Legal

Privacy Policy

Last updated: 13 June 2026

1. Who we are

Nordensite ("we", "us", "our") sells GPS fleet tracking kits and operates the NordenSite Operations Cloud, a software-as-a-service platform that processes vehicle location data for business customers within the European Union, EEA, and the United States. We are the data controller for account and billing data, and act as a data processor for the vehicle telemetry data that our business customers collect through the platform.

Contact: contact@nordensite.com

2. Data we collect

We collect and process the following categories of data:

2.1 Account and identity data

  • Identity data: full name, company name, email address
  • Authentication data:managed by Zitadel (our identity provider) — we do not store passwords for platform accounts
  • Contact data: email address, phone number, shipping and billing address (for hardware orders)

2.2 Vehicle telemetry and location data

When GPS tracking devices are activated on the platform, we process the following data on behalf of our business customers:

  • GPS position data: latitude, longitude, altitude, speed, heading, and timestamp
  • Vehicle diagnostics: ignition state, battery voltage, odometer readings, and device-specific I/O values
  • Device metadata: IMEI number, firmware version, connection timestamps, and source IP address

This data may constitute personal data under GDPR if the tracked vehicles can be linked to identifiable individuals (e.g. assigned company drivers). Our business customers are responsible for ensuring they have a lawful basis (such as legitimate interest or employee consent) for collecting this data. See Section 5 for details on data processing roles.

2.3 Payment data

  • Payment data:processed securely by Stripe — we do not store card numbers on our servers

2.4 Technical data

  • Technical data: IP address, browser type, device information, pages visited
  • Communication data: messages you send to us via email or our contact form

3. How we use your data

  • To provide and operate the NordenSite Operations Cloud platform, including real-time fleet tracking, trip history, and geofence alerts
  • To process and fulfil hardware orders
  • To manage your account, authentication, and subscription billing
  • To send order confirmations, shipping updates, and service notifications (e.g. device offline alerts)
  • To respond to your enquiries and support requests
  • To comply with legal and tax obligations
  • To protect the security and integrity of our platform and services

Our legal bases for processing under the GDPR are: performance of a contract (providing the platform service and fulfilling orders), legitimate interest (security, fraud prevention), and compliance with legal obligations (tax, accounting).

4. Third-party services

We share personal data only with the following service providers, solely for the purposes described above:

  • Stripe— payment processing. Stripe acts as an independent controller for payment data. See Stripe's Privacy Policy.
  • Zitadel— identity and authentication provider. Manages sign-in, account creation, and multi-factor authentication. Hosted within the EU.
  • Resend— transactional email delivery (order confirmations, service notifications).
  • Neon— database hosting. Your data is stored on servers within the EU.
  • Vercel— website and application hosting.
  • Railway— API and data ingest infrastructure hosting.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

5. Data processing roles (GDPR)

For the NordenSite Operations Cloud platform, data processing responsibilities are divided as follows:

  • Nordensite as controller: we are the data controller for account registration data, billing information, and platform usage data.
  • Nordensite as processor: we act as a data processor for vehicle telemetry and location data. Our business customers (the workspace owners) are the data controllers for this data and determine the purposes and means of processing.
  • Customer responsibilities: business customers who track vehicles with identifiable drivers must ensure they have a lawful basis under GDPR (e.g. legitimate interest, consent, or employment contract) and must inform their employees or drivers about the tracking.

We will enter into a Data Processing Agreement (DPA) with business customers upon request. Contact us at contact@nordensite.com to request a DPA.

6. Cookies

We use only essential cookies that are strictly necessary for the website and platform to function. We do not use analytics, advertising, or tracking cookies. For more details, please see our Cookie Policy.

7. Data retention

We retain data for the following periods:

  • Account data: retained for as long as your account is active, and for a reasonable period thereafter for legal and accounting purposes.
  • Vehicle telemetry data: retained for the duration of the active subscription. Upon account deletion or request, telemetry data is permanently deleted within 30 days.
  • Order and billing data: retained for a minimum of 5 years to comply with tax and accounting regulations.
  • Raw device messages: retained for diagnostic and reprocessing purposes for the duration of the subscription.

8. Your GDPR rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access— request a copy of the personal data we hold about you.
  • Right to rectification— request correction of inaccurate or incomplete data.
  • Right to erasure— request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability— receive your data in a structured, commonly used, machine-readable format.
  • Right to object— object to processing based on legitimate interest.
  • Right to restrict processing— request that we limit how we use your data in certain circumstances.

To exercise any of these rights, please email us at contact@nordensite.com. We will respond within 30 days.

If you are an employee or driver whose vehicle is tracked by your employer through our platform, please contact your employer (the data controller) to exercise your rights. We will assist your employer in fulfilling such requests.

You also have the right to lodge a complaint with your local data protection authority. In Norway, this is the Datatilsynet.

9. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction. These include:

  • All data is transmitted over encrypted HTTPS/TLS connections
  • Authentication is managed through Zitadel with support for multi-factor authentication and single sign-on
  • Session tokens are signed, HttpOnly, and have strict expiry controls
  • Payment data is handled exclusively by Stripe in PCI-DSS compliant environments
  • Platform access is controlled by role-based permissions (owner, admin, viewer)
  • All administrative actions are recorded in an immutable audit log

10. International transfers

Our primary database infrastructure is hosted within the EU. Some of our service providers may process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or reliance on adequacy decisions.

11. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.

12. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at contact@nordensite.com.

A business in Oslo ordered a 4-Camera Kit

3 min ago

Launch batch — limited stock

Buy now — from €799