Privacy Policy

Digital Trend AS (Hulda) is the data controller for the information described in this policy. We process two distinct categories of personal data with different lawful bases, and this document explains both clearly.

By using Hulda, you agree to this policy. If you are an individual whose business contact information appears in Hulda via a customer’s upload (rather than an Hulda customer yourself), the section Your rights as a third-party data subject applies to you.

About Digital Trend AS

Digital Trend AS is a Norwegian technology company located at Havnevegen 3, 5918 Frekhaug, Norway. Hulda is our AI-native business manager — a unified system where AI agents work across CRM, meetings, calendar, knowledge, support, outreach, and other business domains using a single shared database.

The two categories of personal data we process

1. Customer data (you, our paying user)

Information you provide when you create and use a Hulda account. We process this on the lawful basis of contractual necessity (Article 6(1)(b) GDPR) — we cannot deliver the service without it.

• Account information: email address, password (hashed with bcrypt), name, profile preferences.
• Workspace and tenant data: your CRM contacts, deals, pipeline, calendar events, meetings, knowledge base articles, support tickets, automation rules, and other business records you create or import.
• OAuth integration data: when you connect a Google or Microsoft account, we receive access tokens and read emails, calendar events, and other resources you authorise. We store the minimum necessary; access tokens are encrypted at rest using AES-256.
• Outbound email content: the bodies of emailsHulda sends on your behalf as part of outreach sequences, replies drafted by AI, and related metadata.
• Usage and audit data: agent action logs, send events, error reports, and related operational data needed to run the service.
• Payment data: processed by Stripe (web) or Apple/Google (mobile, when those clients ship). We never store full card numbers.

2. Third-party business contact data (people you contact via Hulda)

When you upload a list of B2B prospects, send a cold-outreach email, or otherwise add a contact via Hulda, we process that contact’s information. We rely on the lawful basis of legitimate interest(Article 6(1)(f) GDPR; Recital 47) for B2B contact processing — the same basis used by every major B2B contact-data provider (e.g. ZoomInfo, Apollo, Cognism, Clearbit). We balance our and our customers’ legitimate interest in business communication against the data subject’s reasonable expectations and rights.

What we collect about third-party contacts:

• Business email address, name, job title, and employer (and changes to those over time, when observed).
• Public business profile data (e.g. LinkedIn URL, company domain, country, company size band).
• Phone numbers, when explicitly collected.
• Email-deliverability signals: whether email to that address bounces, is opened, is clicked, or generates a complaint.
• Verification status from third-party providers (deliverable, catch-all, undeliverable, spam-trap, abuse-prone, etc.).

Important: we do not collect, infer, or store special categories of data (health, race, religion, sexual orientation, political opinion, etc.) about third-party contacts.

Cross-tenant data pool (the Hulda master pool)

Huldamaintains a master pool of B2B contact data that accumulates across all of our customers’ uploads and interactions. This pool is the foundation of our prospecting skill (a future feature) and our cross-tenant deliverability intelligence. It works as follows:

• When a customer uploads a contact, we de-duplicate against the master pool and update its last-known information (latest title, latest employer, etc.).
• When a contact has not been engaged by any Hulda customer for 14 consecutive months, we mark the record as marketplace-eligible. Eligible records may be made available to other Hulda customers via prospecting and list-building features, subject to the rest of this policy.
• Verification results from third-party providers (e.g. ZeroBounce) are cached cross-tenant so that we do not re-query the same address for multiple customers. Cache lifetimes are: 90 days for valid addresses, 30 days for catch-all/unknown, 365 days for invalid/spam-trap/abuse, and permanent for opt-outs.
• Suppression signals (hard bounces, complaints, spam-trap hits) are shared cross-tenant to protect every Hulda customer’s deliverability. Suppression entries store a cryptographic hash of the email, not the address itself.

Customers can opt out of contributing their uploads to the master pool by disabling contribute_to_global_pool in their tenant settings. When disabled, the customer’s uploads remain scoped to their tenant only and are excluded from cross-tenant pooling.

Your rights as a third-party data subject

If you are an individual whose business contact information appears in Hulda (because an Hulda customer uploaded you, contacted you, or both), you have rights under GDPR and equivalent laws:

• Right to be informed (Article 14): you are reading the relevant disclosure now. We obtained your business contact information either from a Hulda customer’s upload, from publicly available B2B sources, or from a previous interaction.
• Right to access (Article 15): you can request a copy of all data we hold about you.
• Right to erasure(Article 17, “right to be forgotten”): you can request that we delete all data we hold about you. We honour these requests within 30 days. After erasure, we permanently suppress your address so no future Hulda customer can re-add you.
• Right to object (Article 21): you can object to our processing on legitimate-interest grounds at any time.
• Right to rectification (Article 16): you can request correction of inaccurate data.
• Right to lodge a complaint with a supervisory authority (Article 77).

To exercise any of these rights: use the public form at https://hulda.app/privacy/data-request, or email [email protected]. You do not need a Hulda account to exercise these rights and we never ask for one. We respond within 30 days.

How we use the data we collect

• Deliver the Hulda service: store, query, and process customer data to power the AI business manager.
• Run AI agents on a customer’s behalf, including AI drafting, classification, scoring, and decision-support.
• Send emails (outreach and replies) using the customer’s connected email integration.
• Verify deliverability of email addresses before sending.
• Cross-tenant deliverability intelligence (suppression signals, verification cache).
• Future prospecting features: enable customers to discover B2B contacts in the master pool that are eligible for contact.
• Operational, security, and audit purposes (error monitoring, fraud prevention, abuse mitigation).
• Service-related communications to customers (billing, changes, security notices).

AI processing

Customer data is processed by AI providers under written data processing agreements that prohibit them from training their models on it. The current providers we use:

• Anthropic Claude: the primary AI engine behind Hulda’s agent and skill system.
• OpenAI: embeddings and supplementary processing.
• Groq: fast transcription where applicable.

We never sell customer data, never use it to train AI models we operate, and never permit our AI subprocessors to use it for their own training.

Subprocessors

We use the following third-party services. All are bound by data-processing agreements where applicable.

• Hetzner (Germany, EU) — primary application and database hosting.
• AWS (eu-west-1, Ireland, EU) — file storage via S3.
• Anthropic, OpenAI, Groq — AI processing of customer content.
• ZeroBounce — email-address verification.
• Stripe — payment processing (web).
• Resend — transactional email (account emails, password resets, privacy-request confirmations).
• Sentry — error tracking.
• Google (Postmaster Tools, Workspace Send-As, Gmail API) and Microsoft (SNDS, Graph API) — sender reputation telemetry and OAuth-mediated email/calendar access.

When new subprocessors are added (e.g. for future features such as LinkedIn integration, SMS via Twilio, voice via Vapi or Retell), this policy will be updated and material changes will be communicated to existing customers.

Data storage, security, and transfers

• Primary application data and the master contact pool are stored on EU servers (Hetzner, Germany; AWS eu-west-1, Ireland).
• Some subprocessors (Anthropic, OpenAI, Stripe, Sentry, Resend) operate outside the EU. These transfers are covered by Standard Contractual Clauses or equivalent safeguards.
• Tenant isolation is enforced at the database layer using row-level security (RLS); a tenant cannot read or write another tenant’s data through the application.
• OAuth tokens, payment-provider credentials, and similar secrets are encrypted at rest with AES-256.
• All network traffic uses TLS in transit.
• Every write operation by an AI agent is recorded in an append-only audit log.

Data retention

• Customer account and tenant data: retained while the customer’s account is active. Upon account deletion, personal customer data is removed within 30 days; aggregate metrics needed for billing or fraud prevention may persist in anonymised form.
• Third-party contact data: retained indefinitely unless the data subject exercises the right to erasure or the relevant customer deletes their tenant. Retention beyond a customer’s active use supports the cross-tenant pool described above.
• Verification cache results: retained per the lifetimes listed above (90 days for valid, 30 for catch-all/unknown, 365 for invalid/spam-trap/abuse, permanent for opt-outs).
• Suppression hashes: retained permanently to protect against re-enrolment of bounced or complaint-flagged addresses.

International data subjects

Hulda is operated from Norway. We extend the rights described above to all third-party data subjects regardless of jurisdiction. Customers in California (CCPA / CPRA), Canada (PIPEDA), the UK (UK GDPR), Brazil (LGPD), and other regions with comparable laws have substantively the same rights of access, deletion, and objection described here.

Cookies

The Hulda web application uses essential cookies for authentication and tenant selection only. We do not use tracking cookies or third-party advertising pixels.

Children

Hulda is a B2B service intended for businesses and business professionals. It is not directed at children, and we do not knowingly collect data from anyone under 16.

Changes to this policy

We may update this policy as the product evolves or as the law requires. The current version is always available at https://hulda.app/privacy and the “Last updated” date is shown at the top. Material changes will be communicated to active customers in advance.

Contact

For privacy-related questions or to exercise any right under this policy:

• Public data-subject form (no account required): https://hulda.app/privacy/data-request
• Privacy contact: [email protected]
• General support: [email protected]
• Digital Trend AS, Havnevegen 3, 5918 Frekhaug, Norway.