Provider / Data controller for website matters: Nevorth AS (Org. no. 935 761 247), Grindstuveien 41, Rykkin, Norway ("Nevorth", "we", "us").
Legal contact: [email protected] Support: [email protected]
This Privacy Policy explains how Nevorth processes personal data in connection with (i) the Decision Referee Slack app/service ("Service"), and (ii) the nevorth.com website.
If you are a business customer using the Service, please also review:
For Customer Data processed through the Service, your company (Customer) is the Controller and Nevorth is the Processor, as described in the DPA.
For website analytics/cookies (where applicable), inbound inquiries, and general business communications, Nevorth acts as an independent Controller for the personal data we collect directly.
The Service is designed to operate in Slack and therefore processes certain Slack-related identifiers and metadata. Categories include:
Support requests, emails, and correspondence (typically business contact details and message content).
Payment and billing data handled via Stripe (billing contact details, subscription and payment status).
The Service is not intended to process special category personal data (sensitive data) or data about criminal convictions, and Customers/Authorized Users must not submit it.
Customers/Authorized Users must not submit passwords, API keys, authentication secrets, or payment card data to the Service.
The Service is not intended to process file attachments.
To operate Decision Referee, including receiving inputs via Slack, generating AI-assisted outputs, storing decision history for contextual analysis, and running integrations (Cloudflare Worker, Cloudflare D1, and Make scenarios).
To store prior decision inputs, outputs, and outcome feedback so that the Service can reference earlier decisions when analysing new ones for the same Customer. This processing is carried out solely to deliver the Service as described in the Terms and DPA and does not involve sharing one Customer's data with another.
To keep the Service reliable and secure, including operational logging and incident handling.
To respond to support requests and maintain service communications.
To process payments, taxes (where applicable), and subscription billing.
We may create and use aggregated and/or de-identified data (volume metrics, feature usage, error rates) to operate and improve the Service, provided it does not identify a Customer or any individual.
Processing is primarily performed on Customer instructions under the Terms/DPA (GDPR Art. 28 processor relationship).
Where Nevorth acts as Controller (security logs, account/admin communications), the typical legal bases are legitimate interests (security, service operation) and performance of a contract (support and service delivery), depending on the context.
Legal bases typically include legitimate interests (operating and improving the website, responding to inquiries) and, where required for non-essential cookies, consent via the cookie banner/settings.
Decision Referee relies on established third-party providers. Our current subprocessors are listed at nevorth.com/en/subprocessors and include:
OpenAI training note: Nevorth is not opted into data sharing for training. API data may be retained by OpenAI for limited periods for abuse monitoring unless a zero-retention programme applies.
Customers provide general authorisation for subprocessors under the DPA. We will update the public subprocessor list for material changes.
Subprocessors may process data outside the EEA. Where required, transfers are made under appropriate safeguards (such as SCCs), as implemented by the relevant subprocessor and/or Nevorth.
We maintain reasonable administrative, technical, and organisational measures appropriate for a startup SaaS and rely on subprocessors for core infrastructure. Key measures include:
We do not claim certifications unless stated in an Order Form.
Decision history (inputs, outputs, and outcome feedback) is retained in Cloudflare D1 for the duration of the Customer's subscription. This data is used to provide contextual analysis as described in Section 4.2.
Operational logs and data in other subprocessor systems are retained in accordance with the applicable subprocessor's retention policies.
Deletion after termination/expiration: Within 30 days after the end of the subscription, Nevorth will delete Customer Data under its control (including decision history stored in Cloudflare D1), unless legally required to retain it. Residual copies in backups and subprocessor systems may persist for up to 90 days (or per subprocessor retention cycles).
Cookie retention depends on the category and your selections, and on provider configurations.
If Nevorth processes personal data as a Processor (Service usage), requests should typically be directed to your employer/Customer (the Controller). Nevorth will assist the Customer to the extent applicable and technically feasible.
If Nevorth processes your personal data as a Controller (website/contact/billing contexts), you may have rights such as access, rectification, deletion, restriction, objection, and data portability (as applicable). Contact: [email protected].
You also have the right to lodge a complaint with your local data protection authority (in Norway: Datatilsynet).
We use cookies to ensure the website functions properly and to provide the best user experience. The website cookie banner allows you to manage categories such as essential, functional, performance, and marketing/third-party cookies (where enabled).
We may update this policy from time to time. The "Effective date" will reflect the current version. Material changes will be communicated via the website and/or reasonable notice to customers where appropriate.