Skip to main content

Privacy Policy

Last updated: 2026-05-10

This Privacy Policy describes how Preferium AS("we", "us") collects, uses, and shares personal information when you use app.preferium.com and our Service.

1. Who we are

Preferium AS, a Norwegian limited company. Address: [Office address], Norway. Contact: post@preferium.no. Data Protection Officer: post@preferium.nowith subject "DPO".

2. What data we collect

2.1 Customer account data

  • Email address (sign-in identifier)
  • Workspace name
  • Tenant role (owner / admin / member / sub-user)
  • OAuth tokens (Google Search Console + GA4 — encrypted at rest with AES-GCM)
  • Stripe customer ID (linked to Stripe-stored billing details)

2.2 Domain operational data

  • Hostname + origin URL
  • Crawled HTML metadata (titles, descriptions, headings, JSON-LD)
  • AI-generated rewrite suggestions
  • Deploy state per page-element

2.3 Visitor traffic data (transient)

  • AI crawler request paths + user agents (ai_traffic_referrals table — 14-day retention)
  • AI crawler visit logs (ai_crawler_visits — 30-day retention)
  • Edge worker access logs (Cloudflare-managed — 7-day retention)
  • We do not track end-user visitors with cookies, session IDs, or fingerprints.

2.4 Aggregate / derived data

  • Per-domain AI traffic histograms
  • Per-page audit issue counts
  • Per-keyword SERP positions
  • LLM citation tracking results

3. How we use the data

Processing purposes and GDPR Art. 6 legal basis for each category of customer data
PurposeLegal basis (GDPR Art. 6)
Provide the Service (account, domains, optimizations)Contract (Art. 6(1)(b))
Send transactional emails (invitations, password resets, alerts)Contract
Process paymentsContract
Improve the Service (aggregate analytics, no personal data)Legitimate interest (Art. 6(1)(f))
Comply with legal obligations (tax, audit)Legal obligation (Art. 6(1)(c))
Send product updates (opt-in)Consent (Art. 6(1)(a))

4. How we share data

We share Personal Data only with the Sub-Processors listed in our Data Processing Agreement. We do not sell Personal Data, and we do not share it with advertisers or data brokers.

We may disclose Personal Data when required by law, to protect our rights or safety, or in connection with a corporate transaction (merger, acquisition) — in which case we will notify customers in advance.

5. International transfers

The Service runs on Cloudflare's global edge network. Customer-account data is stored in EU (Frankfurt or Stockholm) via Supabase. LLM inference may transfer optimized HTML snippets to the US (Anthropic, OpenAI, Google) — these transfers use EU Standard Contractual Clauses.

6. Retention

Retention periods per data category before automatic deletion
DataRetention
Customer accountLifetime of subscription + 30 days
Audit logs24 months
AI traffic referrals14 days
AI crawler visits30 days
Edge worker access logs7 days (Cloudflare-managed)
Backups (Postgres)30 days
Backups (R2 weekly snapshots)90 days
Stripe dataPer Stripe's policies + Norwegian tax law (10 years for invoices)

After deletion (account closure), all Personal Data is removed from production systems within 30 days. Backup rotation completes within 90 days.

7. Your rights (GDPR)

You have the right to:

  • Access your data (export via API or written request)
  • Rectify inaccurate data
  • Erase your data (by written request to our DPO — see Contact below)
  • Restrict processing
  • Object to processing based on legitimate interests
  • Data portability (JSON export available via API)
  • Withdraw consent at any time (for processing based on consent)
  • Lodge a complaint with Datatilsynet (Norwegian DPA) at datatilsynet.no

Contact us at post@preferium.no to exercise any of these rights. We will respond within 30 days.

8. Cookies

The dashboard uses only functional cookies:

  • Supabase session cookie (authentication — required)
  • Locale preference cookie (UX — required)

We do notuse analytics cookies, advertising cookies, or third-party tracking cookies on the dashboard. The customer's own website (the one we optimize for AI search) is governed by the customer's own privacy policy — Preferium does not inject additional tracking into customer pages.

9. Children

The Service is not directed at children under 16. We do not knowingly collect Personal Data from children.

10. Changes

We may update this Privacy Policy. Material changes are notified via email (to the workspace owner) at least 30 days before the change takes effect.

11. Contact

  • Email: post@preferium.no
  • Subject for DPO requests:"DPO"
  • Mail: Preferium AS, [Office address], Norway

For complaints, you may also contact:

Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum
0105 Oslo, Norway
postkasse@datatilsynet.no