
Privacy Policy

Last updated: 23 December 2025

Note: This is an English translation of our Norwegian privacy policy. In case of any discrepancy between the English and Norwegian versions, the Norwegian version shall prevail and is the legally binding document.

ytly takes your privacy seriously. This privacy policy explains how we collect, use, share and protect personal data in accordance with the GDPR and Norwegian data protection legislation.

This policy applies to:

  • visits to our websites
  • enquiries via our contact/order forms
  • communication with prospective and existing clients (email/phone/meetings)
  • execution of engagements (including the use of relevant IT and AI tools)

1. Data Controller

ytly is the data controller for personal data processed through our website and our sales/client communications, unless otherwise agreed (see section 6 regarding the data processor role).

Contact information:

Email: kontakt@ytly.no

Org. no.: 936 657 567

2. What personal data do we process?

We only process personal data that is necessary for the purposes described in this policy.

2.1 Information you provide directly

When you contact us, apply for a pilot programme, or enter into a collaboration/engagement, we may process:

  • Name
  • Email address
  • Phone number (optional)
  • Company name, role, and company size (for pilot/enquiry purposes)
  • Content of your enquiry (e.g. description of task, objectives, challenges)
  • Any attachments/documents or other materials you choose to share with us (text, images, reports, analyses, drafts, etc.)
  • Correspondence (emails, meeting notes, chat logs, agreement/delivery documents)

Important: Please do not send us special categories of personal data (e.g. health data), national identity numbers, payment card information, passwords, API keys or other security-critical information via open channels (contact forms/email). If you need to share such data, we must agree on a secure method of exchange in advance.

2.2 Information collected automatically (website)

When you visit our website, we may collect:

  • IP address (and/or other identifiers associated with your device)
  • Browser type and version
  • Operating system
  • Time and duration of visit
  • Pages visited and actions taken on the website
  • Referring website (where you came from)
  • Information via cookies and similar technologies (see section 10)

2.3 Information we may receive from others

If someone (e.g. a colleague) refers you or introduces you to us, we may receive contact details and context (typically name, email, role, and why the contact is relevant).

3. Purposes – what do we use the data for?

We use personal data for the following purposes:

  • Responding to enquiries and following up on requests (customer service and sales)
  • Evaluating and administering pilot programme applications
  • Delivering services and executing engagements (including advisory, analysis, drafting proposals/text, optimisation, etc.)
  • Communication and project execution (meetings, status updates, deliverables)
  • Improving our services, methods and internal processes (preferably based on anonymised/aggregated data where possible)
  • Operations, security, troubleshooting and abuse prevention (including logging)
  • Complying with statutory obligations (e.g. bookkeeping and accounting)

4. Legal basis (GDPR Art. 6)

We process personal data on the basis of one or more of the following grounds, depending on the situation:

  • Contract / pre-contractual measures (GDPR Art. 6(1)(b)): to handle enquiries and deliver services you request
  • Legitimate interest (GDPR Art. 6(1)(f)): to operate our business, improve services, secure IT operations and follow up on enquiries (we always assess privacy implications and your interests)
  • Consent (GDPR Art. 6(1)(a)): for example for non-essential/analytical cookies and where we explicitly request consent
  • Legal obligation (GDPR Art. 6(1)(c)): for example retention under the Norwegian Bookkeeping Act

5. Use of AI tools (ChatGPT, Claude, Perplexity, etc.)

5.1 Why we use AI

To deliver services more efficiently and with high quality, we may use recognised AI tools for tasks such as:

  • idea generation and text drafting, language improvement and structuring
  • summarising and analysing materials you provide to us
  • suggestions for improvements, SEO/content optimisation, technical assessments and code drafting
  • internal quality assurance and efficiency improvements

5.2 What this means for your data

When we use AI tools, parts of the content you share with us (text, excerpts from documents, or other relevant information) may be processed by a third-party AI service. This may mean that information:

  • is transmitted to and processed on the provider's infrastructure
  • is temporarily stored/logged by the provider in accordance with their security and operational procedures
  • may be processed in/connected to countries outside the EEA (see section 8)

5.3 Measures to reduce risk ("data minimisation")

We have procedures to reduce risk when AI is used:

  • We only share what is necessary for the task
  • We endeavour to remove/avoid directly identifying information (e.g. names, email addresses, phone numbers) where possible and appropriate
  • We do not enter passwords, API keys, payment information or other security-critical data into AI tools
  • We use AI as a support tool – final assessments and deliverables are quality-assured by humans

5.4 Opt-out / alternative processing

If you do not wish your materials to be processed by AI tools, you may notify us. We will then, to the extent practically possible, offer alternative processing (manual process or other tools), and agree on any consequences for the execution/delivery.

6. Confidentiality and role allocation in engagements

6.1 Confidentiality

We treat enquiries and materials you share with us confidentially. Access is granted only to authorised personnel and necessary suppliers (data processors) who assist us in delivering the services.

We can sign a non-disclosure agreement (NDA) upon request.

6.2 When ytly acts as data processor

In certain engagements, ytly may process personal data on behalf of the client (for example if we gain access to the client's systems, analytics tools or customer data). In such cases, the client is the data controller and ytly is the data processor, and the processing is governed by a data processing agreement.

7. Who do we share personal data with?

We do not sell personal data.

We may share personal data with:

  • IT and operational services: hosting, email, cloud services, security services that process data on our behalf
  • Analytics tools: for website statistics (e.g. Google Analytics, where activated with valid consent)
  • AI service providers: e.g. ChatGPT/OpenAI, Claude/Anthropic, Perplexity, etc. when necessary to carry out the engagement or respond to an enquiry (see section 5)
  • Auditors/accountants: and other professional advisors as needed
  • Public authorities: when required by law

We enter into data processing agreements where relevant, and we require adequate information security and confidentiality.

8. Transfer to countries outside the EEA

Some of our suppliers (including certain AI and cloud solutions) may process personal data outside the EEA. When this occurs, we ensure a valid transfer mechanism, which normally is:

  • EU Commission Standard Contractual Clauses (SCCs), and
  • assessment of supplementary measures where necessary (e.g. encryption, access controls, data minimisation)

9. Retention and deletion

We retain personal data for as long as necessary for the purpose for which it was collected, or as required by law. Typical retention periods:

  • Client enquiries / dialogue without a client relationship: normally up to 24 months after last contact (unless you request earlier deletion and we have no basis for further retention)
  • Agreements, deliverables and invoicing records: in accordance with the Norwegian Bookkeeping Act (normally a minimum of 5 years)
  • Consents (e.g. cookies/marketing): until consent is withdrawn or expires

When the data is no longer necessary, we delete or anonymise it.

10. Cookies and analytics

We use cookies and similar technologies to:

  • Essential cookies: ensure basic website functionality
  • Analytical cookies: measure traffic and improve the user experience (e.g. Google Analytics)
  • Functionality cookies: store your choices and preferences

Where required by law, we obtain consent for non-essential cookies via a cookie banner. You can change or withdraw your consent at any time via cookie settings or your browser.

11. Your rights

You have rights under the GDPR, including:

  • Access: obtain a copy of the data we hold about you
  • Rectification: have inaccurate data corrected
  • Erasure: ("the right to be forgotten") when the conditions are met
  • Restriction: of processing
  • Data portability: in relevant cases
  • Objection: to processing based on legitimate interest
  • Withdraw consent: where processing is based on consent

To exercise your rights, contact us at kontakt@ytly.no.

12. Automated decisions

We do not use personal data for fully automated decisions that have legal or similarly significant consequences for you. AI tools are used as support, and deliverables/assessments are quality-assured by humans.

13. Security

We take information security seriously and implement technical and organisational measures to protect data against unauthorised access, alteration, loss or disclosure. Measures may include:

  • HTTPS/TLS encryption in transit
  • Access management, role-based access and two-factor authentication where possible
  • Encryption and secure storage where relevant
  • Procedures for data minimisation and secure sharing
  • Updates, monitoring and backups
  • Procedures for handling incidents and potential personal data breaches

14. Changes to this privacy policy

We may update this policy as needed. The updated version will be published on this page with a new "Last updated" date.

15. Complaints

If you believe that our processing of personal data is in breach of applicable regulations, you may file a complaint with the Norwegian Data Protection Authority (Datatilsynet):

Datatilsynet (Norwegian Data Protection Authority)

Postboks 458 Sentrum

0105 Oslo, Norway

Phone: +47 22 39 69 00

Email: postkasse@datatilsynet.no

Website: www.datatilsynet.no

16. Contact us

If you have questions about this privacy policy or how we process personal data, please contact us:

Email: kontakt@ytly.no