Data protection · GDPR summary

How Nordveil handles personal data

A short summary of how we handle personal data in client engagements. Provided for transparency, not as a substitute for the data-processing agreement.

Last updated · May 2026

01 — Controller & contact

Who is responsible

Nordveil is the data controller for information received through briefing requests, correspondence and client onboarding, and acts as a processor under written agreement when handling data on a client's behalf. For data-protection questions or to exercise your rights, write to privacy@nordveil.com — we respond within 30 days.

02 — What we process

Categories of data

Professional contact details, the content of your message and any documents you choose to share, engagement records, invoicing data and limited technical metadata. We do not seek special-category data and ask that classified, export-controlled or otherwise restricted material is not transmitted to us.

03 — Lawful basis

Why we may process it

Legitimate interest in conducting B2B dialogue, performance of a contract or pre-contractual steps you request, and compliance with legal obligations such as accounting and sanctions screening — Art. 6(1)(f), (b) and (c) GDPR. Consent is sought where required.

04 — Retention & minimisation

Only what is needed, only as long as needed

We collect the minimum required to respond and engage responsibly; optional fields stay optional and we do not enrich profiles or profile users. Briefing requests that do not lead to an engagement are removed within 12 months. Engagement records are kept for the engagement and up to 7 years thereafter where accounting or regulatory duties require it.

05 — Recipients & transfers

Who may see the data

Access is limited to Nordveil personnel with a clear need to know, and to vetted processors for hosting, email, document storage and accounting under written agreements. Transfers outside the EEA or the UK rely on Standard Contractual Clauses, the UK Addendum or equivalent safeguards, complemented by encryption in transit and at rest.

06 — Security, rights & incidents

Safeguards and your rights

Encryption, role-based access, mandatory multi-factor authentication, hardened endpoints, audit logging and vendor due diligence. You may request access, rectification, erasure, restriction or portability, object to processing, and lodge a complaint with your supervisory authority. Breaches likely to result in a risk to individuals are notified within 72 hours, in line with Art. 33–34 GDPR.