Privacy Notice
Version 2.0 | Last Updated: 7 December, 2025
1. Personal data responsibility and basis for processing
This Privacy Notice applies when Norriva (“Norriva,” “we,” “our,” “us”) – part of From Scratch AB, business registration number 559494-1261, located at Box 6022, 187 06 Täby, Sweden – processes personal data relating to individuals using Norriva services (“you,” “your”). Norriva’s processing of personal data complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Norriva and From Scratch AB are committed to protecting your privacy and complying with applicable data protection laws, including but not limited to the GDPR. This Privacy Notice explains what data we collect, how we use it, how we protect it, and the rights you have over your information.
Processing of personal data when using Norriva services is based on an agreement with the company that you, the data subject, represent. Other instances include when you submit a contact request through our website, subscribe to our newsletter, interact with us on social media, or participate in a webinar we organize. We may also process your personal data if we believe the company you represent may be interested in our services. Additionally, we process personal data to comply with legal obligations under applicable laws and governmental decisions.
2. Categories of personal data collected
Personal data refers to any information that can be directly or indirectly linked to a living person. Norriva collects and processes various types of personal data within the scope of its activities.
Norriva may collect the following personal data from you:
Category | Examples of personal data collected |
Personal Information | Name, email address, phone number, billing details |
Company Information | Company name, industry, size, location, domains |
Operational & Business Data | Budget data, financial targets, Profit & Loss (P&L) statements, performance metrics |
Sales & Marketing Data | Pipeline details, marketing events, funnel data, campaign performance |
Product Data | Roadmap milestones, launch dates |
Usage Data | Website/app activity, feature interactions, IP address, browser type, device information |
Tracking Data | Cookies, analytics tracking, similar technologies |
Customer Content Data | Data you upload or input (e.g., sales performance, lead performance). You retain all rights. |
3. Purpose of processing
Norriva processes your personal data for the following purposes:
- To fulfil contractual obligations.
- To provide services and communicate with you.
- To send information about our activities.
- To conduct targeted marketing via social media.
- To handle inquiries and complaints.
- To facilitate invoicing.
- To comply with legal obligations imposed by authorities and applicable laws.
For detailed information on the purposes and legal basis for processing, please refer to the table below in section 5.
4. Use of AI in services
Norriva uses Artificial Intelligence (“AI”) as part of our platform to help you analyse data and improve your go-to-market (“GTM”) strategy. AI is not used to improve our own product for unrelated purposes; its primary role is to provide insights and recommendations. Norriva is currently using two kinds of AI features:
- Core AI features: analysing sales, marketing, and operational data to identify trends, generate performance insights, GTM recommendations and support strategic planning.
- Optional AI features: enabled only with your consent, may include experimental tools.
When you use AI features, the relevant input data you provide is sent securely to our AI development platform: Vertex AI (Google). We do not use your AI input data to train public AI models. Processing is limited to delivering the requested AI insights to you. AI-generated insights are intended as decision-support tools and do not replace human judgment. Outputs are subject to human oversight.
5. Data Retention and Deletion
Personal data is retained as long as necessary to fulfil the specified purposes. Most personal data is automatically deleted after the statutory retention period following contract termination.
For instance, under the Swedish Accounting Act, Norriva is required to retain specific personal data (e.g., invoices and accounting documents) for seven years. Such data will only be used for accounting purposes.
Customer-related data is retained while you are considered a Norriva customer. After contract termination, most of your data will be deleted unless retention is required for other purposes. Certain data, such as Personal and Company information, will be kept for 36 months for marketing purposes.
Personal data will be deleted or anonymized when it is no longer necessary for retention. Once anonymization is executed, it cannot be reversed, and no individual can be linked to the remaining information.
For full details on data retention periods, see the table below.
Purpose | Example Activities | Legal Basis | Categories of personal data | Retention period |
Providing Services | Account creation, subscription management, AI-powered features | Contract Performance | Personal info, Company info, Customer content | Duration of account + 3 years |
Communication | Service updates, newsletters (opt-in) | Consent | Personal info, Company info | Until consent is withdrawn |
Marketing | Promotions via e-mail, telephone or by mail | Legitimate Interests | Personal info, Company info | Duration of account + 3 years |
Improvement & Customization | Analyzing usage, improving AI outputs, UX enhancements | Legitimate Interests | Usage data, Tracking data | 24 months (then anonymized) |
Core AI features | Troubleshooting, ensuring service accuracy, and security monitoring | Contract Performance | Customer Content Data | 30 days |
Optional AI features | Depends on the feature chosen, e.g. competitive analysis or updating the vision, mission and core values based on the company overview. Similarly, we can provide suggestions on any numbers or text provided. | Consent | Customer Content Data | Displayed before you consent |
Analytics & Research | Aggregated analysis, AI performance reviews | Legitimate Interests | Usage data, Operational data | 24 months |
Legal Compliance | Tax reporting, regulatory requests | Legal Obligation | Financial and transaction records | 7 years |
Fraud Prevention & Security | Security monitoring, fraud detection | Legitimate Interests | Personal info, Usage data | 12 months |
6. Recipients of personal data
We do not sell or rent your data. However, Norriva collaborates with various companies, including partners and suppliers. As a result, we may share your personal data with third parties when necessary. The following types of recipients may process your data:
- Service providers – Used so that we can provide you with our services, such as payment processors, hosting, and support tools. These service providers will only get access to information on a need-to-know basis and are contractually bound to maintain confidentiality.
- Notification services – Used for communication (e.g., newsletters or reminders). These services only access your contact details and are contractually bound to maintain confidentiality.
- Authorities – Norriva may be legally required to disclose information to authorities. In some cases, we may be prohibited from informing you about such disclosures.
- Business Transfers – In the event of Norriva being part of a merger, acquisition, or sale of assets, your data will be a part of that Business Transfer.
Norriva primarily processes data within the EU/EEA. If data is transferred outside this region, we apply safeguards such as:
- EU–U.S. Data Privacy Framework (DPF)
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
7. Information Security
As a data controller, Norriva implements appropriate technical and organizational measures to safeguard personal data, adhering to GDPR regulations. We maintain internal policies and procedures to address security risks and prevent unauthorized access or leaks. We also use appropriate technical and organizational measures to protect your data, e.g.:
- Encrypted connections (TLS 1.2+)
- Secure hosting environments compliant with recognized standards
- Monitoring, prevention, and reporting of security incidents
8. Your Rights
You have the following rights regarding your personal data:
- Right to Withdraw Consent:
You may withdraw consent at any time without affecting the lawfulness of prior processing. Email us at privacy@norriva.com.
- Right to Restrict Processing:
You may request that processing be limited to storage or object to certain processing activities. For instance, you may choose to unsubscribe from newsletters and other mailings by following a link in these mailings or by sending an e-mail to privacy@norriva.com.
- Right to Object:
You may object to processing based on legitimate interests or for direct marketing purposes. Contact us at privacy@norriva.com.
- Right of Access:
You may request a record of how your data is processed, which will be provided within one month. Request this by emailing privacy@norriva.com.
- Right to Rectification:
You may request corrections to inaccurate personal data or add missing details. Contact us at privacy@norriva.com.
- Right to Data Portability:
You can request the transfer of your data to another company or yourself, except for legally retained data. Email privacy@norriva.com.
- Right to Erasure:
You may request deletion of personal data not required for legal compliance or certain other activities such as contractual obligations. Email privacy@norriva.com.
If you believe we are not complying with this privacy policy, we encourage you to contact us at privacy@norriva.com. You also have the right to file a complaint with your local data protection authority. In the EU, you can find contact details here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
9. Updates to This Privacy Notice
We may update this Privacy Notice from time to time. When significant changes are made, we will notify you via email (if applicable) and update the ‘Last Updated’ date.