Privacy Policy

Last updated: June 12, 2026

1. Who are we?

Vyrdis is a service for structuring and analyzing user feedback. We are committed to protecting the privacy of both you who use Vyrdis and your users who give you feedback.

Data controller:
Vyrdis AS
Org. no. 837864712
Nestvikveien 25b, 3135 Torød, Norway
Email: privacy@vyrdis.com

2. What personal data do we collect?

2.1 Account information

When you create an account, we collect:

  • Email address
  • Full name
  • Password (stored hashed)
  • Organization affiliation

2.2 User research data

Data you upload or register in the service may contain:

  • Feedback and observations from user tests
  • Quotes and comments
  • URLs where feedback was given
  • Source references
  • Times of observations

For this research data, your organization is the data controller and Vyrdis is the data processor (GDPR Art. 28). The processing is governed by the data processing agreement between your organization and Vyrdis, not by this privacy policy.

Important: You are responsible for ensuring that you have the right to process personal data uploaded to Vyrdis, and that the data subjects are informed about the processing.

2.3 Technical data

We log limited technical information for operations and troubleshooting:

  • Login times
  • General error logs (without personally identifiable information)
  • Anonymized usage statistics (which pages are visited), via our own analytics solution

3. Why do we process personal data?

The table below covers processing where Vyrdis is itself the data controller — that is, account and operational data about the users in your organization. Research data uploaded about third parties is processed by Vyrdis as a data processor on behalf of your organization (see section 2.2), and the legal basis for that data is determined by your organization.

PurposeLegal basis
Create and manage user accountContract (Art. 6(1)(b))
Send emails (password, invitations)Contract (Art. 6(1)(b))
Operations and troubleshootingLegitimate interest (Art. 6(1)(f))
Web analytics to improve the serviceLegitimate interest (Art. 6(1)(f))

For the research data, Vyrdis does not state its own legal basis here — Vyrdis processes it only on the instructions of your organization, governed by the data processing agreement between you.

4. Use of AI and third-party services

4.1 Mistral (AI)

Vyrdis uses Mistral to provide AI features such as:

  • Automatic tagging of insights
  • Grouping of similar feedback
  • Connection between facts and hypotheses

When you use these features, relevant text data is sent to Mistral's servers in France. Mistral is a French company subject to EU data protection law and processes data in accordance with its privacy policy(opens in new tab).

Note: Vyrdis uses Mistral's Scale plan, under which API requests are explicitly not used to train Mistral's models. Mistral retains API data for up to 30 rolling days to detect abuse, unless Zero Data Retention is activated.

Consent at organization level

Using AI analysis requires active consent from the organization. Consent is given by an administrator or owner in the organization, and can be withdrawn at any time under Organization Settings → AI Analysis. Until consent is given, AI features are disabled for the entire organization, and no data is sent to Mistral.

Avoid entering personal data (names, email addresses, national ID numbers) in free-text fields that are sent for analysis. Account data such as email and password is never sent to Mistral.

4.2 Hosting and infrastructure

Vyrdis is hosted on Hetzner Cloud (a German company) in Nuremberg, Germany. The entire application — backend, database, and frontend — runs in the EU. Hetzner is subject to GDPR and German data protection law.

4.3 Email service

We use Brevo (a French company, formerly Sendinblue) for sending emails (user invitations, password reset). Brevo processes data in accordance with EU data protection regulations.

4.4 Data transfer and location

Vyrdis uses Mistral, Hetzner, and Brevo as sub-processors, all established in the EU/EEA. Vyrdis does not transfer personal data outside the EU/EEA. A complete and current overview is available on the sub-processor list.

5. Your rights

According to GDPR, you have the following rights:

  • Access: You can view and download all your data yourself under Settings → 'Download my data'.
  • Rectification: You can correct information about yourself in your profile settings, or ask us to fix errors.
  • Erasure ('right to be forgotten'): You can delete your account yourself under Settings → Delete account. Content you have created is anonymized.
  • Data portability: You can download your data in a structured, machine-readable format (JSON or CSV) under Settings.
  • Objection: You can object to processing based on legitimate interest
  • Withdraw consent: An administrator or owner in the organization can withdraw consent to AI processing at any time under Organization Settings. The consent applies to the entire organization.

Access, export, and deletion are self-service under Settings. For the other rights or any questions, contact us at privacy@vyrdis.com.

6. Security

We take data security seriously and have implemented the following measures:

  • Passwords are stored hashed with bcrypt (one-way, not encrypted)
  • All communication is over HTTPS
  • Access control with role-based authorization
  • Organization-based data isolation (multi-tenancy)
  • Automatic security updates

7. Data retention

We retain personal data as long as necessary for the purpose for which it was collected:

  • Account information: As long as the account is active, plus 30 days after deletion
  • Research data: As long as the account/organization is active
  • Logs: Maximum 90 days
  • Invoice data: Kept for up to five years due to bookkeeping obligations, even after you delete your account. This is a statutory limitation on the right to erasure.

8. Cookies

Vyrdis only uses necessary cookies to:

  • Keep you logged in (authentication token)
  • Remember user preferences

We do not use tracking or marketing cookies.

To understand how the service is used and to improve it, we use Matomo — an analytics solution we host ourselves on our own infrastructure in the EU. Matomo runs without cookies, anonymizes IP addresses, and respects your browser's 'Do Not Track' setting. No data is shared with third parties.

9. Changes to the privacy policy

We may update this privacy policy as needed. For significant changes, we will notify you via email or upon login. The last update date is shown above.

10. Right to complain

If you believe we are processing personal data in violation of privacy regulations, you can complain to the Norwegian Data Protection Authority: Submit complaint to Datatilsynet(opens in new tab)

11. Contact us

Do you have questions about how we process personal data? Contact us at privacy@vyrdis.com