Privacy Policy

Legatus Compliance takes privacy seriously. This policy describes what personal data we process, why we process it, and what rights you have.

Last updated: 1 April 2026

Data Controller

Legatus AS, organisation number 935 624 780, is the data controller for the personal data we collect. You can reach us at privacy@legatus.no or by post to our business address.

What data we collect

We only collect data that is necessary to deliver the service. This includes:

  • Contact information: name, email address, and phone number of users and contact persons at customer organisations.
  • Business information: company name, organisation number, industry, and address.
  • User data: login credentials, roles, and access rights within the platform.
  • User activity: login logs, actions taken in the platform, and change history.
  • Documents and reports uploaded or generated by users within the service.

Purposes of processing

The data is used for the following purposes:

  • Delivering, operating, and maintaining the Legatus Compliance platform.
  • Managing customer relationships, billing, and support.
  • Notifying about changes to the service, regulatory requirements, or important events.
  • Security: detecting and preventing unauthorised access and misuse.
  • Fulfilling legal obligations, including accounting legislation.

Legal basis

Processing is based on the following legal grounds under GDPR Article 6:

  • Contract (Art. 6(1)(b)): processing necessary to fulfil the agreement with the customer.
  • Legitimate interests (Art. 6(1)(f)): security, operational logging, and product improvement.
  • Legal obligation (Art. 6(1)(c)): compliance with accounting law and other statutory requirements.
  • Consent (Art. 6(1)(a)): where we explicitly request consent, e.g. for newsletters.

Processors and third parties

We share data only with vendors necessary to deliver the service, and always under a data processing agreement:

  • Supabase Inc. – database infrastructure and authentication (EU region).
  • Vercel Inc. – application hosting and delivery.
  • Resend Inc. – outbound email delivery (invitations and notifications).
  • Microsoft Azure – optional sign-in via Azure AD / Entra ID.

We do not sell personal data and do not share data with third parties for marketing purposes.

Your rights

As a data subject you have the following rights under GDPR:

  • Access: the right to know what data we hold about you.
  • Rectification: the right to correct inaccurate or incomplete data.
  • Erasure: the right to request deletion of your data ('right to be forgotten').
  • Restriction: the right to restrict processing under certain circumstances.
  • Data portability: the right to receive your data in a machine-readable format.
  • Objection: the right to object to processing based on legitimate interests.

You may also lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority) at datatilsynet.no if you believe we are processing your data in violation of applicable privacy law.

Retention and deletion

Personal data is retained for as long as the customer relationship is active and for the period required to fulfil statutory obligations (typically 5 years under accounting legislation). After the customer relationship ends, data is deleted or anonymised within 90 days, unless otherwise required by law.

Contact

For questions about privacy, exercising your rights, or any other enquiries, please contact us at:

Post: Legatus AS, c/o Data Controller, Oslo, Norway
