Norvik Cloud
Last updated 2026-02-14

Privacy policy

This document explains what personal data Norvik Cloud OY (“we”) collects, why, and what your rights are under the GDPR and the Finnish Data Protection Act.

Data we collect

  • Account data — name, email, billing address, VAT ID. Used to create the account and issue invoices. Legal basis: contract.
  • Service usage data — resource metrics (CPU, RAM, disk), API request logs, error events. Used to operate the service, bill correctly, and debug incidents. Legal basis: contract + legitimate interest.
  • Customer payload — the data you store in your databases / object storage. We don’t inspect content. Legal basis: contract; you are the data controller, we are the processor.
  • Web analytics — we use a self-hosted Plausible instance. No cookies, no fingerprinting. Aggregated counts only.

Where data is stored

Inside the EEA, on hardware we operate ourselves in Helsinki, Stockholm and Amsterdam. We do not transfer personal data outside the EEA. We do not subcontract to US-based hyperscalers.

Retention

Account and billing records: 6 years after termination (Finnish accounting law). Service logs: 90 days. Customer payload: deleted within 30 days after account termination, with cryptographic erasure of associated keys.

Your rights

You may request access, correction, export or deletion of your personal data by emailing privacy@norvik.cloud. We respond within 30 days. You may also lodge a complaint with the Office of the Data Protection Ombudsman of Finland.

Sub-processors

Our current list of sub-processors:

  • Hetzner Online GmbH (DE) — primary colocation
  • GleSYS AB (SE) — secondary colocation
  • LeaseWeb Netherlands B.V. (NL) — DR colocation
  • Stripe Payments Europe Ltd (IE) — payment processing
  • Postmark / ActiveCampaign EU (NL) — transactional email

We notify customers 30 days in advance of any change to this list.

Contact

privacy@norvik.cloud for any data-protection question.