Home
Privacy & GDPR

Privacy Policy

Last updated: 31 January 2026

GDPR & Privacy Policy

Last updated: 31 January 2026

At Com2.ai AS ("we", "us", or "the company"), we are committed to protecting your privacy.

This statement explains how we collect, use, store, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Norwegian law. It covers data collected via cookies, email inquiries, our booking system, chatbot, analytics, variant management, and other log files, as well as how third-party providers are involved.

Data Controller

Types of Data Collected

  • Account Data: Name, email address, phone number, avatar, and other profile information.
  • Payment Data: Processed via Stripe; we do not store complete payment information.
  • Chatbot Data: Conversational inputs and chat history.
  • Website Usage Data: Cookies, log files, analytics, and A/B testing data.
  • Other Data: Any information you provide via email or forms.

Cookies and Tracking

Cookies are small text files stored on your device. We use:

  • Essential Cookies: For site functionality (legitimate interest, GDPR Art. 6(1)(f)).
  • Preference, Statistics, and Functional Cookies: For user experience and analytics (consent, GDPR Art. 6(1)(a)).
  • Performance Cookies: To optimise site loading and functionality.
  • Analytics & Variant Cookies: For A/B testing and usage analysis.

You can manage your cookie preferences via browser settings or our consent tools.

Email Inquiries

When you contact us via email, we process the information you send in order to respond to your inquiry and potentially execute or prepare a contractual relationship.

  • Data Collected: Name, email address, phone number, and any other information you provide.
  • Purpose: Processing your inquiry, customer follow-up, and fulfilment of contractual obligations.
  • Legal Basis: GDPR Article 6(1)(b) (performance of a contract) or 6(1)(f) (legitimate interest in maintaining communication).
  • Retention: Kept as long as necessary to fulfil the stated purposes or in accordance with applicable legal requirements.

Chatbot and Data Processing

We operate our AI chatbot service using the OpenAI API integrated into our own infrastructure. When you interact with our chatbot, we process your conversational inputs through OpenAI's technology to provide personalised responses while maintaining your chat history on our secure servers for continuity.

We follow the principle of data minimisation and only collect the personal data necessary to offer and improve the chatbot service.

We encourage users to avoid sharing sensitive personal data in the chat, including financial details, addresses, contact information, health information, or passwords.

Your conversational data is encrypted and stored securely on our infrastructure within the EU/EEA in accordance with GDPR requirements.

Any data you share with the chatbot is not used to train OpenAI's models. Chat data will not be used for external marketing or shared with third parties without your explicit consent.

Your chat data is processed only for purposes necessary to:

  • Provide and operate the chatbot service
  • Maintain conversation continuity and context
  • Ensure security and compliance with our Terms of Service
  • Improve functionality and user experience
  • Comply with applicable legal obligations

You retain full rights under GDPR including access, rectification, erasure, restriction, objection, and data portability.

Website Log Files and Security Logs

We maintain server-stored log files to ensure the operation and security of our website and services.

  • Content: IP addresses, browser type, timestamps, visited pages, referrer information, and other technical information.
  • Purpose: Security monitoring, troubleshooting, performance optimisation, fraud prevention, and ensuring service availability.
  • Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) in maintaining secure and reliable services.
  • Retention: Maximum of 3 months, after which they are automatically deleted.
  • Location: EU/EEA servers, under data processing agreements consistent with GDPR.

User Profile Data

We may store your profile avatar and phone number to personalise your experience and facilitate account management. This data is processed securely and is not shared with third parties without your explicit consent.

Analytics and A/B Testing

We use analytics tools and A/B testing to optimise our website and user experience.

  • Data Collected: Page views, clicks, time on site, variant assignment, device type, browser information, and general usage patterns. Typically anonymised or pseudonymised.
  • Purpose: Improve our services, test new features, and enhance user experience.
  • Consent: Non-essential analytics and A/B testing cookies are only activated with your explicit consent.
  • Data Sharing: Analytics data are not shared with third parties for marketing purposes.

Third-Party Data Processing

We ensure all third-party providers are bound by data processing agreements consistent with GDPR:

  • OpenAI API: Powers our AI chatbot. We maintain primary control and storage of your data on our own infrastructure. OpenAI does not use your data to train their models.
  • Hosting Providers: Our services are hosted on secure EU/EEA servers under strict security measures and contractual guarantees.
  • Stripe: Handles subscription payments. We do not store complete payment information. Stripe maintains PCI DSS compliance.
  • Email Communications: Processed via third-party providers that meet GDPR requirements.
  • Analytics Tools: Configured to respect user privacy and comply with data protection requirements.

Security and Storage

We implement technical and organisational measures to protect your personal data against unauthorised access, alteration, or loss. Data is stored for a limited period as necessary for its stated purpose or in accordance with statutory requirements.

Your Rights

You have the right to:

  • Access the information we have about you.
  • Have inaccurate information corrected.
  • Request deletion of your personal data (except where legally required to retain).
  • Request a restriction on the processing of your data.
  • Object to the processing of your data, especially regarding direct marketing.
  • Request data portability in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent, without affecting prior processing.

To exercise your rights, contact us at [email protected]. You also have the right to lodge a complaint with the Data Protection Authority.

Changes to This Statement

We reserve the right to amend this statement as needed. Significant changes will be published on this page with an updated date and, if necessary, you will be notified directly.

Contact

If you have questions regarding this privacy statement or our data processing practices:

Have a question?

Reach our privacy team at [email protected] or our support team at [email protected].