Privacy Policy

Last updated: October 20, 2025

Version 2.0 - Updated for GDPR, CCPA & LGPD Compliance

Quick Summary: We collect minimal data necessary for our services, never sell your personal information, and use industry-standard security measures to protect your data. We comply with GDPR (EU), CCPA (California), LGPD (Brazil), and international privacy laws.

1. Introduction

Norseson ("we," "our," or "us") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with our mobile applications.

This policy applies to all users globally and incorporates specific provisions for residents of the European Economic Area (EEA), United Kingdom, California, Brazil, and other jurisdictions with specific privacy requirements.

By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide Directly

  • Contact Information: Name, email address, phone number, company name
  • Project Information: Project requirements, budget estimates, timeline preferences, industry sector
  • Communication Data: Messages, feedback, and correspondence with our team
  • Account Information: Username, password (hashed using bcrypt), profile preferences, security questions
  • Payment Information: Billing address, payment method details (processed securely by Stripe - we do not store full credit card numbers)
  • Professional Information: Job title, business needs, technical requirements

2.2 Information We Collect Automatically

  • Usage Data: Pages visited, time spent on site, click patterns, navigation paths, referral sources
  • Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution
  • Technical Data: Cookies, session IDs, local storage data, cache information
  • Location Data: General geographic location based on IP address (country and city level - we do not collect precise GPS coordinates without explicit consent)
  • Analytics Data: Performance metrics, error logs, crash reports, feature usage statistics (via Google Analytics and Vercel Analytics)

2.3 Information from Third Parties

We may receive information from:

  • Social Media Platforms: If you connect your GitHub, LinkedIn, or Google account
  • Business Partners: Referral information from partners and affiliates
  • Public Sources: Publicly available information about your business (e.g., company websites, LinkedIn profiles)
  • Service Providers: Data from our hosting provider (Vercel), payment processor (Stripe), email service (SendGrid), and CRM system (if applicable)

Information for Affiliate Program Participants

If you join our Affiliate Program, we collect and process additional information to manage the program and our relationship with you.

Data We Collect

To operate the program, we collect your name, email address, website or social media details, and payment information (such as a PayPal email address or bank account details). We may also request tax forms, compliance documentation, and verification information required by applicable laws or payment providers.

How We Use Your Data

  • Create, verify, and manage your affiliate account.
  • Track referrals, attribute sales, and calculate commissions.
  • Process commission payouts on net-30 terms, including sharing limited payment details with trusted processors to remit funds.
  • Send operational communications about program performance, payouts, updates, and compliance.

Data Retention

We retain your affiliate account information for as long as you participate in the program. Payout records and related financial data are retained for longer periods as required by tax, accounting, and regulatory obligations, even after your affiliate relationship ends. You may request deletion of non-financial data, subject to our legal record-keeping requirements.

3. Legal Basis for Processing (GDPR)

For users in the EEA and UK, we process your personal data under the following legal bases as required by GDPR Article 6:

3.1 Contractual Necessity

Processing necessary to perform our contract with you:

  • Providing software development services
  • Project management and delivery
  • Processing payments and invoicing
  • Providing customer support

3.2 Consent

Where you have given explicit consent:

  • Marketing communications and newsletters
  • Non-essential cookies and tracking
  • Special category data (if any)

3.3 Legitimate Interests

Processing necessary for our legitimate business interests:

  • Website analytics and service improvement
  • Fraud prevention and security
  • Network and information security
  • Business administration and internal operations

3.4 Legal Obligations

Processing required to comply with legal obligations:

  • Tax and accounting requirements
  • Regulatory reporting
  • Court orders and legal processes

4. How We Use Your Information

4.1 Primary Purposes

  • Service Delivery: Provide, maintain, and improve our development services
  • Communication: Respond to inquiries within 12 hours, provide project updates, send transactional notifications
  • Project Management: Plan, execute, and deliver software development projects
  • Quality Assurance: Test applications, ensure functionality, maintain quality standards
  • Customer Support: Provide technical assistance and resolve issues
  • Payment Processing: Process transactions, generate invoices, manage billing

4.2 Business Operations

  • Analytics: Analyze usage patterns to improve services and user experience (using Google Analytics with IP anonymization)
  • Security: Protect against fraud, abuse, unauthorized access, and cyber threats
  • Legal Compliance: Comply with applicable laws, regulations, and legal obligations
  • Business Development: Understand market trends and improve service offerings
  • Internal Operations: Administrative purposes, recordkeeping, and business reporting

4.3 Marketing (With Explicit Consent Only)

  • Newsletter: Send updates about our services, industry insights, and company news (opt-in required)
  • Promotional Content: Share information about new features, services, or special offers
  • Event Invitations: Invite you to webinars, conferences, or networking events

You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any email or contacting us directly.

5. Information Sharing and Disclosure

We Never Sell Your Personal Information - We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

5.1 Service Providers (Named Third Parties)

We share information with the following trusted service providers under strict data processing agreements:

  • Vercel: Website hosting and infrastructure (US-based, GDPR-compliant)
  • Google Analytics: Website analytics (with IP anonymization and data processing agreement)
  • Stripe: Payment processing (PCI DSS Level 1 compliant)
  • SendGrid/Mailgun: Email communication services
  • Slack: Internal team communication and client project coordination
  • GitHub: Code repository and version control
  • Calendly: Meeting scheduling

All service providers are contractually required to maintain appropriate security measures and use your data only for the purposes specified in our agreements.

5.2 Legal Requirements

We may disclose information when required by law or in the good-faith belief that such action is necessary to:

  • Comply with legal obligations, court orders, or government requests
  • Protect our rights, property, safety, or that of our users
  • Investigate or prevent fraud, security breaches, or illegal activity
  • Respond to subpoenas or legal processes
  • Enforce our Terms of Service or other agreements

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of the transaction. We will provide advance notice (minimum 30 days) via email and prominent website notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Security

We implement comprehensive technical and organizational security measures to protect your personal information:

6.1 Technical Safeguards

  • Encryption: TLS 1.3 for data in transit, AES-256 encryption for data at rest
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege
  • Network Security: Firewalls, intrusion detection systems, DDoS protection
  • Application Security: Regular security audits, penetration testing, vulnerability scanning
  • Secure Development: Security code reviews, OWASP compliance, secure coding practices

6.2 Organizational Safeguards

  • Staff Training: Mandatory security and privacy training for all personnel
  • Background Checks: Screening for employees with data access
  • Confidentiality Agreements: All staff and contractors sign NDAs
  • Incident Response: Documented breach response plan with 72-hour notification commitment
  • Data Minimization: Collect only necessary data, delete when no longer needed
  • Regular Backups: Encrypted daily backups with 90-day retention, tested quarterly

Important: While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying you of any breach affecting your data within 72 hours of discovery, as required by GDPR.

7. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify Affected Users: Within 72 hours of becoming aware of the breach (GDPR requirement)
  • Notify Supervisory Authorities: As required by applicable laws (EU DPAs, ANPD, state attorneys general)
  • Disclosure Contents: Nature of the breach, categories of data affected, approximate number of individuals impacted, likely consequences, and measures taken
  • Remediation Steps: Immediate actions to contain the breach and mitigate harm
  • Prevention Measures: Steps taken to prevent future breaches
  • Support Services: Credit monitoring or identity theft protection services if sensitive data was compromised

Contact point for breach notifications: legal@norseson.com

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy and as required by law:

  • Active Client Relationships: Throughout the duration of our business relationship plus 1 year after project completion
  • Financial Records: 7 years for accounting, tax, and audit purposes (legal requirement)
  • Legal Claims: For the duration of any legal hold or potential litigation (statute of limitations varies by jurisdiction)
  • Marketing Data: Until you opt out, unsubscribe, or request deletion
  • Inquiry/Contact Forms: 2 years from last contact if no business relationship established
  • Website Analytics: 26 months (Google Analytics standard)
  • Cookies: As specified in our cookie policy (13 months maximum)
  • Anonymized Data: May be retained indefinitely for statistical and research purposes

When we no longer need your information, we will securely delete or anonymize it using industry-standard data destruction methods, except where retention is required by law.

9. Your Rights and How to Exercise Them

Depending on your location, you have the following rights regarding your personal data. We commit to responding to all requests within 30 days (or as required by local law):

9.1 Universal Rights (All Users)

  • Right to Access: Request a copy of the personal information we hold about you
  • Right to Correction: Correct inaccurate or incomplete information
  • Right to Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Right to Opt-Out: Unsubscribe from marketing communications at any time

9.2 GDPR Rights (EEA & UK Residents)

  • Right to Data Portability: Receive your data in a structured, machine-readable format (CSV or JSON)
  • Right to Restriction: Request restriction of processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time (without affecting prior lawful processing)
  • Right to Lodge a Complaint: File a complaint with your local Data Protection Authority
  • Right to Not Be Subject to Automated Decision-Making: We do not use automated profiling or decision-making that produces legal effects

9.3 CCPA Rights (California Residents)

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Know Categories: Learn about categories of sources, business purposes, and third parties with whom we share data
  • Right to Delete: Request deletion of personal information (with certain exceptions)
  • Right to Opt-Out of Sale: We do not sell personal information, but you can request confirmation at any time
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to Designate an Authorized Agent: You may designate an authorized agent to make requests on your behalf (written authorization required)
  • Shine the Light: California residents can request information about personal information shared with third parties for direct marketing (we do not engage in this practice)

9.4 LGPD Rights (Brazilian Residents)

  • Confirmation and Access: Confirm the existence of processing and access your data
  • Correction: Request correction of incomplete, inaccurate, or outdated data
  • Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
  • Portability: Receive data in a structured, interoperable format
  • Information About Sharing: Learn about public and private entities with which we share data
  • Refusal and Consequences: Information about refusal to provide consent and consequences
  • Revocation of Consent: Revoke consent at any time
  • Complaint: Lodge a complaint with ANPD (Brazilian National Data Protection Authority)

9.5 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: legal@norseson.com
  • Subject Line: "Privacy Rights Request - [Your Right]"
  • Include: Your name, email address, country of residence, and specific request

We may request additional information to verify your identity before processing your request. We will respond within 30 days (or as required by applicable law).

10. CCPA "Do Not Sell My Personal Information"

WE DO NOT SELL YOUR PERSONAL INFORMATION

Norseson has not sold personal information in the preceding 12 months and does not sell personal information of minors under 16 years of age. We do not have actual knowledge that we sell personal information of minors.

If our practices change, we will update this Privacy Policy and provide California residents with the right to opt out of such sales.

CCPA Non-Discrimination Policy

We will not discriminate against you for exercising your CCPA rights. We will not:

  • Deny you goods or services
  • Charge you different prices or rates, including through discounts or other benefits
  • Provide you a different level or quality of services
  • Suggest that you may receive different prices, rates, levels, or quality of services

11. International Data Transfers

We operate globally and may transfer your personal information to countries outside your residence, including the United States. We ensure appropriate safeguards are in place:

11.1 EEA/UK to Third Countries

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses (2021 version) for transfers to countries without adequacy decisions
  • Adequacy Decisions: We transfer to countries recognized by the EU Commission as providing adequate protection (e.g., UK, Switzerland, Japan, Canada for commercial organizations)
  • Supplementary Measures: Additional technical and organizational measures to ensure data protection (e.g., encryption, access controls)

11.2 Brazil (LGPD) International Transfers

For transfers from Brazil, we comply with LGPD requirements using:

  • Countries recognized by ANPD as providing adequate protection
  • Standard contractual clauses approved by ANPD
  • Specific authorization from ANPD when required
  • Explicit consent for specific transfers

Important: We do not rely on EU-US Privacy Shield, which was invalidated by the Schrems II decision in July 2020. We use Standard Contractual Clauses with supplementary measures for all US transfers.

12. Cookies and Tracking Technologies

12.1 Types of Cookies We Use

Strictly Necessary Cookies (No Consent Required)

Essential for website functionality, security, and service delivery. These cannot be disabled.

  • Session management and authentication
  • Security and fraud prevention
  • Load balancing

Analytics Cookies (Consent Required)

Help us understand how visitors use our website (Google Analytics with IP anonymization).

  • Page views and user flow
  • Performance metrics
  • Error tracking

Preference Cookies (Consent Required)

Remember your settings and preferences (e.g., language, theme).

Marketing Cookies (Consent Required)

Used to deliver relevant advertisements (only with explicit consent).

12.2 Cookie Management

You can control cookies through:

  • Our Cookie Banner: Manage preferences when you first visit
  • Browser Settings: Block, delete, or set preferences for cookies
  • Google Analytics Opt-Out: Browser add-on available
  • Do Not Track: We honor Do Not Track (DNT) signals

12.3 Cookie Retention

  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Maximum 13 months (GDPR-compliant)
  • Analytics Cookies: 26 months (Google Analytics default)

13. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children.

  • Age Requirement: You must be at least 16 years old (or the age of majority in your jurisdiction) to use our services
  • Parental Notice: If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately
  • Deletion: If we discover that we have collected information from a child under 16 without parental consent, we will delete such information within 24 hours
  • COPPA Compliance: We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and do not collect data from children under 13

14. Supervisory Authorities and Complaint Rights

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the relevant supervisory authority:

14.1 European Union / EEA

Contact your local Data Protection Authority. Find your local authority:

European Data Protection Board - Member List

14.2 United Kingdom

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113

14.3 Brazil

Autoridade Nacional de Proteção de Dados (ANPD)
Website: gov.br/anpd

14.4 California

California Attorney General
Website: oag.ca.gov/privacy
CCPA Hotline: 1-916-210-6276

15. Data Protection Officer & Representatives

15.1 Data Controller

Norseson is the data controller responsible for your personal information.

Contact for Privacy Matters:

15.2 EU Representative (If Applicable)

If Norseson processes substantial amounts of personal data from EU residents and does not have an establishment in the EU, we will appoint an EU representative as required by GDPR Article 27. Contact details will be provided here when applicable.

16. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you.

  • We do not use automated systems to make decisions about your eligibility for services
  • We do not create profiles that automatically determine pricing or service levels
  • All business decisions involving your data involve human review
  • If our practices change, we will update this policy and obtain consent where required

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • Minor Changes: We will post the updated policy on our website and update the "Last updated" date
  • Material Changes: We will notify you via email (if you have provided one) at least 30 days before the changes take effect
  • Prominent Notice: Material changes will be highlighted on our homepage
  • Consent: We will obtain your explicit consent where required by applicable law
  • Version History: Previous versions are available upon request

Your continued use of our services after changes are posted constitutes acceptance of the updated policy. If you do not agree with the changes, please discontinue use and contact us to delete your account.

18. Governing Law and Jurisdiction

18.1 Governing Law

This Privacy Policy is governed by and construed in accordance with:

  • General: The laws of the jurisdiction in which Norseson operates
  • EU/EEA Residents: GDPR and applicable EU member state laws
  • California Residents: California Consumer Privacy Act (CCPA) and California law
  • Brazilian Residents: Lei Geral de Proteção de Dados (LGPD) and Brazilian law

18.2 Dispute Resolution

In the event of any dispute arising out of or relating to this Privacy Policy:

  • Informal Resolution: We encourage you to contact us first to attempt to resolve the dispute informally
  • Mediation: If informal resolution fails, we will attempt mediation before litigation
  • Jurisdiction: Disputes will be subject to the exclusive jurisdiction of courts in your place of residence for consumer disputes
  • Your Legal Rights: Nothing in this policy affects your mandatory legal rights under applicable consumer protection laws

19. Limitation of Liability

To the maximum extent permitted by applicable law:

  • We are not liable for unauthorized access to or alteration of your data resulting from circumstances beyond our reasonable control
  • We are not responsible for the privacy practices of third-party websites linked from our services
  • Our liability for any data breach is limited to the remedies and notifications specified in this policy and required by law
  • Nothing in this policy excludes or limits our liability for fraud, gross negligence, or matters that cannot be excluded under applicable law

20. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions will continue in full force and effect. The invalid provision will be replaced with a valid provision that most closely reflects the original intent.

21. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • For Privacy Rights Requests: legal@norseson.com (Subject: "Privacy Rights Request - [Your Jurisdiction]")
  • For Data Breach Notifications: legal@norseson.com (Subject: "Security Incident Report")
  • For General Privacy Questions: hello@norseson.com
  • Website Contact Form: /contact

Response Time Commitment: We will respond to all privacy inquiries within 30 days (or as required by applicable law). For California residents, we respond within 45 days (with possible 45-day extension). For GDPR requests, we respond within 30 days (with possible 60-day extension for complex requests).

Privacy Policy Summary

  • GDPR: Full compliance for EU/EEA residents
  • CCPA: California consumer rights protected
  • LGPD: Brazilian data protection ensured

This Privacy Policy is effective as of October 20, 2025
Version 2.0 - Comprehensive International Compliance
