Privacy Policy

Introduction & scope

This Privacy Policy explains how we use cookies, and how we collect, use, disclose, retain and protect personal data in connection with our website, services, customer relationships and business operations. It is designed to meet the information requirements of the General Data Protection Regulation (GDPR) as incorporated into Norwegian law through the Personal Data Act (Personopplysningsloven).

Who we are (Controller identity)

ClampOn AS is the controller for the processing activities described in this notice.

Data protection principles

We process personal data in line with GDPR Article 5 principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

Categories of personal data & sources

We process the following categories of data, collected from you directly or generated/obtained from your use of our services and, where relevant, third-party sources such as public company registers, business partners, and fraud-prevention/security providers:

• Website visitors: Device and usage data (IP address, timestamps, pages viewed, events, approximate location), cookie preferences, consent logs
• Prospective customers & contacts: Name, role, company, email, phone, communication history, meeting notes
• Customers & users of our services: Account identifiers, authentication data, usage logs, support requests, contractual and billing information
• Chat assistant users: Questions/messages you enter, technical metadata (e.g., IP address/browser type/time) used for security and abuse prevention
• Suppliers/partners: Contact details, contract and payment data

Purposes & legal bases for processing

• Operate our website and services: Legitimate interests (GDPR Art. 6(1)(f)) to provide a secure, usable site and services; consent for non-essential cookies; contract necessity (Art. 6(1)(b)) for registered users
• Respond to inquiries and provide support: Legitimate interests (Art. 6(1)(f)) and, where applicable, contract necessity (Art. 6(1)(b))
• Marketing and communications: Consent (Art. 6(1)(a)) for communication where required; legitimate interests (Art. 6(1)(f)) for B2B communications consistent with expectations; right to opt out at any time
• Analytics and service improvement: Legitimate interests (Art. 6(1)(f)); for cookies/trackers that are not strictly necessary, we rely on consent under Ekomloven and GDPR
• Security, fraud prevention and abuse monitoring: Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable
• Fulfilling legal obligations: Legal obligation (Art. 6(1)(c)), e.g., accounting and tax retention
• Recruitment and HR administration: Legal obligation (Art. 6(1)(c)), contract necessity (Art. 6(1)(b)), and legitimate interests (Art. 6(1)(f)); where required, consent (Art. 6(1)(a))

Cookies & online tracking

We use cookies and similar technologies to remember settings, maintain sessions, provide security, measure audience and tailor content. From 1 January 2025, Norwegian rules require valid GDPR-level consent for all storage, and access to, information on the user’s terminal. This includes the use of cookies, LocalStorage, SessionStorage, IndexedDB, and similar technologies except for strictly necessary uses. Our cookie banner lets you accept, reject or granularly choose purposes; you can withdraw consent at any time via the cookie settings. No not-strictly-necessary storage/access occurs prior to the user giving an active, informed and valid consent. This also applies to third-party technology (analytics, marketing, chat, etc.) that can read/write data when a page is loaded. We use embedded YouTube-videos which may transfer data to Google/YouTube. With the YouTube privacy-enhanced mode in use, YouTube serves non-personalized ads, reducing the risk of YouTube tracking the user's browsing experience.

Analytics & marketing technologies

We use analytics (e.g., Google Analytics 4) to understand how our website is used and improve content. These tools collect aggregated insights; where they set non-essential identifiers on your device, we obtain consent via the cookie banner.

ClampOn AI chat assistant (Botpress)

We offer a chat function on the website to provide quick customer service and answer questions. The chat service is delivered by Botpress Inc., which acts as our data processor.

When you use the chat, the following information may be processed:

the information you enter in the chat

technical information such as IP address, browser type, and time of the conversation

any information you voluntarily provide, such as name or email address

The information is only used to respond to inquiries, improve the service, and analyze the use of the chat function. We will never ask you to provide sensitive personal data.

The chat service may use cookies or similar technology (for example local storage in the browser) to keep track of the conversation, recognize user sessions, and ensure that the chat works properly.

Conversations may be stored for documentation, quality assurance, and follow‑up of inquiries.

The legal basis for processing personal data is our legitimate interest in providing efficient customer service, cf. the GDPR Article 6(1)(f). Use of cookies or similar technology is carried out in accordance with the Electronic Communications Act § 2‑7a.

Botpress may process data on servers outside the EU/EEA. In such cases, the transfer is secured through approved transfer mechanisms under GDPR, such as the EU’s Standard Contractual Clauses.

For more information about how Botpress processes personal data, see their privacy policy: https://botpress.com/legal/privacy

CRM & business communications

We use CRM and productivity tools (e.g., Microsoft Dynamics 365 and Microsoft 365) to manage relationships, opportunities and communications. Typical data includes contact details, interactions and contractual information.

Data retention

• Website analytics and event logs: Are not stored on individual basis, only aggregated data is kept. Typically, 14–26 months unless required otherwise
• Chat assistant: Conversation text up to 90 days; IP addresses used for rate limiting up to 1 hour
• Customer account and contract data: For the contract term plus applicable statutory limitation periods. Data regarding delivered products are retained through the product lifetime cycle for ClampOn to be able to provide knowledge and support.
• Financial records (invoices, accounting): Retained as required by accounting/tax law
• Recruitment data: Up to 12 months unless longer retention is permitted/consented
• Support correspondence: Data regarding delivered products are retained through the product lifetime cycle for ClampOn to be able to provide knowledge and support.

Where fixed retention periods are not possible, we apply documented criteria (purpose, legal requirements, risk and business needs) to determine appropriate retention.

Sharing and disclosure of data

We do not share personal data. We may disclose information required by law (legal obligations/court orders), to protect rights and safety, or in connection with corporate transactions (e.g. fusion, company acquisition, due diligence).

International data transfers

If personal data is transferred outside the EEA, we rely on an adequacy decision where available or implement appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs). Where relevant, we perform transfer impact assessments (TIA) and apply supplementary measures to protect your data. Relevant information can be provided upon request.

Security measures

We maintain technical and organizational measures appropriate to the risk, including access controls, encryption in transit and at rest (where applicable), network security, logging and monitoring, regular backups, vulnerability management, employee training and vendor due diligence.

Your rights

• Access – receive a copy of your personal data and information about our processing
• Rectification – correct inaccurate or incomplete data
• Erasure – request deletion where the GDPR permits (e.g., where data is no longer needed or consent is withdrawn)
• Restriction – request that we limit processing under certain conditions
• Portability – receive certain data in a commonly used, machine‑readable format and have it transferred to another controller
• Objection – object to processing based on legitimate interests or to direct marketing at any time
• Withdraw consent – where processing relies on consent, you may withdraw it at any time without affecting the lawfulness of past processing

We respond without undue delay and within one month (extendable by two months for complex requests). We may need to verify your identity and consider third‑party rights or legal obligations before fulfilling a request.

Automated decision-making

We do not carry out automated decisions producing legal or similarly significant effects about you, including profiling, unless we clearly inform you, provide meaningful information about the logic involved and implement safeguards required by GDPR Article 22.

Your choices & consents

You can manage cookie preferences via the banner/settings at any time. You may opt out of marketing communications by replying to our emails with the subject “Unsubscribe”.

Contact & complaints

Questions or requests about this notice can be sent to us at mail@clampon.com with “GDPR Request” in the subject line. In the email please describe, with specificity, the GDPR right you are requesting assistance with. Please note that additional information may be required to start a request and that ClampOn reserves the right to charge a fee with respect to certain requests. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). Postal address: PO Box 458 Sentrum, 0105 Oslo, Norway. See datatilsynet.no for more information.

Data subject access request/data erasure request

To comply with a request for data access/erasure these are the steps we will follow:

Verify Identity: Confirm the identity of the requester to prevent unauthorized access.

Locate Data: Search across all systems, including email and databases.

Review Data: Remove information that belongs to other individuals.

Provide Information: Deliver the data in a secure, commonly used electronic format.

Changes to this policy

We may update this notice from time to time to reflect legal, technical or business developments. When we update it, we will take appropriate measures to inform you consistently with the significance of the changes.

Legal references (Non-exhaustive)

• GDPR Articles 5, 6–10, 12–22, 24–25, 28, 30, 32–36, 44–49

• Norwegian Personal Data Act (Personopplysningsloven) incorporating GDPR into Norwegian law

• Ekomloven (Electronic Communications Act) – § 3‑15 on cookies and similar technologies (from 1 January 2025)

• European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914) for international transfers