Privacy Policy

The data controller responsible for your personal data is:

We collect the following categories of personal data when you interact with our website or services:

• Contact Information: Name, email address, phone number, company name — when you fill out a contact or demo booking form.
• Communication Data: Messages, emails, and chat history when you contact us directly or through our AI assistant.
• Usage Data: IP address, browser type, pages visited, session duration, and device information collected automatically when you visit our website.
• Business Information: Details about your business, industry, and automation needs that you provide during consultation calls or demos.
• Payment Data: Billing information processed securely by our payment providers — we do not store raw card details.
• AI Conversation Data: When you or your end users interact with an AI chat or voice agent deployed by Nordicdesh, the content of those conversations (text messages, voice transcripts, metadata) may be collected and processed to deliver the service, improve agent performance, and generate analytics reports.
• Voice Data: If you use our AI voice agent services, voice recordings and their transcriptions may be processed in real time. Voice data is processed by third-party speech recognition providers and is not stored permanently by Nordicdesh beyond what is required for service delivery.

We use your personal data for the following purposes:

• To respond to your enquiries and schedule demo calls
• To deliver our AI automation and web development services to you
• To send service-related communications, updates, and invoices
• To improve our website, services, and AI systems
• To send marketing communications — only with your explicit consent
• To comply with legal and regulatory obligations in Finland and the EU
• To prevent fraud and ensure the security of our platform

We will never sell, rent, or trade your personal data to third parties for marketing purposes.

Under GDPR, we process your personal data on the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing is necessary to deliver the services you have requested.
• Legitimate Interests (Art. 6(1)(f)): To improve our services, conduct business development, and maintain security.
• Consent (Art. 6(1)(a)): For marketing emails and non-essential cookies — you may withdraw consent at any time.
• Legal Obligation (Art. 6(1)(c)): To comply with Finnish and EU laws including tax, accounting, and regulatory requirements.

We may share your data with trusted third-party service providers solely to operate our business. These include:

• Cloud Infrastructure: Hosting and server providers (e.g., Vercel, AWS) operating within the EEA or under EU-approved safeguards.
• CRM & Communication Tools: Tools used to manage client relationships and service delivery.
• Analytics: Website analytics tools to understand site performance (data is anonymised where possible).
• Payment Processors: Secure payment gateways compliant with PCI-DSS standards.
• AI Platform Infrastructure: Our AI chat and voice agent services are delivered through a white-label enterprise SaaS platform. Conversation data passes through this platform's infrastructure for generating responses, storing analytics, and managing client dashboards. This platform operates under strict contractual data protection obligations and GDPR-compliant data handling standards.
• AI Model Providers: Conversations with our AI agents are processed by third-party LLM providers — which may include OpenAI (GPT-4o), Anthropic (Claude), Google (Gemini), and similar providers — solely for the purpose of generating AI responses. These providers do not use your conversation data to train their public AI models under our enterprise agreements.
• Voice & Speech Providers: AI voice agent services involve real-time speech-to-text and text-to-speech processing. Voice data is processed transiently for response generation and is not retained for longer than operationally necessary.
• Integration Partners: Where AI agents are connected to your CRM, calendar, or other third-party tools, relevant data may be shared with those platforms as part of the service workflow, based on your instructions as the data controller.

We will never sell, rent, or trade your personal data to third parties for marketing purposes. All third-party processors are bound by contractual data protection obligations consistent with GDPR requirements.

We retain your personal data only for as long as necessary:

• Client Data: Retained for the duration of the service agreement plus 5 years for legal and accounting purposes under Finnish law.
• AI Conversation Logs: Retained for up to 12 months for service improvement, analytics, and dispute resolution. Earlier deletion requests will be actioned within 30 days subject to legal retention obligations.
• Voice Transcripts: Retained for up to 90 days for quality assurance purposes, unless a shorter retention period is agreed in the client's SOW.
• Marketing Data: Retained until you withdraw consent or unsubscribe.
• Website Analytics: Retained for up to 24 months in anonymised form.
• Job Applicants: Retained for 12 months after the application process unless you consent to longer retention.

After the applicable retention period, data is securely deleted or permanently anonymised.

As a data subject, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data where there is no compelling reason for continued processing.
• Right to Restriction: Request that we limit the processing of your data in certain circumstances.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at info@nordicdesh.com. We will respond within 30 days. If you are unsatisfied, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

We take the security of your personal data seriously. Our security measures include:

• SSL/TLS encryption for all data transmitted through our website
• Access controls limiting data access to authorised personnel only
• Regular security reviews and updates of our systems
• Secure cloud infrastructure with GDPR-compliant providers

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, as required by GDPR.

Our website uses cookies and similar tracking technologies. These include:

• Essential Cookies: Required for the website to function correctly. Cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our site. Used only with your consent.
• Marketing Cookies: Used to deliver relevant content and track campaign performance. Used only with your consent.

You can manage your cookie preferences through our cookie consent banner or your browser settings. Withdrawing consent for non-essential cookies does not affect the functionality of core services.

Some of our third-party service providers may process data outside the European Economic Area (EEA). This is particularly relevant for our AI agent services, where conversation data may be processed by AI model providers based in the United States — including but not limited to OpenAI, Anthropic, and Google.

In all such cases, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission, which impose GDPR-equivalent obligations on data recipients.
• EU adequacy decisions for transfers to countries with a valid decision.
• Enterprise-level Data Processing Agreements (DPAs) with all AI model and platform providers, which include commitments that your data will not be used to train public AI models.
• Other legally recognised transfer mechanisms under GDPR Chapter V.

For further information about specific safeguards in place for any international transfer, please contact us at info@nordicdesh.com.

Our services are intended for businesses and individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify active clients by email where required

Your continued use of our website after changes are posted constitutes acceptance of the updated policy.

For any questions, requests, or concerns about this Privacy Policy or your personal data, please contact us: