Draft. This text is under legal review and is not final. Nothing here is binding until it is published as a numbered version.
Privacy policy
This policy explains what personal data Zero One Security processes, why, and the rights you have. It covers our readiness product at ai.01s.no and this website.
The reviews are generated by AI, and they are not legal advice
The readiness review is produced by an AI system reading public sources and the law. It is information to help you act, not legal advice, and it does not create a lawyer-client relationship. For a binding legal opinion, speak to a qualified lawyer.
Who we are
Zero One Security is the security practice behind ai.01s.no and this website. We decide why and how your personal data is processed, which makes us the data controller.
You can reach us by email for any question about your data or this policy.
TODO (Alf / lawyer): Confirm the exact legal entity (name, organisation number, registered address) that is the data controller, and whether it is a Norwegian AS or another entity. Governing law and the controller identity both depend on this.
TODO (Alf / lawyer): Confirm the contact address for privacy requests (proposed: post@01s.no) and whether a formal data protection contact or representative is required.
What data we process
We process the following personal data:
- Account details: the name, work email, and company you give us when you sign up.
- Your company profile: public register data we look up from Brønnøysundregistrene (Brreg) and public information about your firm.
- Documents you choose to upload: any files you add to a review, and the text we read from them.
- The review itself: the report we generate for your company and the record of it.
- Usage and log data: basic technical data such as your device, browser, and the actions you take, used to run and secure the service.
Why we process it, and our legal basis
We process your data to deliver the readiness review you asked for, to run and secure the service, and to reach you about it.
Our legal bases under the GDPR are: performance of a contract, to provide the review you request; our legitimate interest, to run, secure, and improve the service; and your consent, for anything optional such as documents you choose to upload. You can withdraw consent at any time.
TODO (Alf / lawyer): Confirm the legal-basis mapping per purpose with a lawyer, in particular the split between contract and legitimate interest, and the consent wording for uploads.
Reviews are AI-generated, not legal advice
The review is written by an AI system, grounded in public sources and the text of the law. It is built to cite what it can and to refuse what it cannot source, but it can still be incomplete or wrong.
Treat it as a starting point, not a legal opinion. It does not create a lawyer-client relationship. For a binding view on your obligations, consult a qualified lawyer.
Who else processes your data
We use a small set of service providers (sub-processors) to run the service. They process data only on our instructions and only for the purposes below. The full list is in the table further down.
Transfers outside the EU and EEA
Some of our providers are based in the United States or process data outside the EEA. Where that happens, personal data is transferred outside the EEA and must be covered by a valid transfer mechanism under Chapter V of the GDPR.
For those transfers we rely on the EU Standard Contractual Clauses (SCCs) and, where the provider is certified, the EU-US Data Privacy Framework (DPF). Anthropic, Exa, and Perplexity each receive personal data in the United States under the SCCs, with a data processing agreement in place. Anthropic, Cloudflare, Vercel, and Resend are additionally certified under the DPF. Files you upload are stored in an EU-jurisdiction bucket at Cloudflare, so the files themselves stay in the EU; the DPF and SCCs cover Cloudflare's remaining processing as a US company. The basis for each provider is shown in the sub-processor table below.
Our database is in the EU (Neon, Frankfurt), so your account and review data stay inside the EEA, and the application functions that handle personal data run in the EU (Vercel, Frankfurt). Our transactional email provider (MailPace) hosts your email data in France, inside the EU.
How long we keep your data
We keep personal data only as long as we need it for the purposes above, and then we delete or anonymise it.
TODO (Alf / lawyer): Set the exact retention periods per data type (account data, uploaded documents, generated reviews, and logs), and state them here. Confirm the deletion timeline for uploaded documents in Cloudflare R2.
How uploaded documents are handled
Documents you upload are stored in a private, access-controlled bucket in EU jurisdiction (Cloudflare R2). We use them only to produce your review. You can ask us to delete them at any time.
To read the text from a document we use Mistral's OCR API, which runs in the EU (France). Mistral does not train on content sent to its paid API, and we use it with zero data retention enabled, so an uploaded document is not retained on Mistral's side once the extracted text has been returned to us.
TODO (Alf / lawyer): Confirm in code that the R2 bucket was created with the EU jurisdiction set and that every read and write goes through the EU-jurisdiction S3 endpoint (the account's eu.r2.cloudflarestorage.com host) rather than the default endpoint, and set the deletion timeline for uploaded documents (on request, and any automatic expiry after the review is delivered).
Your rights
Under the GDPR you have the right to access your data, to correct it, to have it deleted, to restrict or object to processing, to data portability, and to withdraw consent where we rely on it.
To exercise any of these, email us. We will respond within the time the law allows.
TODO (Alf / lawyer): Confirm the response window stated to users (the GDPR default is one month) and the identity-verification step before acting on a request.
How we keep data secure
We limit access to personal data to what is needed for the purposes above, store uploaded files in a private, access-controlled bucket, and use reputable providers for hosting, storage, and email. Security is the core of what we do, and we hold our own systems to the standard we set for customers.
Complaints
If you think we have handled your data wrongly, please tell us first so we can put it right. You also have the right to complain to the Norwegian Data Protection Authority (Datatilsynet).
Changes to this policy
When we change this policy we update the version and effective date at the top. The current version is shown there.
Sub-processors
These are the service providers that process data to run the service, with what they do and where they sit. This list is accurate as built on the effective date above.
| Provider | Purpose | Region |
|---|---|---|
| Anthropic (Claude) | The AI that generates the review. Does not train on our data. | United States · EU-US DPF and SCCs, DPA in place |
| Mistral | Reads text from uploaded documents (OCR). Does not train on paid-API content; run with zero data retention. | France (EU) |
| Exa | Reads your company's public website | United States · EU Standard Contractual Clauses, DPA in place |
| Perplexity | Builds a public background summary of your company | United States · EU Standard Contractual Clauses, DPA in place |
| Cloudflare R2 | Private storage of uploaded files | EU-jurisdiction bucket · SCCs + EU-US DPF |
| Cloudflare DNS-over-HTTPS | Public DNS lookups | No personal data |
| MailPace (OhMySMTP Ltd) | Transactional email and report PDF delivery | France (EU) hosting · UK company; SCCs in place with its sub-processors |
| Resend | Marketing-audience contacts, only if you opt into marketing | United States · SCCs + EU-US DPF |
| Neon | Application database | EU · Frankfurt |
| Vercel | Application hosting and compute | EU · Frankfurt (fra1) · EU-US DPF |
| Brønnøysundregistrene (Brreg) | Public company register lookup | Norway, public data |
| Store norske leksikon / Wikipedia | Term and reference lookups | No personal data |
Providers marked "No personal data" are used for public lookups only and do not receive your personal data.
TODO (Alf / lawyer): Confirm this list is complete and accurate before launch, and keep it in sync with the product as it changes.