Privacy Policy
ZeroSubnet AS is the data controller for personal data collected through this website and connected services. This policy describes what we collect, why, the legal basis, retention periods, and your rights under the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.
1. Data controller
ZeroSubnet AS
Sandvika, Norway
Privacy contact: privacy@zerosubnet.no
2. What we collect
- Contact data: name, email, company, and message content when you fill in a contact form or request a quote.
- Subscriptions: email address and selected product categories for newsletter and threat-intelligence alerts.
- Technical data: IP address (short-lived, for security and debugging), browser and operating system strings, referrer page.
- Usage data (consent-based only): aggregate session data from Zoho PageSense. See the cookie policy.
- Security logs: verification tokens, rate-limit events, and security incidents, retained up to 12 months to protect the service.
3. Legal basis
- Contract (GDPR Art. 6(1)(b)): when you request a quote or engage with our sales team.
- Legitimate interest (Art. 6(1)(f)): security logging, rate limiting, abuse prevention, and basic technical operation of the website.
- Consent (Art. 6(1)(a)): newsletter, threat alerts, analytics, and any marketing tooling. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): retention of invoicing records as required by the Norwegian Bookkeeping Act.
4. Retention
- Contact form submissions: up to 24 months after the last interaction, then deleted.
- Newsletter and threat-alert subscriptions: until you unsubscribe, then deleted within 30 days.
- Security logs: up to 12 months, longer only while a specific incident is under investigation.
- Analytics (PageSense, consent-based): maximum 13 months.
- Invoicing records: 5 years per the Norwegian Bookkeeping Act.
5. Processors and sub-processors
We use the following processors to deliver the service. Where processing happens outside the EEA, EU Standard Contractual Clauses (SCCs) are in place under GDPR Art. 46.
| Provider | Purpose | Processing location |
|---|---|---|
| Cloudflare Pages | Hosting, CDN, DDoS protection | EU edge (global, SCC) |
| Cloudflare Turnstile | Bot protection on forms | EU edge (SCC) |
| Postmark | Transactional email delivery | EU (SCC) |
| Zoho PageSense | Analytics (consent-based) | EU (Netherlands) |
| Zoho SalesIQ | Live chat (consent-based) | EU (Netherlands) |
6. Sharing with third parties
We do not sell or rent personal data. Data is shared only with (a) processors listed above, (b) public authorities where legally required, or (c) during a specific security investigation involving your organisation, under a written agreement with you.
7. Your rights
Under the GDPR you have the right to:
- Access the data we hold about you (Art. 15).
- Request correction of inaccurate data (Art. 16).
- Request deletion (Art. 17).
- Restrict processing (Art. 18).
- Receive your data in a structured, machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time.
- Lodge a complaint with the Norwegian Data Protection Authority: datatilsynet.no.
To exercise any of these rights, email privacy@zerosubnet.no. We will respond within 30 days.
8. Automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
9. Security
ZeroSubnet provides cybersecurity services and handles its own data with equivalent rigour: encryption in transit (TLS 1.3) and at rest, role-based access control, audit logging of administrative actions, 24/7 incident monitoring, and continuous supply-chain review.
10. Changes to this policy
We may update this policy as the service evolves or as regulations change. Material changes will be announced on the site homepage and emailed to active subscribers where relevant. The date at the top reflects the most recent revision.