Legal
Privacy Policy
Effective date: [EFFECTIVE_DATE] · Last updated: [EFFECTIVE_DATE]
This Privacy Policy explains how [LEGAL COMPANY NAME], org. no. [ORG NO.], [POSTAL ADDRESS, CITY, NORWAY], Norway ("vyrd", "we", "us", "our") collects, uses, stores, and shares your personal data when you use https://vyrd.example(the "Service").
We are the data controller under the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (personopplysningsloven), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA.
Questions or requests: support@vyrd.example
1. Data We Collect
We collect only data that is necessary to provide and improve the Service. We do not sell your personal data.
| Category | Examples | Source | Required? |
|---|---|---|---|
| Account data | Email address, hashed password | You, at sign-up | Yes — to authenticate you |
| Profile data | Business name, industry, revenue stage, target market | You, in the profile wizard | No — improves AI advice quality |
| Conversation data | Messages you send to the AI advisor, AI responses | You, during chat sessions | Yes — to deliver the Service |
| Usage data | Pages visited, features clicked, session timestamps | Automatically via Supabase | Yes — for security and improvement |
| Check-in data | Weekly mood, energy, focus scores, goals, reflection text | You, in weekly check-ins | No — opt-in feature |
| Wins data | Win title, description, and mood rating | You, when logging wins | No — opt-in feature |
| Milestone & notes | Business milestones, private notes | You | No — opt-in feature |
| Content plan data | Generated content plan items | AI-generated from your profile | No — opt-in feature |
| Research preferences | Research intensity, schedule, and run time settings | You, in research settings | No — opt-in feature |
| Startup idea text | The idea description you submit for analysis | You, on the analysis page | Only when you run an analysis |
| Billing data | Subscription plan, payment status, Stripe customer ID | Stripe (payment processor) | Only if you subscribe |
| Technical data | IP address, browser type, device OS, request logs | Automatically via server logs | Yes — for security |
| Support communications | Emails you send to support | You | Only if you contact us |
2. How We Use Your Data
| Purpose | Data used | GDPR legal basis (Art. 6) |
|---|---|---|
| Create and manage your account | Email, password hash | Art. 6(1)(b) — contract performance |
| Deliver AI coaching and analysis | Profile, conversations, check-ins, startup idea text | Art. 6(1)(b) — contract performance |
| Process payments and manage subscriptions | Billing data, Stripe customer ID | Art. 6(1)(b) — contract performance |
| Prevent abuse, enforce rate limits, detect fraud | IP address, usage data, request logs | Art. 6(1)(f) — legitimate interests |
| Improve the Service (aggregate, anonymised data only) | Anonymised usage patterns | Art. 6(1)(f) — legitimate interests |
| Send transactional emails (password reset, billing receipts) | Art. 6(1)(b) — contract performance | |
| Send product updates and marketing (opt-in only) | Art. 6(1)(a) — consent (withdrawable any time) | |
| Comply with legal obligations (tax records, audits) | Billing data | Art. 6(1)(c) — legal obligation |
We do notuse your conversation data or profile data to train general AI models. Your data is sent to Anthropic only to generate a response for your specific request and is subject to Anthropic's data processing agreement.
3. AI Data Processing
The Service uses large language models (LLMs) provided by Anthropic PBC("Claude") to generate coaching responses and startup idea analysis. When you send a message, submit an idea for analysis, or request generated content (content plans, narrative summaries, etc.), we transmit the relevant content — which may include your idea text, profile summary, and conversation history — to Anthropic's API.
Anthropic processes this data as a data processorunder a Data Processing Agreement (DPA). Anthropic's servers are located in the United States. Data transfers to the US are covered by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs). See Section 6 for transfer details.
AI responses are generated automatically. We do not review individual conversations unless you contact support or there is a security or legal obligation to do so.
4. Cookies and Tracking Technologies
We use only strictly necessary cookies required to keep you signed in and protect the Service from abuse. These cookies are exempt from consent under the Norwegian Electronic Communications Act (eKom-loven § 2-7b) because they are necessary for the Service to function.
| Cookie | Purpose | Duration | Consent required? |
|---|---|---|---|
| supabase-auth-token | Keeps you signed in (session token) | Session / 7 days | No — strictly necessary |
| sb-*-auth-token | Supabase authentication state | Session | No — strictly necessary |
| __Secure-next-auth.* | CSRF protection | Session | No — strictly necessary |
We do not currently use analytics cookies, advertising cookies, or third-party tracking pixels. If we introduce non-essential cookies in the future, we will update this policy and implement a cookie consent mechanism before doing so.
Browser localStorage
We also use your browser's localStorage (a client-side storage mechanism distinct from cookies) to preserve your session state between page loads. This data is stored only on your device and is never automatically sent to our servers.
| Key | What is stored | Purpose |
|---|---|---|
| be_idea | The startup idea text you entered on the analysis page | Pass your idea to the results page without a round-trip to the server |
| be_conv_id | The ID of your most recent AI conversation | Re-open your last conversation automatically |
| be_custom_channels | Marketing channel names you defined | Persist your custom channel setup between sessions |
| be_setup_done / be_silent_profile | Boolean flags (true/false only) | Remember whether onboarding steps have been completed |
You can clear all localStorage data at any time through your browser's developer tools or site settings. Clearing it does not affect data stored in your account on our servers.
5. Data Sharing and Subprocessors
We do not sell your personal data. We share your data only with the following subprocessors, each under a Data Processing Agreement:
| Subprocessor | Role | Data shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | All account and application data | EU (Frankfurt) / US |
| Anthropic PBC | AI language model (Claude) | Conversation content, profile summary | United States |
| Vercel Inc. | Hosting and edge functions | Request logs, IP addresses | Global (Vercel Edge Network) |
| Upstash Inc. | Rate limiting (Redis cache) | Anonymised request identifiers | EU (Frankfurt) |
| Stripe Inc. | Payment processing | Billing data, email | United States / EU |
We may also disclose your data:
- To comply with a legal obligation, court order, or lawful request from a public authority (Art. 6(1)(c));
- To protect the rights, property, or safety of vyrd, our users, or the public;
- In connection with a merger, acquisition, or sale of assets — you will be notified by email before your data is transferred.
6. International Data Transfers
Some subprocessors are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we rely on one or more of the following safeguards:
- EU-US Data Privacy Framework (DPF): Anthropic, Vercel, and Stripe are certified by the US Department of Commerce, providing an adequacy level recognised by the European Commission.
- Standard Contractual Clauses (SCCs):Where DPF certification is not in place, we rely on the European Commission's approved SCCs (Module 2 — controller to processor).
You may request a copy of the applicable safeguards by contacting support@vyrd.example.
7. Data Retention
| Data category | Retention period | Legal basis for retention |
|---|---|---|
| Account data (email, auth) | Until account deletion, then 30 days in backup | Art. 6(1)(b) — contract |
| Conversation history | Until account deletion | Art. 6(1)(b) — contract |
| Profile, notes, milestones | Until account deletion | Art. 6(1)(b) — contract |
| Billing records (invoices, payment events) | 7 years from invoice date | Art. 6(1)(c) — Regnskapsloven § 13 |
| Security / server logs (IP, request logs) | 90 days | Art. 6(1)(f) — legitimate interests |
| Marketing consent records | Until withdrawal + 3 years | Art. 6(1)(c) — proof of consent |
| Support correspondence | 3 years after resolution | Art. 6(1)(f) — legitimate interests |
After account deletion, we anonymise or delete your data within 30 days, except where longer retention is required by law (billing records) or technically unavoidable (encrypted backups, purged on a rolling 30-day cycle).
8. Your Rights
Under the GDPR and Norwegian personopplysningsloven, you have the following rights. Contact support@vyrd.example to exercise any of them. We will respond within 30 days (Art. 12(3)).
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Receive a copy of all personal data we hold about you | Email support@vyrd.example |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Update in Settings or email us |
| Erasure (Art. 17) | Delete your account and data | Settings → Delete Account, or email us |
| Restriction (Art. 18) | Restrict processing while a dispute is pending | Email support@vyrd.example |
| Portability (Art. 20) | Receive your data in a machine-readable format (JSON/CSV) | Email support@vyrd.example |
| Object (Art. 21) | Object to processing based on legitimate interests | Email support@vyrd.example |
| Withdraw consent | Withdraw marketing consent at any time | Unsubscribe link in emails, or email us |
| Lodge a complaint | File a complaint with Datatilsynet (Norwegian DPA) | datatilsynet.no |
We will not charge a fee for exercising your rights. If a request is manifestly unfounded or excessive (Art. 12(5)), we may charge a reasonable fee or refuse and explain why.
9. California Residents — CCPA/CPRA
If you are a California resident, the CCPA as amended by the CPRA gives you additional rights alongside the GDPR rights in Section 8:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, why we use it, and who we share it with.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is required.
- Right to Limit Sensitive PI Use: We do not collect sensitive personal information as defined by the CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA/CPRA rights.
To submit a California privacy request, email support@vyrd.examplewith the subject line "California Privacy Request". We will verify your identity before processing. You may designate an authorised agent to submit a request on your behalf.
In the preceding 12 months, we have not sold personal information.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data. Measures include:
- Encryption in transit (TLS 1.2+) for all data between your browser and our servers
- Encryption at rest for database storage (Supabase AES-256)
- Row-Level Security (RLS) policies ensuring each user can only access their own data
- API rate limiting to prevent abuse
- Passwords are never stored in plaintext — authentication is managed by Supabase Auth
- Access to production systems is restricted to essential personnel
No internet service is completely secure. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours (Art. 33) and notify affected users without undue delay (Art. 34) where required.
11. Subscriptions and Payments
Paid plans renew automatically until cancelled. You can cancel future renewals from Account Settings or by contacting support@vyrd.example.
Payment card data is processed by Stripe, Inc. and is never stored on our servers. We receive only a Stripe customer ID and payment status.
Refunds: Refunds are handled in accordance with applicable Norwegian consumer law (forbrukerkjøpsloven). For digital services fully performed with your prior explicit consent, the right of withdrawal under Angrerettloven § 22 may not apply. Specific refund terms are shown at checkout. Contact support@vyrd.example for refund requests.
12. Automated Decision-Making and Profiling
We use AI to generate coaching advice and business analysis. This constitutes automated processing but does not produce legal or similarly significant effects on you (Art. 22 GDPR). All AI outputs are advisory. No automated decision grants or denies you access to services, credit, or legal rights.
Credit deductions for AI feature usage are determined automatically based on your subscription plan. Contact support@vyrd.example if you believe a credit charge was made in error.
13. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and/or a prominent notice on the Service at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent revision.
Continued use of the Service after the effective date constitutes acceptance. If you do not accept the changes, you must stop using the Service and delete your account.
15. Summary of Legal Bases (GDPR Art. 13)
- Contract performance (Art. 6(1)(b)): Account management, AI coaching, content generation, billing.
- Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, rate limiting, anonymised service improvement. We have assessed that these interests do not override your rights.
- Legal obligation (Art. 6(1)(c)): Retaining financial records for 7 years under Regnskapsloven § 13; responding to lawful authority requests.
- Consent (Art. 6(1)(a)): Marketing emails only. Withdrawable at any time without affecting prior processing.
16. Supervisory Authority
If you are located in Norway or the EEA and believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local supervisory authority.
Datatilsynet (Norwegian Data Protection Authority)Postboks 458 Sentrum, 0105 Oslo, Norway
datatilsynet.no
We would appreciate the opportunity to address your concerns first. Please contact support@vyrd.example before lodging a formal complaint.
17. Contact Us
Org. no. [ORG NO.]
[POSTAL ADDRESS, CITY, NORWAY]
Privacy requests: support@vyrd.example
General support: support@vyrd.example
18. Glossary
- Personal data
- Any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
- Data controller
- The entity that determines the purposes and means of processing personal data.
- Data processor
- An entity that processes personal data on behalf of the controller.
- GDPR
- EU General Data Protection Regulation (Regulation (EU) 2016/679), enforceable in Norway via the EEA Agreement.
- Personopplysningsloven
- Norwegian Personal Data Act implementing the GDPR in Norwegian law.
- CCPA/CPRA
- California Consumer Privacy Act (2018) as amended by the California Privacy Rights Act (2020).
- DPF
- EU-US Data Privacy Framework — an adequacy decision by the European Commission covering US data transfers.
- SCCs
- Standard Contractual Clauses — EU Commission-approved contract terms for data transfers to third countries.
- Datatilsynet
- Norwegian Data Protection Authority — supervisory authority for GDPR compliance in Norway.
- Regnskapsloven § 13
- Norwegian Accounting Act section 13 — requires financial records to be kept for 7 years.