Privacy Policy
Version 2.0 · Last updated 27 May 2026
1. Introduction
This Privacy Policy describes how TRY AS ("TRY", "we", "us") processes personal data in connection with the Svipp service. TRY is the controller for the processing activities described in this Policy, subject to the clarifications in section 8 (joint controllership with Meta) and section 9 (TRY as processor).
We comply with the General Data Protection Regulation (GDPR) and applicable national law.
2. Personal data we process
We process the following categories of personal data:
- Contact information — name, email address, phone number, organisation, and role. Collected at registration or via Mestergruppen's sign-in solution (Mester ID).
- Account data — username, password (stored hashed by our authentication provider), access roles, and settings.
- Usage data — actions in the Service, timestamps, IP address, device and browser information, session data.
- Campaign data — ad copy, images, audiences, budgets, channel choices, statistics on impressions and clicks.
- Payment data — invoice details, transaction IDs, payment status. Card details themselves are stored by the payment processor (Stripe), not by us.
- Communication history — content of support requests and other communication we receive from you.
- AI-generated content — text generated by artificial intelligence on your instructions, and prompts you provide.
- Data from ad platforms — account information, ad account details, and campaign statistics retrieved from Meta, LinkedIn, and Adnuntius after you connect your account.
3. Why we process personal data, and legal basis
We process personal data for the following purposes, with the following legal bases:
| Purpose | Personal data | Legal basis |
|---|---|---|
| Service delivery — creating and managing user accounts, campaigns, payments | Contact info, account data, campaign data, payment data | Contract performance (GDPR art. 6(1)(b)) |
| User support | Contact info, usage data, campaign data, communication history | Contract performance (GDPR art. 6(1)(b)) |
| Basic operational security — authentication, access control, logging | Account data, usage data | Contract performance (GDPR art. 6(1)(b)) |
| Publication on ad platforms (Meta, LinkedIn, Adnuntius) | Campaign data, data from ad platforms | Contract performance (GDPR art. 6(1)(b)) |
| Payment processing | Payment data | Contract performance (GDPR art. 6(1)(b)) |
| Proactive fraud prevention and abuse detection | Usage data, account data | Legitimate interest (GDPR art. 6(1)(f)) |
| Service improvement — pseudonymised product analytics | Usage data, technical info | Legitimate interest (GDPR art. 6(1)(f)) |
| Marketing of the Service to existing customers | Contact info | Legitimate interest (GDPR art. 6(1)(f)) |
| Statutory reporting (accounting, tax) | Payment and transaction data | Legal obligation (GDPR art. 6(1)(c)) |
Where we rely on legitimate interest, we have carried out a balancing assessment that is available on request. You have the right to object to such processing, see section 6.
4. Who we share personal data with
We share personal data with service providers that process data on our behalf (processors). The main categories are:
- Ad platforms — Meta (Facebook and Instagram), LinkedIn, and Adnuntius. These receive campaign data and audience data so we can publish ads on your behalf. The relationship with Meta is described in more detail in section 8, and with LinkedIn and Adnuntius in sections 8.2 and 8.3.
- Payment processor — Stripe handles card payments and refunds.
- Authentication — Clerk is used for authentication of users who are not Mestergruppen members. Mestergruppen members are authenticated via Mester ID (powered by Mestergruppen's own Auth0 solution), and Mestergruppen is the controller for the authentication itself.
- Hosting and infrastructure — Vercel hosts the application.
- AI providers — Anthropic (Claude). If OpenAI and/or Google AI are introduced for AI generation, the list will be updated accordingly.
- Product analytics and error tracking — PostHog (EU region).
- Customer communication and CRM — HubSpot.
An up-to-date list of all processors is set out in the Svipp Data Processing Agreement (DPA). We do not share personal data with third parties for marketing purposes.
5. Retention periods
We retain personal data for as long as necessary for the purpose:
| Data category | Retention period |
|---|---|
| User account | As long as the account is active + 12 months after deletion |
| Campaign history | 24 months |
| AI-generated text | 12 months (tied to campaign history) |
| Payment and transaction data | 5 years (Norwegian accounting law) |
| Support tickets | 24 months |
| Log data and product analytics | 12 months |
| Security logs | 12 months |
6. Your rights
Under the GDPR, you have the following rights:
- Access — you can request a copy of the personal data we hold about you.
- Rectification — you can ask us to correct inaccurate data.
- Erasure — you can ask us to delete data.
- Restriction — you can ask us to restrict processing.
- Data portability — you can ask for your data in a machine-readable format.
- Objection — you can object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time.
To exercise your rights, contact us at support@svipp.ai. We will respond within 30 days. You can also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no) or, if you are in Sweden, with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, imy.se).
7. Security measures
We have implemented technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Access control on a least-privilege basis.
- Logging and monitoring of access.
- Periodic review of security measures and processors.
8. Relationship with Meta, LinkedIn, and Adnuntius
8.1 Joint controllership with Meta
When you publish an ad on Meta (Facebook or Instagram) via Svipp, we facilitate the transmission of campaign data and audience data to Meta through the Meta Marketing API. Meta processes this data both on your behalf (to deliver the ad) and for its own purposes (improving targeting, measurement, and its own commercial interests).
TRY and Meta therefore act as joint controllers for the collection and transfer of personal data to Meta, in line with CJEU case law (Case C-40/17 Fashion ID and Case C-210/16 Wirtschaftsakademie). The division of responsibilities follows from Meta's Joint Controller Addendum and our internal procedures. You can exercise your privacy rights with either party; for data Meta processes for its own purposes, contact Meta directly (see Meta's privacy notice at facebook.com/privacy).
8.2 LinkedIn — independent controllership
When you publish an ad on LinkedIn via Svipp, campaign data is sent to LinkedIn for delivery. LinkedIn classifies itself as an independent controller for Marketing Solutions and ad data, see LinkedIn's Independent Controller Addendum. TRY and LinkedIn therefore process the data in parallel on their respective legal bases and for their respective purposes. You can exercise your rights with either party — LinkedIn's privacy notice is available at linkedin.com/legal/privacy-policy.
8.3 Adnuntius — processor with limited joint responsibility
Adnuntius AS acts primarily as a processor for targeting, delivery, and reporting of ads. For certain purposes related to the IAB TCF 2.0 framework, Adnuntius may act as a joint controller. Adnuntius stores data primarily in the EU/EEA (Germany and Finland). Adnuntius' privacy notice is available at adnuntius.com/privacy-policy.
9. TRY as processor
For the processing of campaign data, audience data, and ad account administration on the instructions of the User, TRY acts as a processor. The terms of that processing are set out in the Svipp Data Processing Agreement, which is concluded automatically upon acceptance of the Terms of Service.
10. Transfers outside the EEA
Some of our processors are established in the United States. Transfers of personal data to the US are based on the EU–US Data Privacy Framework for certified vendors, and on Standard Contractual Clauses (SCC) as a supplementary or alternative transfer mechanism. A breakdown of the transfer basis per vendor is set out in the DPA.
11. Changes to this Policy
We may update this Privacy Policy. Material changes will be notified via email or in the Service. We encourage you to review the Policy periodically.
12. Contact information
TRY AS
Øvre Slottsgate 8, 0157 Oslo, Norway
Company registration number: 980 129 942
Email: support@svipp.ai
Privacy Advisor: Torgeir Boldvik, torgeir.boldvik@try.no