Privacy Policy

Last updated: 2 July 2026

1. Who we are

Norith is a sole proprietorship (enskild firma) operated by Hugo Thunborg.

Our organisation number is the operator's personal identity number (personnummer), which is itself a personal data point under the GDPR. It appears together with our VAT number in the footer of norith.ai, in line with Section 8 of the Swedish E-Commerce Act (lagen [2002:562] om elektronisk handel).

This policy explains how we handle personal data. We act in two different roles, and the rules differ for each:

If you were contacted by a Norith-run campaign and want to understand or exercise your rights, read Part B.

PART A, When Norith is the data controller

This part applies to visitors to our website, people who email us or book a call, and recipients of Norith's own marketing.

A1. What we collect, why, and on what legal basis

| Data | Purpose | Legal basis |
| --- | --- | --- |
| Name, email, company, message (from email correspondence) | Respond to your enquiry; take pre-contract steps | Art. 6(1)(b) (steps at your request) or 6(1)(f) (our legitimate interest in answering you) |
| Booking details when you schedule a call via Calendly | Arrange and hold the call | Art. 6(1)(b) (pre-contractual measures at your request) |
| Aggregate, cookieless analytics, if enabled (page views, referrer, approximate location, device/browser type) | Understand site usage and improve the site | Art. 6(1)(f) (legitimate interest in a functioning website) |
| Business contact details we source for our own outreach (e.g. from public sources or business-data providers such as Apollo.io) | Contact you about Norith's services | Art. 6(1)(f) (legitimate interest in B2B marketing), supported by a documented balancing test |
| Server/security logs held by our hosting provider | Keep the site secure and stable | Art. 6(1)(f) (legitimate interest in security) |

Where we rely on legitimate interest (Art. 6(1)(f)), we have weighed our interest against your rights and concluded the processing is proportionate. You can ask us for a summary of that assessment, and you can object at any time (see A5).

A2. Where your data comes from

We collect most data directly from you. For our own outbound marketing, we may obtain business contact details from publicly available sources and from business-data providers such as Apollo.io. Where data is not collected from you directly, the categories are typically your name, work email, job title, employer, and public professional profile.

A3. Who we share it with

We do not sell personal data. We share it only with service providers acting on our behalf:

Each provider processes data under a data-processing agreement. Transfers outside the EU/EEA (e.g. to Calendly in the US) rely on the European Commission's Standard Contractual Clauses, with a transfer assessment on file, and on the provider's certification under the EU-US Data Privacy Framework where applicable.

A4. How long we keep it

| Data | Retention |
| --- | --- |
| Enquiry / contact correspondence | Up to 24 months after last contact, then deleted |
| Booking records | Up to 24 months, then deleted |
| Marketing contact data | Until you object, or after 24 months of no engagement |
| Analytics | Aggregate only; no identifiable retention |
| Security/server logs | Up to 2 months |

A5. Your rights

Under the GDPR you have the right to: access your data; have it corrected; have it erased; restrict or object to processing; and receive your data in a portable format (data portability). Where we rely on legitimate interest for direct marketing, you also have an absolute right to object. If you object to marketing, we stop, no questions asked.

To exercise any right, email hugo@norith.ai. We may need to verify your identity. We respond within one month.

You also have the right to lodge a complaint with the Swedish supervisory authority: Integritetsskyddsmyndigheten (IMY): imy.se, imy@imy.se.

A6. Automated decisions

We do not make decisions producing legal or similarly significant effects about you by automated means alone.

PART B, When Norith is a data processor (client outreach campaigns)

When we deliver cold-outreach services, our client, typically a B2B SaaS company, is the data controller. The client decides the target audience, approves the criteria, and instructs the campaign. Norith acts only as a processor under Article 28 GDPR, processing prospect data on the client's documented instructions under a signed Data Processing Agreement.

B1. What we process, and for whom

On a client's instruction we process business contact data of prospects, typically name, work email, job title, employer, public LinkedIn URL, and company information, for the purpose of contacting them on the client's behalf. The legal basis for that contact is the client's, normally legitimate interest (Art. 6(1)(f)) supported by a balancing test the client adopts.

B2. Our sub-processors

| Sub-processor | Role | Location | Transfer safeguard |
| --- | --- | --- | --- |
| Hetzner Online GmbH | Hosting / infrastructure | Germany (EU) | None needed (EU) |
| Anthropic PBC | AI text generation (Claude API), zero-retention enabled | US | SCCs + DPF |
| Apollo.io (ZenLeads Inc.) | Business contact data | US | SCCs + DPF |
| Instantly.ai | Email sending infrastructure | US | SCCs |
| Calendly LLC | Meeting booking | US | SCCs + DPF |

We keep this list current. Clients are notified of sub-processor changes under their DPA.

B3. If you were contacted by a Norith-run campaign

PART C, Applies to both roles

C1. California residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information is collected, to delete it, to correct it, to opt out of its sale or sharing, and to limit the use of sensitive personal information, without discrimination for exercising those rights.

Norith does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioural advertising. The personal information we handle is business contact information (identifiers, professional/employment information, and electronic activity). To make a request, email hugo@norith.ai.

C2. Cookies, analytics, and the embedded scheduler

norith.ai sets no cookies. If we enable analytics, we use a cookieless, aggregate-only tool (such as self-hosted Umami) that sets no cookies and creates no persistent identifiers. Because no non-essential cookies are set, no cookie consent banner is required.

The Calendly scheduler loads only when you ask for it. The booking section shows a plain "Pick a time" panel; no Calendly code runs until you click it. Once you open the scheduler, Calendly loads inside the page and may set cookies under its own privacy policy. A link to book directly on calendly.com is offered as an alternative. Our LinkedIn link opens an external site in a new tab; once you follow it, that site's own policies apply.

C3. Security

We apply appropriate technical and organisational measures, including encryption in transit, access controls on a least-privilege basis, and per-client data separation. No system is perfectly secure, so we cannot guarantee absolute security.

C4. Changes to this policy

We may update this policy. Material changes will be posted here with a new "last updated" date, and where appropriate notified by email.

C5. Contact

Questions about this policy or your data: hugo@norith.ai.