the customer organisation within 24 hours of becoming aware of any breach affecting their data.

11. Law Enforcement and Government Access

We carefully review every request for legal validity before taking any action. We disclose data only where legally required and will notify you before complying where permitted. We will challenge requests that are overbroad or conflict with EU law. We report annually on the number and general nature of government data requests received.

12. Privacy by Design and Default

Privacy Impact Assessments are carried out before launching new features involving significant data processing. Data minimisation is a design principle. Default settings are always the most privacy-protective option available. We carry out a formal DPIA before introducing processing likely to result in high risk to individuals.

13. International Data Transfers

We store personal data within the EU. Where data crosses borders, an appropriate safeguard is in place before any transfer occurs (EU–US Data Privacy Framework, EU Standard Contractual Clauses, or adequacy decision as applicable). UK adequacy decisions were renewed in December 2025 and are valid until December 2031.

14. UK GDPR Compliance

UK residents have the same rights as EU residents under this policy. The supervisory authority for UK residents is the Information Commissioner's Office (ico.org.uk, 0303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF).

15. California Privacy Rights (CCPA / CPRA)

We extend the following rights to all California users as a matter of policy commitment:

  • Right to Know — request disclosure of the personal information we collect and its purposes.
  • Right to Delete — ask us to delete your personal information, subject to legal retention obligations.
  • Right to Correct — ask us to correct inaccurate personal information.
  • Right to Opt-Out of Sale — we do not sell your personal information. There is nothing to opt out of.
  • Right to Non-Discrimination — we will never treat you differently because you exercised a privacy right.

To submit a California privacy request, email privacy@company-brain.ai with the subject line "California Privacy Request". We will respond within 45 days.

16. Children's Privacy

Our product is not directed at children. We treat 16 as our default minimum age and do not knowingly onboard users under 16. If you believe we have collected data from a person below this threshold, please contact privacy@company-brain.ai.

17. Changes to This Policy

We review this policy at least annually. When we make significant changes, we will notify you by email at least 30 days before changes take effect and display a prominent notice within the product. We will not treat continued use of the product as consent to changed terms.

18. Contact and Complaints

Email: privacy@company-brain.ai — Initial response within 5 business days.

If you are not satisfied with our response, you have the right to complain to your supervisory authority:

  • Norway: Datatilsynet — datatilsynet.no — postkasse@datatilsynet.no
  • EU/EEA: Your national data protection authority — edpb.europa.eu
  • United Kingdom: Information Commissioner's Office — ico.org.uk — 0303 123 1113
  • California: California Privacy Protection Agency — cppa.ca.gov

Version 3.0 — Effective March 2026 — Review due March 2027
