Skarpix
Start free assessment
Legal

Privacy policy

Last updated: 24 May 2026

This privacy policy describes how Skarpix processes personal data when you visit our website, complete a compliance assessment, or use our platform. It is written to satisfy the information requirements in Articles 13 and 14 of the General Data Protection Regulation (GDPR) and Norway's Personopplysningsloven.

Who is responsible for your data

For privacy questions, contact Email. We are not required to appoint a Data Protection Officer under GDPR Article 37, but the founder personally handles all privacy correspondence.

What data we collect and why

We collect only what is necessary to provide the service.

Account data: when you sign up, we store your email address, display name, hashed password, and the company name you associate with your account. Legal basis: performance of contract (GDPR Art. 6(1)(b)). Retention: for the lifetime of your account, plus 90 days after deletion to allow recovery.

Assessment data: when you complete a compliance assessment, we store your answers, the resulting score, and metadata (timestamp, assessment type). If you complete an assessment without signing up, we store the email address you provide on the report page so we can deliver the PDF. Legal basis: performance of contract (signed-in users) or legitimate interest in providing the requested report (anonymous users; GDPR Art. 6(1)(f)). Retention: assessment results for the lifetime of your account; anonymous lead emails for 24 months unless you ask us to delete them sooner.

Communications: if you email us, we store the message and any attachments for the duration needed to handle your enquiry, plus reasonable archive time (typically 24 months). Legal basis: legitimate interest in customer support (GDPR Art. 6(1)(f)).

Technical data: server logs include IP address, user agent, and request paths for security and debugging. Retained for 30 days unless flagged for a security investigation. Legal basis: legitimate interest in operating a secure service (GDPR Art. 6(1)(f)).

Analytics: Skarpix does not currently use third-party analytics or behavioural tracking. No cookies are set for marketing or profiling purposes. The only cookies we set are essential session cookies for authentication.

Who we share your data with

We do not sell your data and we do not share it with advertisers. We do use a small number of service providers (subprocessors) to operate the platform: hosting, email delivery, DNS. A current list with locations and data processing agreements is at /underleverandorer.

We may disclose data if required by Norwegian law or a binding court order. If this happens we will inform you unless legally prohibited from doing so.

Where we process your data

All personal data is stored within the European Economic Area (EEA). Our primary infrastructure is in Finland. Email delivery via Resend involves limited transfers to the United States under the EU-US Data Privacy Framework and standard contractual clauses; see the subprocessor list for details.

Your rights

Under GDPR you have the right to:

  • access your personal data (Art. 15)
  • rectify inaccurate data (Art. 16)
  • erase your data (Art. 17)
  • restrict processing (Art. 18)
  • data portability (Art. 20)
  • object to processing based on legitimate interest (Art. 21)
  • withdraw consent at any time where processing is based on consent

To exercise any of these rights, email Email. We respond within 30 days. You can also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Compliance assessments produce a score that is informational; it does not trigger any automated consequence on its own.

Children

Skarpix is a business-to-business service and is not directed at people under 18. We do not knowingly collect data from children.

Security

We follow standard practice for a service of our size: encryption in transit (HTTPS via Caddy and Cloudflare), encrypted storage at the hosting layer, bcrypt-hashed passwords via better-auth, and least-privilege database access. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant authorities in line with GDPR Articles 33 and 34.

Changes to this policy

We may update this policy as the service evolves. Material changes will be communicated by email to active users at least 14 days before they take effect. Non-material changes (clarifications, typo fixes, contact updates) take effect on publication.

Contact

Privacy questions: Email.