Privacy Policy
This policy explains how Klokk Nettablering ("OrgLens", "we") collects, uses, shares, and protects personal data when you visit our website, use the OrgLens platform, or connect a Salesforce organisation. It also describes your rights under the GDPR, the CCPA/CPRA, and other applicable laws.
1. Who is responsible
The data controller for personal data processed through the OrgLens website and account system is Klokk Nettablering ("the Controller"), Norway. Where we process Salesforce metadata and account content on your behalf as part of delivering the Service, we act as a data processor and you are the controller of that Customer Data. Our processing as a processor is governed by our Data Processing Addendum, available on request and incorporated into our Terms of Service.
2. Data we collect
Information you provide
Account and contact details (name, work email, organisation name), authentication credentials, billing and tax identifiers (processed by Stripe), and any content you submit through forms or support requests.
Customer Data & Salesforce metadata
When you connect a Salesforce organisation, we process metadata such as object, field, class, and flow definitions, and a limited set of field characteristics needed to generate descriptions and risk findings. OrgLens is designed to document metadata, not to bulk-export your records; where field values are surfaced for documentation, you remain the controller and are responsible for the lawfulness of that processing.
Usage & device data
Log data, IP address, browser and device information, pages viewed, and product interactions, collected to operate, secure, and improve the Service. We use strictly necessary cookies for authentication and a minimal set of analytics; we do not sell personal data.
3. How & why we use it
- To create and administer your account and provide the Service;
- To generate AI-assisted descriptions and risk findings from your metadata;
- To process payments, prevent fraud, and meet tax and accounting obligations;
- To provide support and send service and security communications;
- To secure, monitor, debug, and improve the Service; and
- To comply with legal obligations and enforce our Terms.
4. Legal bases (GDPR)
Where the GDPR applies, we rely on: performance of a contract (to provide the Service you requested); legitimate interests (to secure and improve the Service, balanced against your rights); legal obligation (tax, accounting, responding to lawful requests); and consent (for optional analytics or marketing, which you may withdraw at any time). For Customer Data processed on your behalf, the legal basis is determined by you as controller.
5. Sharing & sub-processors
We do not sell personal data. We share data only with vetted sub-processors that help us run the Service, under contractual confidentiality and data-protection terms. Our current sub-processors are:
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting & infrastructure | EU (Germany) |
| Stripe, Inc. | Payment processing & tax | US / EU |
| Anthropic, PBC | AI description & risk generation | US |
| Amazon Web Services (SES) | Transactional email delivery | EU / US |
| Cloudflare, Inc. | DNS & edge protection | Global |
We maintain an up-to-date list and will provide reasonable prior notice of new sub-processors so that controllers may object on reasonable data-protection grounds.
6. International transfers
Some sub-processors are located outside the EEA. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where available, adequacy decisions, together with supplementary technical measures including encryption in transit and at rest.
7. Retention
We retain personal data for as long as your account is active and as needed to provide the Service, then delete or anonymise it within a reasonable period, subject to legal retention obligations (for example, invoices retained for statutory accounting periods). Webhook and event logs are retained on a short rolling window for audit and debugging. You can export and delete Customer Data as described below.
8. Your GDPR rights (including erasure)
Subject to applicable law, you have the right to:
- Access a copy of the personal data we hold about you (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erasure / "right to be forgotten" — request deletion of your personal data where it is no longer necessary, you withdraw consent, or you object and there is no overriding ground (Art. 17). On a verified request we will delete your account data and instruct our sub-processors to do the same, except where we must retain limited records to comply with a legal obligation;
- Restrict or object to certain processing (Arts. 18, 21);
- Data portability — receive your data in a structured, machine-readable format (Art. 20); and
- Withdraw consent at any time, without affecting prior lawful processing.
To exercise any right, email privacy@orglens.app. We will respond within one month, as extended where permitted. If you are using OrgLens under an organisation's account, we may direct your request to that organisation as the controller.
9. California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it, to request deletion and correction, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information for purposes requiring an opt-out. You will not be discriminated against for exercising your rights. To make a request, contact privacy@orglens.app; we will verify your identity before responding.
10. Billing, tax & EU VAT/MOSS
Payments are processed by Stripe; we do not store full card numbers. For customers in the EU, we collect the billing country and, where provided, a VAT identification number to determine the correct VAT treatment. Where applicable we account for VAT on business-to-consumer digital services through the EU One-Stop-Shop (OSS, formerly MOSS) scheme. Tax identifiers are processed solely for invoicing and compliance and retained for the statutory accounting period.
11. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, database-level tenant isolation (row-level security), least-privilege access, and ongoing monitoring. A fuller description is on our Trust & Security page. No method of transmission or storage is perfectly secure; we will notify affected parties and authorities of qualifying personal data breaches as required by law.
12. Contact & complaints
For any privacy matter, contact privacy@orglens.app or write to Klokk Nettablering, attention: Privacy, Norway. If you are in the EEA/UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local supervisory authority (in Norway, Datatilsynet).
We may update this policy; material changes will be notified by email or in-app notice before they take effect.