— Privacy notice

What we collect, what we don't, and how to delete it.

Plain-language version. Legal version available on request from support@nordicdata.cloud.

One-paragraph version

Nordic Data is a Norwegian B2B data API. We process publicly-registered company information from Brønnøysundregistrene, Aksjonærregisteret, Doffin, sanctions lists, and EU R&D registries. We store our customers' email addresses and the org numbers they look up, for billing and abuse prevention. We do not sell data, do not advertise, and process everything in EU/EEA infrastructure (Vultr Amsterdam). You can delete your account and all associated data by emailing support@nordicdata.cloud.

1. Who we are

Nordic Data is operated by André Johansen, sole proprietor (Norwegian enkeltpersonforetak). All processing happens in EU/EEA jurisdictions. Contact: support@nordicdata.cloud.

2. What we collect

From customers (you, if you have an API key)

Your email address (used to send the API key, billing receipts, and account notifications).
Your API key usage logs: timestamp, IP address, endpoint called, the org number you looked up, response status code. Retained for 90 days for rate-limiting and abuse prevention.
If you upgrade to a paid plan: billing name and the Stripe customer ID. Card details are handled by Stripe; we never see them.

From end-users of products built on Nordic Data (e.g., users of the browser extension)

Org numbers they look up.
The Nordic Data API key (provided by the customer who installed the integration) used to authenticate the request.
No personal data of the end-user is sent to Nordic Data unless the customer explicitly configures it.

From the public registries we redistribute

The company data we serve (company names, addresses, board members, NACE codes, sanctions hits) is all sourced from public Norwegian and EU registries operating under their respective legal mandates. Brønnøysundregistrene and the Aksjonærregisteret are public-by-design under Norwegian law. We do not collect this data from individuals; we redistribute it from official feeds.

3. What we don't collect

We do not use cookies for advertising or third-party tracking.
We do not sell or share data with advertising networks or data brokers.
We do not collect biometric data, geolocation beyond IP-derived region, or content from your accounting software.
The browser extension does not read any form data other than the org-number field you click on.
We do not transfer customer data outside the EU/EEA.

4. Why we process this data (legal bases under GDPR)

Contract performance (Art. 6(1)(b)): to provide the API service you signed up for.
Legitimate interest (Art. 6(1)(f)): redistribution of publicly-registered company data; rate-limiting and abuse prevention.
Legal obligation (Art. 6(1)(c)): tax records for paid customers.

5. How long we keep it

API key usage logs: 90 days, then purged.
Customer email and account: until you delete your account, or 24 months of inactivity.
Billing records: 5 years (Norwegian bookkeeping law minimum).
Public registry data: live mirror of the source registries; deletions in the source propagate within 24 hours.

6. Where the data lives

All servers and databases are hosted with Vultr in Amsterdam (EU). Backups are encrypted and stored in the same region. We use Stripe Ireland for payment processing. We do not use US-based cloud providers.

7. Your rights (GDPR)

Access: request a copy of everything we have about you.
Rectification: correct anything inaccurate.
Erasure: delete your account and all derived data.
Portability: receive your data in a machine-readable format.
Object: object to processing based on legitimate interest.
Complaint: lodge a complaint with the Norwegian Datatilsynet.

To exercise any of these rights, email support@nordicdata.cloud with the subject "GDPR request". We respond within 30 days.

8. The browser extension specifically

The Nordic Data Connect Chrome extension reads only the org-number field on customer/supplier forms across Tripletex, Visma.net, PowerOffice, 24SevenOffice, and Fiken. When you click the "Slå opp" button, the extension sends only the 9-digit org number to api.nordicdata.cloud. The accounting platform's other form fields, your login session with the platform, and any data in the underlying accounting database are never read or transmitted.

The extension stores only your Nordic Data API key locally in chrome.storage.sync. The key is not sent anywhere except as an Authorization header to api.nordicdata.cloud on lookup requests.

9. Information about minors

Nordic Data is a B2B service for businesses. We do not knowingly process data about minors. If you believe we have, contact us and we will delete it.

10. Changes to this policy

If we change anything material we will email registered customers at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.