Convier Privacy & Data Protection Policy

Last updated: 12. september 2025

1. Introduction

At Convier AS (“Convier”), we take privacy and data protection seriously.

This policy explains how we handle personal data when:

  • You visit our website,
  • You interact with us as a prospect or client, or
  • You use the Convier platform, which is deployed within your own infrastructure.

Our goal is simple: to give you clarity about what data we process, why we process it, and how the Convier platform is built to help our clients comply with the General Data Protection Regulation (GDPR).

2. Roles and Responsibilities

  • Clients as Controllers: Clients are the data controllers for any personal data they process through the Convier platform. Convier does not, as a general rule, access or process this data.
  • Convier as Controller: We act as a controller for personal data related to our own business operations, including website visitors, prospects, and client representatives.
  • Convier as Processor (limited cases): In rare situations — for example, if a client engages Convier for managed hosting or troubleshooting that requires access to sample data — Convier may act as a processor. In such cases, a Data Processing Agreement (DPA) will be put in place.

3. What Data We Process

Website Visitors

When you visit our website, we may process:

  • Technical information such as your IP address, browser type, operating system, and referring URLs.
  • Usage information such as pages visited and time spent.

Our website is hosted by Webflow, which processes visitor requests (including IP addresses) to deliver the site securely.

We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personal data. All measurements are aggregated and hosted in the EU.

Currently, our website does not set cookies. Cookies may only be set in the future if you interact with embedded third-party services (e.g. forms).

Prospects and Leads

When you engage with us through forms or marketing channels, we may process:

  • Your name, company, role, and contact details.
  • Communication history and preferences.

Customer Representatives

For licensing, support, and billing, we may process:

  • Name, job title, email address, and other contact details.
  • Support communications and any personal data shared with us in that context.

Recruitment Applicants

If you apply for a position at Convier, we may process:

  • Name, contact details, CV/resume, cover letter, references, and other information you choose to provide.
  • Notes and evaluations made during the recruitment process.

We use this information solely for recruitment purposes and to assess your candidacy. If your application is unsuccessful, we will delete your data within 18 months unless you consent to a longer retention period.

Client Platform Data

Clients may use the Convier platform to retrieve, process, and analyze personal data for anti-money laundering and compliance purposes. The categories of personal data are determined entirely by the client.

Convier does not decide what personal data is processed and does not store this data. All storage remains within the client’s own infrastructure. Clients are responsible for ensuring GDPR compliance in relation to the data they manage.

We process personal data on the following bases:

  • Consent – for marketing subscriptions and any optional cookies (if enabled in the future).
  • Contractual necessity – to perform contracts with clients (e.g. licensing, account management, support).
  • Legitimate interest – for day-to-day business communications and improving our services.

5. Privacy by Design & GDPR Support

The Convier platform is designed with privacy by design and by default. Key features that support GDPR compliance include:

  • No storage of client data – The platform does not retain personal data. All data retrieved, processed, or analyzed is stored within the client’s own infrastructure. This minimizes the amount of data stored and processed, and reduces the number of individuals impacted.
  • Client-controlled deployment – Clients retain full control over their environment and the personal data processed.
  • Authentication via client systems – Convier integrates with client-managed identity providers such as Microsoft Active Directory, Entra ID, or Keycloak.
  • Granular access controls – Role-based access ensures only authorized client users can view sensitive data.
  • Audit trails – Logging and monitoring support accountability.
  • Data minimization – The platform only processes the data configured by the client for AML and compliance purposes.
  • Encryption – All data handled by the platform can be encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed securely by the client within their environment.

For the personal data Convier controls (e.g. client contacts, support data, marketing data):

  • Data is stored in the EEA (Norway and Germany).
  • Data is encrypted at rest using AES-256 and transmitted securely using TLS 1.2 or higher.

6. Sub-processors

Convier uses carefully selected service providers to support its business operations. The current list of sub-processors is maintained here.

Convier ensures that all sub-processors are bound by data protection agreements and provide appropriate safeguards under GDPR.

7. Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under very rare circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service

8. Data Retention

  • Website & marketing data: retained in line with your consent and marketing best practices.
  • Client contact data: retained as long as the client relationship exists or as legally required.
  • Support data: retained as long as needed to resolve the issue and maintain records.
  • Client platform data: retention and deletion are entirely controlled by the client.

9. Your Rights

You have the right to request:

  • Access to your personal data,
  • Correction of inaccurate data,
  • Deletion of data (where legally permitted),
  • Restriction or objection to processing,
  • Data portability.

To exercise these rights, please contact our Data Protection Officer.

10. Contact

Data Protection Officer (DPO):

Andreas P. Engstrand

Email: support@convier.com

Address: Convier AS, Storgata 5, 0155 Oslo, NORWAY

11. Policy Updates

We may update this policy from time to time. The latest version will always be available in the Convier Trust Center.

If we make material changes, we will notify affected clients directly, for example by email or in-app notice.