Toolboks needs to process personal data in connection with its operations. We are committed to processing personal data in a secure, reassuring and trust-inspiring manner.
As a controller of personal data, the way we process data is based on the business we run and the purpose of our business. Information on personal data we process about you, the legal basis for this processing, the purpose of this processing, and how long we process this personal data for, etc., is also included below.
We may also process personal data in other ways than those mentioned below. In this case, we will inform the person to whom the personal data relates by other means than through this declaration.
We may also act as a data processor for our customers and in connection with our services. In this case, our customers are responsible for data processing. You can read more about this below.
If you have any questions or want to know more about how we process personal data, you can contact us (see contact details below).
Responsibility for processing personal data
Toolboks is the data controller, meaning we decide why and how personal data is to be processed for the processing described below. However, this does not apply where Toolboks acts as a data processor and processes personal data on behalf of our customers (see section on processing as part of our services).
Contact details for the data controller:
Toolboks AS
c/o Lingu AS, Gartnerveien 4, 4016 Stavanger, Norway
Email: [email protected]
Organisation number: 899 065 492
Processing of personal data
We collect and use personal data for various purposes, depending on who you are and how we come into contact with you.
All processing of personal data takes place in accordance with the personal data protection rules in force at all times, including the Personal Data Act and the Personal Data Protection Regulation (GDPR).
"Personal data" means all information that can be linked to a natural person (who is referred to as "the registered person").
"Processing" means everything that is done with personal data, such as collection, registration, organisation, structuring, storage, adaptation or change, retrieval, consultation, use, disclosure by transfer, dissemination, and all other forms of making available, compilation or combination, limitation, deletion and destruction.
Where we act as the data processor (i.e., processing personal data on behalf of others), you will receive information about data processing from the controller. You can still contact us about the processing of your personal data, and we will refer you to the correct data controller. More on our role as a data processor is provided below.
Processing of personal data through Toolboks CRM
When you register and use the Toolboks CRM platform, we collect and process personal data about your use of our services. During this processing, we collect:
When you register an account with us:
- Name
- Email address
- Company name
When you use the Toolboks CRM platform:
- Identity: name, email address, profile image, locale preference.
- Contact information: email address.
- User Activity: user activity on the Toolboks platform, e.g., records created or modified, features used, time spent, reading and action history on the platform, as well as technical information on the devices used to access our services.
- Login data: IP address, login history, OAuth provider and UID.
- Purchase history and information relating to complaints, claims, or other matters relating to our services.
The above is processed in order to fulfil our agreement with you so that you can use our services (GDPR Article 6 (1) b).
The information will be processed for as long as is necessary to fulfil the agreement, if a complaint is made, and for accounting purposes. The information will therefore be processed for approximately five years.
Information relating to your account with us will be stored and processed for as long as your account is active, or until you decide to delete it. We will delete your account if it remains inactive for more than three years.
We also store behavioural patterns on our platform, i.e., information about how individual users navigate our pages. This data processing helps us to manage our relationship with our customers, secure and develop our services, and protect our rights, etc., according to GDPR article 6 (1) f. We believe that we have a legitimate interest in processing this type of information, and that this interest outweighs individual privacy.
Technical logs are also processed for troubleshooting and security purposes and, in connection with our services, to improve our service and to gather statistics. We process this information so we can fulfil our duty to comply with privacy regulations and secure personal data (see GDPR article 6 (1) c, cf. article 32), as well as our duty to secure your personal data according to our agreement with you.
Communication and contact
We process personal data on anyone who contacts us so that we can respond, keep a record of this communication and refer it on to others. This applies to all forms of communication: physical and digital, written and spoken.
In such cases, we process names, telephone numbers, email addresses and any personal data that may result from the enquiry, including history/logs of the enquiry.
We process this information on the basis that we have a legitimate interest in processing personal data relating to the above (see GDPR article 6 (1) f). We consider our ability to maintain contact with the public, document the business we run, respond to those who contact us and register such contact to be an important part of our business. We therefore consider this processing to be necessary in order for us to handle the inquiries we receive, and that our legitimate interest in this comes before individual privacy.
Providing us with personal information is voluntary. However, you may need to do this in order for us to be able to respond to any inquiries.
We process this information until we expect that no further follow-up of the contact will be required, which is normally after three years.
We use email as a communication tool, and this contains personal data. We process this data on the basis that we have a legitimate interest to do so (see GDPR article 6 (1) f) in order to operate and communicate, and we have assessed that individual privacy does not come before this interest. The type of personal data processed in our emails depends on the purpose and content of the email. Emails are deleted when they are no longer needed, and we have measures in place to ensure regular deletion of emails.
Information and marketing
If you request information or sign up for a newsletter, or are an existing customer of ours, we will send out information about our products and services, newsletters, and other information and marketing. We will process your name and email address as a result. We process this information on the basis that you have consented, or that we have entered into an agreement with you. The processing of this data will take place until you have received the requested information, have withdrawn your consent, or are no longer a customer with us. Your personal data will then be deleted.
We process this personal data so we can inform you about services and products that may be of interest to you, and this processing is performed on the basis that you have consented to it (GDPR Article 6 (1) a). You can withdraw your consent at any time by using any of the cancellation options provided in any correspondence you receive, or by contacting us to opt out of direct marketing and/or profiling, according to GDPR Article 21 (2).
If information we send about the services you use does not contain marketing, we will send this to you regardless of whether you have consented, and your personal data will be processed in accordance with GDPR article 6 (1) b. We process this data so we can keep you updated about the services you receive and fulfil our agreement with you.
Existing and potential customers, suppliers and collaboration partners
We process personal data on contact persons for existing and potential customers (in business relationships), suppliers and other collaboration partners in order to carry out sales and marketing activities, manage our relationships with suppliers and other parties, and to prepare, implement and document our services, as well as evaluate the use of these services. In these cases, we will process the name, contact details, company name and information relating to our contact with the company in which they work.
We process this personal data on the basis that we have a legitimate interest (GDPR Article 6 (1) f) in managing our relationships with our customers, partners and suppliers, and that this interest outweighs individual privacy.
We also store and disclose information whenever we have a legal obligation to do so; for example, as required by accounting and tax legislation.
We store this information until the relationship with the customer, supplier or partner ends, or until the contact person ceases to be a contact person, unless one of the exceptions mentioned above applies.
Recruitment
When recruiting for new positions, we process CVs, applications, certificates, notes from interviews and results from investigations into references, etc., all of which contain personal data.
Personal data is processed during recruitment on the basis that this is necessary in order to carry out certain measures before we have entered into an employment contract with the job seeker (GDPR article 6 (1) b).
Personal data is deleted as soon as the recruitment process is complete, unless you have consented to this being stored for longer.
Social media
We maintain contact with stakeholders and other parties through social media. We process personal data held on social media on the basis that we believe we have a legitimate interest in communicating with the public via social media and need to process personal data in order to do so (GDPR article 6 (1) letter f). We have assessed that we must be able to communicate with the public and handle any inquiries we receive, and that individual privacy does not come before this interest.
This information will be processed for as long as the related posts/comments are published on our social media pages, and you are free to delete these at any time.
Use of websites
Cookies are used on our websites and as part of our services, e.g., to collect information that will improve customer experience of our websites and services, as well as to guarantee the functionality of our services. We also use this information to provide visitors with relevant recommendations and service adaptations.
A cookie is a text file that is placed in your browser's internal memory when visiting or interacting with a website, or a number/number series that can identify your browser or the device you use to access a website.
You can opt to block us from placing cookies in your browser. Many browsers or devices are set to accept cookies automatically, but you can change the settings yourself so that they won't be accepted. The disadvantage of disabling cookies in your browser is that the websites you visit will not function optimally.
We also use tools other than cookies to obtain information on your IP address, the type of browser you use, your broadband provider, operating system, date and time of visit to our website and services. We use this information to analyse trends so we can make our website and services more user-friendly.
We process the personal data above on the basis that we have a legitimate interest (GDPR Article 6 (1) f) in adapting our website to our users, and that this interest outweighs individual privacy. However, we safeguard the privacy of visitors to our website by only using this information for statistical purposes.
Storage and deletion of personal data
We keep personal data for as long as is necessary for the purpose for which it was collected, and we delete this data in line with the requirements laid out in the regulations. The period of time we keep personal information varies depending on how the information was obtained and the purpose for which it was obtained. How long we keep this information before we delete it is provided above for each individual case. The storage period is also based on the following criteria:
- If we have a legal or contractual need to keep the information, as claims may be brought against us
- If the information is necessary for our business
- If consent is withdrawn, where the basis for us processing it is consent
When we no longer have an ongoing legitimate need to process your personal data, it will be deleted or anonymised as soon as possible in accordance with the applicable law.
In some cases, it may be relevant for personal data to be anonymised instead of deleted. Anonymisation means removing all identifying or potentially identifying characteristics from data sets that are held.
Processing of personal data as part of our services
Customers of ours that use the Toolboks CRM platform act as the controller of any personal data related to the use of our services. We then process this personal data on behalf of the customer, and therefore act as the data processor. We enter into data processing agreements with our customers to regulate how we process personal data on their behalf.
The information in this privacy policy also applies to how we process the personal data of our customers' contacts in the case of disclosure or transfer of personal data and security/technical matters. This personal data is deleted when our customers choose to delete it. We never use information or data from our services without first requesting or obtaining approval from our customers to do so.
Below is a general description of the data processing that takes place as part of our services. Individual data controllers may process or have personal data processed differently as part of their service. The data controller is the party responsible for informing its customers about how it processes data, despite the fact that we are the data processor.
The purpose of data processing
Personal data is processed as part of our services in order to provide the functions and perform the tasks associated with delivering the Toolboks CRM platform, including customer and contact management, sales pipeline and opportunity tracking, contract and order management, billing and invoicing, proposal generation, time tracking, activity logging, and AI-assisted data enrichment.
The personal data that is collected and processed
The following categories of personal data are processed:
- Identification of users: Name, email, profile image, OAuth provider and UID, locale preference.
- User Activity: Users' activity on the Toolboks platform, e.g., records created or modified, features used, time spent, and technical information on the devices used to access our services.
- Login data: IP address, login history, identifier with third-party login services (login with Google etc.).
System monitoring, error correction, etc.
We monitor our systems for errors and problems. A part of these processes involves the storage and processing of personal data. The legal basis for processing personal data for this purpose is our legitimate interest in ensuring that our systems and solutions do not contain any errors or problems.
Security
We process personal data as part of our tasks to protect our solutions and services, users and ourselves against security gaps, fraudulent activity and abuse, etc. The legal basis for processing personal data for this purpose is our legitimate interest, together with the fact that we are obliged by privacy regulations to secure personal data (e.g., see GDPR articles 24 and 32), as well as our obligations as stated in the data processing agreement we hold with our customers.
Transfer or disclosure of personal data to others
We do not pass on personal data to others in cases other than those mentioned in this declaration, unless there is a legal basis for this. Examples of such a basis typically include an agreement with or consent from the data subject, or a legal obligation that requires us to release the information.
We use data processors to collect, store or otherwise process personal data on our behalf. In such cases, we have entered into agreements to safeguard your rights and to secure your personal data at every stage of the process.
If required by law, or if there is suspicion that an offence has been committed in connection with the use of our services, personal data we have stored about you may be handed over to the public authorities.
Transfer of personal data to recipients in countries outside the EEA
It is our goal that all processing of personal data will be carried out within the EEA. However, at some point we may have to use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA (in a third country) will take place in a country approved by the European Commission, or in accordance with a valid legal basis for the transfer of personal data according to GDPR chapter V. If transfer does not take place to a country approved by the European Commission, transfer will only take place according to the guarantees set out in GDPR article 46 (2). You can contact us to find out which basis is used for the transfer of personal data.
Links to third parties
There may be links on our websites to other websites or third parties that offer products or services, or other places that are not under our control. These links are provided only as an opportunity for users to obtain more information. Websites that are not part of our own website process personal data as the data controller themselves, and will have separate and independent privacy guidelines. We are not responsible for any content or activities on these websites.
Security of data processing
We place high priority on the security of personal data in our business, and will implement all necessary technical and organisational measures in order to secure your personal data.
We handle information so that it is correct, accessible, and handled according to the degree of sensitivity of the information. We also use a number of security technologies and information security procedures to protect personal data from unauthorised access, use or dissemination. Risk assessments are carried out for the processing of personal data.
We have entered into data processing agreements with all our suppliers who process personal data, in which they undertake the same level of security as we uphold for our processing of personal data.
We limit access to personal data to staff or third parties who will process the data on our behalf. These parties are subject to confidentiality obligations.
Routines have been established for handling breaches of information security and of our routines (breaches of privacy). If there is a breach that entails a risk to the privacy of the personal data concerned, we will send a notice of deviation to the Norwegian Data Protection Authority as quickly as possible, and at the latest within 72 hours of the breach being discovered. If the breach entails a high probability of risk to the privacy of those to whom the breach applies, we will also notify them.
Your rights
Below are your rights for the processing of personal data. Where we are the data controller, you must contact us to exercise your rights (see contact details above). If we are not the controller, follow the guidance below.
We will respond to your enquiry as soon as possible, and within one month at the latest. If this will take longer than one month, you will be notified.
We will ask you to confirm your identity or provide additional information before we allow you to exercise your rights with us. We do this to be sure that we only give access to your personal data to you and not to someone pretending to be you.
Your rights below apply in cases where we are the data controller (see above). We are a data processor for our customers, and if you use services from one of our customers, they are the party responsible for the processing of your personal data (data controller). In this case, you must contact the company you receive the service from in order to exercise your rights in relation to the processing of your personal data.
Information
You have the right to receive information about the personal data we process about you. We inform you about our processing of personal data through this declaration. You can also contact us if you wish to receive further information.
Access
You have the right to demand access to the personal data processed about you. Please contact us if you would like access to this.
You can also request a copy of the personal data we process about you. We can ask you to specify which information you would like a copy of in order to make this task easier. When handing over copies of your personal data, we can demand that you identify yourself so we can ensure that we do not hand over personal data to unauthorised parties.
Change and deletion
You can ask us to correct any incorrect information we have about you, or ask us to delete your personal data. We will accommodate any requests to delete personal data as far as possible, but we are unable to do this if we still need the data for other purposes.
Processing on the basis of consent
If we process personal data on the basis of your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method indicated when you gave your consent, or to contact us directly.
Right to restrict or object to processing
You can demand that our processing of your personal data be limited in certain cases, if the conditions for this are met. If the processing is restricted, the personal data will only be stored (see more in GDPR article 21).
Where our processing is based on a legitimate interest, you have the right to object to the processing of your personal data. If you object, we shall stop the processing in question, unless there are compelling legitimate reasons to continue.
You can also object to the processing of personal data about you for marketing purposes, including profiling to the extent that this is linked to direct marketing (see GDPR article 22 no. 2).
The right to data portability
For information you have provided to us that is necessary in order to carry out an agreement with us, and which is processed automatically (i.e., not manually by us), you can request to have the personal data about you handed over or transferred to another supplier in a structured, commonly used and machine-readable format (data portability).
Automated processing
There will be no automated processing, including profiling, based on your personal data that has any legal effect or that significantly affects those to whom the personal data applies (see GDPR article 22 no. 1 and 4).
Complaints
If you feel that our processing of personal data is not in accordance with what we have described here, or that we are in breach of privacy legislation in other ways, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us first so that we can rectify any incorrect processing as quickly as possible.
You can find information about your rights and how to contact the Norwegian Data Protection Authority on their website: www.datatilsynet.no.
Changes
If there are any changes to the way we process personal data or changes to the regulations on processing personal data, this may result in changes to the information provided here. We can inform you of any changes that concern you directly and that have an impact on your privacy if we have your contact details. Otherwise, you will always be able to find an updated version of this privacy policy on our website.