
Privacy policy.

This policy explains what data Fyord collects, why, and how to reach us about it. We tried to keep it short and plain. If anything is unclear, email hello@getfyord.com.

1. Who we are

Fyord is operated by Blue House Technologies Sp. z o.o., a Polish limited liability company.

  • Address: Wspólna 17, 16-300 Augustów, Polska
  • VAT ID: PL8461666787
  • Contact: hello@getfyord.com
  • Marketing site: getfyord.com
  • App: app.getfyord.com

Fyord is a B2B tool that reads order emails and drafts them into Fortnox for wholesalers.

2. Data we collect

Marketing site

Standard server logs (IP address, user agent, timestamp) kept briefly for security and abuse prevention, plus anonymous performance telemetry from Vercel Speed Insights for Core Web Vitals monitoring. No advertising trackers.

Account

When you sign up, we store your email, name, and organisation information through our authentication provider (Clerk), plus the organisation you belong to and your role in it.

Service data

  • Email content you direct us to process. When you connect a mailbox, we read messages matching the rules you configure in order to draft orders from them.
  • OAuth tokens for Fortnox and Microsoft (Outlook), stored encrypted. You can revoke them at any time from your settings or directly with the provider.
  • Draft orders and processing logs produced by Fyord, kept so you can review, approve, and audit what the system did.

Billing

Subscription and payment data is handled by Polar.sh as our merchant of record (Polar uses Stripe under the hood). We receive the minimum needed to know which plan you are on and whether it is paid. We never see your card number.

3. Legal basis (GDPR Art. 6)

  • Contract performance — Art. 6(1)(b): running the service you signed up for, including reading your connected mailbox and drafting orders into Fortnox.
  • Legitimate interest — Art. 6(1)(f): security, fraud prevention, service logs, product support, anonymous performance metrics.
  • Legal obligation — Art. 6(1)(c): tax and invoicing records we must keep under Polish law.
  • Consent — Art. 6(1)(a): anything that asks you explicitly. You can withdraw consent at any time.

4. Controller and processor

For your account and billing data, and anything we collect on the marketing site, Fyord is the data controller.

For the email content you direct us to process — which often contains personal data about your own customers — you are the controller and Fyord acts as a processor on your instructions. You decide what we read, how long drafts are retained, and when we stop.

5. How we use data

  • To run the service: read connected mailboxes, draft orders, push approved drafts to Fortnox.
  • To bill you and keep required financial records.
  • To respond to support requests.
  • To keep the service secure and investigate abuse.
  • To improve the product in aggregate, using anonymous metrics.

We do not sell personal data. We do not share it with advertisers.

6. AI processing and human approval

Fyord uses state-of-the-art large language models from OpenAI and/or Anthropic, called via API, to convert email content into draft Fortnox orders. Relevant email text is sent to the AI provider to generate the draft.

AI-generated drafts are suggestions, not finished orders. Every draft requires explicit human approval inside Fyord before anything is written to Fortnox. AI can make mistakes — wrong SKU, wrong quantity, wrong customer. You are responsible for reviewing each draft before approving it. Fyord is not liable for errors in AI output that are approved and acted upon. See our Terms for the full disclaimer.

7. Sub-processors

We use the following service providers to deliver Fyord. Each one processes data on our instructions, under contract.

  • Convex — application database and backend functions. EU region.
  • Vercel — Next.js hosting and Speed Insights. EU region for compute and storage.
  • Clerk — authentication and user identity. Clerk is GDPR-compliant and DPF-certified; Clerk does not currently offer region selection, so identity data may be processed in the United States.
  • Fortnox — your own ERP, connected by you via OAuth. We push approved orders to your Fortnox account.
  • Microsoft Graph — your own Outlook mailbox, connected by you via OAuth. We read messages from it on your instruction.
  • OpenAI and/or Anthropic — AI model providers used to draft orders. Email text relevant to a draft is sent to the configured provider via API; data may be processed outside the EU depending on provider routing.
  • Polar.sh (using Stripe under the hood) — merchant of record for billing and payment processing.

Material additions to this list are announced to active customers in advance.

8. Data retention

  • Account data: kept while your account is active.
  • Email content and drafts: retained for as long as your workspace is active.
  • Operational logs: a nightly job prunes per-tenant telemetry on the following fixed schedule:
    • Frontend errors — 90 days
    • External API calls (Fortnox, Microsoft Graph) — 180 days
    • AI agent runs — 365 days
    • Security audit log — 7 years
  • Billing records: kept as long as Polish tax law requires (generally 5 years).
  • On cancellation: email hello@getfyord.com to request workspace deletion — see section 10.

9. International transfers

Your primary service data is stored in the EU. Some sub-processors — notably the AI APIs and Clerk — may process data outside the EU. Where that happens, transfers rely on the European Commission's Standard Contractual Clauses, the EU–US Data Privacy Framework, or another lawful transfer mechanism.

10. Your rights

You have the rights GDPR gives you over your personal data, including access, rectification, erasure, restriction, portability, and objection.

Data export and deletion: To request a copy of your data or to delete your workspace, email hello@getfyord.com. We respond within 30 days per GDPR Article 12. The audit log is retained as required for legal accountability under Art. 5(2).

For any other right, email hello@getfyord.com and we will respond within the time GDPR allows.

For B2B customers who need a signed Data Processing Agreement, we publish a working DPA template based on the EU Standard Contractual Clauses (Module Two — controller-to-processor). Send a redline to hello@getfyord.com and we will counter-sign or counter-redline within ten business days under standard market terms.

11. Cookies

The marketing site uses no advertising or tracking cookies. The app uses essential cookies only — currently a session cookie from Clerk to keep you logged in.

12. Security

OAuth tokens are encrypted at rest. All traffic is TLS-only. Access to production data is limited to engineers who need it and is logged.

13. Changes to this policy

We may update this policy as the product evolves. The “Last updated” date below always reflects the current version. Material changes are communicated to active customers by email before they take effect.

14. Contact

Email hello@getfyord.com. For formal correspondence use the postal address in section 1.


Last updated: May 4, 2026
Version 1.3