Last updated: February 21, 2026
FRITS AI ApS, CVR DK45733785 (“Nordvig,” “we,” “us,” or “our”) operates the nordvig.ai platform, including our website, mobile applications, SMS, Telegram, voice, and web messenger channels (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service.
Privacy Contact: privacy@nordvig.ai
1. Data Controller
The data controller responsible for your personal data is:
- Company: FRITS AI ApS
- CVR: DK45733785
- Address: Nyhavn 38, 5. tv, 1051 København K, Denmark
- Email: privacy@nordvig.ai
- Website: nordvig.ai
Supervisory authority: Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark — datatilsynet.dk.
2. Data We Collect
2.1 Account & Identity Data
- Your name (as you provide it)
- Phone number (for SMS delivery and account identification)
- Telegram user ID (if using Telegram channel)
- Timezone preference
- Subscription and payment status
2.2 Conversation Data
- Messages you send to and receive from the AI assistant (text, voice transcriptions, attachments)
- AI-generated responses
- Conversation metadata (timestamps, channel used, message role)
2.3 Memory & Preferences
When you ask the assistant to remember something, we store:
- Facts, goals, preferences, and projects you create or ask the assistant to track
- Lists and observations
- Contact profiles and relationship information you provide
2.4 Usage Data
- AI model token usage (input/output counts per conversation)
- Feature usage (web searches, SMS segments, voice minutes)
- IP address (recorded in audit logs for security purposes)
2.5 Payment Data
- Stripe customer ID and subscription ID
- Subscription status and billing cycle
- We do not collect or store your credit card number, CVV, or banking details — these are handled entirely by Stripe
2.6 Cookies
- Session cookies (essential): Used for dashboard authentication. HttpOnly, Secure, 3-day expiry for owners, 24-hour for administrators.
- Language preference cookie: Stores your language selection. 365-day expiry.
We do not use advertising or third-party tracking cookies.
3. How We Use Your Data
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Providing AI assistant conversations | Consent (Art. 6(1)(a)) |
| Storing conversation memory and preferences | Consent (Art. 6(1)(a)) |
| SMS and voice communication delivery | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Proactive reminders and scheduled messages | Legitimate interest (Art. 6(1)(f)) |
| Service analytics and performance monitoring | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f)) |
We do not sell your personal data. We do not use your data for advertising.
4. AI Processing Disclosure
Our Service uses artificial intelligence to generate responses. When you send a message:
- Your message and conversation history are sent to Mistral AI (Paris, France) via their API for processing
- Mistral processes data in the EU and retains API inputs/outputs per their data processing terms
- If voice input is used and transcription is enabled, your voice audio may be sent to OpenAI for speech-to-text conversion
- If semantic search is enabled, message text may be sent to OpenAI for text embedding generation
By using the Service, you consent to this processing. You may withdraw consent at any time by discontinuing use and requesting data deletion.
5. Third-Party Service Providers
We share personal data with the following service providers (data processors), solely to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Mistral AI | AI conversation processing | Messages, conversation history | EU (France) |
| Twilio | SMS & voice delivery | Phone numbers, message body | US |
| Telnyx | SMS delivery (primary carrier) | Phone numbers, message body | US |
| Stripe | Payment processing | Customer ID, subscription data | US (DPF-certified) |
| Railway | Infrastructure hosting | Application data (server-side) | US |
| OpenAI (if enabled) | Voice transcription, text embeddings | Audio files, message text | US |
We maintain Data Processing Agreements with our sub-processors as required by GDPR Article 28.
6. International Data Transfers
Your data may be transferred to the United States where our service providers operate. We ensure adequate protection through:
- EU–US Data Privacy Framework (DPF) — Stripe is DPF-certified
- Standard Contractual Clauses (SCCs) — included in our Data Processing Agreements
- EU Processing — Mistral AI processes all API data within the EU (France)
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Trial account data (all data) | Deleted automatically upon trial expiry (default: 5 days) plus a short grace period |
| Paid account conversations & memory | Duration of active subscription; deleted upon account closure |
| AI processing logs | 30 days (auto-deleted) |
| Session tokens | 3 days (owner) / 24 hours (admin) |
| Audit logs | Duration of account; deleted with account |
| Payment redirect tokens | 48 hours (auto-deleted) |
| Blocked phone records (abuse prevention) | Up to 1 year |
8. Your Rights
8.1 Rights Under GDPR (EU/EEA Residents)
If you are located in the EU/EEA, you have the following rights:
- Right of Access (Art. 15) — Request a copy of your personal data
- Right to Rectification (Art. 16) — Correct inaccurate personal data
- Right to Erasure (Art. 17) — Request deletion of your personal data
- Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to Restrict Processing (Art. 18) — Restrict how we process your data
- Right to Object (Art. 21) — Object to processing based on legitimate interest
- Right to Withdraw Consent — Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@nordvig.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet) — datatilsynet.dk.
8.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know — Request what personal information we collect, use, and disclose
- Right to Delete — Request deletion of your personal information
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising
- Right to Non-Discrimination — We will not discriminate against you for exercising your rights
Categories of personal information collected: Identifiers (name, phone number, Telegram ID), internet/electronic activity (conversation history, usage data), financial information (subscription data; not payment card details).
Sensitive personal information: Phone numbers (used solely for service delivery).
Sources: Directly from you (messages, account registration).
Business purpose: Providing and improving the AI assistant service.
To exercise your rights, contact privacy@nordvig.ai. We will respond within 45 days.
8.3 SMS Opt-Out (US Residents)
You may opt out of SMS messages at any time by replying STOP to any message. You may also opt out by contacting privacy@nordvig.ai. We honor all opt-out requests immediately.
9. Data Security
We implement the following security measures:
- API keys encrypted at rest using AES-256-GCM
- Authentication tokens hashed with SHA-256 (irreversible)
- Webhook signature verification for all inbound data (Twilio, Telnyx, Stripe)
- Rate limiting and prompt injection detection
- Role-based access control enforced in code
- HTTPS/TLS encryption for all data in transit
- HttpOnly, Secure session cookies with SameSite protection
10. Children’s Privacy
Our Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@nordvig.ai.
11. Automated Decision-Making
Our Service uses AI to generate conversational responses. This constitutes automated processing but does not produce legal or similarly significant effects on users. The AI does not make decisions about your access to services, creditworthiness, employment, or any other consequential matter.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the Service before they take effect. The “Last updated” date at the top indicates the most recent revision.
13. Contact Us
- Company: FRITS AI ApS (CVR DK45733785)
- Address: Nyhavn 38, 5. tv, 1051 København K, Denmark
- Privacy inquiries: privacy@nordvig.ai
- General support: support@nordvig.ai
- Website: nordvig.ai
- Supervisory authority: Datatilsynet — datatilsynet.dk