Privacy Policy

Last updated: 25 January 2026

1. Data Controller

Nordlys ApS ("Nordlys", "we", "us", or "our") is the data controller responsible for your personal data.

  • Company: Nordlys ApS
  • CVR: 12345678
  • Address: Nørrebrogade 45, 2200 København N, Denmark
  • Email: privacy@nordlys.io
  • Data Protection Officer: dpo@nordlys.io

2. Data We Collect

We collect the following categories of personal data:

2.1 Information You Provide

  • Account Information: Name, email address, password (hashed)
  • Profile Information: Username, profile picture, preferences
  • Purchase Information: Billing address, shipping address, payment method (processed by Stripe)
  • Support Communications: Messages sent to our support team

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on platform
  • Device Information: Browser type, operating system, device type
  • Log Data: IP address, access times, referring URLs
  • Cookies: See our Cookie Policy for details

2.3 Platform Data

  • Growing Environment Data: Sensor readings (temperature, humidity, etc.)
  • Project Data: Growing logs, notes, photos you upload
  • AI Interactions: Questions you ask our AI assistant (processed to improve the service)

3. Legal Basis for Processing (GDPR Art. 6)

We process your data based on:

  • Contract Performance (Art. 6(1)(b)): To provide our services to you
  • Legitimate Interests (Art. 6(1)(f)): To improve our services, prevent fraud, ensure security
  • Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies
  • Legal Obligation (Art. 6(1)(c)): To comply with tax and accounting requirements

4. How We Use Your Data

  • Provide, maintain, and improve our platform and services
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze trends, usage, and activities
  • Detect, investigate, and prevent fraudulent transactions and other illegal activities
  • Personalize and improve your experience
  • Send promotional communications (with your consent)

5. Data Sharing

We may share your data with:

  • Service Providers: Stripe (payments), AWS (hosting), SendGrid (email)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

We do NOT sell your personal data to third parties.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the EEA. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules where applicable

7. Data Retention

We retain your data for:

  • Account Data: As long as your account is active, plus 30 days after deletion
  • Transaction Data: 7 years (legal/tax requirements)
  • Support Communications: 2 years
  • Analytics Data: 26 months

8. Your Rights (GDPR Articles 15-22)

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limited processing of your data
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@nordlys.io.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption at rest and in transit (TLS 1.3)
  • Regular security assessments and penetration testing
  • Access controls and authentication measures
  • Employee training on data protection
  • Incident response procedures

10. Automated Decision-Making

Our AI growing assistant provides recommendations based on data you provide. These recommendations are informational only and do not constitute automated decision-making that produces legal or similarly significant effects.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

12. Complaints

If you have concerns about our data practices, you have the right to lodge a complaint with a supervisory authority. For Denmark, this is:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

14. Contact Us

For questions about this Privacy Policy or our data practices, contact us at:
privacy@nordlys.io