This Privacy Policy explains how Northflow Technologies AS (“Northflow”, “we”, “us”) collects, uses, and protects personal data in connection with the CERES platform at ceres.northflow.no. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable Norwegian data protection law.
1. Data Controller
The data controller responsible for your personal data is:
Northflow Technologies AS
Norway
ceres@northflow.no
2. What Data We Collect
We collect only the data necessary to provide the CERES service:
- Email address — when you subscribe to the free newsletter, sign up for a paid API tier, or contact us. Used to send the service you subscribed to and to manage your account.
- Organisation name — optionally provided during API subscription. Used for billing and account management only.
- Payment data — handled entirely by Stripe. We do not store card numbers or payment credentials. Stripe acts as an independent data processor under their own privacy policy.
- Usage data — anonymised analytics via Google Analytics 4 (if enabled). Includes pages visited, session duration, and device type. No personally identifiable information is transmitted to Google Analytics.
- API request logs — IP address and request timestamps for authenticated API calls. Retained for 30 days for security and abuse prevention.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR) — processing your email and billing data to provide the API service or newsletter you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR) — security logging, fraud prevention, and platform analytics.
- Consent (Art. 6(1)(a) GDPR) — where you have given explicit consent, such as accepting cookie tracking for analytics.
4. How We Use Your Data
- Sending the monthly CERES Intelligence Letter (free subscribers)
- Sending your API key and Tier I/II alerts (paid subscribers)
- Processing payments and managing subscriptions via Stripe
- Responding to support and institutional enquiries
- Monitoring platform health and preventing abuse
- Improving the service through anonymised usage analytics
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Data Processors and Third Parties
- Stripe Inc. — payment processing. See the Stripe Privacy Policy.
- Google LLC (Analytics) — anonymised website analytics. Data processed under a Data Processing Addendum. IP anonymisation enabled. See the Google Privacy Policy.
- Railway Inc. — cloud infrastructure hosting the API backend. Data processed within EU/EEA or under Standard Contractual Clauses.
- Vercel Inc. — frontend hosting. Data processed under Vercel’s Data Processing Addendum.
6. Data Retention
- Newsletter subscribers — retained until you unsubscribe.
- API subscribers — retained for the duration of the subscription plus 2 years for accounting purposes.
- API request logs — 30 days.
- Analytics data — Google Analytics default retention (14 months).
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time.
To exercise any of these rights, contact us at ceres@northflow.no. We will respond within 30 days.
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.
8. Cookies
CERES uses minimal cookies. See our Cookie Policy for full details. Essential cookies are required for the platform to function. Analytics cookies require your consent and can be declined.
9. International Data Transfers
Some of our processors (Stripe, Google, Vercel) may process data outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions. Contact us for details.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including HTTPS encryption in transit, access controls, and regular security reviews. No system is completely secure — please contact us immediately if you suspect a data breach.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. Material changes will be communicated by email to active subscribers.
12. Contact
For any privacy-related questions or requests:
Northflow Technologies AS
ceres@northflow.no