Privacy Policy

Version: 1.0

Effective date: February 13th, 2026

Provider / Data controller for website matters: Nevorth AS (Org. no. 935761247), Grindstuveien 41, Rykkin, Norway ("Nevorth", "we", "us").

Legal contact: legal@nevorth.com • Support: support@nevorth.com

This Privacy Policy explains how Nevorth processes personal data in connection with (i) the Decision Referee Slack app/service ("Service"), and (ii) the nevorth.com website.


If you are a business customer using the Service, please also review:

  • Terms of Service

  • DPA (Data Processing Agreement)

  • Subprocessor List

  • Security Exhibit

  • Acceptable Use Policy

1. Roles (who is controller/processor)

1.1 Service (Decision Referee):

For Customer Data processed through the Service, your company (Customer) is the Controller and Nevorth is the Processor, as described in the DPA.


1.2 Website / direct communications:

For website analytics/cookies (where applicable), inbound inquiries, and general business communications, Nevorth acts as an independent Controller for the personal data we collect directly.

2. What personal data we process

2.1 Service (Decision Referee) — typical categories

The Service is designed to operate in Slack and therefore processes certain Slack-related identifiers and metadata. Typical categories include:

  • Slack workspace, user, and channel identifiers; message metadata; timestamps

  • Decision input text, which may inadvertently include personal data even though Customers are expected to avoid submitting it

  • Firm profile fields / business context inputs, to the extent provided by Customer and processed to provide outputs

  • Operational data for reliability and troubleshooting (logs)


2.2 Support and communications

  • Support requests, emails, and correspondence (typically business contact details and message content).


2.3 Billing (if applicable)

  • Payment and billing data handled via Stripe (e.g., billing contact details, subscription and payment status).


2.4 Website (nevorth.com)

  • Website traffic data and basic web logs (not intended to process decision content).

  • Cookie preferences and cookie-related identifiers (as configured through our cookie banner/settings on the site).

3. What we do not intend to process

  • The Service is not intended to process special category personal data (sensitive data) or data about criminal convictions, and Customers/Authorized Users must not submit it.

  • Customers/Authorized Users must not submit passwords, API keys, authentication secrets, or payment card data to the Service.

  • The Service is not intended to process file attachments.

4. Why we process personal data (purposes)

4.1 Provide the Service

To operate Decision Referee, including receiving inputs via Slack, generating AI-assisted outputs, and running integrations (Cloudflare Worker and Make scenarios).

4.2 Security and abuse prevention

To keep the Service reliable and secure, including operational logging and incident handling.

4.3 Customer support

To respond to support requests and maintain service communications.

4.4 Payments and subscription management (if applicable)

To process payments, taxes (where applicable), and subscription billing.

4.5 Improve the Service (aggregated/de-identified only)

We may create and use aggregated and/or de-identified data (e.g., volume metrics, feature usage, error rates) to operate and improve the Service, provided it does not identify a Customer or any individual.

5. Legal bases (GDPR)

Service (Decision Referee):

Processing is primarily performed on Customer instructions under the Terms/DPA (GDPR Art. 28 processor relationship).

Where Nevorth acts as Controller (e.g., security logs, account/admin communications), the typical legal bases are legitimate interests (security, service operation) and performance of a contract (support and service delivery), depending on the context.

Website / inquiries:

Legal bases typically include legitimate interests (operating and improving the website, responding to inquiries) and, where required for non-essential cookies, consent via the cookie banner/settings.

6. Subprocessors (third parties)

Decision Referee relies on established third-party providers. Our current subprocessors (Version 1.0; effective February 8th, 2026) include:

  1. Slack (Salesforce) — app integration in Customer workspaces

  2. Make — workflow automation/scenario execution

  3. Cloudflare — worker routing, CDN, security features

  4. OpenAI — AI inference to generate decision-support output (model: gpt-4.1-mini via API)

  5. Stripe — payments, tax calculation, subscription billing

  6. Webnode — website hosting/redirection (not intended to process decision content)

  7. Microsoft 365 — customer communications (support/legal inboxes)

OpenAI training note: Nevorth is not opted into data sharing for training; API data may still be retained by OpenAI for limited periods for abuse monitoring unless a zero-retention program applies.

Customers provide general authorization for subprocessors under the DPA, and we will update the public subprocessor list for material changes.

7. International transfers

Subprocessors may process data outside the EEA. Where required, transfers are made under appropriate safeguards (e.g., SCCs), as implemented by the relevant subprocessor and/or Nevorth.

8. Security

We maintain reasonable administrative, technical, and organizational measures appropriate for a startup SaaS and rely on subprocessors for core infrastructure. Key measures include:

  • Encryption in transit (TLS/HTTPS) for communications with Slack, Cloudflare, Make, OpenAI, Stripe, and the website

  • Encryption at rest as provided/configured by subprocessors

  • Access restrictions (authorized personnel only)

  • Operational logging for reliability/troubleshooting

  • Incident handling and breach notification consistent with the DPA

We do not claim certifications unless stated in an Order Form.

9. Data retention and deletion

Service data (Decision Referee):

  • Nevorth does not intentionally maintain a separate long-term database of decision text or firm profiles outside subprocessors. Customer Data may exist in operational logs and in subprocessor systems as described in the Terms/DPA and Subprocessor List.

  • Deletion after termination/expiration: Within 30 days, Nevorth will delete personal data under its control, unless legally required to retain it. Residual copies in backups and subprocessor systems may persist for up to 90 days (or per subprocessor retention cycles).

Website:

Cookie retention depends on the category and your selections, and on provider configurations.

10. Your rights (and how to exercise them)

If Nevorth processes personal data as a Processor (Service usage), requests should typically be directed to your employer/Customer (the Controller). Nevorth will assist the Customer to the extent applicable and technically feasible.

If Nevorth processes your personal data as a Controller (website/contact/billing contexts), you may have rights such as access, rectification, deletion, restriction, objection, and data portability (as applicable). Contact: legal@nevorth.com.

You also have the right to lodge a complaint with your local data protection authority (in Norway: Datatilsynet).

11. Cookies (nevorth.com)

We use cookies to ensure the website functions properly and to provide the best user experience. The website cookie banner allows you to manage categories such as essential, functional, performance, and marketing/third-party cookies (where enabled).

12. Changes to this Privacy Policy

We may update this policy from time to time. The "Effective date" will reflect the current version. Material changes will be communicated via the website and/or reasonable notice to customers where appropriate.