Data Privacy & GDPR Compliance Policy
Covering EU/EEA, Norway, UK, California, EU AI Act, and B2B Processor Obligations
1. Introduction and Scope
This policy sets out how we collect, use, store, and protect personal data. It covers our obligations as both a data controller (for data we collect about our own users) and a data processor (when we process data on behalf of our business customers). It applies across all products and services we operate.
We operate under the following legal frameworks:
- EU General Data Protection Regulation (GDPR) 2016/679
- Norwegian Personal Data Act (Personopplysningsloven, 2018)
- EU ePrivacy Directive (2002/58/EC, as amended)
- EU AI Act (Regulation 2024/1689) — in force from 1 August 2024; obligations apply on a staggered timetable through to August 2026
- UK GDPR and Data Protection Act 2018
- California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
This policy applies to all personal data we process about users and visitors, all staff and contractors, and all third parties who process data on our behalf.
2. Our Role: Data Controller and Data Processor
Our legal role depends on the context in which we process personal data. This distinction is important and affects your rights and our obligations.
2.1 When We Are a Data Controller
We act as a Data Controller when we decide why and how personal data is used. This covers:
- Data we collect about visitors to our website
- Account registration and profile data for individual users
- Analytics data we collect for our own business purposes
- Marketing and communication preferences
- Support and correspondence records
As a controller, this policy applies in full and you have all the rights described in Section 7.
2.2 When We Are a Data Processor
We act as a Data Processor when we process personal data on behalf of our business customers. When an organisation subscribes to our product and uploads or generates data within it, that organisation is the Data Controller. We process that data on their instruction. As a processor, we:
- Process data only on the documented instructions of the customer
- Do not use that data for our own commercial purposes
- Maintain a Data Processing Agreement (DPA) with every business customer as required by GDPR Article 28
- Provide customers with a sub-processor list and notify them of any changes
- Delete or return all customer data at the end of the contract
For business customers: a standard Data Processing Agreement (DPA) is available on request at privacy@company-brain.ai. Sub-processor changes are notified with a minimum of 30 days' notice.
2.3 Privacy Officer and DPO Assessment
We have appointed a Privacy Officer who oversees our data protection practices, reviews this policy, manages data subject requests, and acts as the first point of contact for data protection enquiries. We assess annually whether a formally designated Data Protection Officer (DPO) under GDPR Article 37 is required. If a mandatory DPO is required at any time, we will appoint one immediately, register them with Datatilsynet, and publish their contact details.
Privacy Officer contact: privacy@company-brain.ai — Supervisory Authority: Datatilsynet (Norway) | datatilsynet.no
3. GDPR Compliance
3.1 Lawful Basis for Processing
We only process personal data when we have a clear lawful basis, identified and documented before processing begins:
- Contractual necessity (Art. 6(1)(b)) — to provide the product and services you signed up for.
- Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, and product improvement. A Legitimate Interest Assessment is documented for each use of this basis.
- Consent (Art. 6(1)(a)) — for optional features and marketing communications. Always freely given, specific, and withdrawable.
- Legal obligation (Art. 6(1)(c)) — where required by law, such as financial record-keeping obligations.
3.2 Data We Collect
We only collect data we actually need. We do not collect data speculatively or for undefined future use.
- Account and identity data — name, email address, username, password (stored as a one-way cryptographic hash), account preferences and settings.
- Usage and technical data — log data including truncated IP address, browser type, OS, product usage patterns, session timestamps, and error logs.
- AI interaction data — queries, prompts, and inputs you submit to AI-powered features; outputs generated in response; session metadata. We process this data through third-party model providers, currently Anthropic, under commercial terms that prohibit the use of your data to train their models. We do not use your data to train, fine-tune, or improve any AI or machine learning model without your explicit, separate consent.
- Communications data — support requests, messages, feedback and survey responses.
4. Norwegian Personal Data Act
Norway implements GDPR through the Norwegian Personal Data Act of 2018. Because we are a company based in Oslo, this act applies directly to us. The supervisory authority is Datatilsynet (datatilsynet.no, +47 22 39 69 00, postkasse@datatilsynet.no, Mariboes gate 14, 0183 Oslo). We cooperate fully, and you have the right to lodge a complaint with Datatilsynet at any time.
5. ePrivacy and Cookies
We use only strictly necessary cookies — small files that maintain your login session and allow the product to function. We do not use analytics, advertising, or preference cookies. Because we set no non-essential cookies, the ePrivacy Directive does not require us to display a cookie consent banner, and we do not show one.
5.1 Cookies We Use
- Strictly necessary — set by us; maintain your login session and allow the product to function. No consent required.
- Analytics, marketing, and advertising cookies — we do not use any.
6. EU AI Act Compliance
The EU AI Act entered into force on 1 August 2024. Prohibitions on unacceptable-risk AI systems apply from 2 February 2025; GPAI obligations from 2 August 2025; high-risk AI system obligations from 2 August 2026.
We have assessed our product under the AI Act risk classification framework and classify our systems as limited risk or minimal risk. Where our product involves AI-generated content or AI-powered responses, this is clearly indicated in the interface. We do not use AI for automated decision-making that produces legal or similarly significant effects on individuals without human review.
7. Your Rights as a Data Subject
You have the following rights over your personal data. These apply to data we process as a controller. To submit a request, email privacy@company-brain.ai with the subject line "Data Rights Request". We will respond within 30 days.
- Right of Access (Art. 15) — request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
- Right to Erasure (Art. 17) — ask us to delete your data where it is no longer needed or you withdraw consent.
- Right to Restriction (Art. 18) — ask us to pause processing while a dispute is being resolved.
- Right to Portability (Art. 20) — request your data in JSON or CSV format.
- Right to Object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent — withdraw consent at any time without affecting the lawfulness of prior processing.
- Right Not to be Subject to Automated Decisions — request human review of any decision made solely by automated means that significantly affects you.
8. Data Storage and Security
Application data, including account data and the knowledge bases our business customers build in the product, is stored in Railway's EU region (europe-west4, Netherlands). Some of the services we rely on to operate the product are provided by companies headquartered in the United States. Transactional email content is processed and stored in the US by Postmark. Billing data is processed by Stripe. Where personal data leaves the EU or EEA, the transfer is covered by the safeguards described in Section 13.
We protect personal data with the following measures:
- TLS 1.3 encryption for all data in transit
- Encryption at rest for databases and backups
- Role-based access controls, so people and systems only reach the data their function requires
- Multi-factor authentication on all administrative and infrastructure accounts
- Audit logging of changes to customer knowledge bases. Every change to governed company knowledge passes through a review step with a recorded decision trail.
- Security review of code and infrastructure changes before each release
We rely on the certified infrastructure of our hosting providers, who maintain SOC 2 Type II and equivalent attestations. As the company grows, we will add independent penetration testing of our own application layer and update this policy when we do.
Security issues can be reported to security@company-brain.ai. We respond to security reports within 2 business days.
8.1 Sub-processors
We use the following sub-processors. Changes are notified to business customers with a minimum of 30 days' notice, as described in Section 2.2.
| Sub-processor | Purpose | HQ | Data location | Transfer safeguard |
|---|---|---|---|---|
| Railway Corp | Application hosting, API, database | USA | EU region, Netherlands | DPA with EU SCCs; EU-US Data Privacy Framework certified |
| Vercel Inc | Web frontend hosting | USA | EU region for serverless functions; global edge network for static assets | DPA with EU SCCs; DPF certified |
| ActiveCampaign LLC (Postmark) | Transactional and onboarding email | USA | USA | DPA with EU SCCs; DPF certified |
| Stripe Payments Europe Ltd / Stripe Inc | Billing and payment processing | Ireland / USA | EU and USA | DPA with EU SCCs; DPF certified |
| Anthropic PBC | AI processing for knowledge ingestion, scanning, and serving | USA | USA (API processing) | DPA with EU SCCs; not used for model training under commercial terms |
9. Data Retention and Deletion
- Account data (active) — held for the duration of your account, deleted within 30 days of closure.
- Account data (inactive) — after 12 months of inactivity you receive notice; deleted within 30 days if no response.
- AI interaction data — held for 90 days for security and support, then deleted. Aggregate usage metrics retained for 13 months.
- Support and communications — 3 years from last communication.
- Usage and analytics logs — 13 months from collection.
- Security and access logs — 12 months from collection.
- Financial and billing records — 5 years (Norwegian Bookkeeping Act / Bokføringsloven, Section 13).
- Consent records — 3 years after consent expires or is withdrawn.
When retention periods expire or you request deletion, data is removed from live systems within 30 days. Backups operate on a rolling retention cycle of no more than 90 days, after which deleted data is no longer present in any backup. If we cease to provide the product, all customer data will be made available for export for 60 days, then deleted within a further 30 days.
10. Data Breach Notification
If a breach is likely to result in a risk to people's rights and freedoms, we will notify Datatilsynet within 72 hours. Where a breach poses a high risk to individuals, we will notify affected users directly. For business customers, we will notify the customer organisation within 24 hours of becoming aware of any breach affecting their data.
11. Law Enforcement and Government Access
We carefully review every request for legal validity before taking any action. We disclose data only where legally required and will notify you before complying where permitted. We will challenge requests that are overbroad or conflict with EU law. We report annually on the number and general nature of government data requests received.
12. Privacy by Design and Default
Privacy Impact Assessments are carried out before launching new features involving significant data processing. Data minimisation is a design principle. Default settings are always the most privacy-protective option available. We carry out a formal DPIA before introducing processing likely to result in high risk to individuals.
13. International Data Transfers
Application data and customer knowledge bases are stored within the EU. Some personal data is transferred to the United States because certain sub-processors operate there, as set out in Section 8.1. This applies to transactional email handled by Postmark, billing data handled by Stripe, AI processing handled by Anthropic, and operational data handled by our hosting providers Railway and Vercel.
Every transfer outside the EU/EEA is covered by at least one approved safeguard before it occurs:
- EU Standard Contractual Clauses (SCCs), included in the Data Processing Agreement we hold with each sub-processor
- The EU-US Data Privacy Framework, where the sub-processor holds a current certification
- An adequacy decision, where the destination country has one
UK adequacy decisions were renewed in December 2025 and are valid until December 2031.
14. UK GDPR Compliance
UK residents have the same rights as EU residents under this policy. The supervisory authority for UK residents is the Information Commissioner's Office (ico.org.uk, 0303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF).
15. California Privacy Rights (CCPA / CPRA)
We extend the following rights to all California users as a matter of policy commitment:
- Right to Know — request disclosure of the personal information we collect and its purposes.
- Right to Delete — ask us to delete your personal information, subject to legal retention obligations.
- Right to Correct — ask us to correct inaccurate personal information.
- Right to Opt-Out of Sale — we do not sell your personal information. There is nothing to opt out of.
- Right to Non-Discrimination — we will never treat you differently because you exercised a privacy right.
To submit a California privacy request, email privacy@company-brain.ai with the subject line "California Privacy Request". We will respond within 45 days.
16. Children's Privacy
Our product is not directed at children. We treat 16 as our default minimum age and do not knowingly onboard users under 16. If you believe we have collected data from a person below this threshold, please contact privacy@company-brain.ai.
17. Changes to This Policy
We review this policy at least annually. When we make significant changes, we will notify you by email at least 30 days before changes take effect and display a prominent notice within the product. We will not treat continued use of the product as consent to changed terms.
18. Contact and Complaints
Email: privacy@company-brain.ai — Initial response within 5 business days.
If you are not satisfied with our response, you have the right to complain to your supervisory authority:
- Norway: Datatilsynet — datatilsynet.no — postkasse@datatilsynet.no
- EU/EEA: Your national data protection authority — edpb.europa.eu
- United Kingdom: Information Commissioner's Office — ico.org.uk — 0303 123 1113
- California: California Privacy Protection Agency — cppa.ca.gov
Version 3.2 — Effective June 2026 — Review due March 2027