Privacy Policy
Last updated: April 2026
1. Data Controller
The data controller for personal data processed on fundinn.no is:
fundinn, Norway
Email: privacy@fundinn.no
2. Personal Data We Collect
- Contact information: email address, name and optionally company name — provided by you when requesting a free report or creating an account.
- Website information: the URL of the website you want analysed. We crawl publicly available content from that website.
- Sign-in data (Google OAuth): When you sign in with Google, we receive your name, email address and profile picture from your Google account. We do not store your password.
- SEO and analysis data: Results from SEO analysis (technical findings, rankings, content data) for the website you have registered. This is business data, not personal data, but may in some cases be linked to an individual (e.g. a sole trader).
- Technical data: IP address (stored only as a one-way hash for abuse prevention), timestamps for requests and email sends.
3. Purposes and Legal Basis
| Purpose | Legal basis (GDPR art.) |
|---|---|
| Deliver a free SEO report to visitors who request one | Art. 6(1)(b) — performance of a contract / request by you |
| Deliver and operate the subscription service | Art. 6(1)(b) — performance of a contract |
| Send transactional emails (reports, alerts) | Art. 6(1)(b) — performance of a contract |
| Prevent abuse and fraud (rate limiting) | Art. 6(1)(f) — legitimate interests |
| Comply with accounting obligations | Art. 6(1)(c) — legal obligation |
We do not send marketing emails without explicit consent.
4. Processors (Sub-processors)
- Supabase Inc. (USA/EU) — database and authentication. Data stored in EU region (AWS Frankfurt). Standard Contractual Clauses (SCC) are in place.
- Resend Inc. (USA) — email delivery. Processes email address and email content. SCC are in place.
- Firecrawl / Mendable Inc. — web crawling of the websites we analyse. Only crawls publicly accessible URLs.
- Google LLC — Google OAuth (sign-in) and optionally Google Search Console / Analytics API for customers who connect Google data.
- Hetzner Online GmbH (EU) — cloud provider for parts of our infrastructure. GDPR-compliant, EEA-based.
5. International Transfers
Supabase and Resend are based in the USA. Transfers take place on the basis of EU Standard Contractual Clauses (SCC), pursuant to GDPR art. 46(2)(c). We do not transfer personal data to countries lacking adequate protection unless such safeguards are in place.
6. Retention Periods
- Leads (free report): Email address and URL deleted 12 months after submission, unless you have become an active customer.
- Customer data: Retained for the duration of the subscription, plus 3 years for accounting purposes.
- Email logs: 24 months.
- IP hashes: 90 days.
7. Your Rights
Under the GDPR you have the right to:
- Access the data we hold about you (art. 15)
- Rectify inaccurate data (art. 16)
- Erasure ("right to be forgotten", art. 17)
- Restriction of processing (art. 18)
- Data portability (art. 20)
- Object to processing based on legitimate interests (art. 21)
Send requests to privacy@fundinn.no. We respond within 30 days.
You may also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).
8. Cookies
fundinn uses only technically necessary cookies for the login session (Supabase auth token). We do not use third-party tracking, and we do not run Google Analytics or similar tracking tools.
9. Google API Data and Limited Use
fundinn's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Customers who voluntarily connect their Google account to fundinn grant us access to the following API data on behalf of their own website:
- Google Search Console (GSC): queries, URLs, clicks, impressions, CTR, average position and sitemap status — all tied to the property the customer themselves verifies in Search Console.
- Google Analytics 4 (GA4): sessions, users, sources/mediums, engagement rate and other aggregated metrics for the property the customer connects.
- Google Business Profile (GBP) (phase 2, before general availability): profile data, categories, opening hours, reviews and aggregated local-search statistics for the location the customer owns.
This data is used solely to deliver and improve the SEO analysis, scoring and recommendations the customer receives through the fundinn dashboard. We do not use Google API data for advertising, we do not sell it, and we do not allow humans to read it except (a) with the customer's explicit consent, (b) when required for security or for troubleshooting the customer has requested, or (c) where required by applicable law. OAuth tokens are stored encrypted (AES-GCM). You can revoke fundinn's access at any time directly from your Google account (myaccount.google.com/permissions), or ask us to delete stored tokens by contacting privacy@fundinn.no.
10. Security
We use TLS for all data transfers, AES-GCM encryption for stored OAuth tokens, and one-way hashing for IP addresses. Access to the production database is limited to authorised personnel.
11. Changes to This Policy
We may update this policy. Registered customers will be notified of material changes by email. The date of the last update is shown at the top.
12. Contact
Privacy questions: privacy@fundinn.no