Last updated: January 4, 2026
1. Controller and contact details
Example AS (orgnr 999 999 999) is the data controller for the personal data described in this policy.
Contact: privacy@gotham.app, Examplegata 1, 0001 Oslo, Norway.
Data protection officer: We have not appointed a DPO. If we do, we will publish the contact details here.
2. Scope and roles
This policy covers our public website and the Gotham SaaS service.
For Customer Data that you upload to the service, the Customer is the controller and Example AS acts as the processor. The Customer's privacy policy applies to its processing. We enter into a Data Processing Agreement (DPA) with Customers.
3. Personal data we process
We process the following categories:
- Account and contact data (name, work email, phone, job title)
- Organization and billing data (company name, org number, invoices, payment status)
- Usage and log data (logins, actions, IP address, device and browser info)
- Support data (messages, files, troubleshooting information)
- Customer Data (content and business contact data submitted to or generated in the service)
- Business contact data (names, roles, work emails, phones) sourced from third-party data providers based on customer queries
- Telemetry identifiers (user or account identifiers sent to monitoring tools)
4. Sources of personal data
We collect data from:
- You or your employer when you sign up, use the service, or contact support
- Publicly available sources relevant to business data (for example company registries and corporate websites)
- Third-party data providers that supply business contact data on request
5. Purposes and legal bases
We process personal data to:
- Provide and administer the service, including authentication and support (contract)
- Secure the service, prevent abuse, and maintain reliability (legitimate interests)
- Improve product quality and diagnostics (legitimate interests)
- Provide AI-assisted features based on user queries (contract/legitimate interests)
- Provide contact data and enrichment results based on customer queries (contract/legitimate interests)
- Comply with legal obligations, such as bookkeeping (legal obligation)
6. Recipients and sub-processors
We share data only with service providers that help us operate the service, such as hosting and infrastructure, database hosting, email delivery, customer support, error monitoring, payments, AI infrastructure, and data enrichment providers. An up-to-date list of sub-processors is available on request.
We minimize and avoid personal data in AI prompts. If a user includes personal data in a query, that data will be processed by the AI provider.
Analytics: We do not use analytics tools today. If we introduce analytics (for example PostHog), we will update this policy before activation and collect consent where required.
7. International transfers
Some service providers may process data outside the EEA. Where applicable, we rely on valid transfer mechanisms such as EU Standard Contractual Clauses.
8. Retention
We keep personal data only as long as needed for the purposes above or as required by law.
- Customer Data: deleted or returned within 30 days after contract end unless otherwise agreed.
- Account data: retained while the account is active and deleted or anonymized within 30 days after termination.
- Security logs: typically retained for up to 90 days for security and auditing, then deleted.
- Accounting records: retained for the statutory period under the Norwegian Bookkeeping Act and regulations (typically 5 years for primary documentation and 3 years and 6 months for secondary documentation; some sectors and transactions require longer retention, including 10 years). Backups containing accounting records follow the same statutory retention period.
9. Cookies
We use essential cookies for authentication and security. We do not use analytics cookies today.
10. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects for individuals.
11. Your rights
You can request access, correction, deletion, restriction, or portability, or object to processing. Where we rely on consent, you can withdraw it at any time. Contact us at privacy@gotham.app or submit a request at /privacy-request. You can also complain to the Norwegian Data Protection Authority (Datatilsynet).
12. Whether you must provide data
Some data is required to create an account and use the service. If you do not provide required data, we may not be able to deliver the service.
13. Changes
We will update this policy from time to time and change the "Last updated" date.