Privacy Policy

Last updated: 27 October 2025

Norrsyn AI Handelsbolag (“Norrsyn AI”, “we”, “our”, “us”) provides a subscription SaaS platform that lets businesses deploy AI chatbots across web widgets, Facebook Messenger and Instagram, manage knowledge bases, capture leads, book appointments, and review conversations inside an admin dashboard. This notice explains how we process personal data when delivering those services.

1. Scope & Roles

This policy applies to three groups:

  • Customers – organisations that sign up for our chatbot plans and use the admin UI or APIs.
  • Customer end-users – people who interact with a customer’s bot, submit a lead, or schedule appointments through our platform.
  • Website visitors & prospects – individuals who browse our marketing pages or contact us for product information.

Each customer remains the sole owner and controller of the personal data their users provide. When we store or transmit conversations, leads, or booking details for a customer we act only as their data processor/service provider and handle that data exclusively on their instructions. Customers decide what information they collect, how long they keep it, and when it should be exported or deleted. For our own sales, billing, support and site analytics we act as the controller of the limited business contact data we collect directly from customers.

2. Data We Collect & Receive

2.1 Customer account data

  • Business name, contact name, email address, phone number, preferred language, timezone, and selected plan.
  • Authentication details (passwords stored using strong one-way hashes, API tokens, session identifiers).
  • Tenant configuration, including enabled agents (FAQ, booking, lead), platform choices (web, Messenger, Instagram), allowed embed domains, and localisation settings.
  • Support requests, billing records, subscription status, and administrative notes linked to the account.

2.2 Customer content

  • Knowledge base material and URLs supplied for indexing (our crawler stores generated text snippets and embeddings in order to answer FAQs).
  • Conversation transcripts, intents, LLM prompts/responses, and message metadata exchanged through the platform.
  • Lead entries, appointment history, cancellations/reschedules, and any notes recorded in the admin UI.

2.3 End-user data processed for customers (customer-owned)

  • Messages, attachments, quick-reply options, and structured payloads submitted via the web chat, Messenger, or Instagram bot.
  • Contact details gathered during lead flows (name, email, phone, service interest, free-text notes).
  • Booking information (requested dates/times, service selected, status, cancellations or rescheduling decisions, confirmation links sent).
  • Channel identifiers (Messenger PSID, Instagram thread ID, web session key), detected language, timezone, and conversation state required to complete the requested flow.
  • System metadata (timestamps, tenant identifiers, AI classification results, automated scoring, spam prevention counters).

2.4 Usage & technical data

  • Server logs capturing IP addresses, user agents, request identifiers, error traces and performance metrics.
  • Aggregated analytics used to monitor feature usage, prevent abuse, and improve reliability.
  • Optional Redis-backed session data when tenants enable server-side sessions.

3. How We Use the Data

  • Provide chatbot functionality: classify messages with OpenAI, answer FAQs, capture leads, schedule or cancel bookings, and send confirmations.
  • Operate the admin dashboard so customers can review conversations, manage bookings/leads, configure intents, and download data exports.
  • Sync customer data with connected services (e.g., create Google Calendar events, send emails via Gmail, push rows to Google Sheets, update CRM exports).
  • Authenticate users, enforce plan entitlements, and secure the platform against spam, abuse or unauthorised access.
  • Deliver support, product updates, system notices, invoices, and other necessary communications.
  • Analyse anonymised or aggregated usage metrics to improve our product roadmap and reliability.

4. Legal Bases (EEA & UK)

  • Performance of a contract – providing the chatbot subscription features our customers request.
  • Legitimate interests – ensuring security, preventing fraud, improving features, and giving customer support.
  • Consent – where customers ask us to send optional communications or process sensitive information provided voluntarily by end-users.

5. Sharing & Processors

We use trusted providers to help deliver the service:

  • Meta Platforms, Inc. – Messenger and Instagram APIs for message delivery and page-scoped IDs.
  • Google LLC – Google Calendar (bookings), Gmail API (confirmation emails), Google Sheets/Drive (lead archives) and cloud infrastructure.
  • OpenAI, L.L.C. – language models to classify intents and generate responses. We send only the minimal context needed for each interaction.
  • Render.com (or equivalent hosting provider) – application hosting, SSL termination and operational logs.
  • Managed PostgreSQL / Redis providers – store tenant configuration, conversations, leads, bookings, session state and audit history.
  • Email delivery – Gmail/Google Workspace or customer-configured SMTP providers for transactional notifications.

We may disclose data if required by law, to respond to lawful requests, or to protect our rights and the safety of others.

6. Retention

  • Customer accounts & configuration: retained while the subscription is active and for up to 24 months after termination unless deletion is requested earlier (needed for accounting, legal claims and product history).
  • Conversation transcripts & chat state: stored while the tenant keeps the conversation open or until the tenant deletes it; archived transcripts are purged after 24 months by default.
  • Lead records: retained up to 18 months (configurable) or until the tenant deletes them via the admin UI.
  • Booking data: kept until the appointment date has passed and for up to 12 months afterwards for audit trails.
  • Knowledge base caches and embeddings: refreshed automatically; obsolete copies are removed within 30 days.
  • Server logs & diagnostics: typically held for less than 30 days unless extended for a specific security investigation.

7. Security

We employ defence-in-depth controls such as TLS encryption in transit, hashed credentials, tenant isolation, scoped API keys, audit logging, and restricted staff access. Customers are responsible for safeguarding their admin credentials and managing user roles within their organisation.

8. International Transfers

Our infrastructure is primarily hosted within the EU/EEA, but some processors (e.g., OpenAI and Meta) operate globally. When personal data leaves the EEA/UK we rely on Standard Contractual Clauses or comparable safeguards offered by those providers.

9. Your Rights & Choices

Depending on your location, you may have the right to request access, correction, deletion, restriction, portability, or objection to processing. Customers can manage their tenant data directly in the admin UI and are responsible for responding to requests from their own end-users. End-users should contact the relevant business first; we will support that customer in fulfilling the request and act only on their documented instructions. You can also email us directly at info@norrsynai.com.

You may lodge a complaint with your local data protection authority if you believe your rights have been infringed.

10. Children

Our platform targets business users and is not intended for children under 16. Customers should not intentionally collect information from children through the chatbot.

11. Changes

We may update this policy to reflect product enhancements or legal requirements. The latest version will always be available at this page, and we will notify customers of significant changes where practicable.

12. Contact

Questions about this policy or our data practices? Email info@norrsynai.com or write to Norrsyn AI Handelsbolag, Göteborg, Sweden.