Home/Privacy Policy

Privacy Policy

Last updated: 2026-04-18

This Privacy Policy describes how Shopsy AS (org. no. 933 666 603) processes personal data when you use Onebase or visit our websites. Processing is carried out in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

1. Data Controller

Shopsy AS is the data controller for personal data collected through our services. Contact details:

  • Shopsy AS
  • Norwegian organisation number: 933 666 603
  • Gustav Bjerkes veg 4 E
  • 2040 Kløfta, Norway
  • Email: [email protected]

2. Personal Data We Process

We process the following categories of personal data:

  • Account information: Name, email address, hashed password, language preference and tenant membership.
  • Usage data: IP address, browser type, login and activity logs, and the actions you perform in the service (for auditing and troubleshooting).
  • Content you enter: Data you store in the CRM, HR, project and sales modules, including records about your own employees, customers and contacts.
  • Communications: The content of emails or requests you send us, including waitlist signups.
  • Technical data: Cookies and similar technologies – see our Cookie Policy.

3. Purposes and Legal Basis

We process personal data for the following purposes, with the legal basis under GDPR Article 6 indicated:

  • Delivering the service – performance of contract (Art. 6(1)(b)).
  • Authentication and security – legitimate interest in protecting the service from abuse (Art. 6(1)(f)).
  • Audit logs – legal obligation and legitimate interest (Art. 6(1)(c) and (f)).
  • Customer support – performance of contract and legitimate interest.
  • Waitlist and marketing – consent (Art. 6(1)(a)). You can withdraw consent at any time.
  • Bookkeeping – legal obligation under the Norwegian Bookkeeping Act.

4. Processors and Recipients

We share personal data with selected processors who provide necessary services on our behalf. All processors are bound by data processing agreements in accordance with GDPR Article 28. Typical categories:

  • Cloud infrastructure and database providers
  • Transactional email provider (Postmark)
  • AI service providers (e.g. Anthropic)
  • Error monitoring and analytics providers

We do not sell personal data to third parties. We disclose data to public authorities only where legally required.

5. Transfers Outside the EEA

Some of our sub-processors are located outside the EEA, including in the United States. Such transfers rely on the European Commission's Standard Contractual Clauses (SCCs) or other valid transfer mechanisms under Chapter V of the GDPR, combined with supplementary safeguards where required.

6. Retention

  • Account data: For as long as your account is active, and deleted no later than 90 days after the customer relationship ends, unless otherwise required by law.
  • Audit logs: Up to 24 months, to document changes and handle security incidents.
  • Accounting records: At least 5 years after the end of the financial year, as required by the Norwegian Bookkeeping Act.
  • Waitlist: Until you withdraw consent, or up to 24 months of inactivity.

7. Your Rights

You have the following rights under the GDPR, and we normally respond within 30 days:

  • Right to access the personal data we hold about you
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right to withdraw consent

Rights requests can be sent to [email protected].

8. Right to Lodge a Complaint

If you believe our processing of personal data violates applicable law, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): datatilsynet.no.

9. Security

We implement technical and organisational measures to protect personal data from unauthorised access, alteration, loss or disclosure. This includes TLS encryption in transit, access controls, logging and regular backups.

10. Automated Decisions and AI

Onebase includes AI features that help users process content. These features operate as decision support and do not make autonomous legal decisions about you under GDPR Article 22. AI prompts and outputs may be processed by our AI sub-processors under data processing agreements.

11. Changes to This Policy

We may update this policy as our service or applicable law changes. For material changes, we will notify registered users by email or inside the product before the changes take effect.

12. Contact

For privacy questions, contact us at [email protected].

Shopsy AS

Org. no. 933 666 603

Gustav Bjerkes veg 4 E

2040 Kløfta, Norway

[email protected]