Privacy policy

Authority is operated by Authority AS, registered in Norway. We collect the minimum information needed to deliver the service, store it in EU-region infrastructure, and never sell or share it with third parties for marketing purposes. This policy explains what we collect, why, and how to remove it.

What we collect

When you run a free Shortlist Score: the domain and category you enter, your work email, and an optional ICP description. These are stored in our Supabase (EU region) database so we can email you the results and follow up if your score changes.

When you book the audit or a retainer: the information Stripe collects at checkout — your name, billing address, company name, VAT ID (for EU B2B), and payment method. Stripe stores the payment method; we only see metadata. We additionally store the data needed to deliver the engagement (your domain, category, primary contact, and any access you grant).

When you visit the site: aggregate analytics via Plausible (no cookies, no PII, GDPR-friendly) and event analytics via Posthog. Posthog respects Do Not Track. No fingerprinting.

Where data lives

• Authentication and customer data: Supabase, EU region (Frankfurt).
• Payments: Stripe. Stripe handles card data; we never see card numbers.
• Email: Resend (transactional). Beehiiv (newsletter, when launched).
• Customer deliverables: Notion. Shared with the customer via private link with expiration.
• Analytics: Plausible (EU-hosted) + Posthog.

We do not transfer data outside the EU/EEA except where strictly necessary for service delivery (e.g. Stripe's US infrastructure). All processors are GDPR-compliant.

What we don't do

• We don't sell or rent your data to anyone.
• We don't train any AI models on customer data.
• We don't use third-party trackers, ad pixels, or fingerprinting scripts.
• We don't require cookies for the site to work. Posthog uses local storage; you can disable it in your browser without breaking anything.

Your rights (GDPR)

• Access: request a copy of all data we hold about you. Email ivar@authority.as.
• Correction:ask us to fix anything that's wrong.
• Deletion: ask us to delete your data. We comply within 30 days, except where Norwegian law requires us to retain records (invoices, 5 years).
• Portability: get your data in a machine-readable format.
• Objection: stop us from processing for a specific purpose.

Cookies and storage

Plausible: no cookies, no local storage. Posthog: anonymous device ID in local storage. Stripe Checkout: session cookies for payment processing only. No advertising cookies, ever.

Email and outreach

If you give us your email through the Score tool or via the Index, we may email you when your score changes by 5+ points week-over-week (max once per 30 days), or for monthly Index report updates. Every email has a one-click unsubscribe. We do not send marketing email outside this scope.

Data retention

• Score data: retained 24 months unless you ask us to delete it.
• Customer deliverables: retained as long as the engagement is active, plus 12 months. After that, archived or deleted on request.
• Invoices: retained 5 years (Norwegian legal requirement).

Contact for privacy questions

Email ivar@authority.as with subject "Privacy". Norwegian residents: you can also lodge a complaint with Datatilsynet.

Changes to this policy

We update this page when our processing changes meaningfully. The "last updated" date at the top reflects the most recent revision. We'll notify customers by email for material changes that affect them.