NaborlyBack to naborly.io
All legal documents

Privacy notice.

Effective date: [to confirm on review].

Draft for review. Naborly ApS prepared this document for review by Danish legal counsel. It describes our intended practices and is not yet in force. Items in square brackets are pending confirmation. The binding version will be published here once reviewed.

This notice explains how Naborly ApS handles personal data when you use Naborly. It applies to the people who use the employee app at app.naborly.io, the administrators who manage an organisation at admin.naborly.io, and visitors to naborly.io. Naborly is a benefits platform: your employer or membership organisation connects you to a curated set of privileges from other organisations in the network.

1Who is responsible for your data

Naborly ApS (CVR [to confirm], [registered address], Copenhagen, Denmark) is the data controller for the personal data described here. For privacy questions, data requests, or to reach the person responsible for data protection, contact sander@naborly.io.

Where your employer or membership organisation decides which of its people may join and configures its own account, that organisation acts as an independent controller for those decisions. Naborly is the controller for operating the platform itself.

2The data we collect

Account and identity
Your name, work email address, preferred language, and the organisation you belong to. Most of this comes from your organisation or from you when you first sign in.
Preferences you tell us
The categories you choose during setup and how strongly you weight them, so your feed reflects what you care about. You can change these at any time.
How you use the app
Records of the privileges you view, save, and redeem, and similar activity, so the platform works and so your feed and reminders stay relevant.
Approximate location, if you provide it
A home or work area you set to find in-person privileges nearby. We round this to roughly 100 metres before storing it, and we never share it with partner organisations.
Communications
Emails and in-app notifications we send you, and your preferences for them, including whether you opted in to non-essential messages.
Technical data
Standard information your device sends, plus essential cookies and local storage needed to keep you signed in. See the cookie policy.

4What we never do

We do not sell your personal data. We do not share your identity or contact details with the partner organisations whose privileges appear in your feed. Partners receive only aggregate, de-identified activity, and only where the numbers are large enough that no individual can be recognised.

5Service providers who process data for us

We work with a small set of providers who process data on our instructions under data processing agreements: hosting and database (Supabase), application hosting and delivery (Vercel), transactional email (Resend and Amazon SES), error monitoring (Sentry), maps for the nearby view (MapTiler), and the AI services we use to prepare and translate the editorial content shown in the app (Anthropic and Voyage AI). Billing between Naborly and organisations is handled through Stripe and involves organisation billing contacts rather than members.

Some of these providers operate outside the EU and EEA. Where that is the case, transfers rely on an approved safeguard such as the European Commission’s Standard Contractual Clauses. [Counsel to confirm the per-provider transfer mechanism and complete the subprocessor list before publication.]

6How long we keep it

We keep your account and preference data while you have access through your organisation, and for a limited period afterwards so the experience is consistent if you return. Records required for accounting are retained for five years in line with the Danish Bookkeeping Act (Bogføringsloven). We remove or anonymise activity data on a rolling basis once it is no longer needed for the purposes above. [Specific retention periods to confirm on review.]

7Your rights

Under the GDPR you can ask us to give you a copy of your data, correct it, delete it, restrict or object to how we use it, and receive it in a portable form. Where we rely on consent, you can withdraw it at any time. To exercise any of these, contact sander@naborly.io and we will respond within the time the law allows.

If you believe we have handled your data incorrectly, you can complain to the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, dt@datatilsynet.dk.

8How we protect it

Data is encrypted in transit and at rest. Each organisation’s data is isolated at the database layer, access is limited to what each role needs, and staff accounts with access require multi-factor authentication. We log privileged actions for accountability.

9Children

Naborly is provided to people through their employer or membership organisation and is not directed at children. [Counsel to confirm the appropriate age statement for Denmark.]

10Changes to this notice

If we change how we handle your data, we will update this page and the effective date above, and tell you in advance where the change is significant.

11Contact

For anything in this notice, or to make a data request, contact sander@naborly.io.