Privacy & personal data processing

1. Scope and data subjects

This policy applies to the processing of personal data by Norvik Tech SAS in connection with the Semsei product: use of the public website (Spanish and English routes), contact forms, account registration, support, and provision of the SaaS (content generation and optimization, integrations with customer stores or sites).

Data subjects may include natural persons who register, contract, use forms, or interact with the platform on behalf of an organization (where contractual duties may also apply to the customer company).

2. Legal framework

In Colombia, processing follows the Political Constitution, Law 1581 of 2012, Decree 1074 of 2015 (commerce, industry, and tourism provisions replacing in relevant part Decree 1377 of 2013), and other applicable rules.

Where the data subject is in the EEA, UK, or other jurisdictions with data protection laws, additional provisions (e.g. GDPR) may apply to the extent Norvik is required to comply as controller or processor, including access, rectification, erasure, restriction, objection, portability, and complaints to supervisory authorities.

3. Product definitions (SEO, GEO, SEM)

Besides legal definitions (data subject, personal data, processing, controller, processor, authorization, etc.), for this policy:

• GEO:Optimization for generative search engines (AI), which may involve processing search-intent or content-structure data supplied by the customer.
• SEM:Management or analysis of paid search when the customer configures it, using aggregated or customer-supplied performance data.
• Integration (API / plugin / app): Technical connection between Semsei and the customer environment (e.g. Shopify, WordPress, or other systems the customer authorizes).

4. Data we collect

Depending on your interaction with Semsei:

• Identity and contact: name, email, role, company, phone, or other fields you provide in registration, billing, or contact forms.
• Store or site data: URLs, product or page metadata, categories, posts, template structure, and content needed for authorized generation or publishing.
• AI and brand settings: keywords, descriptions, tone, content instructions; API keys only if you choose to supply them to connect your own providers.
• Account and authentication: technical identifiers managed via providers such as Clerk (sign-in and security).
• Browsing and device data: IP address, cookies, session IDs, technical logs, and — if you accept our cookie notice — analytics or campaign data (UTM, aggregated events).
• Payments: payment processing is usually handled by payment providers; Norvik may receive transaction or billing identifiers without storing full card numbers on Semsei unless the checkout flow states otherwise.

We do not ask for more data than reasonably necessary for each purpose.

5. Purposes of processing

• SaaS delivery: generating, editing, and publishing authorized content; SEO/GEO analysis; recommendations and dashboards per your plan.
• Technical integration: syncing with your platforms via approved APIs or connectors.
• Billing and contract: subscriptions, taxes, and applicable accounting duties.
• Support and security: incident handling, fraud and abuse prevention, service stability.
• Communications: responding to contact requests; operational or legal notices; marketing only where permitted by law or consent.
• Legal compliance: responding to lawful requests from authorities when required.

6. Authorization and legal bases

Processing is based, as applicable, on your consent (where required), contract performance or pre-contract steps at your request, legal obligations on Norvik, legitimate interests (e.g. network security, abuse prevention, aggregated product improvement), and consent for optional purposes (non-essential cookies or extra marketing), which you may withdraw without affecting prior lawful processing.

8. Processors and subprocessors

Norvik may use processors for hosting, authentication, transactional email, analytics (if you consent), payment gateways, anti-fraud captcha, and other auxiliary services. Examples, depending on configuration:

• Cloud infrastructure and CDN.
• Clerk — authentication and sessions.
• AI model providers (e.g. Google, Anthropic).
• hCaptcha or similar verification on forms.
• Email providers for notifications or contact forms.
• Payment processors per active billing flow.

Processors are contractually bound to process data only on Norvik's instructions and with appropriate security.

9. International transfers

Some servers and providers may be located outside Colombia (e.g. United States or EU). Where Colombian law requires authorization or safeguards for transfers, Norvik will seek to comply. For GDPR, Standard Contractual Clauses, adequacy decisions, or other recognized mechanisms may apply.

Using the service acknowledges that cloud and AI operations often involve cross-border flows necessary to deliver the SaaS.

10. Retention

We keep data while the contractual relationship exists or a legitimate interest applies, and thereafter as needed to defend claims, meet legal duties, or audit. When periods expire, we delete or anonymize where possible unless law requires longer retention.

Cookie and analytics retention follows our Cookie Policy.

11. Data subject rights (habeas data and others)

You may exercise, among others:

• Access, update, rectification, and erasure.
• Proof of authorization where applicable.
• Withdraw consent and/or object to certain processing, without undue retroactive effect.
• Lodge complaints with Colombia's Superintendence of Industry and Commerce (SIC) (sic.gov.co) or the authority in your jurisdiction.

12. How to exercise your rights

Email admin@norvik.tech with subject line: Data subject request — Semsei, identifying yourself, describing your request, and attaching reasonable proof of identity where needed to prevent impersonation.

We will respond within applicable legal timeframes (as a reference, up to 10 business days for queries and 15 business days for complaints under Colombian rules, unless a different rule or justified complexity applies).

13. Security

We apply technical, administrative, and human measures appropriate to risk: encryption in transit (HTTPS), access controls, environment separation, backups, and review of critical vendors. Integrations (e.g. Shopify, WordPress) should use least-privilege credentials and permissions.

14. Minors

Semsei is not directed at people under 18. If we learn we have collected data from a child without valid parental or guardian consent, we will delete or block it where feasible.

15. Cookies and similar technologies

Cookie use and consent on the marketing site is described in our Cookie Policy. Analytics or advertising tags load only according to your choices in the preferences panel.

16. Changes and validity

We may update this policy for legal or product changes. The current version is published on this page with its update date. Continued use after material changes may require renewed acceptance where law or contract requires.

Informational text:this document summarizes Norvik's practices for Semsei and is not a substitute for individual legal advice. B2B relationships may be subject to additional contract terms.