Privacy Policy
Last updated: 2025-09-02
1. Introduction
This Privacy Policy explains how Trendomic AS (“we”, “us”, “our”, or “Trendomic”) collects, uses, shares, and protects personal data when you visit our website trendomic.com (the “Website”) or use our services.
We are committed to protecting your privacy and ensuring that your personal data is handled in a safe and responsible manner in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
Data Controller Information
Company Name: Trendomic AS
Organization Number: 834 968 142
Registered Address: Siljustølvegen 33, 5239 Rådal, Bergen, Norway
Data Protection Contact: privacy@trendomic.com
Website: https://trendomic.com
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Information You Provide Directly
When you sign up for our services or newsletter, we collect:
- Account Information: Name, email address, password (encrypted), and any other information essential to provide our service
- Authentication Data: Login timestamps, authentication tokens, password reset requests
- Newsletter Subscription: Name and email address for marketing communications
- Communication Data: Information you provide when contacting us via email or contact forms
- Service Usage Data: Information you input while using our authenticated services (excluding any data processed by AI features)
2.2 Information Collected Automatically
When you visit our Website, we automatically collect:
- Technical Data: IP address (anonymized), browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Usage Data: Information about how you use our Website, including pages visited, time spent on pages, links clicked, and navigation paths
- Cookie Data: Information collected through cookies and similar tracking technologies (see Section 7)
2.3 Google Analytics Data
We use Google Analytics 4 to analyze Website usage. Google Analytics collects:
- Anonymized IP addresses
- Device and browser information
- Geographic location (country/city level)
- Pages visited and interaction data
- Traffic source information
- Session duration and bounce rates
- Advertising identifiers and remarketing data
- Cross-device tracking information
- Google Ads conversion data
- Audience segment data for targeted advertising
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 of the GDPR:
3.1 Contract (Article 6(1)(b))
Processing necessary for the performance of a contract when you:
- Register for an account on our Website
- Use our services
3.2 Consent (Article 6(1)(a))
We rely on your explicit consent for:
- Sending marketing communications and newsletters
- Setting non-essential cookies (analytics, marketing)
- Processing data through Google Analytics
3.3 Legitimate Interests (Article 6(1)(f))
We process data based on our legitimate interests for:
- Ensuring network and information security
- Fraud prevention and detection
- Basic website functionality and essential cookies
- Internal administrative purposes
3.4 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations, including:
- Tax and accounting requirements
- Responding to lawful requests from authorities
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Service Provision
- To create and manage your account through Supabase authentication
- To provide the services you have requested
- To enable AI-powered features for authenticated users
- To communicate with you about your account and services
- To send transactional emails and service notifications
- To provide customer support
4.2 Marketing and Communications
- To send newsletters and marketing communications (with your consent)
- To inform you about new features, services, or updates
- To conduct surveys and gather feedback
4.3 Website Improvement and Analytics
- To analyze Website usage and improve user experience
- To measure the effectiveness of marketing campaigns
- To understand user preferences and behavior patterns
- To optimize Website performance and functionality
4.4 Legal and Security
- To comply with legal obligations
- To protect our rights and prevent fraud
- To ensure the security of our systems and data
- To maintain authentication security and prevent unauthorized access
5. Data Sharing and Transfers
5.1 Service Providers
We share your data with trusted third-party service providers who assist us in operating our Website and providing services:
- Google LLC (Google Analytics) - Website analytics and measurement
- CookieYes Limited - Cookie consent management
- Hosting Provider - Server infrastructure in Amsterdam, Netherlands
- Supabase Inc. - Authentication and user account management
- SendGrid (Twilio Inc.) - Email delivery for transactional and marketing communications
- OpenAI, L.L.C. - AI-powered features for authenticated users (no personal data is included in AI processing)
All service providers are contractually obligated to protect your data and use it only for the purposes we specify. We have Data Processing Agreements (DPAs) in place with each service provider.
5.2 International Data Transfers
Your personal data may be transferred outside the European Economic Area (EEA):
Google Analytics: Data is transferred to Google LLC in the United States. Google is certified under the EU-U.S. Data Privacy Framework, and we have implemented Google's Data Processing Terms including Standard Contractual Clauses.
Supabase: Data may be transferred to Supabase Inc. in the United States. We ensure appropriate safeguards through their Data Processing Agreement and Standard Contractual Clauses.
SendGrid: Data is transferred to Twilio Inc. (SendGrid) in the United States. SendGrid is certified under the EU-U.S. Data Privacy Framework, and we have executed their Data Processing Addendum.
OpenAI: When using AI features, requests are processed by OpenAI, L.L.C. in the United States. We have implemented OpenAI's Data Processing Agreement. No personal data is intentionally included in AI processing requests.
Server Location: Our primary servers are located in Amsterdam, Netherlands (within the EEA).
We ensure appropriate safeguards are in place for any international transfers in accordance with Chapter V of the GDPR, including Standard Contractual Clauses where applicable.
5.3 Other Disclosures
We may disclose your personal data:
- To comply with legal obligations or court orders
- To protect our rights, property, or safety
- In connection with a business sale, merger, or acquisition
- With your explicit consent
6. Data Retention
We retain personal data only for as long as necessary to provide the service, meet legal obligations, and resolve disputes. Default periods are listed below; shorter or longer periods may apply where you instruct us in the DPA or where law requires otherwise.
| Data Category | Retention Period |
|---|---|
| Account Data (Supabase) | For the life of the account, plus 12 months after closure |
| Authentication Logs | 90 days (security and abuse prevention) |
| Newsletter / Waitlist Subscription | Until you unsubscribe or request deletion |
| Email Engagement Data (SendGrid) | 12 months |
| Google Analytics Data (GA4) | 14 months |
| Server Logs | 90 days |
| Cookie Consent Records (CookieYes) | 2 years from consent date |
| AI Feature Usage Logs | 90 days (no personal data retained) |
| Legal/Tax Records | As required by Norwegian law (typically 5–10 years) |
| Google Ads Configurations & Mappings | For the life of the customer relationship, plus 12 months after termination (e.g., customer_id, account hierarchy refs, Trendomic↔Google Ads ID mappings, campaign drafts/configs created in Trendomic) |
| Aggregated Performance Summaries (Google Ads) | 90 days rolling (configurable per customer). Aggregated reporting snapshots only; no raw click logs stored indefinitely. |
| Operational & API Logs (Google Ads) | 90–180 days for security, troubleshooting, and abuse detection (may be retained longer if needed for an investigation or legal claim) |
| Backups & Snapshots | Up to 35 days (encrypted). Backups are immutable and age out on schedule. |
6.1 Google Ads data (details)
When you link a Google Ads account to Trendomic, we access campaign structure and performance metrics via the Google Ads API solely to provide Trendomic’s features (reporting, recommendations, and campaign updates at your instruction). We do not sell Google user data. If you unlink our MCC or close your account, data retrieval stops immediately and Google-Ads–derived data is deleted within 30 days (subject to backup aging). As to this processing, Trendomic acts as your processor under our Data Processing Agreement and will follow your deletion/retention instructions.
7. Cookies and Tracking Technologies
7.1 Cookie Consent Management
We use CookieYes as our Consent Management Platform (CMP) to manage cookie consent in compliance with GDPR and ePrivacy Directive requirements. CookieYes is integrated with:
- Google Consent Mode v2
- IAB Europe Transparency & Consent Framework (TCF) v2.2
7.2 Types of Cookies We Use
Strictly Necessary Cookies
- Required for basic Website functionality
- Cannot be disabled
- Examples: Session cookies, security cookies, cookie consent preferences
Analytics Cookies
- Google Analytics (ga, _ga*) - 2-year expiration
- Help us understand how visitors use our Website
- Only set with your consent
Advertising/Marketing Cookies
- Google Ads conversion tracking (_gcl_au, _gcl_gb) - 90 days
- Remarketing cookies for targeted advertising
- Cross-device tracking identifiers
- Used to measure advertising effectiveness
- Track conversions from Google Ads campaigns
- Create audiences for personalized advertising
- Only set with your explicit consent
7.3 Managing Cookie Preferences
You can manage your cookie preferences at any time:
- Through the CookieYes consent banner when you first visit
- Via the cookie settings widget/button on our Website
- Through your browser settings
For detailed information about cookies, please see our Cookie Policy.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
8.1 Right to Access (Article 15)
You can request a copy of your personal data we hold.
8.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
8.3 Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances.
8.4 Right to Restrict Processing (Article 18)
You can request limitation of processing in specific situations.
8.5 Right to Data Portability (Article 20)
You can receive your data in a structured, machine-readable format.
8.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or direct marketing.
8.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
8.8 Right to Breach Notification (Article 34)
If a data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
8.9 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@trendomic.com. We will respond to your request within 30 days.
For account deletion, you can also use the account deletion feature in your account settings, which will initiate the removal of your personal data according to our retention schedule.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: Data transmitted between your browser and our servers is encrypted using SSL/TLS
- Password Security: Passwords are hashed using industry-standard algorithms (via Supabase)
- Access Controls: Limited access to personal data on a need-to-know basis with role-based permissions
- Authentication Security: Secure session management and token-based authentication
- Regular Updates: Security patches and updates applied regularly
- Secure Hosting: Servers hosted in secure data centers with physical and digital security measures
- API Security: Secure API keys and encrypted communication with third-party services
- Incident Response: Procedures in place to detect and respond to data breaches within 72 hours
Despite our security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.
10. Children's Privacy
Our Website and services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.
11. Third-Party Links
Our Website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policies of any third-party sites you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting the updated policy on our Website
- Updating the “Last updated” date
- Sending an email notification (for registered users)
13. Data Protection Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates the GDPR.
Norwegian Data Protection Authority (Datatilsynet)
Website: https://www.datatilsynet.no
Email: postkasse@datatilsynet.no
Phone: +47 22 39 69 00
You may also contact the data protection authority in your country of residence.
14. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
Data Protection Contact:
Email: privacy@trendomic.com
Company: Trendomic AS
Address: Siljustølvegen 33, 5239 Rådal, Bergen, Norway
We aim to respond to all privacy-related inquiries within 30 days.
15. Google Ads and Remarketing
15.1 Remarketing and Advertising
We connect Google Analytics with Google Ads to provide targeted advertising and remarketing services. This integration allows us to:
- Track conversions from our advertising campaigns
- Create remarketing audiences based on Website behavior
- Optimize campaigns across devices and platforms
- Deliver personalized advertising content
- Measure advertising effectiveness and ROI
15.2 Consent Requirements for Advertising
For remarketing and personalized advertising features, we require your explicit consent for:
- ad_user_data: Collection and processing of user data for advertising purposes
- ad_personalization: Using your data to create personalized advertising experiences
- Cross-device tracking and audience matching
- Behavioral targeting based on Website interactions
15.3 Google Consent Mode v2
We have implemented Google Consent Mode v2, which is mandatory for EEA traffic since March 2024. This system:
- Respects your consent choices for advertising and analytics
- Adjusts data collection based on your consent status (granted/denied)
- Enables privacy-friendly measurement while honoring your preferences
- Passes consent signals (
ad_user_dataandad_personalization) to Google services
15.4 Opt-Out of Remarketing
You can opt out of Google's personalized advertising by:
- Declining advertising cookies in our cookie consent banner
- Visiting Google Ads Settings to manage your advertising preferences
- Using the Digital Advertising Alliance opt-out tool
- Adjusting your browser settings to block tracking cookies
16. Google Analytics Specific Information
16.1 Google Analytics Configuration
We have configured Google Analytics 4 with the following privacy settings:
- IP anonymization enabled by default in GA4
- Data retention set to 14 months
- Google Signals disabled for enhanced privacy
- User and event data deletion available upon request
- Google's Data Processing Terms accepted
16.2 Opt-Out Options
You can opt out of Google Analytics tracking by:
- Declining analytics cookies in our cookie banner
- Installing the Google Analytics Opt-out Browser Add-on
- Adjusting your browser settings to block cookies
16.3 Google's Privacy Practices
For information about how Google processes data:
17. Newsletter and Marketing Communications
17.1 Subscription
When you subscribe to our newsletter, we collect your name and email address with your explicit consent.
17.2 Unsubscribe
You can unsubscribe from marketing communications at any time by:
- Clicking the “unsubscribe” link in any marketing email
- Contacting us at privacy@trendomic.com
- Managing preferences in your account settings
17.3 Marketing Preferences
We will only send marketing communications to users who have explicitly opted in. We do not sell or rent your email address to third parties.
17.4 Transactional Emails
Separate from marketing communications, we send transactional emails that are essential for service delivery, including:
- Account creation confirmations
- Password reset requests
- Important service updates or security alerts
- Billing and payment confirmations
These transactional emails are sent based on our contractual relationship or legitimate interests and cannot be opted out of while maintaining an active account.
18. AI-Powered Features and Automated Decision-Making
18.1 How We Use AI
Our authenticated services include AI-powered features provided through OpenAI's API. These features are designed to enhance functionality without processing your personal data.
18.2 Automated Content Generation (Article 22)
We use automated processing to generate marketing content for our services. This automated decision-making is:
- Based on your consent or necessary for contract performance
- Subject to your control - You maintain full control over generated content before publication
- Overridable - You can modify, reject, or manually create content at any time
Your Rights Regarding Automated Decisions:
- Right to human intervention in the automated process
- Right to express your point of view regarding automated decisions
- Right to contest automated decisions that affect you
- Right to request explanation of the logic involved in automated decision-making
To exercise these rights or request human review of automated content generation, contact us at privacy@trendomic.com.
18.3 Data Minimization
When using AI features:
- We do not send any personal information to OpenAI
- Only functional data necessary for the AI feature is transmitted
- User identifiers are anonymized or excluded from AI requests
- AI-generated content is not linked to your personal profile
18.4 OpenAI's Data Processing
OpenAI processes requests according to their API terms and does not train their models on API input data. For more information, see OpenAI's API Data Usage Policies.
Document Version: 1.0
Effective Date: 2025-09-02 Language:This Privacy Policy is provided in English. In case of translations, the English version prevails.