Norith is a sole proprietorship (enskild firma) operated by Hugo Thunborg.
Our organisation number is the operator's personal identity number (personnummer), which is itself a personal data point under the GDPR. It appears together with our VAT number in the footer of norith.ai, in line with Section 8 of the Swedish E-Commerce Act (lagen [2002:562] om elektronisk handel).
This policy explains how we handle personal data. We act in two different roles, and the rules differ for each:
If you were contacted by a Norith-run campaign and want to understand or exercise your rights, read Part B.
This part applies to visitors to our website, people who email us or book a call, and recipients of Norith's own marketing.
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, company, message (from email correspondence) | Respond to your enquiry; take pre-contract steps | Art. 6(1)(b) (steps at your request) or 6(1)(f) (our legitimate interest in answering you) |
| Booking details when you schedule a call via Calendly | Arrange and hold the call | Art. 6(1)(b) (pre-contractual measures at your request) |
| Aggregate, cookieless analytics, if enabled (page views, referrer, approximate location, device/browser type) | Understand site usage and improve the site | Art. 6(1)(f) (legitimate interest in a functioning website) |
| Business contact details we source for our own outreach (e.g. from public sources or business-data providers such as Apollo.io) | Contact you about Norith's services | Art. 6(1)(f) (legitimate interest in B2B marketing), supported by a documented balancing test |
| Server/security logs held by our hosting provider | Keep the site secure and stable | Art. 6(1)(f) (legitimate interest in security) |
Where we rely on legitimate interest (Art. 6(1)(f)), we have weighed our interest against your rights and concluded the processing is proportionate. You can ask us for a summary of that assessment, and you can object at any time (see A5).
We collect most data directly from you. For our own outbound marketing, we may obtain business contact details from publicly available sources and from business-data providers such as Apollo.io. Where data is not collected from you directly, the categories are typically your name, work email, job title, employer, and public professional profile.
We do not sell personal data. We share it only with service providers acting on our behalf:
Each provider processes data under a data-processing agreement. Transfers outside the EU/EEA (e.g. to Calendly in the US) rely on the European Commission's Standard Contractual Clauses, with a transfer assessment on file, and on the provider's certification under the EU-US Data Privacy Framework where applicable.
| Data | Retention |
|---|---|
| Enquiry / contact correspondence | Up to 24 months after last contact, then deleted |
| Booking records | Up to 24 months, then deleted |
| Marketing contact data | Until you object, or after 24 months of no engagement |
| Analytics | Aggregate only; no identifiable retention |
| Security/server logs | Up to 2 months |
Under the GDPR you have the right to: access your data; have it corrected; have it erased; restrict or object to processing; data portability; and, where we rely on legitimate interest for direct marketing, and an absolute right to object. If you object to marketing, we stop, no questions asked.
To exercise any right, email hugo@norith.ai. We may need to verify your identity. We respond within one month.
You also have the right to lodge a complaint with the Swedish supervisory authority: Integritetsskyddsmyndigheten (IMY): imy.se, imy@imy.se.
We do not make decisions producing legal or similarly significant effects about you by automated means alone.
When we deliver cold-outreach services, our client, typically a B2B SaaS company, is the data controller. The client decides the target audience, approves the criteria, and instructs the campaign. Norith acts only as a processor under Article 28 GDPR, processing prospect data on the client's documented instructions under a signed Data Processing Agreement.
On a client's instruction we process business contact data of prospects, typically name, work email, job title, employer, public LinkedIn URL, and company information, for the purpose of contacting them on the client's behalf. The legal basis for that contact is the client's, normally legitimate interest (Art. 6(1)(f)) supported by a balancing test the client adopts.
| Sub-processor | Role | Location | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting / infrastructure | Germany (EU) | None needed (EU) |
| Anthropic PBC | AI text generation (Claude API), zero-retention enabled | US | SCCs + DPF |
| Apollo.io (ZenLeads Inc.) | Business contact data | US | SCCs + DPF |
| Instantly.ai | Email sending infrastructure | US | SCCs |
| Calendly LLC | Meeting booking | US | SCCs + DPF |
We keep this list current. Clients are notified of sub-processor changes under their DPA.
If you are a California resident, you have the right to know what personal information is collected, to delete it, to correct it, to opt out of its sale or sharing, and to limit the use of sensitive personal information, without discrimination for exercising those rights.
Norith does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioural advertising. The personal information we handle is business contact information (identifiers, professional/employment information, and electronic activity). To make a request, email hugo@norith.ai.
norith.ai sets no cookies. If we enable analytics, we use a cookieless, aggregate-only tool (such as self-hosted Umami) that sets no cookies and creates no persistent identifiers. Because no non-essential cookies are set, no cookie consent banner is required.
The Calendly scheduler loads only when you ask for it. The booking section shows a plain "Pick a time" panel; no Calendly code runs until you click it. Once you open the scheduler, Calendly loads inside the page and may set cookies under its own privacy policy. A link to book directly on calendly.com is offered as an alternative. Our LinkedIn link opens an external site in a new tab; once you follow it, that site's own policies apply.
We apply appropriate technical and organisational measures, including encryption in transit, access controls on a least-privilege basis, and per-client data separation. No system is perfectly secure, so we cannot guarantee absolute security.
We may update this policy. Material changes will be posted here with a new "last updated" date, and where appropriate notified by email.
Questions about this policy or your data: hugo@norith.ai.