Last updated: April 2026
De-Risk Matrix Company AS, org.nr 937 716 125 ("we", "us", "our") is the data controller responsible for personal data processed through the De-Risk Matrix application (app.deriskmatrix.com).
Contact: hello@deriskmatrix.com

| Category | Data | Source |
|---|---|---|
| Account | Full name, email address | You provide at registration |
| Organisation | Company name, organisation number, website | Provided by you or fetched from public registries |
| Usage | Goals, targets, data points, risk drivers, actions, strategies | You enter in the application |
| AI analysis input | Company website content, uploaded annual reports (PDF), financial context | You initiate analysis |
| Technical | IP address, browser type, session data | Automatically — for security and operation |

We do not collect payment card data directly — payments are handled by our payment processor.

| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| User authentication and account management | Performance of contract |
| AI-assisted goal and risk analysis | Performance of contract / Legitimate interest |
| Improve and develop the Service | Legitimate interest (Art. 6(1)(f)) |
| Service-related communications (security, updates) | Performance of contract / Legal obligation |
| Marketing emails (only with explicit consent) | Consent (Art. 6(1)(a)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |

We do not sell your data to third parties. We do not use your data for advertising.
When you use AI-powered features (Company Analyzer, AI Goal Generator), content you provide — such as website URLs, uploaded PDF documents, and company context — is transmitted to Anthropic, PBC (provider of Claude AI) for processing. Anthropic acts as a data processor on our behalf.
Anthropic does not use data submitted via the API to train its models. A Data Processing Agreement (DPA) is in place with Anthropic. See anthropic.com/legal/privacy.
Do not upload documents containing sensitive personal data (identity numbers, health data, confidential employee information) unless you have a lawful basis to do so.

| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt, Germany) |
| Anthropic, PBC | AI language model (Claude) | USA — Standard Contractual Clauses |
| Vercel Inc. | Application hosting, serverless functions | USA — Standard Contractual Clauses |
| Brønnøysundregistrene | Public company data (org.nr lookups) | Norway — public API, no personal data |

Where processors are located outside the EU/EEA, transfers take place under Standard Contractual Clauses (SCCs) approved by the European Commission.
We retain your data for as long as your account is active. If you close your account, we will delete or anonymise your personal data within 90 days, unless we are required to retain it longer by applicable law.
Under GDPR you have the right to:
Email us at hello@deriskmatrix.com. We will respond within 30 days. You may also lodge a complaint with the Norwegian data protection authority: datatilsynet.no.
We use browser localStorage to store session preferences and draft data locally on your device. We use session cookies required for authentication (managed by Supabase Auth). We do not use third-party tracking or advertising cookies.
We may update this policy from time to time. We will notify you of material changes by email at least 30 days before they take effect.