Privacy Policy

Last updated: September 16, 2025

Diri AS takes privacy seriously. This Privacy Policy explains how we process personal data when providing our services, operating our website, and carrying out other activities that involve the processing of personal data.

We comply with applicable privacy legislation, including the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

1. Who we are

Diri AS (company reg. no. 925 336 556) is headquartered in Gjøvik, Norway.
We provide a SaaS platform for risk management and compliance, as well as related services.

Contact details

Email: contact@diri.ai or privacy@diri.no (regarding privacy)
Phone: +47 400 00 343
Address: Diri AS, Studievegen 16, 2815 Gjøvik

2. Scope of this policy

This Privacy Policy applies to:

Visitors to our websites and applications (including app.diri.ai)
Customer, supplier, and partner contact persons
Individuals we engage with in sales and marketing processes
Job applicants
Anyone else we interact with when acting as a data controller.
‍

When we process personal data on behalf of our customers in our SaaS platform, we act as a data processor. The customer is the data controller, and this relationship is governed by a Data Processing Agreement.

3. How we process personal data

a) When we are the data controller

We act as a data controller in the following situations:

your Website usage
We collect information about website usage (e.g. via Google Analytics and Hubspot) to improve user experience, respond to inquiries, and customize content.
Data may include IP addresses, device information, and browsing patterns.
Sales and marketing
We process contact information (name, email, phone number, company/organization) to manage customer dialogue, send relevant information, and follow up prospects. Sending electronic marketing communications requires valid consent.
Recruitment
When you apply for a job with us, we process the information you provide in your application, including your CV, contact details, education, and work experience. In some cases, we may process special categories of data (e.g. health information or trade union membership) if you voluntarily provide it.
Suppliers and partners
We process contact details of suppliers and partners for contract management, invoicing, and communication.

b) When we are the data processor

When you or your organization use our platform (app.diri.ai), we process personal data on behalf of the customer. This may include:

Creating and managing user accounts (name, email, phone number, username, IP addresses).
Sending notifications and providing customer support.
Hosting and storing customer data in the platform.
‍

We only process personal data in line with the customer’s instructions and the applicable Data Processing Agreement.

4. Legal basis for processing

We process personal data on the following bases:

Consent (GDPR Art. 6(1)(a)), e.g. for newsletters or certain recruitment activities.
Contract (GDPR Art. 6(1)(b)), when necessary to deliver a service or perform a contract.
Legal obligation (GDPR Art. 6(1)(c)), e.g. accounting obligations.
Legitimate interest (GDPR Art. 6(1)(f)), e.g. improving services or communicating with existing customers.

5. What data may we process

We may process the following types of personal data:

Contact details (name, email, phone, address)
Employment-related information (employer, position)
User data (login details, IP address, activity logs)
Payment and billing details (e.g. subscription invoices)
Information you share with us in communications, applications, or via the platform
‍

We generally do not process sensitive personal data, except where you voluntarily provide such information in recruitment processes.

6. Your rights

You have the right to:

Access your personal data and obtain a copy
Request correction of inaccurate data
Request deletion of data (subject to legal retention requirements)
Restrict processing in certain circumstances
Object to processing based on legitimate interests
Withdraw consent at any time
Request data portability, where applicable
‍

You may exercise these rights by contacting us at privacy@diri.no. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

7. Data retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as long as we are legally required.

User data in the platform is deleted no later than 30 days after termination of the customer relationship, unless otherwise agreed.
Marketing data is deleted when you withdraw your consent.
Job applications are normally deleted after the recruitment process ends, unless you consent to further storage.

8. Data security

We use organizational, technical, and physical security measures to protect personal data, including access control, encryption, backup routines, logging, and regular security audits.

9. Sharing and transfer of personal data

a) Sub-processors

We rely on sub-processors to deliver our services. All are subject to Data Processing Agreements. As of today, these include:

Microsoft – data centers and hosting (Norway/EU)
ProISP – data centers (Norway/Denmark)
Tripletex – invoicing and project management (Norway)
Mailjet – email notifications (EU)
Sleekplan – feedback service (EU)
Stripe Payments Europe – subscription billing (EU)
Hubspot – CRM and helpdesk (EU)
Offcenit AS – infrastructure security, operations, and maintenance (Norway)

An up-to-date list is always available in our Data Processing Agreement.

b) Transfers outside the EU/EEA

As a rule, personal data is processed within the EU/EEA. Some services (e.g. LinkedIn for recruitment) may involve transfers to the United States. In such cases, we use valid transfer mechanisms, such as the EU Standard Contractual Clauses (SCCs).

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be published on our website, with the date of last update. If significant changes are made, we will provide additional notice.

11. Contact us

If you have questions about privacy or wish to exercise your rights, please contact us at:

Email: privacy@diri.no
Post: Diri AS, Studievegen 16, 2815 Gjøvik

‍