Your data is yours. Full stop.

Vigdis is operated from Norway. When we say “we,” “us,” or “Vigdis” in this policy, that's who we mean. We are the data controller for the personal data processed through our service.

Account information. Your email address and name when you sign up. That's the minimum we need to give you an account.

Workspace data. The contacts, companies, deals, notes, and any other content you and your team create inside Vigdis. This is your data — we store it so you can use the product.

Usage data. Basic information about how you interact with the app: pages visited, features used, browser type, and device info. We collect this through Rybbit, a cookieless, privacy-focused analytics tool hosted in the EU. No cookies, no fingerprinting, no personal identifiers. We use this to understand what works and what needs fixing — not to build an advertising profile on you.

Log data. Server logs that include IP addresses, request timestamps, and error information. We keep these for security and debugging purposes and rotate them regularly.

Connected accounts. If you choose to connect a third-party account like Gmail, we access data from that service on your behalf. For Gmail, this includes email message content, metadata (sender, recipients, subject, dates), and attachments from your inbox, as well as the ability to send emails on your behalf. We also store the OAuth credentials needed to maintain the connection. This only happens when a workspace administrator explicitly connects an account — we never access your email without your permission.

We use your data to:

• Run the service and keep your account working
• Send you transactional emails (password resets, workspace invitations, that kind of thing)
• Improve the product based on how it's actually being used
• Detect and prevent security issues
• Respond to your support requests

When you connect a Gmail account, we use the data from that account to:

• Display inbound emails in the Vigdis inbox so your team can manage conversations in one place
• Send replies to those conversations on your behalf
• Link email threads to contact records in your CRM

We do not use your Gmail data for advertising, market research, or to build user profiles. We do not sell your data. We do not share it with third parties for their own marketing purposes.

Vigdis's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Your data is stored and processed within the European Union. We use Hetzner (Germany and Finland) for server infrastructure, Bunny.net (EU network) for content delivery, and Brevo (France) for transactional emails.

We chose these providers deliberately. They're European companies with strong privacy track records and GDPR compliance — not the default Silicon Valley picks.

Exception: if you connect a third-party account like Gmail, email data transits through that provider's servers (Google's infrastructure, which includes the US) before being stored in our EU infrastructure. This only applies to integrations you explicitly enable.

We keep our list of sub-processors short on purpose. The services that process your data:

• Hetzner — hosting and database infrastructure (EU)
• Bunny.net — content delivery and static assets (EU)
• Brevo — transactional emails (EU)
• Rybbit — cookieless website analytics (EU)

The following services are used only when you explicitly connect an integration:

• Google (Gmail API) — reading inbox messages and sending replies on your behalf. Only active when a workspace administrator connects a Gmail account. Google's own privacy practices govern data on their servers.

If this list ever changes, we'll update this page. No sneaking new providers in through the back door.

We use essential cookies to keep you logged in and to make the application work. That's it. No tracking cookies, no third-party advertising cookies, no cookie consent banner that's more annoying than the cookies themselves. Our analytics (Rybbit) are fully cookieless — they don't set any cookies or use browser fingerprinting.

You're in the EU. We're in the EU. GDPR applies, and we take it seriously. You have the right to:

• Access your personal data and get a copy of it (Art. 15)
• Correct inaccurate data we hold about you (Art. 16)
• Delete your account and personal data (Art. 17)
• Export your data in a portable format (Art. 20)
• Object to processing based on legitimate interests (Art. 21)
• Restrict processing while we resolve a complaint (Art. 18)

To exercise any of these rights, email us. We won't make you jump through hoops, fill out a seven-page form, or wait 29 days because we can.

We keep your data for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Workspace data is retained for a short grace period in case of accidental deletion, then permanently removed.

Connected accounts. Synced email data is stored for as long as the mailbox remains connected. When you disconnect a Gmail account, OAuth credentials are deleted immediately. Previously synced conversations and messages are retained in your workspace so you don't lose context on past interactions. If you want that data removed too, contact us and we'll take care of it.

Server logs are rotated on a rolling basis and are not kept longer than 90 days.

All data is encrypted in transit (TLS) and at rest. We use row-level security at the database level so tenants cannot access each other's data, even in the event of an application-level bug. Authentication is handled by a dedicated identity service with passwordless and passkey support. Credentials for connected accounts (like Gmail OAuth tokens) are encrypted with AES-256-GCM, separate from general database encryption.

We're a small team, which means fewer people have access to production systems. That's a feature, not a limitation.

Vigdis is a business tool. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we'll remove it promptly.

If we make meaningful changes, we'll update this page and notify you via email or an in-app notice. We won't quietly rewrite things and hope you don't notice.

Questions about your privacy or want to exercise your rights? Reach us at privacy@vigdis.app. Real humans read that inbox.