Privacy notice.
Effective date: [to confirm on review].
This notice explains how Naborly ApS handles personal data when you use Naborly. It applies to the people who use the employee app at app.naborly.io, the administrators who manage an organisation at admin.naborly.io, and visitors to naborly.io. Naborly is a benefits platform: your employer or membership organisation connects you to a curated set of privileges from other organisations in the network.
1Who is responsible for your data
Naborly ApS (CVR [to confirm], [registered address], Copenhagen, Denmark) is the data controller for the personal data described here. For privacy questions, data requests, or to reach the person responsible for data protection, contact sander@naborly.io.
Where your employer or membership organisation decides which of its people may join and configures its own account, that organisation acts as an independent controller for those decisions. Naborly is the controller for operating the platform itself.
2The data we collect
- Account and identity
- Your name, work email address, preferred language, and the organisation you belong to. Most of this comes from your organisation or from you when you first sign in.
- Preferences you tell us
- The categories you choose during setup and how strongly you weight them, so your feed reflects what you care about. You can change these at any time.
- How you use the app
- Records of the privileges you view, save, and redeem, and similar activity, so the platform works and so your feed and reminders stay relevant.
- Approximate location, if you provide it
- A home or work area you set to find in-person privileges nearby. We round this to roughly 100 metres before storing it, and we never share it with partner organisations.
- Communications
- Emails and in-app notifications we send you, and your preferences for them, including whether you opted in to non-essential messages.
- Technical data
- Standard information your device sends, plus essential cookies and local storage needed to keep you signed in. See the cookie policy.
3Why we use it, and our legal basis
We use your data to run the platform: to sign you in, show you a relevant feed, let you save and redeem privileges, send the notifications you expect, and keep the service secure. The legal basis is performance of the arrangement that gives you access through your organisation, and our legitimate interest in operating, securing, and improving the service.
We personalise your feed from the preferences you declare and from your activity. This keeps a small, curated set relevant to you. It does not make decisions with legal or similarly significant effects about you. You can adjust or reset your preferences at any time.
Where we rely on consent, such as optional notifications or non-essential cookies, you give it freely and can withdraw it at any time without affecting your use of the platform.
4What we never do
We do not sell your personal data. We do not share your identity or contact details with the partner organisations whose privileges appear in your feed. Partners receive only aggregate, de-identified activity, and only where the numbers are large enough that no individual can be recognised.
5Service providers who process data for us
We work with a small set of providers who process data on our instructions under data processing agreements: hosting and database (Supabase), application hosting and delivery (Vercel), transactional email (Resend and Amazon SES), error monitoring (Sentry), maps for the nearby view (MapTiler), and the AI services we use to prepare and translate the editorial content shown in the app (Anthropic and Voyage AI). Billing between Naborly and organisations is handled through Stripe and involves organisation billing contacts rather than members.
Some of these providers operate outside the EU and EEA. Where that is the case, transfers rely on an approved safeguard such as the European Commission’s Standard Contractual Clauses. [Counsel to confirm the per-provider transfer mechanism and complete the subprocessor list before publication.]
6How long we keep it
We keep your account and preference data while you have access through your organisation, and for a limited period afterwards so the experience is consistent if you return. Records required for accounting are retained for five years in line with the Danish Bookkeeping Act (Bogføringsloven). We remove or anonymise activity data on a rolling basis once it is no longer needed for the purposes above. [Specific retention periods to confirm on review.]
7Your rights
Under the GDPR you can ask us to give you a copy of your data, correct it, delete it, restrict or object to how we use it, and receive it in a portable form. Where we rely on consent, you can withdraw it at any time. To exercise any of these, contact sander@naborly.io and we will respond within the time the law allows.
If you believe we have handled your data incorrectly, you can complain to the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, dt@datatilsynet.dk.
8How we protect it
Data is encrypted in transit and at rest. Each organisation’s data is isolated at the database layer, access is limited to what each role needs, and staff accounts with access require multi-factor authentication. We log privileged actions for accountability.
9Children
Naborly is provided to people through their employer or membership organisation and is not directed at children. [Counsel to confirm the appropriate age statement for Denmark.]
10Changes to this notice
If we change how we handle your data, we will update this page and the effective date above, and tell you in advance where the change is significant.
11Contact
For anything in this notice, or to make a data request, contact sander@naborly.io.