1. Who We Are

Graivon is an AI automation agency based in Kristiansand, Norway, providing services to businesses in Norway and internationally. We help clients automate customer communication, booking, follow-up and marketing through AI-powered technology. Our website is graivon.no.

For any privacy-related questions, contact us at: [email protected]

2. Information We Collect

We collect the following categories of personal data depending on how you interact with us:

• Contact information — name, email address, phone number
• Business information — company name, legal business name, business address, tax ID, website
• Payment information — billing details processed securely through Stripe. We do not store card numbers directly.
• Usage data — pages visited, time spent, browser type, IP address (collected via cookies and analytics tools)
• Communication data — messages you send us, responses through our AI systems, onboarding form submissions

3. How We Use Your Data

We use your personal data for the following purposes:

• To deliver and manage the services you have purchased
• To set up and operate AI automation systems on your behalf
• To process payments and issue invoices
• To communicate with you regarding your account or service updates
• To send marketing communications where you have given consent
• To improve our services and analyse usage patterns
• To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data to train AI models without explicit consent.

4. AI Data Handling

As an AI agency, we build and operate automated systems that process conversations and customer data on behalf of our clients. In this context:

• Graivon acts as a data processor on behalf of our clients (who are the data controllers)
• Automated messaging systems may process names, phone numbers and conversation content
• No automated decisions with significant legal effects are made without human oversight
• Conversation data is used solely to deliver the agreed service and is not shared beyond what is necessary

5. Third-Party Services

We use the following third-party services which may process your data:

• GoHighLevel (CRM) — used for contact management, automation, and communication. Data is stored on GoHighLevel's servers in the US (covered by Standard Contractual Clauses under GDPR).
• Stripe — used for payment processing. Stripe is PCI-DSS compliant and operates under its own privacy policy.
• Google Analytics / Meta Pixel — may be used to analyse website traffic. These services use cookies.
• Azure (Microsoft) — used for AI infrastructure, providing robust uptime and end-to-end encryption.

6. Cookies

Our website uses cookies to improve your experience. These include:

• Essential cookies — required for the website to function
• Analytics cookies — help us understand how visitors use our site
• Marketing cookies — used to show relevant ads on third-party platforms

You can control cookies through your browser settings at any time.

7. International Data Transfers

Some of our third-party service providers are based outside the European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place — including Standard Contractual Clauses approved by the European Commission.

8. Data Retention

We retain your personal data for as long as is necessary to fulfil the purposes outlined in this policy. In practice:

• Client data is retained for the duration of our business relationship and for up to 1 year after the contract ends
• Payment records are retained for 5 years to comply with accounting regulations
• Website analytics data is retained for up to 26 months

After these periods, data is securely deleted or anonymised.

9. Your Rights

Under GDPR and applicable laws, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your data ("right to be forgotten")
• Right to restriction — request that we limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — where processing is based on consent, you may withdraw at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Security

We take the security of your data seriously. Our measures include end-to-end encryption, secure cloud infrastructure (Azure), access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page. We encourage you to review this policy periodically.

12. Contact

For any questions, concerns or requests related to this Privacy Policy, please contact:

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Norway, this is Datatilsynet (datatilsynet.no).