Privacy Policy

Effective date: May 4, 2026

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Åsebø Digital (enkeltpersonforetak)

Org.nr. 936 620 051

Norway

Website: knowvendor.com

As a Norwegian sole proprietorship operating within the European Economic Area, we are subject to the General Data Protection Regulation (GDPR, EU 2016/679) as implemented in Norwegian law through the EEA Agreement and the Norwegian Personal Data Act (personopplysningsloven).

2. What Personal Data We Collect and Why

We collect only what is necessary to provide the Service. The table below summarises every category of personal data we process, along with the legal basis under GDPR Article 6.

Category	Data	Purpose	Legal basis	Retention
Account	Email address	Authentication (magic link sign-in), transactional emails (sign-in link, risk alerts)	Art. 6(1)(b) — contract performance	Until account deletion, max 3 years of inactivity
Subscription	Email, payment method token (held by Stripe — we never see card numbers)	Processing subscription payments, managing billing	Art. 6(1)(b) — contract performance	7 years (Norwegian bookkeeping law / regnskapsloven)
Usage / lookups	User ID + company ID searched, timestamp	Enforcing free-tier search limits, powering saved search history	Art. 6(1)(b) — contract performance	12 months rolling
Analytics	Page URL, referrer, country (no cookies, no fingerprinting)	Understanding which pages are used — Simple Analytics, privacy-first	Art. 6(1)(f) — legitimate interest (aggregate, non-personal)	Not personal data — retained indefinitely in aggregate
Contact	Name, email, message content	Responding to support or enquiry emails	Art. 6(1)(f) — legitimate interest	2 years from last contact

We do not collect sensitive categories of personal data (Article 9 GDPR). We do not collect data about children under 18.

3. Cookies and Tracking

We use a minimal number of cookies, all strictly necessary:

Session cookie (Supabase auth) — keeps you signed in. HttpOnly, Secure, SameSite=Lax. Expires when you sign out or after 7 days of inactivity.
No advertising cookies. No tracking pixels. No third-party cookies.

Our analytics provider is Simple Analytics (simpleanalytics.com), which does not set cookies, does not track individuals across sites, and respects Do Not Track (DNT) signals. We have configured Simple Analytics to collect Do Not Track signals (data-collect-dnt="true"), meaning your browser's DNT preference is honoured.

4. Who We Share Your Data With

We do not sell personal data. We share data only with the processors listed below, each bound by a Data Processing Agreement (DPA):

Supabase (supabase.com)Authentication and database hosting. Servers in the EU (AWS Frankfurt). DPA signed.
Stripe (stripe.com)Payment processing. PCI-DSS Level 1 certified. Stripe stores payment card data — we do not.
Resend (resend.com)Transactional email (sign-in links, risk alerts). EU data residency available.
Simple Analytics (simpleanalytics.com)Privacy-first analytics. No personal data transferred — aggregate only.
Vercel (vercel.com)Hosting and CDN. EU region selected for edge functions.

We may disclose personal data if required by Norwegian law, court order, or other governmental authority, or to protect the rights, property, or safety of KnowVendor or others.

5. International Data Transfers

Our primary data processors (Supabase, Vercel) operate within the EU/EEA. Where data is transferred outside the EEA — for example to Stripe's US infrastructure or Resend — such transfers rely on the European Commission's Standard Contractual Clauses (SCCs) or the processor's participation in an approved adequacy framework.

Users located in the United States should be aware that their data is stored on servers in the European Union and subject to EU/EEA data protection law.

6. Your Rights

Under GDPR you have the following rights regarding your personal data. To exercise any of them, contact us at hello@knowvendor.com. We will respond within 30 days.

Right of access (Art. 15): Request a copy of all personal data we hold about you.
Right to rectification (Art. 16): Ask us to correct inaccurate data.
Right to erasure (Art. 17): Ask us to delete your data ("right to be forgotten"). You can also delete your account directly in Settings.
Right to restriction (Art. 18): Ask us to limit how we use your data while a dispute is resolved.
Right to data portability (Art. 20): Receive your data in a machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

You also have the right to lodge a complaint with the Norwegian supervisory authority:

Datatilsynet (Norwegian Data Protection Authority)

Postboks 458 Sentrum, 0105 Oslo

postkasse@datatilsynet.no

datatilsynet.no

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

All data transmitted over HTTPS/TLS
Authentication tokens stored in HttpOnly, Secure cookies — not in localStorage
Database access controlled via Row-Level Security (RLS) in Supabase
Service role keys never exposed to the client
Payment card data never touches our servers — handled entirely by Stripe

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and Datatilsynet as required by GDPR Articles 33-34.

8. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. See the table in Section 2 for specific retention periods. When you delete your account, your email address and lookup history are deleted within 30 days. Billing records are retained for 7 years to comply with Norwegian bookkeeping law (regnskapsloven).

9. Children's Privacy

The Service is not directed at persons under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at hello@knowvendor.com and we will delete it promptly.

10. California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

Right to know what personal information we collect, use, disclose, and sell
Right to delete personal information
Right to opt out of the sale or sharing of personal information
Right to non-discrimination for exercising your rights

We do not sell or share personal information as defined under the CCPA/CPRA. To exercise your rights, contact us at hello@knowvendor.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and update the effective date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.