Spant

Salesforce ISV Partner · Oslo, Norway

Privacy notice

Privacy Policy

This notice describes how Spant Labs AS processes personal data in connection with spant.no, docs.spant.no, and related digital channels operated by us.

Last updated: February 2026

Spant Labs AS, Organisation no. 934 658 477, business address Edvards Storms gate 2, 0166 Oslo, Norway ("Spant", "we", "our", "us") is the data controller for personal data processed through this website and our documentation site, unless otherwise stated.

This Privacy Policy sets out the categories of personal data we process, the purposes and legal bases for processing, retention, security measures, and your rights under the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven), together with applicable implementing regulations.

Where our Salesforce ISV applications run in your organisation's environment, your organisation will normally be the controller for CRM data. Section 03 below explains how our products relate to your organisation's own processing activities.

Document scope

This notice applies to visitors and business contacts who use spant.no and docs.spant.no. Use of our listed applications on Salesforce AppExchange is additionally governed by your agreement with Salesforce, our product terms where applicable, and any data processing agreement (DPA) concluded with us.

01

Personal data — websites

When you visit spant.no, submit a form, or otherwise contact us, we process personal data as described below. Processing is limited to what is necessary for the stated purposes.

  • Contact and enquiry data: name, email address, telephone number, employer or company name, role or title where provided, and the content of your message (including attachments you choose to send).
  • Technical and usage data: IP address, browser type and version, device category, pages viewed, session duration, referrer URL, and similar metadata collected through cookies, local storage, or analytics tools where permitted.

We use this information to respond to enquiries, operate and secure our sites, measure performance, and improve content and user experience.

03

Salesforce ISV applications

Architecture

Our listed applications execute within your Salesforce environment. Customer CRM records are not copied to infrastructure operated by Spant for ordinary product operation.

Our Salesforce ISV applications (including Proff Connect) are designed so that, in standard operation:

  • Customer CRM data is not stored on servers operated by Spant for product delivery.
  • We do not access your Salesforce organisation unless you explicitly grant time-limited access for agreed support purposes.
  • Data supplied by third-party data providers is delivered into your Salesforce organisation under your configuration and access controls.

For personal data inside the customer's Salesforce organisation, the following roles apply in principle under the GDPR:

  • The customer organisation is typically the controller for CRM data in its own org.
  • Salesforce processes data in accordance with the agreement between the customer and Salesforce and applicable data protection terms.
  • Third-party data providers process data under their own agreements with the customer or Salesforce, as applicable.
  • Spant does not act as processor for customer CRM content in standard operation, because we do not host that content on our systems.

Where a customer grants Spant temporary access to a Salesforce organisation for support or incident handling, processing is limited to what is necessary for that matter and is governed by the applicable agreement between the parties, including any data processing agreement (DPA) where required.

04

Cookies and similar technologies

We use cookies and similar technologies where necessary to operate our sites and, where you consent, to measure traffic and usage. You may withdraw consent to non-essential cookies at any time through our cookie banner or your browser settings.

  • Strictly necessary: required for security, load balancing, session continuity, and core functionality.
  • Analytics (optional): used to produce aggregated statistics on how our sites are used, subject to your choices.

Blocking or deleting cookies may affect how certain features work. For browser-specific instructions, refer to your browser vendor's documentation.

05

Documentation (docs.spant.no)

The documentation site is subject to this Privacy Policy and the following supplementary disclosures. Where a third-party service is used, that provider's privacy notice applies in addition, to the extent relevant.

1. Albert AI assistant

Albert is our AI assistant for documentation. When you use Albert (chat or search):

  • Processing: Your questions and relevant documentation are sent to a third-party AI provider to generate answers. The provider's Privacy Policy applies to this processing.
  • By using Albert, you agree to our privacy policy and that your input may be processed as described here.

2. Question logging (optional analytics)

If you accept cookies, we may store anonymized data to improve our documentation:

What we store: Question text, number of sources found, source page URLs, which interface you used (chat or search), the page you were on, and a short preview of the answer.

What we do not store: IP address, user ID, or other identifiers linked to you.

Purpose: To identify recurring questions and documentation gaps, and to prioritize improvements.

Storage: Data is stored in our database and used only for internal analysis.

If you choose "Only necessary", we do not log your questions.

3. Cookies and local storage

Type | Purpose | When
Cookie consent | Stores your choice (accepted/declined) | Always
Session storage | Keeps chat messages and UI preferences during your visit | During your session
Analytics cookies | Usage statistics | Only when you accept

4. Search

When you use the documentation search, your search query is sent to our search provider. The provider's Privacy Policy applies.

5. Bot protection

We use a bot protection service to reduce abuse. The service may collect data as described in the provider's Privacy Policy and Terms of Service.

6. Rate limiting

To protect our services, we temporarily use your IP address for rate limiting. This data is not stored for longer than necessary and is not used for other purposes.

7. Hosting and infrastructure

The site is hosted by our infrastructure provider. Data may be processed in accordance with the provider's Privacy Policy.

Enquiries (docs.spant.no)

To exercise rights or ask questions about processing described in this section, contact hello@spant.no. We will respond within a reasonable time and, where the GDPR applies, within one month unless an extension is permitted by law.

Material changes to documentation-site processing will be reflected by updating the version date shown at the top of this notice.

06

Processors and disclosures

We do not sell personal data. Personal data is disclosed to subprocessors only where necessary to deliver the services described in this notice, and subject to appropriate contractual safeguards (including, where required, a data processing agreement under Article 28 GDPR).

Typical categories of recipients include hosting and infrastructure providers, email and communications services, customer relationship tools, analytics providers (where you have consented or another lawful basis applies), and professional advisers where engaged.

We may also disclose personal data where required by law, court order, or competent authority, or where necessary to establish, exercise, or defend legal claims.

07

Retention

Personal data is retained only for as long as necessary to fulfil the purposes set out in this notice, including any applicable statutory, accounting, or reporting requirements. Retention periods may vary depending on the nature of the data and our relationship with you.

Category | Indicative retention
Contact and demo enquiries | Up to 24 months from last interaction, or longer where an active contractual relationship requires it
Website analytics (where used) | In line with the relevant analytics configuration (often up to 14 months)
Customer and contract records | For the term of the agreement and thereafter as required by Norwegian bookkeeping legislation (Bokføringsloven) and related rules (typically up to five years)
Support correspondence and technical logs | Up to 12 months after closure of the ticket, unless a longer period is justified by a dispute or legal claim
Documentation question logs (pseudonymous / minimised) | Up to 12 months for internal quality analysis, where this processing is active

When retention periods expire, we delete or irreversibly anonymise personal data, unless a limited statutory exception applies.

08

Security measures

We implement appropriate technical and organisational measures designed to ensure confidentiality, integrity, and availability of personal data, taking into account the state of the art, implementation cost, and the nature, scope, and context of processing.

For data processed within Salesforce, customers benefit from the platform controls made available by Salesforce, including access management, encryption in transit, auditability, and organisational security certifications as described in Salesforce documentation.

09

Data subject rights

Where the GDPR applies and we act as controller, you may have the following rights, subject to conditions and exemptions in the GDPR or national law:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to object (Article 21), including in relation to direct marketing where relevant
  • Right to data portability (Article 20), where processing is based on consent or contract and is automated
  • Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Article 7(3))
  • Right to lodge a complaint with a supervisory authority (Article 77)

To exercise any of these rights in respect of data we control, please use the contact details in section 10. We may need to verify your identity before responding.

For personal data held exclusively within your Salesforce organisation, your employer or organisation is typically responsible for responding to requests from individuals; we will direct you accordingly where we do not hold relevant information.

10

Contact and supervisory authority

Questions about this Privacy Policy, processing activities, or requests to exercise your rights should be sent to the contact below. We aim to acknowledge substantive requests without undue delay.

If you consider that our processing infringes applicable law, you may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet), www.datatilsynet.no, or with the supervisory authority in your country of habitual residence or place of work where the GDPR so permits.

Spant Labs AS

Edvards Storms gate 2, 0166 Oslo, Norway

hello@spant.no