Privacy Policy
Last updated: 2026-05-10
This Privacy Policy describes how Preferium AS("we", "us") collects, uses, and shares personal information when you use app.preferium.com and our Service.
1. Who we are
Preferium AS, a Norwegian limited company. Address: [Office address], Norway. Contact: post@preferium.no. Data Protection Officer: post@preferium.nowith subject "DPO".
2. What data we collect
2.1 Customer account data
- Email address (sign-in identifier)
- Workspace name
- Tenant role (owner / admin / member / sub-user)
- OAuth tokens (Google Search Console + GA4 — encrypted at rest with AES-GCM)
- Stripe customer ID (linked to Stripe-stored billing details)
2.2 Domain operational data
- Hostname + origin URL
- Crawled HTML metadata (titles, descriptions, headings, JSON-LD)
- AI-generated rewrite suggestions
- Deploy state per page-element
2.3 Visitor traffic data (transient)
- AI crawler request paths + user agents (
ai_traffic_referralstable — 14-day retention) - AI crawler visit logs (
ai_crawler_visits— 30-day retention) - Edge worker access logs (Cloudflare-managed — 7-day retention)
- We do not track end-user visitors with cookies, session IDs, or fingerprints.
2.4 Aggregate / derived data
- Per-domain AI traffic histograms
- Per-page audit issue counts
- Per-keyword SERP positions
- LLM citation tracking results
3. How we use the data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Service (account, domains, optimizations) | Contract (Art. 6(1)(b)) |
| Send transactional emails (invitations, password resets, alerts) | Contract |
| Process payments | Contract |
| Improve the Service (aggregate analytics, no personal data) | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (tax, audit) | Legal obligation (Art. 6(1)(c)) |
| Send product updates (opt-in) | Consent (Art. 6(1)(a)) |
4. How we share data
We share Personal Data only with the Sub-Processors listed in our Data Processing Agreement. We do not sell Personal Data, and we do not share it with advertisers or data brokers.
We may disclose Personal Data when required by law, to protect our rights or safety, or in connection with a corporate transaction (merger, acquisition) — in which case we will notify customers in advance.
5. International transfers
The Service runs on Cloudflare's global edge network. Customer-account data is stored in EU (Frankfurt or Stockholm) via Supabase. LLM inference may transfer optimized HTML snippets to the US (Anthropic, OpenAI, Google) — these transfers use EU Standard Contractual Clauses.
6. Retention
| Data | Retention |
|---|---|
| Customer account | Lifetime of subscription + 30 days |
| Audit logs | 24 months |
| AI traffic referrals | 14 days |
| AI crawler visits | 30 days |
| Edge worker access logs | 7 days (Cloudflare-managed) |
| Backups (Postgres) | 30 days |
| Backups (R2 weekly snapshots) | 90 days |
| Stripe data | Per Stripe's policies + Norwegian tax law (10 years for invoices) |
After deletion (account closure), all Personal Data is removed from production systems within 30 days. Backup rotation completes within 90 days.
7. Your rights (GDPR)
You have the right to:
- Access your data (export via API or written request)
- Rectify inaccurate data
- Erase your data (by written request to our DPO — see Contact below)
- Restrict processing
- Object to processing based on legitimate interests
- Data portability (JSON export available via API)
- Withdraw consent at any time (for processing based on consent)
- Lodge a complaint with Datatilsynet (Norwegian DPA) at datatilsynet.no
Contact us at post@preferium.no to exercise any of these rights. We will respond within 30 days.
8. Cookies
The dashboard uses only functional cookies:
- Supabase session cookie (authentication — required)
- Locale preference cookie (UX — required)
We do notuse analytics cookies, advertising cookies, or third-party tracking cookies on the dashboard. The customer's own website (the one we optimize for AI search) is governed by the customer's own privacy policy — Preferium does not inject additional tracking into customer pages.
9. Children
The Service is not directed at children under 16. We do not knowingly collect Personal Data from children.
10. Changes
We may update this Privacy Policy. Material changes are notified via email (to the workspace owner) at least 30 days before the change takes effect.
11. Contact
- Email: post@preferium.no
- Subject for DPO requests:"DPO"
- Mail: Preferium AS, [Office address], Norway
For complaints, you may also contact:
Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum
0105 Oslo, Norway
postkasse@datatilsynet.no