PRIVACY POLICY
How we protect your personal data
// Last updated: 6 May 2026
1. Introduction
Mustvedt Sentinel (“we”, “us”) respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.
We aim to collect as little data as possible — only what we need to deliver the service.
2. Data controller
The data controller is:
3. Data we collect
3.1 When you use the service anonymously
You can use the free version without signing up. In that case we collect:
- IP address (hashed with a salt, for anti-abuse)
- Scans you run (URLs, emails, IPs you check)
- Timestamps of scans
- Anonymous statistics via Umami (no cookies, no personal identifier)
3.2 When you register a PLUSS account
In addition to the above:
- Name
- Email address
- Phone number (optional, required for businesses)
- Company name and tax ID (businesses only)
- Address (businesses only)
- Industry (businesses only)
- Login history (PIN codes, timestamps)
3.3 When you use monitoring features
- Domains you register for monitoring
- Email addresses you register for leak checks
- IPs and assets you register for security scans
- Results from automated checks
3.4 When you pay
- Payment metadata (amount, timestamp, invoice number)
- We never store card details — these are handled by Stripe (card) or Vipps (mobile payment, Norway only)
- Phone number is passed to Vipps for authentication but not stored by us
3.5 When you use the mobile app
- Push token (Firebase Cloud Messaging) — an anonymous device token that lets us send push notifications about leaks, SSL expiry, and domain changes. Processed by Google Firebase as a sub-processor. You can disable push in the app at any time, and the token is deleted on log-out.
- Device info (platform, model, OS version, app version) tied to the push token, used only to deliver and troubleshoot notifications.
- Biometric app-lock is handled locally on the device by the operating system. We never receive or store fingerprints or biometric data.
- Data deletion in the app — you can download all your data or permanently delete your account directly under Settings → Privacy & data.
4. Purpose of processing
We process your personal data to:
- Deliver the service you requested (scans, monitoring, etc.)
- Send relevant alerts (security alerts, monthly reports, invoices)
- Bill and manage subscriptions
- Protect the service from abuse and attacks
- Improve the service based on anonymous statistics
- Meet legal obligations (accounting, tax)
5. Legal basis
Our processing relies on:
- Contract (GDPR art. 6(1)(b)) — to deliver the service
- Legitimate interest (GDPR art. 6(1)(f)) — anti-abuse, security, statistics
- Consent (GDPR art. 6(1)(a)) — for newsletter and marketing
- Legal obligation (GDPR art. 6(1)(c)) — Norwegian Bookkeeping Act, tax law
6. Retention
| Data type | Retention |
| --- | --- |
| Anonymous scans | 30 days (statistics only) |
| PLUSS account data | Active subscription + 6 months |
| Invoice data | 5 years (Norwegian Bookkeeping Act §13) |
| Monitoring data | Active subscription |
| Logs and IP addresses | 90 days |
| Trial data (no purchase) | 30 days after trial ends |
| Marketing consent | Until you withdraw it |
7. Sharing with third parties
We do not share your personal data with anyone other than:
- Sub-processors that help us deliver the service (see §8)
- Public authorities, if required by Norwegian or EU law
- Law enforcement, if there is suspicion of a criminal offence
We never sell your data to third parties for marketing.
8. Sub-processors
We use the following sub-processors:
| Service | Purpose | Location |
| --- | --- | --- |
| Namecheap | Server hosting | USA |
| Anthropic | AI analysis (Claude API) | USA |
| Stripe | Payment processing (card) | Ireland / USA |
| Vipps MobilePay | Payment processing (mobile) | Norway |
| Brevo | Email delivery | France |
| UptimeRobot | Domain uptime monitoring | USA |
| Umami Cloud | Anonymous visitor analytics | EU |
| VirusTotal | URL/file scanning | EU |
| LeakCheck | Email-breach lookup | EU |
| Have I Been Pwned (HIBP) | Password / email-breach lookup | Australia |
| Shodan | Port / exposure scanning | USA |
| ThreatFox (abuse.ch) | Threat intelligence | Switzerland |
9. International transfers
Some of our sub-processors are located outside the EU/EEA (e.g. USA, Australia). For these transfers we rely on:
- EU Standard Contractual Clauses (SCCs) for all vendors outside the EU/EEA
- EU-US Data Privacy Framework (DPF) — Anthropic, Stripe, and Brevo are DPF-certified (publicly verifiable at dataprivacyframework.gov)
- Technical and organisational measures (encryption in transit and at rest)
10. Security
We take data security seriously and use:
- HTTPS/TLS for all connections
- Strong password hashes (bcrypt) for sensitive data
- Need-to-know access principles
- Regular security updates on servers
- Strict Content Security Policy (CSP)
- Rate limiting and anti-abuse mechanisms
- Daily backups
If we discover a data breach, we will notify affected users within 72 hours in line with GDPR art. 33.
11. Your rights
You have the following rights under GDPR:
11.1 Right of access
You can request a copy of all information we hold about you. Send a request to Christer@mustvedt.net.
11.2 Right to rectification
If we hold incorrect or incomplete information about you, you can ask us to correct it.
11.3 Right to erasure (“right to be forgotten”)
You can ask us to delete your personal data. We will delete it as soon as we can, unless we have a legal obligation to retain it (e.g. invoice data for 5 years).
11.4 Right to restriction
You can ask us to restrict processing of your data, e.g. while a complaint is being resolved.
11.5 Right to data portability
You can ask to receive your data in a machine-readable format (JSON/CSV).
11.6 Right to object
You can object to processing based on legitimate interest or marketing.
11.7 Right to withdraw consent
If processing relies on consent, you can withdraw it at any time without affecting the lawfulness of past processing.
📧 How to exercise your rights: Send an email to Christer@mustvedt.net with “Privacy request” as the subject. We reply within 30 days.
12. Cookies and local storage
Mustvedt Sentinel uses:
12.1 Technical cookies (necessary)
- localStorage to remember your settings (theme, login state, etc.)
- Session cookies when logged into PLUSS
- Language cookie (msec-lang) to remember NO/EN preference
12.2 Analytics cookies
We use Umami, which is privacy-friendly:
- No cookies are used for tracking
- No IP addresses are stored
- No personal data is collected
- Only anonymised visit statistics (pages viewed, geographic region)
12.3 Marketing cookies
We use no marketing cookies or third-party trackers.
13. Children under 13
Mustvedt Sentinel is not directed at children under 13. We do not knowingly collect personal data from children. If you are a parent and discover that we hold data about your child, contact us immediately for deletion.
14. Changes to this policy
We may update this policy as needed. Material changes will be communicated via:
- Email to registered users
- Banner on the site
- Updated “Last updated” date
By continuing to use the service after changes, you are deemed to have accepted the new policy.
15. Complaints to a supervisory authority
If you believe we are processing your personal data in violation of GDPR, you can lodge a complaint with the Norwegian Data Protection Authority:
EU residents may also contact the data protection authority in their own country of residence. We encourage you to contact us first so we can resolve the issue together.
16. Contact us