Privacy Policy

Last updated: February 20, 2026

Uldal Tech ("we", "us", "our"), trading as MikoAdviser, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).

Data Controller

Uldal Tech is the data controller for the personal data processed through this Service.

  • Company: Uldal Tech
  • Organization number: 937 136 536 (Foretaksregisteret)
  • Address: Gøteborggata 26, 0566 Oslo, Norway
  • Email: privacy@mikoadviser.com

1. Information We Collect

1.1 Information You Provide

We collect information that you provide directly to us:

  • Account Information: Name, email address, password, organization name
  • Customer Data: Customer names, contact information, assessment answers
  • Payment Information: Billing address, payment method details (processed by our payment provider)
  • Communications: Support requests, feedback, correspondence with us

1.2 Information Collected Automatically

When you use our Service, we automatically collect:

  • Usage Data: Pages visited, features used, time spent on the Service
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, referring URLs

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information
  • Send you technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze trends, usage, and activities
  • Detect, investigate, and prevent fraudulent or unauthorized activities
  • Personalize and improve your experience

3. Legal Basis for Processing (GDPR Art. 13)

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases, mapped to each processing purpose:

Processing Purpose: Legal Basis

  • Account creation and authentication: Contract performance (Art. 6(1)(b))
  • Providing license recommendations via the assessment engine: Contract performance (Art. 6(1)(b))
  • Payment processing and billing: Contract performance (Art. 6(1)(b))
  • Sending transactional emails (order confirmations, password resets): Contract performance (Art. 6(1)(b))
  • Sending product update and notification emails: Legitimate interests (Art. 6(1)(f))
  • Security monitoring, fraud prevention, and abuse detection: Legitimate interests (Art. 6(1)(f))
  • Service improvement and usage analytics: Legitimate interests (Art. 6(1)(f))
  • Setting non-essential cookies (analytics, functional): Consent (Art. 6(1)(a))
  • Retaining financial records (invoices, payment history): Legal obligation (Art. 6(1)(c)) — Norwegian bookkeeping law

3.1 Legitimate Interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights. Our legitimate interests include:

  • Security: Protecting the Service and our users from unauthorized access, fraud, and abuse (e.g., rate limiting login attempts, monitoring for suspicious activity)
  • Service improvement: Analyzing aggregated usage patterns to improve features and user experience
  • Communication: Sending product updates and feature announcements relevant to your subscription (you may opt out at any time via the unsubscribe link in each email)

3.2 Provision of Personal Data

Providing your name, email address, and organization name is a contractual requirement necessary to create an account and use the Service. If you do not provide this information, we cannot provide the Service to you. All other data (e.g., customer assessment data, preferences) is voluntary and provided at your discretion.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

  • Service Providers: Third parties that perform services on our behalf (hosting, payment processing, email delivery)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you have given us permission

4.1 Sub-processors

We use the following sub-processors to operate the Service. Data Processing Agreements (DPAs) are in place with each provider:

  • Vercel Inc.: Application hosting and infrastructure (USA, EU-US DPF certified)
  • Supabase Inc.: Database hosting (EU region, DPA with SCCs)
  • Resend Inc.: Email delivery (USA, EU-US DPF certified)
  • Stripe Payments Europe Ltd.: Payment processing (Ireland/USA, EU-US DPF certified). Stripe processes payment information directly; we do not store credit card numbers.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specific retention periods:

  • Account data: Retained while your account is active. After account deletion, data is soft-deleted and permanently purged within 7 days.
  • Assessment data: Retained while the associated customer record exists.
  • Audit logs: Retained for 2 years for security and compliance purposes.
  • Payment records: Retained for 5 years as required by Norwegian bookkeeping law (bokføringsloven).
  • Cookie consent records: Retained for 1 year from the date of consent.

You can request deletion of your data at any time by contacting privacy@mikoadviser.com. We will respond within 30 days as required by GDPR Article 12.

6. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request restriction of processing
  • Portability: Request transfer of your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@mikoadviser.com.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Regular security assessments
  • Access controls and authentication
  • Employee training on data protection

8. Automated Decision-Making (GDPR Art. 22)

The Service includes a license recommendation engine that analyzes your assessment answers and produces ranked Microsoft 365 license suggestions. This processing is:

  • Not solely automated: Recommendations are advisory and presented to the consulting user for review. No binding decisions are made without human involvement.
  • Rule-based: The engine uses predefined scoring rules (coverage, security, productivity, cost) based on publicly known Microsoft license features. It does not use machine learning or profiling.
  • Transparent: Each recommendation includes a breakdown of why licenses were scored as they were, allowing the user to evaluate and override the suggestion.

Because no decisions with legal or similarly significant effects are made solely by automated means, Art. 22 restrictions do not apply. However, we disclose this processing for full transparency.

9. International Data Transfers

Your information may be transferred to and processed in countries outside the EEA, primarily the United States. We ensure appropriate safeguards are in place for all transfers:

  • EU-US Data Privacy Framework (DPF): Our US-based sub-processors (Vercel, Resend, Stripe) are certified under the DPF, recognized by the European Commission as providing adequate protection.
  • Standard Contractual Clauses (SCCs): All sub-processor agreements include SCCs as an additional safeguard.
  • Database hosting: Our primary database (Supabase) is hosted in the EU region to minimize international transfers.

We monitor developments regarding international data transfers, including guidance from Datatilsynet and the European Data Protection Board (EDPB). The EU-US DPF adequacy decision is subject to periodic review and potential legal challenges. Should the DPF be invalidated, we will rely on the Standard Contractual Clauses already in place with all sub-processors as a fallback safeguard. We will update our transfer mechanisms as necessary.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Art. 34
  • Document the breach, its effects, and remedial actions taken

11. Cookies and Tracking

We use cookies and similar technologies as described in our Cookie Policy. We only set non-essential cookies after you have given explicit consent, in accordance with the Norwegian Electronic Communications Act (ekomloven). You can manage your cookie preferences at any time via the "Cookie Settings" link in the website footer.

Note: We use Vercel Web Analytics for aggregated traffic insights. Vercel Analytics does not use cookies and does not collect personally identifiable information.

12. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We will also send email notification for material changes, as required by GDPR Art. 13.

14. Data Protection Contact

For questions about this Privacy Policy or our data practices, contact our data protection contact person:

Email: dpo@mikoadviser.com

As a small B2B SaaS provider, we are not required under GDPR Art. 37 to appoint a formal Data Protection Officer. However, we have designated a data protection contact to handle all privacy-related inquiries with the same level of care.

15. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Norwegian Data Protection Authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway
Phone: +47 22 39 69 00
www.datatilsynet.no

16. Contact Us

For any questions about this Privacy Policy, please contact us at:

Uldal Tech
Gøteborggata 26, 0566 Oslo, Norway
Email: privacy@mikoadviser.com