Introduction
Last Updated: April 21, 2025
Your privacy is important to us. This Privacy Policy explains how Rokter AS (“we”, “us”, or “our”) collects, uses, discloses, and safeguards your personal data in connection with the use of CEOTXT (the “Service”). CEOTXT is a SaaS tool operated by Rokter AS in Norway and includes our website (e.g., marketing site, landing pages, waitlist sign-up, and content pages) as well as our web/mobile application (provided via the Adalo platform). This Policy applies to all personal data we collect through our Service, whether you are a visitor to our website or a registered user of our app.
We are committed to protecting your data and being transparent about our privacy practices. CEOTXT is designed to comply with applicable privacy laws, including the European Union General Data Protection Regulation (GDPR) and relevant United States laws such as the California Consumer Privacy Act (CCPA). We provide the details below so you know exactly what information we collect, what we do with it, and what rights you have regarding your data.
By using CEOTXT or by providing us with your personal information (for example, by signing up on our waitlist or creating an account), you agree to the terms of this Privacy Policy. If you do not agree with this Policy, please do not use the Service. We encourage you to read this Policy carefully and contact us if you have any questions.
Who is Responsible for Your Data?
For the purposes of European data protection law, Rokter AS (address: Teknologiveien 11, 8517 Narvik, Norway) is the “data controller” of your personal data. This means Rokter AS determines the purposes and means of processing personal data collected through CEOTXT. You can contact us using the information at the end of this Policy for any questions or requests regarding your personal data.
If you are using CEOTXT as an authorized user on behalf of an organization (e.g., your employer), that organization may also be a data controller of your personal data. Please ensure you have permission from your organization to use CEOTXT and share any required personal information with us.
Information We Collect
We collect several types of information from or about you, including:
1. Information You Provide to Us
You may directly give us information in various situations, such as:
- Account Registration: When you sign up for CEOTXT or join a waitlist, we ask for basic contact and identity information. This typically includes your name and email address, and may include your phone number (for SMS features) and company name. If a password is required for account login, we store a hashed version of your password, not the plaintext.
- Profile and Usage Data: Within the CEOTXT app, you may input data related to your business metrics, goals, notes, and other content. For example, you might enter weekly figures or personal notes. Any such data you actively enter into the Service is stored to provide you functionality (e.g., generating a weekly summary). This data might include personal information if you choose to input it (for instance, if you input names of team members or financial figures identifiable to a person), but generally it is business-related information.
- Payment Information: If you subscribe to a paid plan, you will provide payment details. We use Stripe to process payments, so you will typically provide your credit card number, billing address, and other payment details directly to Stripe in our integrated checkout form. We do not receive or store your full card number. We do receive information such as the last four digits of your card, card brand, expiration, and a payment token or transaction ID, which we store to keep track of your subscription status. We also record your subscription plan selections, payment history, and account status.
- Communications: If you communicate with us directly (for example, by sending an email to support, filling out a contact form, or participating in surveys/feedback requests), we will collect the information you provide. This could include your contact information, the content of your message, and any attachments or other information you choose to provide. If we offer a chat support feature or respond via SMS or email, those communications will be stored.
- Waitlist or Marketing Sign-up: If you sign up for a waitlist or newsletter on our website, we will collect your email and possibly your name or other info you submit for that purpose. We will use this to send you updates about CEOTXT (e.g., launch announcements or marketing communications) as per your request.
Please note: We do not intentionally collect any sensitive personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or data concerning sexual orientation) from users. We also do not require any government-issued identification numbers or financial account numbers outside of payment processing. We ask that you do not upload or provide sensitive personal data in using CEOTXT, as the Service is not intended to process such data. Any payment-related sensitive data (like credit card details) should only be entered in the secure Stripe payment form, not elsewhere.
2. Information We Collect Automatically
When you use our website or app, we and our third-party partners automatically collect certain information about your device and usage of the Service:
- Device and Usage Data: We collect log data about your interactions with CEOTXT. This may include your IP address, device type (e.g., laptop, smartphone), operating system, browser type, browser language, and time zone. We also log information such as the pages or screens you view, the dates/times of your visits, the features you use, clickstreams (the path you take through our pages), and how you interact with elements of the Service.
- Cookies and Similar Technologies: We use cookies (small text files stored on your browser or device) and similar tracking technologies (such as web beacons, pixels, and local storage) to collect information about your website usage and to remember your preferences. For example, we use cookies to keep you logged in to your account, to understand how you navigate our site, and to personalize your experience. We also use cookies for analytics purposes (described below). You can manage cookie preferences through your browser settings, and you can read more in the “Cookies and Tracking” section below.
- Analytics Data: We partner with analytics providers to better understand how users engage with CEOTXT. Google Analytics is used on our website to gather information like what site you came from, how much time you spend on each page, and what kind of device you are using. Google Analytics may set cookies or collect device identifiers to track user interactions. We have configured Google Analytics in compliance with Google’s policies and, where applicable, have enabled settings like IP anonymization (to truncate your IP address within the EU). Hotjar is another tool we use on our website to gain insights into user behavior. Hotjar might record anonymized user sessions, capturing mouse movements, clicks, scrolling, and form inputs (excluding sensitive fields) to help us identify usability issues. Hotjar also may deploy cookies for its operation. HubSpot is used for customer relationship management and marketing analytics: if you have given us your email via a form, HubSpot helps us track your site visits, email opens/clicks, and interactions with our content. HubSpot may place a tracking cookie to associate your site usage with your email once you identify yourself by filling a form.
- Mobile App Data: If you use our app (including if accessed through a mobile browser or an Adalo-built app), we may collect device identifiers (such as your device’s unique ID or advertising ID), and crash/diagnostic information if the app crashes or encounters errors. The app might store data locally on your device (via local storage or database) to improve performance, but that data syncs with our servers.
- Location Information: We do not specifically request or track your precise geographic location (e.g., via GPS) in the Service. However, we may infer general location information (such as city or country) based on your IP address to understand where our users are located globally, for purposes like language settings, compliance (e.g., GDPR jurisdiction), or analytical insights.
3. Information from Third Parties
In general, we collect data directly from you or through your use of CEOTXT. We do not purchase personal data from data brokers, nor do we obtain information about you from public databases or other external sources, except in a few cases:
- Third-Party Authentication: (Note: Currently, CEOTXT uses its own sign-up; if in the future we allow sign-in via Google, LinkedIn, or other providers, we would receive basic profile info from them. As of the last updated date, we do not use third-party login, so this does not apply.)
- Referrals: If someone refers you to CEOTXT (for example, by using a referral link or by inputting your email to invite you), we collect the information provided about you (such as your email). We will use it to send an invitation or informational message, and we will identify the person who referred you in that communication where required by law. If you receive an email invite and do not wish to join or be contacted further, you can ignore or opt out, and we will remove your information on request.
- Service Providers & Partners: We might receive some information from service providers in the course of providing service to us. For instance, when we send an SMS via ClickSend, we get delivery status information (like whether the SMS was delivered or failed). Or if you make a payment via Stripe, we get a confirmation from Stripe of your payment and possibly updated billing info (e.g., updated card expiry or a billing address that you provided to Stripe).
- Aggregate Analytics Reports: Our third-party analytics tools (Google Analytics, Hotjar, HubSpot) might provide us aggregated information or benchmarks (which do not identify individuals) – e.g., “X% of users accessed via mobile,” or “opening rate of onboarding emails.” This helps us understand usage patterns.
We do not knowingly collect personal information from any children under the age of 13, and CEOTXT is not intended for minors (see “Children’s Privacy” below for more detail).
How We Use Your Information
We use the collected information for the following purposes:
- To Provide and Maintain the Service: We process your registration information to create and maintain your account. We use your inputted data to display it back to you and compute any summaries or analytics within the app. Your phone number and email are used to deliver the automated weekly SMS summaries, reminders, and other notifications that are a core feature of CEOTXT. Essentially, all the core features of the Service (like saving your metrics, sending you nudges, showing you dashboards) require us to process your data in one way or another.
- To Process Payments: If you subscribe to a paid plan, we use personal data to manage billing. For example, we use your provided payment information (via Stripe) to charge subscription fees, and your contact information to send receipts or billing notices. We may also use your address or tax-related information if needed for invoicing or tax calculations (for instance, determining if VAT applies).
- To Communicate with You:
  - Service and Account Communication: We use your contact information (email, and phone for SMS) to send transactional communications: such as account verification emails, password reset messages, subscription confirmations, billing receipts, alerts about important changes or security events (e.g., new device login), and customer support responses. These communications are necessary for operating the Service and safeguarding your account.
  - Reminders and Nudges: As part of our Service’s functionality, we send periodic reminder messages (via SMS or possibly email/push notifications) to encourage you to enter your metrics or review your performance. These are automated based on your usage (for example, if it’s time to input weekly data, the system may send you a nudge). You can configure some of these reminders within the app (where that option is provided) or opt out by contacting us, but note that they are integral to the CEOTXT experience.
  - Marketing and Newsletters: With your consent or as otherwise permitted, we may send you marketing communications to inform you about new features, content (like blog posts or guides for CEOs), or promotions we think might interest you. If you were on our waitlist or expressly agreed to receive updates, we will send you announcements such as when CEOTXT launches or special offers. You always have the choice to opt out of marketing emails or texts (unsubscribe links in emails, or replying STOP to SMS marketing if ever sent). We will not spam you; our aim is to send valuable content infrequently. We do not use your phone number for marketing calls or unsolicited texts outside the scope of the Service.
- For Analytics and Service Improvement: We use data (mostly aggregated or pseudonymized) to understand how users interact with CEOTXT so we can improve it. Tools like Google Analytics and Hotjar help us see which features are used most, how users navigate, and where they encounter problems. This informs design decisions and feature improvements. We might also analyze metrics like user retention, conversion rates from our waitlist to signups, or the effectiveness of our nudges (e.g., do users who receive SMS reminders update their metrics more regularly?). Additionally, we may run A/B tests or pilot new features with small user groups and use data to decide whether to roll them out to everyone.
- To Prevent Fraud and Ensure Security: We process personal data as needed to monitor, investigate, and prevent fraudulent or illegal activities on the Service. For example, we might use IP addresses and login history to detect abuse of multiple accounts or to flag suspicious logins. We keep activity logs which can be audited if we suspect violations of our Terms of Service or if needed for security diagnostics. If necessary, we may use information like device data or account information to enforce our Terms, such as banning a user who is misusing the platform or launching attacks.
- To Comply with Legal Obligations: We will use and retain your information as needed to fulfill our legal and regulatory obligations. For example, financial regulations may require us to keep transaction records (which include personal data like name, transaction amount, date) for a certain number of years. If we receive a lawful subpoena or court order, we may need to preserve and disclose data as required by law. We also may use your data to respond to rights requests under privacy laws (for instance, using your email to verify your identity when you request data access or deletion).
- To Facilitate Corporate Transactions: Although not an everyday use, if Rokter AS is involved in a merger, acquisition, investment, or sale of all or a portion of its assets, your information may be reviewed as part of due diligence or transferred to the parties involved with appropriate safeguards and notice (see "Data Sharing" below). In such cases, we would use your data to the extent necessary to evaluate or execute the transaction while maintaining confidentiality.
- With Your Consent (for specific purposes): In certain situations, we might ask for your consent to use your information for a purpose that is not already covered by the ones above. If you provide consent, you can always withdraw it later by contacting us. One example could be if we ever wanted to use a testimonial or success story – we would ask your permission to quote your experience or results on our website.
We will not use your personal data for completely unrelated purposes without notifying you and, if required, obtaining your consent. We do not use automated decision-making, such as profiling, that produces legal effects or similarly significant effects on you without human involvement – except the automated features you signed up for (like sending a reminder if you haven’t updated a metric, which does not have legal effect).
Legal Bases for Processing (GDPR Compliance)
If you are located in the European Economic Area (EEA) or United Kingdom, we must have a legal basis for processing your personal data. Depending on the specific situation, our legal basis may be one of the following:
- Performance of a Contract: Most of our data processing is justified by the fact that it is necessary to perform the contract between you and us. When you sign up for CEOTXT, you enter into an agreement (our Terms of Service) with us, and we need to process your data to provide the Service as promised. For example, using your email to create an account, your phone number to send SMS summaries, and your inputs to generate outputs are all part of providing the contracted Service.
- Consent: We will rely on your consent in certain cases. For instance, sending marketing emails or text messages to you is based on your consent (or soft opt-in in some cases if you provided your email in the context of a sale or negotiation of a sale, as permitted by law). Also, placing non-essential cookies or using Hotjar to record sessions might be based on consent (depending on how we implement cookie consent on our site). Wherever we rely on consent, you have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing done before the withdrawal.
- Legitimate Interests: We process some data for purposes that are in our legitimate interests, provided those are not overridden by your data protection rights. Our legitimate interests include improving and ensuring the stability of our Service, understanding our user base, and communicating with our users to enhance their experience. For example, analyzing usage data to improve features, or contacting existing customers with product updates may be based on legitimate interest. When we process on this basis, we take steps to minimize the impact on your privacy (such as anonymizing data for analysis where feasible, or providing easy opt-outs for communications).
- Legal Obligation: In cases where we need to comply with a legal obligation, such as retaining certain records for tax, accounting, or complying with a binding law enforcement request, we will process and retain data as required. For example, Norwegian accounting laws might require us to keep invoice data (which includes personal data like name and address on the invoice) for a set number of years.
- Vital Interests or Public Interest: These bases are unlikely to apply for CEOTXT’s typical operations. We do not normally process personal data to protect someone’s life (vital interests) or to perform a task carried out in the public interest. If such a scenario ever arose (e.g., an emergency situation where data processing could prevent harm), we would only do so in compliance with the law.
If you have questions about the legal basis of how we process your data, contact us and we will explain which basis applies to a particular processing activity.
How We Share and Disclose Information
We understand that your personal data is important, and we are not in the business of selling it to third parties. We share information in the following circumstances:
- With Service Providers (“Processors”): We employ third-party companies and individuals to facilitate our Service, to perform certain tasks on our behalf, or to assist us in analyzing how our Service is used. These third parties are subprocessors who provide a variety of services, and they are contractually bound to access personal data only as needed to perform their functions and to keep it confidential. The key subprocessors we use include:
  - Stripe: for payment processing. Stripe handles your payment transactions securely. They will have access to personal and financial information necessary to process payments, such as your name, card details, billing address, and email. Stripe is PCI-DSS compliant and also offers GDPR compliance via standard contractual clauses for data transfers.
  - ClickSend: for sending SMS messages. We share your phone number and the content of the SMS (e.g., your summary or reminder text) with ClickSend to deliver the message to your phone carrier. ClickSend may process this data through servers possibly located outside the EU (e.g., in the US or Australia), but they have committed to GDPR and CCPA compliance. They act on our instructions to send you the messages you expect.
  - Adalo (and underlying hosting providers): Our application is built on Adalo’s platform, which means that Adalo acts as a data processor by hosting our app and database. Your data in CEOTXT (account info, metrics, etc.) is stored on Adalo’s servers (which may be hosted on Amazon Web Services). As of our last information, Adalo’s primary servers are located in the United States. Adalo has implemented Standard Contractual Clauses (SCCs) and other measures to comply with GDPR for EEA data transfers. Adalo and its cloud providers (like AWS) only access your data as needed for hosting and technical operations.
  - Google Analytics: for website analytics (as described above). Google may process certain user data (like IP, cookies, device identifiers) to provide aggregated insights. In doing so, data might be transferred to Google’s servers in the United States. We have a data processing agreement with Google and rely on their standard contractual clauses for GDPR compliance. Google does not get to use our site’s analytics data for their own purposes beyond providing services to us.
  - Hotjar: for user experience analytics. Hotjar stores data (like recordings and heatmaps) on servers in the EU (Hotjar is based in the EU, Malta). They act as our processor to analyze user interaction on our site. Personal data such as IP (which Hotjar anonymizes by default), device info, and usage behavior are collected for our internal analysis only.
  - HubSpot: for customer relationship management (CRM) and email communications. We use HubSpot to manage our contact list (e.g., waitlist and users) and to send out emails and updates. If you fill a form or interact with our emails, HubSpot records that information. HubSpot might store data on servers in the US, but they also provide Standard Contractual Clauses for GDPR and are certified under privacy frameworks. HubSpot acts as a processor, meaning they only use your data per our instructions (for example, sending you an email we schedule, or showing us analytics on email open rates).
  - Other Providers: We may use additional cloud services or tools for purposes like: email delivery (SMTP services), data backup, file storage, error tracking (e.g., a service like Sentry, which could capture error logs including user ID or device info), or customer support ticketing. We will update our Privacy Policy or provide a list on our website if we engage significant new subprocessors that handle personal data. All such providers will be vetted for security and privacy commitments.
- Within Our Corporate Group: If Rokter AS has affiliate companies or subsidiaries that require access to data to help process it (for example, if we have a subsidiary assisting in development or support of CEOTXT), we may share data with them. Such affiliates would be bound by the same privacy commitments and this Privacy Policy. As of now, CEOTXT is primarily operated by Rokter AS in Norway, and any internal sharing is limited to our own team members and contractors under confidentiality agreements.
- For Legal Reasons: We may disclose your information if required to do so by law or in response to valid legal requests (such as a subpoena, court order, or government demand). We may also disclose data if we believe in good faith that such disclosure is necessary to (1) comply with a legal obligation, (2) protect or defend our rights, property, or safety, or that of our users or the public, (3) investigate and address violations of our Terms of Service or this Privacy Policy (including cooperating with law enforcement or regulators regarding potential violations), or (4) detect, prevent, or otherwise address fraud, security, or technical issues.
- Business Transfers: If Rokter AS is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction. In such an event, we will ensure the confidentiality of any personal data involved and give affected users notice before personal data becomes subject to a different privacy policy (if the new entity’s handling differs materially). The successor entity would either continue to be bound by this Privacy Policy or you would be given a chance to consent to any new terms.
- With Your Consent: In situations where you explicitly consent to or request a form of data sharing not covered above, we will share your information accordingly. For example, if we were to publish a testimonial on our site with your name, we would only do so with your approval. Or if you use a feature that integrates CEOTXT with another service (say, exporting data to a spreadsheet service via an integration you enable), we will share data at your direction as needed for that integration.
- Aggregate or De-Identified Data: We may also share information that has been aggregated or de-identified in such a way that it no longer reasonably identifies you. For instance, we might publish general statistics about our user base or usage patterns (e.g., “Our average user tracks 5 metrics” or “CEOTXT has users in 10 countries”). Such information will not contain any personal data and is not subject to data protection laws.
No Selling of Personal Information: We do not sell or rent your personal data to third parties for their independent use. In the context of CCPA (California law), “sell” is broadly defined, but we do not exchange your data for money or valuable consideration for others to use for their own purposes. The data we share with third parties is only to help us run our business (as described above), and those third parties are restricted from using the data beyond providing services to us.
Subprocessor List: If you would like a full list of our current subprocessors and third-party service providers who handle personal data, you may contact us and we will be happy to provide an updated list. We aim to be transparent with whom we entrust your data.
Cookies and Tracking Technologies
Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. CEOTXT and our service providers use cookies and similar technologies for several reasons:
- Essential Cookies: These are necessary for our website or app to function properly. For example, we might use a session cookie to keep you logged in as you navigate through the dashboard. If you disable these through your browser, some parts of the Service may not work correctly (such as requiring you to log in repeatedly or not being able to add items to a waitlist form).
- Preference Cookies: These remember your preferences (such as language or time zone, if applicable) to provide a more personalized experience.
- Analytics Cookies: As mentioned, Google Analytics and Hotjar set cookies to collect information about how visitors use our site. These cookies collect information in an anonymous form (in the case of GA, we may have demographic tracking enabled which can give aggregate info on age/gender interests, but that too is not identified to an individual). We use the information to compile reports and to help us improve the site. Examples include cookies that track how long you stay on a page or if you have visited before.
- Marketing Cookies: HubSpot may use cookies to track visitors across our site and possibly to other sites, especially once you have interacted with our marketing (like clicked an email). This helps us tailor follow-up communications or determine what content is of interest. At present, we do not display third-party ads on our site that would use targeting cookies, and we do not allow third-party ad networks to collect information about you from our site.
When you first visit our website, you may see a cookie banner or notice. We will use that to obtain any necessary consent for non-essential cookies, as required by law. If you opt out of certain cookies, those should not be placed (our banner or settings will allow you to toggle categories of cookies).
Managing Cookies: You have the right to decide whether to accept or reject cookies (aside from strictly necessary ones). You can set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you can still use our website but some functionality might be limited. Each browser is a little different; look at your browser’s help menu for instructions on how to change cookie settings. For more information about cookies and how to disable them, you can visit third-party information sites such as aboutcookies.org.
Do Not Track Signals: “Do Not Track” (DNT) is a privacy preference that users can set in some web browsers to signal that they do not wish to be tracked across different sites. Currently, there is no agreed-upon standard for interpreting DNT signals. Our website does not respond to Do Not Track signals in a standardized way. However, as described, you can manage cookies to control tracking. We will continue to monitor the development of DNT standards and may revisit this policy if a standard emerges.
Global Privacy Control (GPC): Similar to DNT, GPC is a setting or browser extension some users enable to indicate a general opt-out of sale/sharing under CCPA. Since we do not sell data, and we only share data for our own business purposes, GPC signals currently do not change our data collection practices. If we detect a GPC signal, we will treat it in accordance with CCPA requirements, meaning we would not sell personal information (which we already do not do). If any tracking on our site could be construed as “sharing” under CCPA (for targeted advertising, for example, but we currently do not do targeted advertising via third parties), we would honor the signal as an opt-out.
For more details on cookies specific to Google Analytics or HubSpot: You can opt out of Google Analytics specifically by installing Google’s opt-out browser add-on. HubSpot cookies can be controlled via our site’s cookie settings or by clearing cookies.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to meet legal requirements. The exact duration may vary depending on the type of data and the purpose of processing:
- Account Information: We keep your account data (like your name, email, profile info, and the data you have stored in CEOTXT) for as long as you have an active account. If you choose to delete your account or if your account becomes inactive for an extended period, we will initiate deletion of your personal data. We may retain certain minimal information after account deletion as described below, but generally, user-generated content and personal details will be purged from active databases.
- User Content: The business metrics and notes you store in CEOTXT will be retained while your account is active. If you delete specific content from within the app, we will remove it such that it’s not accessible to you, though it may remain for a short period in backups. If you delete your account entirely, your content should be deleted from our production systems within a reasonable time frame (often within 30 days). Backup copies might persist longer but are typically overwritten in the normal backup rotation cycle.
- Communications: Emails or support tickets you send us may be retained until we no longer need them to assist you or improve our services. We may keep a record of support correspondence for some time after resolution, in case you contact us again with issues or for training our support team.
- Marketing Data: If you have subscribed to our newsletter or waitlist, we will retain your contact info for marketing until you unsubscribe or request deletion. If you opt out of emails, we may keep your email on a suppression list to ensure we respect your no-contact request.
- Analytics Data: Data collected via Google Analytics, Hotjar, and similar tools is typically retained for a certain period for trend analysis. For instance, we might set Google Analytics data retention to 14 or 26 months (as per Google’s settings options) or even “do not automatically expire,” depending on our needs. However, this data is aggregated, and any user-level data is either pseudonymized or not directly identifiable to your personal profile in our system. You can of course clear cookies or use opt-outs to prevent new analytics data from being collected about you.
- Transaction and Payment Records: We are required by financial regulations to keep payment transaction records. This means invoice records, subscription history, and related personal data (like name, company, transaction amount) will be retained for a number of years as mandated by law (for example, Norwegian law may require keeping records for 5 years, while other jurisdictions might require longer). We will retain those records securely and only use them for compliance (e.g., audits) or any necessary financial dispute resolution.
- Legal Compliance and Protection: If we are dealing with a legal issue or enforcement of terms (e.g., an unresolved dispute, a claim, or an investigation of misuse), we will retain relevant information until the issue is resolved and the information is no longer actively or potentially needed. Additionally, if required by law to keep data for a certain time (such as data preservation orders or statutory retention periods for certain types of data), we will comply with those requirements.
- Backup retention: Our system backups might store snapshots of data including personal information. These backups are secured and only accessed if needed for disaster recovery. Data in backups is typically overwritten or deleted on a rolling basis after a certain duration (e.g., backups might be kept for 30-90 days). We do not access data in backups for any active purpose except restoration.
- Post-termination retention: After you cease using CEOTXT or your account is deleted, we may still keep some anonymized or aggregated data derived from your usage (which no longer identifies you) for statistical purposes. For example, overall metrics or trends that include your usage as part of an aggregate won’t be deleted because they no longer identify you.
In summary, we will either delete or anonymize personal data once it’s no longer needed for the purposes for which it was collected. If complete deletion is not immediately feasible (for instance, data stored in certain long-term archives), we will ensure the data is isolated and protected from further use until deletion is possible.
If you have specific questions about retention for certain data, you can contact us for more detail.
Data Security
We take security measures seriously to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. While no system can guarantee complete security, we implement a range of technical and organizational measures to safeguard your information, such as:
- Encryption: All communications between your browser/app and CEOTXT are encrypted using HTTPS/TLS. This means data (including personal data) is encrypted in transit. We also ensure that sensitive data at rest (like passwords, which are hashed, and any secret keys) are stored encrypted or hashed. For example, any payment information we store (like the Stripe token or last4 of card) is protected, and the actual credit card numbers are handled only by Stripe.
- Access Controls: We restrict access to personal data to authorized personnel of Rokter AS and our trusted subcontractors who need it to operate or improve the Service. Access is granted on a least-privilege basis (only the minimum necessary rights). Our staff are bound by confidentiality obligations and trained on data protection. Administrative access to systems requires authentication (and we employ security best practices like strong passwords and 2-factor authentication where applicable).
- Monitoring and Testing: We regularly monitor our systems for vulnerabilities or breaches. We may use intrusion detection systems and keep audit logs of access to infrastructure. Our team applies security updates and patches promptly to known vulnerabilities. We also periodically test our applications and infrastructure (potentially through security audits or penetration testing) to identify and fix security issues.
- Physical Security: The personal data we handle is stored on cloud servers (via providers like Adalo/AWS, etc.). These providers have their own rigorous physical security at data centers (guards, access control, surveillance, etc.). Within our offices (if any data is stored or accessed on-premises), we ensure that systems are locked and that only authorized team members have access.
- Isolation: Within the Adalo platform or our architecture, your data is logically separated from other customers’ data. This prevents other clients from accessing your data and vice versa, even if multiple apps are hosted on the same platform.
- Secure Development Practices: We follow secure coding guidelines to minimize common security flaws (like injection attacks, cross-site scripting, etc.). We review code and design with security in mind, especially for authentication, data handling, and integration points.
- Subprocessor Safeguards: We choose reputable service providers (like Stripe, AWS, etc.) that have strong security measures. We also have data protection agreements in place with them requiring appropriate security of personal data. For instance, Stripe is PCI compliant for card data; AWS has robust certifications (ISO 27001, SOC 2) for cloud security.
- Data Breach Response: Despite best efforts, if a data breach were to occur, we have a response plan to contain and assess the incident. In the event personal data is compromised, we will notify affected users and the relevant authorities (like the Norwegian Data Protection Authority or other EU supervisory authorities, and individuals as required by GDPR/CCPA and other laws) within the timeframes mandated by law. We would also take steps to mitigate the breach and prevent future incidents.
It’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security. You also play a role in keeping your personal information secure. We encourage you to choose a strong password for your CEOTXT account and not share it. Also, be cautious about phishing attempts — Rokter will not ask you for your password via email or unsolicited messages.
If you have reason to believe that your interaction with us or the Service is no longer secure (for example, you feel your account has been compromised), please contact us immediately so we can assist.
International Data Transfers
Rokter AS is based in Norway (which is part of the European Economic Area), and we primarily operate from Norway. However, the nature of cloud services and the internet means that personal data we collect may be transferred to and stored in countries outside of your own, including countries outside the EEA or your home jurisdiction.
- EEA/UK Users: When we transfer personal data out of the EEA/UK, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards. Many of our service providers (Stripe, Google, HubSpot, etc.) are based in the United States or other countries outside Europe. The U.S. and some other jurisdictions are not deemed by the European Commission to provide an adequate level of data protection. Therefore, for such transfers, we rely on measures like Standard Contractual Clauses (SCCs) (which are contracts approved by the EU/UK that legally bind the receiver of the data to protect it to EU GDPR standards) or other legally recognized transfer mechanisms. For example:
  - Stripe, Google, and HubSpot have incorporated SCCs into their data processing terms for European data.
  - Adalo, as our app platform, uses SCCs for data it processes outside the EU (as mentioned in their terms).
  - ClickSend, if transferring data outside the EEA (e.g., sending an SMS through a telecom in a third country), would similarly be bound by data processing terms ensuring GDPR compliance.
  - We also look at certifications and frameworks. For instance, some providers may be certified under the (now outdated) EU-U.S. Privacy Shield or the newer EU-U.S. Data Privacy Framework. While these frameworks might not by themselves be sufficient post-Schrems II decision, companies that adhered to them typically are serious about privacy and now rely on SCCs as well.
- Your Acknowledgment: By using CEOTXT or providing us with your information, you understand that your personal data may be transferred to our facilities and those third parties with whom we share it as described in this Policy, which may be in countries other than your own. We will always take steps to ensure such transfers comply with applicable privacy laws and that your data remains protected.
- If you are outside the EEA: If you are located outside of the EEA (for example, in the USA), note that your data will be transmitted to and stored in servers that could be in the EEA (Norway) and/or the United States. By using the Service, you consent to your data being transferred to Norway, the United States, and other jurisdictions as necessary. We will process your data in accordance with this Privacy Policy no matter where it is stored.
We understand the concerns around international data transfers and continually monitor guidance from regulatory bodies. If there are significant changes in the law (for example, if new standard contractual clauses are issued or if other transfer mechanisms become available), we will adapt our practices accordingly.
If you would like more information about the safeguards we use for international data transfers or copies of the relevant contractual agreements, you can contact us using the details provided. We may require an NDA before sharing copies of certain documents for confidentiality reasons, but we can provide summaries.
Your Rights and Choices
You have various rights regarding your personal data. We are committed to upholding these rights. Below, we outline the rights applicable to different regions and how you can exercise them:
Rights for Individuals in the EEA, UK, and Switzerland (GDPR and equivalent laws):
If you are in the European Economic Area, United Kingdom, Switzerland, or other jurisdictions with similar laws, you have the following rights with respect to your personal data:
- Right to Access: You have the right to request a copy of the personal data we hold about you, as well as information about how we use it. This is often called a “Data Subject Access Request.” We will provide you with a copy of your data in a common format (unless doing so adversely affects the rights of others, for example, releasing data that includes someone else’s personal info).
- Right to Rectification: If any of your personal data that we have is inaccurate or incomplete, you have the right to have it corrected or updated. You can often do this directly by logging into your account (e.g., update your profile info). If not, you can ask us to correct it.
- Right to Erasure: You can request that we delete your personal data. This is sometimes known as the “right to be forgotten.” We will honor such requests to the extent required by applicable law. For example, if you withdraw consent or if you object to processing (see below) and we have no overriding legitimate grounds to continue, or if we no longer need your data, we will delete it. Note that this right is not absolute – sometimes we may retain certain information if we have a legal obligation or compelling legitimate interest to keep it (we will inform you if that’s the case).
- Right to Restrict Processing: You can ask us to limit or “pause” the processing of your personal data in certain circumstances. For instance, if you contest the accuracy of the data, or you have objected to processing (see below), you can request restriction while the issue is being resolved. During restriction, we can still store your data but will not use it for the purpose you objected to.
- Right to Data Portability: You have the right to obtain your personal data from us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another data controller where technically feasible. This right applies to personal data you provided to us, which is processed by automated means and where the processing is based on your consent or the performance of a contract. In simpler terms, for example, you could request an export of the data you input into CEOTXT, so you can import it into another service.
- Right to Object: You have the right to object to our processing of your personal data in certain situations:
  - If we are processing your data based on legitimate interests, you can object to that processing, and we will consider your request. We will then either stop processing or explain why we believe we have overriding legitimate grounds to continue.
  - Specifically, you have an absolute right to object to direct marketing. If we send you marketing emails or SMS, you can opt out at any time (as described earlier, via unsubscribe links or contacting us). Once you object or opt out, we will stop using your data for direct marketing.
- Right to Withdraw Consent: If we rely on consent for any processing of your personal data, you have the right to withdraw that consent at any time. For example, if you consented to receive newsletters, you can unsubscribe (withdraw consent) and we will stop that processing. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing under other legal bases.
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or mishandled your personal data, you have the right to lodge a complaint with a supervisory authority. Rokter AS is under the jurisdiction of the Norwegian Data Protection Authority (Datatilsynet). You can contact Datatilsynet or your local EU/EEA data protection authority. We would, however, appreciate the chance to address your concerns directly before you do this, so we encourage you to contact us first.
To exercise your rights, you may contact us at the email or address provided in the “Contact Us” section. Please clearly state what right you want to exercise and provide relevant details (like the data you want access to, or the correction needed). For security reasons, we may need to verify your identity before fulfilling your request (for example, by asking you to confirm from your registered email or by providing information that we have on file). We will respond to your request within one month, or inform you if we need more time (an extension of up to two additional months is allowed by GDPR for complex requests, but we will inform you and explain why if that is the case).
Generally, fulfilling these requests is free of charge. However, if a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request (with explanation).
Rights for California Residents (CCPA/CPRA):
If you are a resident of California, USA, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include:
- Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell (if applicable). More specifically, you can request the categories of personal information we have collected about you, the categories of sources of that information, the business or commercial purpose for collecting (or selling/sharing, if applicable) the information, the categories of third parties with whom we share personal information, and the specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You have the right to request deletion of personal information that we have collected from you (and direct our service providers to do the same). There are some exceptions; for example, if the information is needed to complete a transaction you requested, to detect security incidents, to comply with legal obligations, or other reasons allowed by law, we may retain necessary information.
- Right to Correct: Under CPRA, California residents also have the right to request correction of inaccurate personal information maintained about them. If you believe we hold incorrect information about you, you can request that we correct it.
- Right to Opt-Out of Sale/Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information. However, we do not sell personal information (as we’ve stated, we don’t provide your data to third parties for their own marketing or monetary benefit). We also do not “share” personal information for cross-context behavioral advertising (targeted advertising) because we currently do not engage in such advertising. Therefore, there is no need for you to submit a request to opt out of sale/sharing, as we do not perform those activities. If in the future this changes, we will update our Privacy Policy and provide a “Do Not Sell or Share My Personal Information” link as required.
- Right to Limit Use of Sensitive Personal Information: The CPRA introduces a right to limit the use of “sensitive personal information” if a business uses it beyond certain purposes. CEOTXT does not collect or process sensitive personal information for purposes that would trigger this right (we do not use sensitive data like precise geolocation, social security numbers, etc., for inferring characteristics or for any use outside the direct services requested by you). Therefore, this right is not applicable in a meaningful way for our services at this time. We only use any limited sensitive info (like payment card details) for the services you expect (processing payment).
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we won’t deny you our Service, charge you different prices, or provide a different level of quality just because you exercised your rights. (However, note that if you request deletion of data that is necessary for us to provide the Service, we might not be able to continue providing you the Service — for instance, if you delete your account data, you cannot continue using the account. But that’s a consequence of the deletion, not discrimination.)
- Shine the Light: Separately from CCPA, California’s “Shine the Light” law allows users to request certain information about our disclosure of personal information to third parties for their direct marketing purposes during the previous calendar year. We do not disclose personal information to third parties for their own direct marketing purposes without your consent. If that changes, we will update you. California residents may also send inquiries about any such compliance to our contact email.
Exercising California Rights: If you are a California resident and wish to exercise your Right to Know, Delete, or Correct, you may contact us via the methods in the “Contact Us” section. You can also send an email with the subject line “CCPA Request” for clarity. We will need to verify your identity to process these requests, which may involve asking you to provide information that matches our records or using a verification service. If you have an account, logging into the account to make the request is one way to verify. If you do not have an account or have lost access, we may ask for additional info to confirm you are the person about whom we collected information.
For a request to know or delete, you may also designate an authorized agent to make the request on your behalf. If you do so, we will need to verify that the agent is duly authorized (e.g., through a power of attorney or other written authorization) and may still ask you (or the agent) for information to verify your identity with us.
We aim to respond to California consumer requests within 45 days as the law requires. If we need more time (up to an additional 45 days, totaling 90 days), we will inform you of the reason for the delay.
Children's Privacy
CEOTXT is not directed to children, and we do not knowingly collect personal information from individuals under the age of 13 (or under 16 in the European Union, unless parental consent is obtained, as per GDPR). Our Service is intended for use by adults in a professional/business context.
If you are under 13 years old, please do not use CEOTXT or provide any personal information about yourself to us. If we learn that we have inadvertently collected personal data from a child under 13 (or under the applicable minimum age in your jurisdiction) without proper consent, we will take steps to delete that information as soon as possible.
Parents or legal guardians: If you become aware that your child has provided us with personal information without your consent, please contact us immediately. We will work with you to remove the information and terminate the child’s account if necessary.
Even for users who are between 13 and 18 (minors but not children under COPPA), we advise that CEOTXT is designed for business professionals and may not be suitable for individuals under 18. We require that any user creating an account be of legal age to form a contract (which is generally 18 in most countries). By accepting the Terms of Service, users represent that they are at least 18 or have reached the age of majority in their jurisdiction.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we do make changes, we will:
- Post the updated Privacy Policy on our website (and within the app, if applicable) with a new “Last Updated” date.
- If the changes are material, we will notify you in a more prominent way. This may include sending an email to the address associated with your account, or posting a notice on our website or within the app. Material changes could include, for example, using your personal data for new purposes, or sharing it with new categories of third parties that you have not been informed of.
- Where required by law, we will obtain your consent for significant new uses of personal data (for instance, if we ever planned to collect new types of data not previously collected, or if we were to start selling personal information, we would first get opt-in consent as needed or at least provide opt-out options before the changes take effect).
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of CEOTXT after any changes to this Policy constitutes your acceptance of the updated terms.
If you do not agree to any updates or changes, you should stop using the Service and, if applicable, unsubscribe from communications and consider deleting your account. We will always indicate the date of the latest revision, and we will keep prior versions of this Privacy Policy available upon request for reference.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
Rokter AS (CEOTXT) – Privacy Team
Address: Teknologiveien 11, 8517 Narvik, Norway
Email: privacy@ceotxt.com (for privacy-specific inquiries)
Alternate Email (general support): support@ceotxt.com
Contact Form: You may also reach out through any contact form on our website, indicating that your inquiry is about privacy.
We will do our best to respond promptly and help resolve any issues or answer any questions you may have. Your trust is extremely important to us, and we welcome feedback on how we can improve our privacy practices.
By using CEOTXT, you acknowledge that you have read and understood this Privacy Policy. Thank you for entrusting CEOTXT with your data – we are committed to keeping that trust through transparency and security.