nordflak
DATA PROTECTION · GDPR

GDPR and your data at Nordflak.

Nordflak is built to keep European data within Europe. Here we describe what personal data we process, where it is stored, and the rights you have under the General Data Protection Regulation (GDPR).

LAST UPDATED · 9 JUNE 2026

01

Overview

Nordflak is operated by Nordvy NextGen AB, which is the data controller for the data you provide when using the service. Our starting point is European sovereignty: your data is to be processed within the EU/EEA and must not depend on suppliers outside Europe.

We process only the data we need to deliver the service, and we encrypt it at rest and in transit. This page explains how this works and the choices you have.

02

Personal data we process

We collect data you provide yourself and data generated when you use the service. In brief:

Expression of interest
Your email address, and optionally your company name, approximate number of users, and whether you are interested in taking part in the pilot phase. This is the only data we store from the expression of interest.
Investor contact
Name, email address, company, role, type of investor, and an optional message, when you contact us via the investor form.
Account details
Name, email address and organisation when you register an account in the service.
Content
The texts and documents you submit in order to receive responses from the model.
Technical data
Login events and security logs needed for operations and protection against misuse.
Invoicing details
Company registration number and invoicing address for paying customers.

03

Where your data is stored

All data is stored on European servers within the EU/EEA. We use no suppliers outside Europe in the chain, and your data does not leave the European area during normal operations.

Your data is encrypted both at rest on European servers and in transit. The encryption protects the data during transfer and storage.

04

Legal basis

We process your data on the following bases under Article 6 of the GDPR:

Contract
To deliver and administer the service you have contracted for.
Legal obligation
To meet requirements laid down by law, for example accounting.
Legitimate interest
For security, operations and preventing misuse of the service.
Consent
When you submit an expression of interest, contact us via the investor form, or choose to receive newsletters. You may withdraw your consent at any time.

05

Your rights

Under the GDPR you have several rights over your personal data. You exercise them by contacting us, and we normally respond within one month.

Access
Receive a copy of the data we process about you.
Rectification
Have inaccurate data corrected.
Erasure
Have your data erased when there is no legal basis for retaining it.
Data portability
Receive your data in a machine-readable format.
Objection
Object to processing carried out on the basis of legitimate interest.
Restriction
Request that processing be restricted while a matter is being investigated.

06

Sub-processors and suppliers

We engage a limited number of suppliers to operate the service. All are bound by data processing agreements and process data within the EU/EEA.

We use models from the European company Mistral. We use no non-European suppliers anywhere in our infrastructure.

When you submit an expression of interest or contact us via the investor form, an internal notification is sent to our own mailbox so that we can follow up. This is an internal operator notice to ourselves, not a transfer to any external party in the chain. The sending mailbox is hosted within Europe.

07

Retention and erasure

We retain data for as long as you have an active account or for as long as required for the purpose. When you close your account, we erase or anonymise your data, with the exception of data we are legally required to retain, for example accounting records.

Data from expressions of interest and investor contacts is not linked to any account. It is erased no later than 24 months after it was collected, and earlier than that if you withdraw your consent or when the data is no longer needed, for example after launch and onboarding.

Security logs are erased on an ongoing basis in accordance with our internal erasure routine.

08

Contact and complaints

If you have questions about how we process your personal data, or wish to exercise any of your rights, contact us here:

DATA CONTROLLER    Nordflak
DATA PROTECTION   hej@nordflak.se

If you consider that we are processing your data incorrectly, you have the right to lodge a complaint with Integritetsskyddsmyndigheten (IMY), the Swedish Authority for Privacy Protection, which is the supervisory authority in Sweden.
