Privacy Notice
Last updated: [DATE] · Effective date: [DATE]
Who we are
Seedli (“we”, “us”, “our”) is a decision intelligence platform operated by [LEGAL ENTITY NAME], [CVR NUMBER], registered in Denmark.
Contact for privacy matters:
Email: kontakt@flemmingrubak.com
Address: [BUSINESS ADDRESS]
What this notice covers
This notice explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR) and applicable Danish data protection law (Databeskyttelsesloven).
What personal data we collect
Data you provide directly
Account information
- Email address (used for authentication via magic link)
- Name (if provided in account settings)
Project and workspace data
- Company name and website URL
- Market descriptions, industry selections, geographic preferences
- Competitor names and domains
- Buyer type selections and target audience descriptions
Data collected automatically
Authentication data
- Session tokens (stored in httpOnly cookies)
- Login timestamps
Technical data
- IP address (processed but not stored long-term by us; IP addresses are masked in analytics)
- Browser type and version (processed by error monitoring, with PII redacted)
- Device type, screen resolution, and operating system (collected via analytics, with consent)
- Pages visited, session duration, and interaction patterns (collected via analytics, with consent)
Data we generate
Analysis data
- AI-generated market intelligence, brand visibility metrics, decision journey analysis
- These are generated by querying third-party AI platforms with market descriptions (not personal data) and storing the structured results
Why we collect this data and the legal basis
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the service — account creation and authentication | Email address, session tokens | Performance of contract (Art. 6(1)(b)) |
| Providing the service — generating market intelligence | Project data, market descriptions, competitor names | Performance of contract (Art. 6(1)(b)) |
| Error monitoring and service stability | Technical data, anonymized error traces | Legitimate interest (Art. 6(1)(f)) |
| Analytics — understanding how the platform is used and improving the user experience | Usage data, device data, pages visited (IP addresses masked) | Consent (Art. 6(1)(a)) — managed via Cookiebot |
| Communicating with you about your account | Email address | Performance of contract (Art. 6(1)(b)) |
Who we share your data with
We use the following third-party services (sub-processors) to operate Seedli. We have reviewed each provider’s data protection practices and, where applicable, ensured appropriate safeguards for international data transfers.
Infrastructure and data storage
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database hosting, user authentication | Account data, project data, analysis results | EU (AWS Stockholm, Sweden) |
| Vercel (Vercel Inc.) | Web application hosting and delivery | HTTP requests, static assets | Global CDN (US-based company) |
| Google Cloud Platform | Background job execution (Cloud Run) | Project data during analysis processing | Configurable region |
AI model providers
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| OpenAI (OpenAI Inc.) | AI market analysis generation | Market descriptions, industry context, brand names, domain names | US |
| Anthropic (Anthropic PBC) | AI market analysis generation | Market descriptions, industry context, brand names, domain names | US |
Important: We send market descriptions, industry categories, geographic context, and brand/domain names to AI providers as part of generating analysis. We do not send user email addresses, passwords, or any account-level personal data to these providers. In most cases, brand names and domains do not constitute personal data. However, where a brand name is identical to a sole proprietor’s name, it may qualify as personal data under GDPR.
Error monitoring
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Sentry (Functional Software Inc.) | Error tracking and performance monitoring | Anonymized error traces, technical metadata | EU (Germany) |
We actively redact personal data from error reports, including email addresses, authentication tokens, and cookies.
Analytics and consent management
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Cookiebot (Usercentrics A/S) | Cookie consent management | Consent state, anonymized consent log | EU (Denmark) |
| Google Tag Manager (Google LLC) | Tag management and analytics orchestration | No personal data directly (container for other tags) | US |
| Google Analytics 4 (Google LLC) | Usage analytics with IP masking enabled | Anonymized usage data, pages visited, session data, device info (IP addresses masked before storage) | US (data processed with IP anonymization) |
Google Analytics 4 is configured with IP masking (anonymization) enabled, meaning full IP addresses are not stored by Google. Analytics cookies are only set after you provide consent via our cookie consent banner (Cookiebot). If you decline analytics cookies, no analytics data is collected.
Google Tag Manager acts as a container that manages the loading of analytics scripts. It does not independently collect personal data, but it controls when and how Google Analytics is activated based on your consent preferences.
Content and media services
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Sanity (Sanity AS) | Content management (editorial content) | No personal data | Norway |
| Gravatar (Automattic Inc.) | User avatar images | Email hash (MD5) | US |
International data transfers
Some of our sub-processors are based outside the EU/EEA, primarily in the United States. For these transfers, we rely on:
- The EU-US Data Privacy Framework (for providers certified under it)
- Standard Contractual Clauses (SCCs) where the Data Privacy Framework does not apply
How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | As long as your account is active. Deleted within 30 days of account deletion request. |
| Project data and analysis results | As long as the project exists. Deleted when you delete the project or your account. |
| Authentication logs | Managed by Supabase; subject to their retention policy. |
| Error monitoring data | Managed by Sentry; typically retained for 90 days. |
Your rights under GDPR
As a data subject, you have the following rights:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate personal data
- Erasure — Request deletion of your personal data (“right to be forgotten”)
- Restriction — Request that we restrict processing of your data
- Data portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at kontakt@flemmingrubak.com. We will respond within 30 days.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at www.datatilsynet.dk.
Cookies
We use essential cookies required for authentication and service operation, and optional analytics cookies that are only activated with your consent. Cookie preferences are managed through Cookiebot, and you can change your preferences at any time. See our Cookie Policy for full details.
Changes to this notice
We may update this notice to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through the platform.