NordFlow is operated by Josef Hellstenius as a sole proprietorship registered in Sweden. We take your privacy seriously — we only collect personal data we actually need, keep it only as long as required, and never share it without a clear reason. This policy explains exactly what we do with your data, how long, why, and what you have the right to demand from us.
Contents
- Who is responsible for your data
- What we collect and why
- How long we keep data
- Subprocessors we use
- International transfers
- AI and automated decision-making
- Special categories of personal data
- Marketing and newsletters
- Children and minors
- Your rights
- Cookies and tracking
- Security and incidents
- Changes to this policy
- Contact, DPO and complaints
1. Who is responsible for your data
NordFlow plays two different roles depending on whose data is involved:
Data Controller
We are the data controller for:
- Visitors to nordflow.online
- People who contact us via email, phone or form
- Customer accounts in our dashboard (login credentials)
- Information in our billing and support systems
Data Processor
When we process end-customer data on behalf of one of our customers, the customer is the data controller — we only do what they instruct us to do. For this role, we sign a separate Data Processing Agreement (DPA) with every customer before processing begins. The DPA specifies the nature and duration of processing, the categories of personal data and data subjects, and our obligation to assist the customer in complying with GDPR.
2. What we collect and why
On the public site (nordflow.online)
| What | Why | Legal basis |
|---|---|---|
| No cookies, no tracking, no analytics | — | — |
| Emails you send us (if you email) | Reply to your question | Legitimate interest (GDPR Art. 6.1.f) |
We use no Google Analytics, no advertising cookies, no tracking pixels. You can browse the site completely anonymously.
In the customer dashboard (app.nordflow.online)
| What | Why | Legal basis |
|---|---|---|
| Name, email, password (hashed) | Login and access control | Contract performance (Art. 6.1.b) |
| Company name | Show correct context in dashboard | Contract performance (Art. 6.1.b) |
| Session cookie (essential) | Keep you logged in | Contract performance (Art. 6.1.b) |
| Login history (IP, timestamp) | Security and abuse prevention | Legitimate interest (Art. 6.1.f) |
End-customer data (when we act as processor)
When a customer hires NordFlow, we read data from the customer's own Google Sheet — typically email address, message body and timestamp from end-customers who emailed in. This is visualized in the dashboard but not stored separately by us. The data belongs to and is entirely controlled by our customer.
For billing and accounting
Contact and payment details are kept for billing purposes. Legal basis: contract performance (Art. 6.1.b) and legal obligation under Swedish accounting law (Art. 6.1.c).
3. How long we keep data
| Category | Retention |
|---|---|
| Prospect emails and inbound enquiries | Until relationship ends, up to 24 months after last contact |
| Customer account and login credentials | Active contract; deleted 30 days after termination |
| Login history (security logs) | 12 months |
| Invoices and accounting records | 7 years (Swedish Accounting Act ch. 7 § 2) |
| End-customer lead data in customer's Sheet | Customer decides; we store nothing separately |
4. Subprocessors we use
We use the following services to deliver NordFlow. All are GDPR-compliant and have their own privacy policies:
| Service | What they do for us | Location |
|---|---|---|
| Hostinger International | Dashboard server | EU |
| Loopia AB | Domain, DNS, email forwarding | Sweden |
| Google LLC (Google Sheets) | Storage of customer's lead data | EU/USA (SCCs) |
| OpenAI Ireland Ltd. | AI processing of messages | EU/USA (SCCs) |
| n8n GmbH | Automation workflows (self-hosted) | Germany |
List may be updated. Active customers are notified at least 30 days in advance before a new subprocessor that processes their data is added.
5. International transfers
When data leaves the EU/EEA (for example when we call OpenAI's API in the US), it does so under the EU Commission's Standard Contractual Clauses (SCCs), which ensure a GDPR-equivalent level of protection.
Beyond this, no personal data is transferred to countries without adequate protection. We do not transfer data to countries that the EU Commission has classified as inadequately protective without first conducting a risk assessment and implementing supplementary safeguards.
6. AI and automated decision-making
NordFlow uses AI to automatically classify and respond to incoming customer messages. This is considered "automated decision-making" under GDPR Art. 22.
The AI performs the following automated processing:
- Classifies incoming messages as hot, warm or cold lead
- Decides whether to reply automatically or escalate to a human
- Writes replies based on the customer's own templates and history
- Identifies spam, invoices and newsletters to filter out
These automated decisions do not have legal or similarly significant effects on the data subject. The AI never makes binding decisions about credit, employment, insurance, or access to essential services. Decisions about the business relationship as a whole always remain with the human business owner.
If you believe an automated decision has affected you incorrectly, under GDPR Art. 22 you have the right to:
- Request human review of the decision
- Express your point of view
- Contest the decision
Email josef.hellstenius@nordflow.online to exercise this right. We respond within 30 days.
7. Special categories of personal data
NordFlow does not knowingly process special categories of personal data under GDPR Art. 9 — such as health information, religious or philosophical beliefs, ethnic origin, political opinions, trade union membership, sexual orientation, genetic or biometric data.
If such information reaches us by mistake (for example via a customer enquiry), we delete it as soon as we identify it and do not process it further.
8. Marketing and newsletters
NordFlow currently sends no marketing emails or newsletters. If we ever start, we will obtain your explicit consent (Art. 6.1.a) first. You can withdraw consent at any time without negative consequences.
We never share contact details with third parties for their marketing purposes.
9. Children and minors
NordFlow is a B2B service intended for business owners and professionals. We do not knowingly collect personal data from individuals under 16 years of age.
If we become aware that personal data from a minor has been collected, we delete it promptly. If you as a guardian suspect that your minor has submitted information to us, please contact josef.hellstenius@nordflow.online.
10. Your rights
Under GDPR, you have the following rights:
- Right to information (Art. 13-14) — you have the right to know what we do with your data. This policy serves that purpose.
- Right of access (Art. 15) — receive a copy of all data we have about you.
- Right to rectification (Art. 16) — we correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — "right to be forgotten".
- Right to restriction (Art. 18) — restrict how we use your data.
- Right to data portability (Art. 20) — move your data to another provider in machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right not to be subject to automated decision-making (Art. 22) — see section 6.
- Right to lodge a complaint with the supervisory authority (IMY).
Email josef.hellstenius@nordflow.online to exercise any of these rights. We respond within 30 days (may be extended by up to two further months for complex requests — you will be informed within 30 days if so).
We do not charge a fee for handling your request, unless it is manifestly unfounded or excessive.
11. Cookies and tracking
Public site (nordflow.online)
The public site uses no cookies at all. No advertising cookies, no analytics cookies, no third-party tracking. You don't need to accept anything.
Dashboard (app.nordflow.online)
The dashboard uses one essential session cookie to keep you logged in. This is strictly necessary for the service to function and does not require consent under the ePrivacy Directive.
| Cookie | Purpose | Duration | Third party |
|---|---|---|---|
| nordflow_session | Keep user logged in | Session (cleared on logout) | No |
| nf-lang | Remember language choice (SV/EN) | 365 days | No |
We use no Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag or other third-party tracking.
12. Security and incidents
Technical measures
- All traffic encrypted with HTTPS/TLS 1.2+.
- Passwords stored hashed with bcrypt — we can't see your password.
- Servers receive security patches on an ongoing basis.
- Access to customer data is logged and monitored.
- Daily backups taken and encrypted separately.
Organisational measures
- Only Josef Hellstenius personally has access to customer data.
- No external consultants or employees have access.
- Confidentiality obligations apply between us and all subprocessors.
In the event of a personal data breach
In the event of a personal data breach that may pose a risk to the rights and freedoms of natural persons:
- We notify IMY within 72 hours as required by GDPR Art. 33.
- Affected data subjects are informed without undue delay if the breach poses a high risk (Art. 34).
- We document all incidents, including those that don't need to be reported, for follow-up.
13. Changes to this policy
If we change anything material in this policy:
- We update the date at the top and the version number.
- We email active customers at least 30 days in advance.
- For changes requiring new consent, we obtain it explicitly.
- Minor language or editorial changes are made without specific notice.
Previous versions of this policy can be provided on request via josef.hellstenius@nordflow.online.
14. Contact, DPO and complaints
Data Controller
NordFlow · Sole proprietorship
Josef Hellstenius
Registration no. 20060213-6194
Holmbytorp 119, 247 97 Eslöv
Sweden
Data Protection Officer (DPO)
NordFlow is a small-scale operation and is not required to appoint a Data Protection Officer under GDPR Art. 37. Josef Hellstenius personally handles all data protection matters and can be contacted at the address above.
Supervisory authority
You have the right to contact the supervisory authority if you believe we mishandle your personal data:
Swedish Authority for Privacy Protection (IMY)
Box 8114, 104 20 Stockholm, Sweden
+46 8 657 61 00