External privacy policy for Norditech V3

2025-07-29

Introduction

All personal data processing carried out by Norditech AB (reg. no. 559266–7280) (hereinafter "Norditech", "we" or "us") is carried out in accordance with applicable data protection legislation.

At Norditech, we care about your personal integrity and strive for a high level of data protection. In this privacy policy, we describe how we collect and process your personal data and describe your rights.

Contact

If you have any questions or concerns regarding our processing of personal data, please contact us at:

Name: David Bacelj

E-mail: david.bacelj@norditech.se

Address: Ståhlgatan 5, 561 44, Huskvarna

Phone: +46 760 442 022

Definitions

• ‘Incredible‘ means the applications supplied by Norditech AB as a service online. It may also be referred to as “Incredible Software”, “Incredible Agents”, “Incredible Product” and “Incredible Platform”

Norditech's role as Data Controller and Data Processor

By providing Incredible and associated services, Norditech will, on behalf of the companies with which you have a business relationship, access and process your personal data in its capacity as a data processor.

In some cases, Norditech acts as a data controller when you submit a job application to us, contact our customer support or use Incredible as a private individual.

Norditech shows the utmost consideration for your personal integrity and will only handle your personal data in line with applicable legislation. This policy only applies to the processing of personal data carried out by Norditech and associated data processors. When using third-party applications through Incredible, we refer to the respective third-party's privacy policies.

Processing of personal data as a data processor

To gain access to Incredible, our customers enter into an agreement with Norditech. At where this takes place, Norditech acts as a data processor and carries out personal data processing on behalf of the customer and as a result of instructions from the customer. This includes your name, email address and messages you write in Incredible.

Processing of personal data as a controller

Norditech processes the personal data that you have provided about yourself. This can be your name, phone number, email address and in some cases your social security number. Your login details and web logs may also be processed, and should Norditech obtain or receive information about you from elsewhere, you will receive separate information about just that.

Contact persons at stakeholders, potential customers, current customers and customer service

1.1 Newsletter subscription

This includes everyone who comes into contact with us to take part in our newsletter, which includes both customers, potential customers and users of the systems that Norditech provides.

Purpose: To inform customers about the company and market Norditech's work as well as provide information about admission to the waiting list.

Categories of personal data: Name and email address.

Legal basis: The processing of personal data is based on consent.

Storage period: The personal data is collected when the individual fills out the form for subscribing to newsletters on our website or otherwise informs us that they want to receive our newsletter. You can unsubscribe from our newsletter at any time. The personal data is deleted 30 days after the individual has withdrawn their consent.

1.2 Support and customer service issues via chat and email

Purpose: The purpose is to be able to easily support the customer or potential customer with various questions regarding support and services.

Categories of personal data: Name and email address.

Legal basis: The processing of personal data is based on the legal basis of agreements for current customers as it is part of the service provided by Norditech. The legal basis of balancing of interests supports personal data processing in relation to potential customers who use chatbots for support or customer service matters.

Storage period: Personal data is collected with each new initiated message via our support chat or customer service email and is deleted 10 years after the agreement has ended.

1.3 Accounting and accounting

Purpose: To be able to administer payments and ensure that they are received and pay invoices.

Categories of personal data: Name, email address, card details, invoice details and information about the customer's bank.

Legal basis: The processing of personal data is based on the legal basis of an agreement with the customer and a legal obligation arising from the Accounting Act.

Storage period: The personal data is collected at the conclusion of the agreement and then stored for seven (7) years after the end of the calendar years in which the financial year ended in accordance with the Accounting Act and 10 years after the end of the customer relationship.

1.4 Customer administration

Norditech processes the personal data in order to be able to carry out and administer assignments and fulfil our contractual obligations with our business partners.

Purpose: To administer customer care, contract management and invoicing documentation.

Categories of personal data: Name, social security number, telephone number and e-mail address.

Legal basis: The processing of personal data is based on the legal basis of agreements in order to be able to fulfil our contractual obligations with business partners and legal obligations under the Accounting Act.

Storage period: The personal data is collected at the conclusion of a contract and then stored for seven (7) years after the end of the calendar years in which the financial year ended in accordance with the Accounting Act and 10 years after the end of the customer relationship.

2. Recruitment process

2.1 Recruitment

Purpose: The purpose of the processing is to find a suitable candidate for the intended role that meets our candidate profile.

Categories of personal data: Name, social security number, CV (information about ethnicity may occur as a result of language skills), address, e-mail address, telephone number and previous workplaces.

Legal basis: The processing is based on the legal basis of balancing of interests, where our legitimate interest is to be able to assess which candidate best meets our competence profile.

Storage period: Documents and documentation saved during the ongoing recruitment process are deleted two (2) years after the end of the recruitment process according to discrimination legislation.

2.2 Job interview

Purpose: The purpose of the processing is to find a suitable candidate for the intended role that meets our candidate profile.

Categories of personal data: Name, social security number, previous workplaces, previous duties, questions about private life such as hobbies.

Legal basis: The processing is based on the legal basis of balancing of interests, where our legitimate interest is to be able to assess which candidate best meets our competence profile.

Storage period: Documents and documentation saved during the ongoing recruitment process are deleted two (2) years after the end of the recruitment process according to discrimination legislation.

2.3 Obtaining an opinion from a reference person to a job applicant

If a candidate has provided you as a reference in connection with a recruitment process, we will collect your personal data from the candidate for the purpose of contacting you.

Purpose: The purpose of the processing is to be able to contact the specified reference person who has previously worked with the jobseeker or in some other way can comment on his/her competence, personality and work experience (obtain a judgement).

Categories of personal data: Name, telephone number and e-mail address and, if applicable, which company or organisation the reference person works or has worked for.

Legal basis: The processing is based on the legal basis of balancing of interests. Our legitimate interest is to be able to assess which candidate best meets our competence profile by contacting you as a reference to obtain an assessment of the candidate in connection with the recruitment process.

Storage period: The personal data will be processed during the current and ongoing recruitment process and then stored for two (2) years after the completion of the recruitment process in order to be able to respond to any legal claims under the Discrimination Act and then deleted.

3. Analysis and marketing related to the website and platform Incredible

3.1 Analysis of how the User interacts with the Platform, Incredible

Purpose: The purpose is to be able to improve the user experience and our services through analysis of the use of the platform Incredible.

Categories of personal data: Analysis of the usage and historical data of the platform Incredible as well as user ID.

Legal basis: The processing of personal data is based on an agreement with the user of the platform Incredible.

Storage period: The personal data is collected when an analysis is performed and is deleted 12 months after the analysis has been completed.

3.2 Marketing to website visitors and users of the platform Incredible

Purpose: The purpose is to drive additional sales and marketing towards website visitors and users in the platform, Incredible.

Categories of personal data: Email address.

Legal basis: The processing of personal data is based on a balancing of interests, in order to be able to create additional sales through marketing aimed at you who may be relevant for marketing such as potential stakeholders in the form of users of the platform and website visitors.

Retention period: Until the individual objects to the processing or six (6) months after the last visit to the website or use of the platform Incredible.

3.3 Use of Incredible as an individual

Purpose: The purpose of the processing is to assist the user's use which takes the form of a command recorded by the system (Incredible) which then initiates a process within Incredible which is a direct result of the specified command.

Categories of personal data: Email address, messages within the system (commands) and name.

Legal basis: The processing of personal data is based on an agreement that the user enters into with Norditech when creating an account and starting to use the service.

Retention period: From the time of termination of the account, it is possible to reactivate the account within six (6) months, after which all information associated with the account will be deleted.

3.4 AI Processing and Model Training

Purpose: To provide AI-powered task automation and improve platform functionality.

Categories of personal data: User commands, task instructions, and system interaction data (excluding business data accessed through integrations).

Legal basis: The processing of personal data is based on legitimate interests for platform operation and user consent for optional improvements.

By default, we do not use your personal data, business data accessed through integrations, or task results to train our AI models. We may process data for the following limited purposes:

• Security monitoring and abuse prevention

• System performance optimization

• Platform functionality improvements

• User-reported feedback for service enhancement

You maintain full control over data usage through your account settings and can opt out of any optional data processing at any time by contacting us at david.bacelj@norditech.se

Storage period: Technical data is processed temporarily during task execution and deleted upon task deletion. Anonymized analytics data may be retained for platform improvement purposes, such as at which hour a task was completed, how many steps it used, and how many AI tokens were used in total.

3.5 Integration Data Processing and Third-Party Applications

Purpose: To execute user tasks across connected business applications and provide automated workflow functionality.

Categories of personal data: Business data accessed through authorized third-party integrations, including but not limited to communications, documents, customer records, financial data, and project information.

Legal basis: The processing is based on user instructions and contractual agreements to provide the requested services.

Integration categories include:

• Customer Relationship Management (CRM) systems

• Enterprise Resource Planning (ERP) platforms

• Communication and collaboration tools

• Document and file management systems

• Financial and accounting software

• Marketing and sales automation tools

• Project management platforms

• Human resources management systems

• Business intelligence and analytics tools

User control: You maintain granular control over integration permissions through the platform interface. Each integration requires explicit authorization of specific data access scopes before activation. You can review, modify, or revoke integration permissions at any time through your account settings.

For Google Integrations: The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

Data processing: Integration data is processed temporarily in secure, sandboxed environments solely to execute your requested tasks. This data is automatically deleted upon task deletion and is not used for any other purposes.

Storage period: Integration data is processed only during active task execution and is immediately deleted upon task deletion.

3.6 Account Enhancement and Public Information

Purpose: To provide personalized recommendations, improve user experience, and enhance platform functionality.

Categories of personal data: Publicly available professional information, company details, and industry context obtained from public sources to enhance account setup and provide relevant recommendations.

Legal basis: The processing is based on legitimate interests to improve user experience and provide relevant platform recommendations.

Data sources: We may collect publicly available information from professional networks, company websites, and other public sources to better understand your business context and provide more relevant platform features and integration recommendations.

Storage period: Enhancement data is retained for the duration of your account relationship and deleted within 30 days of account termination.

4. Who do we disclose your personal data to?

Integration Partners and Subprocessors: To provide our service functionality, we work with various third-party integration partners and subprocessors who may process your data according to your instructions and our agreements. These include:

• Cloud infrastructure providers for secure data processing

• Authentication and security service providers

• Third-party application providers through which you choose to integrate

• Payment processing providers for billing services

• Customer support and communication tools

A complete and current list of our subprocessors is available at trust.Incredible/subprocessors and is updated regularly.

Business Data: Business data accessed through integrations is processed only according to your specific instructions and is not shared with third parties except as necessary to execute your requested tasks or as required by law.

4.1 Use of Google APIs and Limited Use Disclosure

Our application uses Google APIs to provide certain services, including integration with Google Docs, Sheets, Forms, and Calendar. As part of these services, we may request access to the following Google API scopes:

• https://www.googleapis.com/auth/forms.body

• https://www.googleapis.com/auth/documents

• https://www.googleapis.com/auth/spreadsheets

• https://www.googleapis.com/auth/calendar

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Transfer of your personal data outside the EU/EEA

In cases where Norditech uses, or will use, subcontractors or collaborates with partners established outside the EU/EEA area, we are responsible for ensuring that these players can guarantee a level of security equivalent to that maintained within the EU.

In order to ensure an adequate level of protection for your personal data when transferred to countries outside the EU/EEA in the absence of an adequacy decision from the European Commission, Norditech has, where applicable, entered into agreements with the respective recipients of personal data containing standard contractual clauses adopted and approved by the European Commission, including but not limited to the standard contractual clauses adopted by Commission Decision (EU) 2021/914 as well as ensured protection for personal data via the Data Privacy Framework (DPF).

In addition, when the level of protection in the recipient country cannot be considered equivalent to that in the EU/EEA, Norditech takes additional protective measures such as pseudonymization, IP anonymization and encryption.[BS1] [DB2]

6. Your rights

If you have provided us with your personal data, you have the opportunity to exercise your rights as set out below by us free of charge by contacting us. If we receive such a request, we may need to verify your identity with appropriate security measures in order to prevent unauthorized access to your personal information. We will respond to your request without delay but no later than one (1) month after your request was received by us. You are entitled to the following rights:

(a) Right of access

You have the right to request access to and information about the categories of personal data that are processed about you through a register extract. The information provided must be easy to understand and provided free of charge in electronic form.

b) Right to rectification

You have the right to request correction of your personal data if it is incomplete or otherwise inaccurate.

c) Right to erasure (right to be forgotten)

You have the right in some cases to request that your data be deleted. For example, if:

·   the data is no longer needed for the purposes for which it was processed;

·   the processing is for direct marketing purposes and you object to the processing of the data for this purpose;

·   you object to processing that takes place according to a balancing of interests and there are no legitimate reasons that outweigh your interest,

·   the personal data has been unlawfully processed, or

·   Deletion is required to comply with a legal obligation.

If Norditech needs the personal data to fulfil an agreement with you or to comply with a legal requirement, we will not delete the data.

(d) Right to restriction

You have the right to request that we temporarily restrict the processing of your personal data. The restriction of personal data would include, for example:

·   during the time it takes us to verify the accuracy of your data;

·   for the time it takes us to verify whether our legitimate interest in processing outweighs your interests and fundamental rights;

·   to enable you to establish, exercise or defend legal claims;

·   if the processing is unlawful but you want the processing to be restricted instead of us deleting the personal data in question.

(e) Right to object

You have the right to object to the processing of personal data based on our legitimate interest. If you make such an objection, Norditech will take your objection and make an overall assessment between our legitimate interests and your rights related to the processing of personal data.

(f) Right to data portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format for the personal data based on consent or contract that you have provided to us. You also have the right to request that we transfer your personal data directly to another data controller. [BS3] [DB4]

Withdrawal of consent and objection

In cases where we process your personal data on the legal basis that you have given your consent to it, you can withdraw your consent at any time by contacting us, such withdrawal may take place in whole or in part. If you do not want to receive marketing from us, you can object to the processing by contacting us or manage your notification preferences in the platform.

Additional Platform-Specific Rights:

• Integration Management: Control all active integrations and their data access permissions

• Task History: Access complete history of tasks performed and data processed

To exercise these rights, contact us at david.bacelj@norditech.se or use the privacy controls available in your account dashboard.

7. Data Security and Technical Safeguards

We implement comprehensive technical and organizational measures to protect your personal data:

Technical Measures:

• End-to-end encryption for data transmission and storage

• Sandboxed execution environments with automatic data purging

• Respecting Multi-factor authentication and access controls

• Regular security monitoring and threat detection

• Secure API connections with all integration partners

Organizational Measures:

• Employee training on data protection requirements

• Regular security audits and assessments

• Incident response procedures and breach notification protocols

• Access controls limiting personnel access to personal data

• Compliance with industry security standards

Sandboxed Environment: All task execution occurs in isolated, secure environments where business data is processed temporarily and automatically deleted upon completion. These environments are designed to prevent unauthorized access and ensure data isolation between users.

While we implement robust security measures, you acknowledge that no system is completely secure. You are responsible for maintaining the security of your account credentials and promptly notifying us of any suspected unauthorized access.

8. Contact information for the Swedish Authority for Privacy Protection (IMY)

Please contact us if you have any questions or concerns regarding the processing of personal data. You always have the right to turn to the responsible supervisory authority for complaints if you believe that we do not meet the requirements placed on us. The Swedish Authority for Privacy Protection (IMY) is the responsible supervisory authority for the processing of personal data in Sweden and you can get in touch with them here.

9. Changes to the Privacy Policy

Norditech may change its privacy policy if necessary. The updates will be published on our website.

10. Version history

Version 23/6–2025.