Legal

Privacy Policy

Effective date: [EFFECTIVE_DATE]  ·  Last updated: [EFFECTIVE_DATE]

This Privacy Policy explains how [LEGAL COMPANY NAME], org. no. [ORG NO.], [POSTAL ADDRESS, CITY, NORWAY], Norway ("vyrd", "we", "us", "our") collects, uses, stores, and shares your personal data when you use https://vyrd.example(the "Service").

We are the data controller under the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (personopplysningsloven), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA.

Questions or requests: support@vyrd.example

1. Data We Collect

We collect only data that is necessary to provide and improve the Service. We do not sell your personal data.

CategoryExamplesSourceRequired?
Account dataEmail address, hashed passwordYou, at sign-upYes — to authenticate you
Profile dataBusiness name, industry, revenue stage, target marketYou, in the profile wizardNo — improves AI advice quality
Conversation dataMessages you send to the AI advisor, AI responsesYou, during chat sessionsYes — to deliver the Service
Usage dataPages visited, features clicked, session timestampsAutomatically via SupabaseYes — for security and improvement
Check-in dataWeekly mood, energy, focus scores, goals, reflection textYou, in weekly check-insNo — opt-in feature
Wins dataWin title, description, and mood ratingYou, when logging winsNo — opt-in feature
Milestone & notesBusiness milestones, private notesYouNo — opt-in feature
Content plan dataGenerated content plan itemsAI-generated from your profileNo — opt-in feature
Research preferencesResearch intensity, schedule, and run time settingsYou, in research settingsNo — opt-in feature
Startup idea textThe idea description you submit for analysisYou, on the analysis pageOnly when you run an analysis
Billing dataSubscription plan, payment status, Stripe customer IDStripe (payment processor)Only if you subscribe
Technical dataIP address, browser type, device OS, request logsAutomatically via server logsYes — for security
Support communicationsEmails you send to supportYouOnly if you contact us
Sensitive data: We do not knowingly collect special categories of personal data (health, religion, political opinions, etc.) as defined in GDPR Article 9. Do not enter such information in the chat or profile fields.
Children: The Service is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has registered, contact us at support@vyrd.example and we will delete the account.

2. How We Use Your Data

PurposeData usedGDPR legal basis (Art. 6)
Create and manage your accountEmail, password hashArt. 6(1)(b) — contract performance
Deliver AI coaching and analysisProfile, conversations, check-ins, startup idea textArt. 6(1)(b) — contract performance
Process payments and manage subscriptionsBilling data, Stripe customer IDArt. 6(1)(b) — contract performance
Prevent abuse, enforce rate limits, detect fraudIP address, usage data, request logsArt. 6(1)(f) — legitimate interests
Improve the Service (aggregate, anonymised data only)Anonymised usage patternsArt. 6(1)(f) — legitimate interests
Send transactional emails (password reset, billing receipts)EmailArt. 6(1)(b) — contract performance
Send product updates and marketing (opt-in only)EmailArt. 6(1)(a) — consent (withdrawable any time)
Comply with legal obligations (tax records, audits)Billing dataArt. 6(1)(c) — legal obligation

We do notuse your conversation data or profile data to train general AI models. Your data is sent to Anthropic only to generate a response for your specific request and is subject to Anthropic's data processing agreement.

3. AI Data Processing

The Service uses large language models (LLMs) provided by Anthropic PBC("Claude") to generate coaching responses and startup idea analysis. When you send a message, submit an idea for analysis, or request generated content (content plans, narrative summaries, etc.), we transmit the relevant content — which may include your idea text, profile summary, and conversation history — to Anthropic's API.

Anthropic processes this data as a data processorunder a Data Processing Agreement (DPA). Anthropic's servers are located in the United States. Data transfers to the US are covered by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs). See Section 6 for transfer details.

AI disclaimer:AI-generated content is not professional advice. Do not rely on vyrd's AI output as legal, financial, medical, tax, or professional advice. Do not enter sensitive personal information — health records, financial account numbers, passwords, or information about children — in the chat.

AI responses are generated automatically. We do not review individual conversations unless you contact support or there is a security or legal obligation to do so.

4. Cookies and Tracking Technologies

We use only strictly necessary cookies required to keep you signed in and protect the Service from abuse. These cookies are exempt from consent under the Norwegian Electronic Communications Act (eKom-loven § 2-7b) because they are necessary for the Service to function.

CookiePurposeDurationConsent required?
supabase-auth-tokenKeeps you signed in (session token)Session / 7 daysNo — strictly necessary
sb-*-auth-tokenSupabase authentication stateSessionNo — strictly necessary
__Secure-next-auth.*CSRF protectionSessionNo — strictly necessary

We do not currently use analytics cookies, advertising cookies, or third-party tracking pixels. If we introduce non-essential cookies in the future, we will update this policy and implement a cookie consent mechanism before doing so.

Browser localStorage

We also use your browser's localStorage (a client-side storage mechanism distinct from cookies) to preserve your session state between page loads. This data is stored only on your device and is never automatically sent to our servers.

KeyWhat is storedPurpose
be_ideaThe startup idea text you entered on the analysis pagePass your idea to the results page without a round-trip to the server
be_conv_idThe ID of your most recent AI conversationRe-open your last conversation automatically
be_custom_channelsMarketing channel names you definedPersist your custom channel setup between sessions
be_setup_done / be_silent_profileBoolean flags (true/false only)Remember whether onboarding steps have been completed

You can clear all localStorage data at any time through your browser's developer tools or site settings. Clearing it does not affect data stored in your account on our servers.

5. Data Sharing and Subprocessors

We do not sell your personal data. We share your data only with the following subprocessors, each under a Data Processing Agreement:

SubprocessorRoleData sharedLocation
Supabase Inc.Database, authentication, storageAll account and application dataEU (Frankfurt) / US
Anthropic PBCAI language model (Claude)Conversation content, profile summaryUnited States
Vercel Inc.Hosting and edge functionsRequest logs, IP addressesGlobal (Vercel Edge Network)
Upstash Inc.Rate limiting (Redis cache)Anonymised request identifiersEU (Frankfurt)
Stripe Inc.Payment processingBilling data, emailUnited States / EU

We may also disclose your data:

  • To comply with a legal obligation, court order, or lawful request from a public authority (Art. 6(1)(c));
  • To protect the rights, property, or safety of vyrd, our users, or the public;
  • In connection with a merger, acquisition, or sale of assets — you will be notified by email before your data is transferred.

6. International Data Transfers

Some subprocessors are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we rely on one or more of the following safeguards:

  • EU-US Data Privacy Framework (DPF): Anthropic, Vercel, and Stripe are certified by the US Department of Commerce, providing an adequacy level recognised by the European Commission.
  • Standard Contractual Clauses (SCCs):Where DPF certification is not in place, we rely on the European Commission's approved SCCs (Module 2 — controller to processor).

You may request a copy of the applicable safeguards by contacting support@vyrd.example.

7. Data Retention

Data categoryRetention periodLegal basis for retention
Account data (email, auth)Until account deletion, then 30 days in backupArt. 6(1)(b) — contract
Conversation historyUntil account deletionArt. 6(1)(b) — contract
Profile, notes, milestonesUntil account deletionArt. 6(1)(b) — contract
Billing records (invoices, payment events)7 years from invoice dateArt. 6(1)(c) — Regnskapsloven § 13
Security / server logs (IP, request logs)90 daysArt. 6(1)(f) — legitimate interests
Marketing consent recordsUntil withdrawal + 3 yearsArt. 6(1)(c) — proof of consent
Support correspondence3 years after resolutionArt. 6(1)(f) — legitimate interests

After account deletion, we anonymise or delete your data within 30 days, except where longer retention is required by law (billing records) or technically unavoidable (encrypted backups, purged on a rolling 30-day cycle).

8. Your Rights

Under the GDPR and Norwegian personopplysningsloven, you have the following rights. Contact support@vyrd.example to exercise any of them. We will respond within 30 days (Art. 12(3)).

RightWhat it meansHow to exercise
Access (Art. 15)Receive a copy of all personal data we hold about youEmail support@vyrd.example
Rectification (Art. 16)Correct inaccurate or incomplete dataUpdate in Settings or email us
Erasure (Art. 17)Delete your account and dataSettings → Delete Account, or email us
Restriction (Art. 18)Restrict processing while a dispute is pendingEmail support@vyrd.example
Portability (Art. 20)Receive your data in a machine-readable format (JSON/CSV)Email support@vyrd.example
Object (Art. 21)Object to processing based on legitimate interestsEmail support@vyrd.example
Withdraw consentWithdraw marketing consent at any timeUnsubscribe link in emails, or email us
Lodge a complaintFile a complaint with Datatilsynet (Norwegian DPA)datatilsynet.no

We will not charge a fee for exercising your rights. If a request is manifestly unfounded or excessive (Art. 12(5)), we may charge a reasonable fee or refuse and explain why.

9. California Residents — CCPA/CPRA

If you are a California resident, the CCPA as amended by the CPRA gives you additional rights alongside the GDPR rights in Section 8:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, why we use it, and who we share it with.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is required.
  • Right to Limit Sensitive PI Use: We do not collect sensitive personal information as defined by the CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising CCPA/CPRA rights.

To submit a California privacy request, email support@vyrd.examplewith the subject line "California Privacy Request". We will verify your identity before processing. You may designate an authorised agent to submit a request on your behalf.

In the preceding 12 months, we have not sold personal information.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data. Measures include:

  • Encryption in transit (TLS 1.2+) for all data between your browser and our servers
  • Encryption at rest for database storage (Supabase AES-256)
  • Row-Level Security (RLS) policies ensuring each user can only access their own data
  • API rate limiting to prevent abuse
  • Passwords are never stored in plaintext — authentication is managed by Supabase Auth
  • Access to production systems is restricted to essential personnel

No internet service is completely secure. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours (Art. 33) and notify affected users without undue delay (Art. 34) where required.

11. Subscriptions and Payments

Paid plans renew automatically until cancelled. You can cancel future renewals from Account Settings or by contacting support@vyrd.example.

Payment card data is processed by Stripe, Inc. and is never stored on our servers. We receive only a Stripe customer ID and payment status.

Refunds: Refunds are handled in accordance with applicable Norwegian consumer law (forbrukerkjøpsloven). For digital services fully performed with your prior explicit consent, the right of withdrawal under Angrerettloven § 22 may not apply. Specific refund terms are shown at checkout. Contact support@vyrd.example for refund requests.

12. Automated Decision-Making and Profiling

We use AI to generate coaching advice and business analysis. This constitutes automated processing but does not produce legal or similarly significant effects on you (Art. 22 GDPR). All AI outputs are advisory. No automated decision grants or denies you access to services, credit, or legal rights.

Credit deductions for AI feature usage are determined automatically based on your subscription plan. Contact support@vyrd.example if you believe a credit charge was made in error.

13. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and/or a prominent notice on the Service at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent revision.

Continued use of the Service after the effective date constitutes acceptance. If you do not accept the changes, you must stop using the Service and delete your account.

  • Contract performance (Art. 6(1)(b)): Account management, AI coaching, content generation, billing.
  • Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, rate limiting, anonymised service improvement. We have assessed that these interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)): Retaining financial records for 7 years under Regnskapsloven § 13; responding to lawful authority requests.
  • Consent (Art. 6(1)(a)): Marketing emails only. Withdrawable at any time without affecting prior processing.

16. Supervisory Authority

If you are located in Norway or the EEA and believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local supervisory authority.

Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum, 0105 Oslo, Norway
datatilsynet.no

We would appreciate the opportunity to address your concerns first. Please contact support@vyrd.example before lodging a formal complaint.

17. Contact Us

[LEGAL COMPANY NAME]
Org. no. [ORG NO.]
[POSTAL ADDRESS, CITY, NORWAY]
Privacy requests: support@vyrd.example
General support: support@vyrd.example

18. Glossary

Personal data
Any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
Data controller
The entity that determines the purposes and means of processing personal data.
Data processor
An entity that processes personal data on behalf of the controller.
GDPR
EU General Data Protection Regulation (Regulation (EU) 2016/679), enforceable in Norway via the EEA Agreement.
Personopplysningsloven
Norwegian Personal Data Act implementing the GDPR in Norwegian law.
CCPA/CPRA
California Consumer Privacy Act (2018) as amended by the California Privacy Rights Act (2020).
DPF
EU-US Data Privacy Framework — an adequacy decision by the European Commission covering US data transfers.
SCCs
Standard Contractual Clauses — EU Commission-approved contract terms for data transfers to third countries.
Datatilsynet
Norwegian Data Protection Authority — supervisory authority for GDPR compliance in Norway.
Regnskapsloven § 13
Norwegian Accounting Act section 13 — requires financial records to be kept for 7 years.
← HomeTerms of ServicePrivacy requests