Introduction
Last Updated: July 4, 2025
Your privacy is important to us. This Privacy Policy explains how Rokter AS (“we,” “us,” or “our”) collects, uses, discloses, and safeguards your personal data in connection with the use of CEOTXT (the “Service”). CEOTXT is a SaaS tool operated by Rokter AS in Norway and includes our website (e.g., marketing site, landing pages, waitlist sign-up, and content pages) as well as our web/mobile application. This Policy applies to all personal data we collect through our Service, whether you are a visitor to our website or a registered user of our app.
We are committed to protecting your data and being transparent about our privacy practices. CEOTXT is designed to comply with applicable privacy laws, including the European Union General Data Protection Regulation (GDPR) and relevant United States laws such as the California Consumer Privacy Act (CCPA) (as amended by the CPRA). We provide the details below so you know exactly what information we collect, what we do with it, and what rights you have regarding your data.
By using CEOTXT or by providing us with your personal information (for example, by signing up on our waitlist or creating an account), you agree to the terms of this Privacy Policy. If you do not agree with this Policy, please do not use the Service. We encourage you to read this Policy carefully and contact us if you have any questions.
Who is Responsible for Your Data?
For the purposes of European data protection law, Rokter AS (address: Solbakken 2, 8516 Narvik, Norway) is the “data controller” of your personal data. This means Rokter AS determines the purposes and means of processing personal data collected through CEOTXT. You can contact us using the information at the end of this Policy for any questions or requests regarding your personal data.
If you are using CEOTXT as an authorized user on behalf of an organization (e.g., your employer), that organization may also be a data controller of your personal data. Please ensure you have permission from your organization to use CEOTXT and share any required personal information with us.
Information We Collect
We collect several types of information from or about you, including:
1. Information You Provide to Us
You may directly provide us with information in various situations, such as:
- Account Registration: When you sign up for CEOTXT or join a waitlist, we ask for basic contact and identity information. This typically includes your name and email address, and may include your phone number (for SMS features) and company name. If a password is required for account login, we store a hashed version of your password, not the plaintext.
- Profile and Usage Data: Within the CEOTXT app, you may input data related to your business metrics, goals, notes, and other content. For example, you might enter weekly figures or personal notes. Any such data you actively enter into the Service is stored to provide you functionality (e.g., generating a weekly summary). This data might include personal information if you choose to input it (for instance, if you input names of team members or financial figures identifiable to a person), but generally it is business-related information.
- Payment Information: If you subscribe to a paid plan, you will provide payment details. We use Stripe to process payments, so you will typically provide your credit card number, billing address, and other payment details directly to Stripe in our integrated checkout form. We do not receive or store your full card number. We do receive information such as the last four digits of your card, card brand, expiration date, and a payment token or transaction ID, which we store to keep track of your subscription status. We also record your subscription plan selections, payment history, and account status.
- Communications: If you communicate with us directly (for example, by sending an email to support, filling out a contact form, or participating in surveys/feedback requests), we will collect the information you provide. This could include your contact information, the content of your message, and any attachments or other information you choose to provide. If we offer a chat support feature or respond via SMS or email, those communications will be stored.
- Waitlist or Marketing Sign-up: If you sign up for a waitlist or newsletter on our website, we will collect your email address and possibly your name or other info you submit for that purpose. We will use this to send you updates about CEOTXT (e.g., launch announcements or marketing communications) as per your request.
Note: We do not intentionally collect any sensitive personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or data concerning sexual orientation) from users. We also do not require any government-issued identification numbers or financial account numbers outside of payment processing. Please do not provide sensitive personal data when using CEOTXT, as the Service is not intended to process such data. Any payment-related sensitive information (like credit card details) should only be entered into the secure Stripe payment form, not elsewhere in CEOTXT.
2. Information We Collect Automatically
When you use our website or app, we (and our third-party partners) automatically collect certain information about your device and your usage of the Service. This includes:
- Device and Usage Data: We collect log data about your interactions with CEOTXT. This may include your IP address, device type (e.g., laptop, smartphone), operating system, browser type and version, browser language, and time zone. We also log information such as the pages or screens you view, the dates/times of your visits, the features you use, your clickstream (the path you take through our pages), and how you interact with elements of the Service.
- Cookies and Similar Technologies: We use cookies (small text files stored on your browser or device) and similar tracking technologies (such as web beacons, pixels, and local storage) to collect information about your website usage and to remember your preferences. For example, we use cookies to keep you logged in to your account, to understand how you navigate our site, and to personalize your experience. We also use cookies for analytics purposes (described below). You can manage cookie preferences through your browser settings (see the “Cookies and Tracking” section below for more detail).
- Analytics Data: We partner with analytics providers to better understand how users engage with CEOTXT. For example:
  - Google Analytics: Used on our website to gather information like what site you came from, how long you spend on each page, and what kind of device you are using. We have configured Google Analytics in compliance with Google’s policies and enabled features like IP anonymization (to truncate your IP address within the EU).
  - Hotjar: Helps us gain insights into user behavior on our site by recording anonymized user sessions (mouse movements, clicks, scrolling, form inputs excluding sensitive fields) to help identify usability issues. Hotjar may also set cookies to aid its analysis. (Hotjar stores data like recordings and heatmaps on servers in the EU.)
  - HubSpot: Serves as our customer relationship management and marketing analytics platform. If you provide your email via a form, HubSpot can track your site visits, email opens/clicks, and interactions with our content. HubSpot may place a tracking cookie to associate your site usage with your email once you identify yourself by filling out a form. (HubSpot may store data on servers in the US, but it offers GDPR safeguards such as Standard Contractual Clauses and adheres to privacy frameworks.)
- Mobile App Data: If you use our app (including if accessed through a mobile browser or an app built on Adalo), we may collect device identifiers (such as your device’s unique ID or advertising ID) and diagnostic information if the app crashes or encounters errors. The app might also store data locally on your device (using local storage or a database) to improve performance, which then syncs with our servers.
- Location Information: We do not specifically request or track your precise geographic location (e.g., via GPS) through the Service. However, we may infer general location information (such as city or country) based on your IP address. This helps us understand where our users are located globally for purposes like setting language or regional defaults, ensuring compliance (e.g., determining GDPR jurisdiction), or gaining analytical insights.
3. Information from Third Parties
In general, we collect data directly from you or through your use of CEOTXT. We do not buy personal data from data brokers or pull information about you from public databases or other external sources, except in a few cases:
- Third-Party Authentication: (Note: As of the last update, CEOTXT uses its own sign-up.) If in the future we allow sign-in via third parties (like Google or LinkedIn), we would receive basic profile information from those providers when you authorize such login. Currently, since we do not offer third-party login, this scenario does not apply.
- Referrals: If someone refers you to CEOTXT (for example, by sending you an invitation or using a referral link), we collect the information provided about you (such as your email address). We will use it to send you an invitation or informational message, and we will identify the person who referred you in that communication where required by law. If you receive an email invite and do not wish to join or be contacted further, you can ignore the invitation or opt out, and we will remove your information upon request.
- Service Providers & Partners: We might receive some information indirectly from service providers in the course of running our Service. For instance, when we send an SMS via ClickSend, we get delivery status information (like whether the SMS was delivered or failed). Or if you make a payment via Stripe, we receive confirmation of your payment and possibly updated billing details (for example, an updated card expiration date or a billing address that you provided to Stripe). We use this information to ensure our records are up to date (e.g., your subscription status) and to troubleshoot or improve our services.
- Aggregate Analytics Reports: Our analytics tools (like Google Analytics, Hotjar, HubSpot) may provide us with aggregated information or industry benchmarks that do not identify individuals — for example, “X% of users access the site via mobile devices” or average email open rates. Such aggregate data helps us understand overall usage patterns and improve our Service, but it cannot be traced back to any specific user.
Note: We do not knowingly collect personal information from children under the age of 13, and CEOTXT is not intended for minors. (See the Children’s Privacy section below for more detail.)
How We Use Your Information
We use the information we collect for various purposes, including:
- To Provide and Maintain the Service: We process the information you provide (like your registration and profile details) to create and maintain your account and to deliver the features of CEOTXT. For example, we use the data you input to display it back to you and to compute any summaries or analytics within the app. Your phone number and email address are used to deliver core Service features such as automated weekly SMS summaries, reminders, and other notifications. In short, most of the data processing we do is necessary to operate the core features of CEOTXT (saving your metrics, sending you nudges, showing you dashboards, etc.).
- To Process Payments: If you subscribe to a paid plan, we use personal data to manage billing and payments. For instance, we use the payment information you provided (via Stripe) to charge your subscription fees, and we use your contact information to send receipts or billing notices. We may also use your address or tax-related information if needed for invoicing or tax calculations (for example, determining if VAT applies based on your location).
- To Communicate with You:
  - Service and Account Communication: We use your contact information (email and, when applicable, phone for SMS) to send you essential communications about the Service. This includes emails for account verification, password resets, subscription confirmations, billing receipts, and alerts about important changes or security events (e.g., notice of a new device login). These communications are necessary for operating the Service and protecting your account.
  - Reminders and Nudges: As part of CEOTXT’s functionality, we send periodic reminder messages (via SMS, email, or in-app notifications) to encourage you to input your metrics or review your performance. For example, if it’s time to enter your weekly data, the system may send you a nudge. You can configure some of these reminders within the app (when that option is available) or opt out by contacting us. However, note that these reminders are an integral part of the CEOTXT experience designed to help you stay on track.
  - Marketing and Newsletters: With your consent (or as otherwise permitted by law), we may send you marketing communications to inform you about new features, content (such as blog posts or guides for CEOs), or promotions we believe might interest you. For example, if you joined our waitlist or explicitly agreed to receive updates, we might email you when CEOTXT launches or about special offers. You can always opt out of marketing emails or texts—each marketing email will include an “unsubscribe” link, and you can reply “STOP” to any marketing SMS to prevent future messages. We do not use your phone number for telemarketing calls or unsolicited texts beyond the scope of the Service.
- For Analytics and Service Improvement: We use data (mostly in aggregate or de-identified form) to understand how users interact with CEOTXT so we can improve it. Analytics tools like Google Analytics and Hotjar help us see which features are used most, how users navigate through our site/app, and where they might encounter problems. These insights inform our design decisions and feature improvements. For example, we might analyze user retention rates, conversion rates from waitlist sign-ups to active usage, or how effective our reminder messages are (e.g., do users who receive SMS reminders update their metrics more regularly?). We may also conduct A/B tests or pilot new features with small user groups and use the resulting data to decide whether to roll out changes to everyone.
- To Prevent Fraud and Ensure Security: We process personal data as needed to monitor, investigate, and prevent fraudulent or illegal activities and to ensure the integrity of our Service. For example, we might use IP addresses and login history to detect and block suspicious logins or multiple account abuse. We keep activity logs which can be audited if we suspect violations of our Terms of Service or if needed for diagnosing security issues. If necessary, we may use information like device data or account details to enforce our Terms (for instance, banning a user who is misusing the platform or attempting to disrupt our service).
- To Comply with Legal Obligations: We will use and retain your information as required to fulfill our legal and regulatory obligations. For example, financial regulations might require us to keep transaction records (which include personal data like names and transaction amounts) for a certain number of years. If we receive a lawful subpoena or court order, we may need to preserve and disclose specific data as mandated by law. Additionally, we might use your data to respond to your exercise of privacy rights under law (for instance, using your email to verify your identity when you request access to or deletion of your data).
- To Facilitate Corporate Transactions: In the event that Rokter AS is involved in a merger, acquisition, sale of assets, financing, or similar transaction, your information may be reviewed or transferred as part of that process. We would ensure appropriate confidentiality protections during such a process. If a transaction results in a change of ownership or transfer of the Service to another provider, your personal data may be transferred to the successor entity. In such cases, we would notify you (for example, via email or a notice on our site) of the change and any choices you may have. The new entity would continue to be bound to protect your information in line with this Privacy Policy or we would obtain your consent if required for any materially different use.
- With Your Consent (for Specific Purposes): In certain situations, we may ask for your consent to use your information for a purpose that isn’t already covered by the above. If you give consent, you can withdraw it at any time by contacting us (see “Contact Us” below). For example, if we ever wanted to feature a customer testimonial or success story that includes your personal data, we would seek your permission to do so.
We will not use your personal data for completely unrelated purposes without notifying you and, if required, obtaining your consent. We also do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you without human involvement – apart from the automated features you expect as part of the Service (like an automatic reminder if you haven’t updated a metric, which does not have any legal effect on you).
Legal Bases for Processing (GDPR Compliance)
If you are located in the European Economic Area (EEA) or the United Kingdom, our processing of your personal data must be justified under a “legal basis” under applicable law. Depending on the context, we may rely on different legal bases for different processing activities:
- Performance of a Contract: In most cases, we process your data because it is necessary to perform the contract between you and us. When you sign up for CEOTXT, you agree to our Terms of Service, and we need to process certain personal data to provide the Service as promised. For example, we use your email to create and maintain your account, your phone number to send SMS summaries, and the data you input to generate outputs (like your weekly summary). All these actions are necessary to deliver the core functionality of CEOTXT that you have signed up for.
- Consent: In some situations, we rely on your consent to process your data. For instance, we would seek your consent before sending you marketing emails or text messages (in jurisdictions where consent is required, or under a “soft opt-in” where applicable). Similarly, for non-essential cookies or certain analytics tools like Hotjar that record user sessions, we obtain your consent through the cookie banner (where required by law). Whenever we process data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing that occurred prior to your withdrawal.
- Legitimate Interests: We process some personal data for purposes that are in our legitimate interests (or those of third parties), provided these are not overridden by your rights and interests. Our legitimate interests include improving and ensuring the stability and security of our Service, understanding our user base and how CEOTXT is used, and communicating with users to enhance their experience. For example, analyzing usage data to improve features, or sending product updates to existing customers, might be based on legitimate interests. When we rely on this basis, we take steps to minimize the impact on your privacy — such as anonymizing data for aggregate analysis where feasible, or providing clear opt-out mechanisms for communications.
- Legal Obligation: We may process or retain your data when necessary for compliance with a legal obligation. For instance, applicable laws may require us to keep certain financial records for a number of years (e.g., for tax or accounting purposes). If we are served with a court order or subpoena that compels us to disclose data, we will process and share data as required by law. In such cases, the legal obligation is our basis for processing.
- Vital Interests or Public Interest: In very unlikely scenarios, we might process data to protect someone’s vital interests (i.e., to prevent an imminent threat to life or serious injury) or if it’s needed in the public interest (for a task set by a government, for example). These bases are generally not applicable to CEOTXT’s day-to-day operations; they would only be relevant in exceptional circumstances such as an emergency. If we ever do process data on these bases, it would be in compliance with the strict conditions set out by law.
If you have questions about the legal basis on which we process your personal data for a specific activity, please contact us and we will explain how the law applies to that situation.
How We Share and Disclose Information
We understand that your personal data is important, and we are not in the business of selling it. We only share your information in the following circumstances:
- With Service Providers (“Processors”): We employ trusted third-party companies and individuals to perform certain services on our behalf or to help us provide and improve the Service. These third parties act as our data processors and are contractually required to only use personal data as needed to perform their tasks, and to keep it confidential. Key service providers we use include:
  - Stripe: for payment processing. Stripe handles your payment transactions securely and is PCI-DSS compliant. They have access to personal and financial information necessary to process payments (e.g., your name, card details, billing address, email). We have a data processing agreement with Stripe, and they commit to GDPR compliance (including via Standard Contractual Clauses for EU data transfers). We do not see or store your full credit card number—Stripe provides us a token or ID for the transaction and the last 4 digits of your card for reference.
  - ClickSend: for sending SMS messages. We share your phone number and the content of the SMS (for example, your weekly summary or reminder text) with ClickSend so that it can be delivered through your mobile carrier. ClickSend may process this data via servers outside the EU (such as in the US or Australia), but they have committed to GDPR and CCPA compliance in their role as our processor. They act only on our instructions to send you the messages you expect from CEOTXT.
  - Adalo (and underlying hosting providers): Our application is built on the Adalo platform, which means Adalo hosts our app and its database. Your data in CEOTXT (account info, metrics, etc.) is stored on Adalo’s servers (which may be hosted on infrastructure like Amazon Web Services). As of our last information, Adalo’s primary servers are in the United States. Adalo has implemented Standard Contractual Clauses (SCCs) and other safeguards for EU data, and only accesses our data as needed for hosting and technical operations.
  - Google Analytics: for website analytics (as described in the Analytics section above). Google may process certain data (like your anonymized IP address, cookies, and device identifiers) to provide us with aggregated site usage insights. This may involve transferring data to Google’s servers in the United States. We have a data processing agreement with Google and rely on their SCCs for GDPR compliance. Google is not permitted to use our site’s analytics data for any purpose other than providing services to us.
  - Hotjar: for user experience analytics on our website. Hotjar records behavioral data (such as clicks, scrolls, and keystrokes on non-sensitive fields) to help us improve usability. Hotjar’s data is stored in the EU (the company is based in Malta) and IP addresses are anonymized by default. Hotjar acts as our processor and only uses the data to generate analytics for us.
  - HubSpot: for customer relationship management (CRM) and communications. We use HubSpot to manage our user and contact lists (e.g., waitlist members, newsletter subscribers) and to send emails. If you fill out a form or interact with our emails, HubSpot logs that interaction. HubSpot may store data on servers in the US, but they have measures (like SCCs and participation in relevant frameworks) to protect EU data. HubSpot only processes your data per our instructions (for example, sending out an email we scheduled or analyzing email open rates).
  - Other Providers: We may use additional service providers for specific functions, such as email delivery (SMTP services), cloud storage and backups, error monitoring (e.g., Sentry for logging errors, which might capture contextual user data like user ID or device info), or customer support ticketing systems. We vet all such subprocessors for strong security and privacy practices. If we engage a new significant subprocessor that will handle personal data, we will update this Privacy Policy or otherwise inform our users, and ensure that appropriate data protection agreements are in place.
- Within Our Corporate Group: If Rokter AS expands to have affiliate companies or subsidiaries (for example, a subsidiary assisting with development or customer support for CEOTXT), we may share data within our corporate family. Any such affiliates would be bound by confidentiality and data protection obligations equivalent to those in this Privacy Policy. (As of now, CEOTXT is operated by Rokter AS in Norway, and any internal data sharing is limited to our own team members and contractors who are all under strict confidentiality agreements.)
- For Legal Reasons: We may disclose your information when we have a good-faith belief that such disclosure is necessary to comply with a legal obligation or process. This includes responding to valid legal requests from authorities (such as subpoenas, court orders, or government demands), or disclosing information to investigate or protect against legal claims. We may also share data if we believe it’s necessary to: enforce our Terms of Service or other agreements; protect the rights, property, or safety of Rokter AS, our users, or the public; or detect, prevent, or address fraud or security issues. For example, if required by law enforcement as part of an investigation, we might preserve and provide relevant data.
- Business Transfers: If we engage in or negotiate a business transaction like a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be disclosed to the involved parties (e.g., to auditors or potential investors) as part of due diligence, and transferred to a successor or affiliate as part of completing the transaction. In such cases, we would ensure that any recipient of your personal data commits to respect this Privacy Policy (or else provides you notice and obtains your consent if required by law for any materially different handling of your data). You would also be notified, for example via email or a prominent notice on our website, of any change in ownership or new use of your personal information.
- With Your Consent: We will share your information in any ways you specifically direct us to or consent to. For example, if you use a feature that exports data to an outside service (and you initiate that export), we will send the data as instructed by you. Similarly, if we ever want to post a user’s testimonial or share their success story publicly, we would do so only with that user’s explicit permission.
- Aggregate or De-Identified Data: We may also share information that has been aggregated or de-identified so that it can no longer be associated with you. Such information is not considered personal data. For instance, we might publish blog posts or reports that include general statistics about CEOTXT usage (e.g., average number of metrics tracked per user, or total users in various regions) — none of which would identify any individual.
- No Selling of Personal Information: We do not sell or rent your personal data to third parties for their independent use. “Selling” in the context of privacy laws like the CCPA is broadly defined, but we interpret it as transferring personal information to a third party for their own commercial use (unrelated to providing services to us) in exchange for money or equivalent value. We do not engage in such exchanges. Any information we share with third parties is solely to help run, improve, and secure our own Service as described above. Those third parties are restricted from using your data for any purpose other than providing services to us (or as required by law).
Subprocessor List: If you would like a full list of our current subprocessors and third-party service providers who handle personal data on our behalf, you may contact us and we will be happy to provide an updated list. We aim to be transparent about whom we entrust with your data and will promptly answer any inquiries in this regard.
Cookies and Tracking Technologies
Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. CEOTXT and our service providers use cookies and similar technologies for several reasons:
- Essential Cookies: These cookies are necessary for our website or app to function properly. For example, we might use a session cookie to keep you logged in as you navigate through the dashboard. If you disable these cookies via your browser, some parts of the Service may not work correctly (for instance, you may be required to log in repeatedly, or certain features might not function).
- Preference Cookies: These cookies remember your preferences (such as language or time zone settings) to provide a more personalized experience. They ensure that when you return to our Service, it’s configured in the way you prefer.
- Analytics Cookies: These cookies help us understand how visitors use our site. For example, Google Analytics and Hotjar set cookies to collect information about what pages users visit, how long they stay, and how they interact with our site. The information collected is generally aggregated and does not identify you individually. We use it to compile reports and to improve the site — for example, by identifying which features are popular or finding areas of the site that might be confusing to users. (Note: We have configured Google Analytics to anonymize IP addresses where applicable, and Hotjar similarly respects Do-Not-Track headers if you have those enabled.)
- Marketing Cookies: HubSpot may use cookies to track visitors across our site and potentially to recognize visits across other sites, especially after you have interacted with our marketing materials (like clicking a link in one of our emails). This helps us tailor follow-up communications or determine what content is most interesting to our audience. Currently, we do not display third-party ads on our site and we do not allow third-party ad networks to collect information about you from our site for advertising purposes. HubSpot’s cookies are used for our own analytics and marketing follow-ups only.
When you first visit our website, you may see a cookie banner or notice. We use this banner to obtain any necessary consent for non-essential cookies, as required by law. If you choose to opt out of certain categories of cookies (e.g., analytics or marketing cookies), those cookies will not be placed on your device. Our cookie settings or banner allow you to manage your preferences (such as toggling off analytics cookies if you don’t want them).
Managing Cookies: You have the right to decide whether to accept or reject cookies (aside from strictly necessary ones). You can set or modify your web browser controls to accept or refuse cookies. If you choose to reject non-essential cookies, you can still use our website, but some functionality might be limited. Each browser is a little different, so check your browser’s help menu for instructions on how to change cookie settings. For more information about cookies and how to disable them, you can also visit third-party information sites such as aboutcookies.org which provide helpful guidance.
"Do Not Track" Signals: “Do Not Track” (DNT) is a privacy preference that users can set in some web browsers to signal that they do not wish to be tracked across different websites. Currently, there is no consensus or standardized way that websites must respond to DNT signals. As a result, our website does not respond to DNT signals in any special way beyond normal cookie settings. However, as described above, you can control tracking through our cookie management options. We will continue to monitor the development of DNT standards and may re-evaluate our approach if an industry or legal standard for responding to DNT is established.
Global Privacy Control (GPC): GPC is a setting or browser extension that some users enable to signal a general opt-out of the “sale” or “sharing” of personal data under laws like the CCPA. Since we do not sell personal data and we only share data for our own operational purposes (as described in this Policy), a GPC signal currently does not change our data collection practices. If we detect a GPC signal from a California resident’s browser, we will treat it in accordance with CCPA requirements — meaning we would not sell that user’s personal information (which we don’t do anyway). If any of our site’s usage of cookies or trackers could be construed as a “sharing” of personal information for cross-context behavioral advertising (targeted ads), we would honor the GPC signal as an opt-out of that processing.
Note: You can opt out of Google Analytics tracking specifically by installing Google’s official browser opt-out add-on. HubSpot cookies can be managed via our website’s cookie consent tools or by clearing your browser cookies if you wish to disassociate your site usage from your email address.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The exact retention periods vary depending on the type of information and the context in which it was collected:
- Account Information: We keep your core account data (such as your name, email address, and profile information) for as long as you maintain an active account. If you delete your account or if your account is inactive for an extended period, we will initiate the deletion of your personal data from our active systems. (Generally, user-generated content and personal details will be removed from our production database within roughly 30 days after account deletion, barring any legal requirement to retain it longer.) We may retain certain minimal information after account deletion, like records of your request or aggregated data that no longer identifies you, as described below.
- User Content: The business metrics, notes, and other data you store in CEOTXT are retained while your account is active so that you have ongoing access to it. If you delete specific content items (e.g., remove a note or a metric entry), we will make that content inaccessible to you and others, though it may linger temporarily in system backups. If you delete your account entirely, all content associated with your account will be deleted from our production systems after a short period (often within 30 days). Backup copies of data might persist for a longer period until those backups are rotated out or deleted, but they are retained in a secure manner and are only used if needed for disaster recovery.
- Communications: If you correspond with us (for example, through support emails or chat logs), we may retain those communications for a period of time, even after your account is deleted, to help us in training our support staff, to reference in case of future issues, or to improve our services. Once such communications are no longer needed, we will delete or anonymize them. Generally, routine support emails and tickets may be retained for a year or two unless we need to keep them longer for a specific reason.
- Marketing Data: If you have signed up to receive marketing emails or newsletters, we will retain the necessary contact information (like your email address) until you unsubscribe or ask us to delete it. If you opt out of emails, we may keep your email on a “do not contact” list to ensure we honor your opt-out. We only send marketing communications in accordance with your preferences and applicable law, and you can unsubscribe at any time.
- Analytics Data: Data collected via analytics cookies and tools (Google Analytics, Hotjar, etc.) is typically retained by those providers for a set duration that we determine in our settings. For example, we might instruct Google Analytics to retain data for 14 or 26 months before it is automatically deleted from analytics records, or we might choose a longer retention for certain aggregated data. This data is generally not personally identifiable by the time it reaches our analytics dashboards (it’s aggregated or pseudonymized). You can of course clear your cookies or use browser settings to prevent new analytics data from being collected on you.
- Transaction and Payment Records: We are required by law to keep certain financial and transaction records for set periods (often for accounting and tax compliance). For example, in Norway (where Rokter AS is based), accounting laws might require us to keep invoice and payment records for 5 years. These records may include personal data such as your name, the amount paid, and date of transaction. We store such records securely and restrict access to them. We will retain these as long as legally mandated, after which we will delete or anonymize them.
- Legal Compliance and Protection: If we are involved in a legal dispute or receive an allegation of wrongdoing, we might retain relevant information until the issue is resolved. For example, if we terminate an account for violating our Terms, we may keep information about that account to defend against a potential dispute or to support our claim that terms were violated. Also, if we receive a preservation order or similar legal request to keep data (for example, from law enforcement in connection with an investigation), we will retain the data specified for as long as instructed.
- Backup Retention: Our system backups can contain snapshots of your data which are taken at certain intervals (for reliability and disaster recovery purposes). These backups are stored securely and generally have a rolling retention (e.g., we might keep daily backups for X days, weekly backups for Y weeks, etc.). Data in backups isn’t easily accessible for normal operations, and we only retrieve data from backups if it’s needed for system restoration. Backup files are automatically overwritten or deleted after the retention period elapses.
- Post-Termination Retention: After you stop using CEOTXT or delete your account, we may retain non-personal data (or anonymized personal data) for analytical purposes. For instance, we might keep aggregated metrics that include your usage as a data point (e.g., total number of metrics input by all users over time) because that information no longer identifies you personally. Similarly, we might retain a hashed value of your email to prevent re-registering or to ensure a deleted account’s data isn’t re-imported — but such a hash cannot be used to contact you or identify you directly.
In summary, we aim to either delete or anonymize personal data once it’s no longer needed for the purposes for which it was collected. If immediate deletion (from all systems, including backups) is not feasible, we isolate and secure the data until deletion is possible. If you have specific questions about how long we keep a certain type of data, feel free to contact us for more details, and we will provide information tailored to your inquiry.
Data Security
We take security very seriously and implement a range of technical and organizational measures to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. While no website or internet service can guarantee complete security, we continuously work to protect your information. Our security practices include:
- Encryption: All communications between your browser (or app) and CEOTXT servers are encrypted using HTTPS (TLS). This means that data transmitted to us or back to you is encrypted in transit and cannot be easily intercepted. Additionally, sensitive data at rest is protected: for example, passwords are stored using one-way hashing (we never store plaintext passwords), and any sensitive tokens or secrets are stored encrypted. Payment information is handled by Stripe, but any payment-related data we do store (like the Stripe customer ID, card last4, etc.) is stored securely.
- Access Controls: We limit access to personal data to only those team members, employees, and contractors who need that access to operate or improve the Service. Access is granted on a least-privilege principle, meaning each person is given the minimum access necessary for their role. Administrative access to our systems and databases is protected by strong authentication (such as two-factor authentication and unique credentials) to prevent unauthorized access. Our staff and contractors are all bound by confidentiality agreements and are trained in data protection best practices.
- Monitoring and Testing: We regularly monitor our systems for possible vulnerabilities and attacks. We use tools and services (such as intrusion detection systems and log monitoring) to alert us to unusual activity. Security patches and updates are applied to our software and dependencies promptly when vulnerabilities are disclosed. We also periodically test our systems — this may include internal code reviews for security issues, as well as engaging third-party security experts to perform penetration testing or security audits of our application and infrastructure. Any findings are addressed with high priority.
- Physical Security: The personal data we process is stored on secure cloud servers (for example, via Adalo’s hosting on AWS). These cloud providers maintain robust physical security measures at their data centers, including 24/7 monitoring, controlled access, biometric entry, and redundancy to protect against physical threats. Within any physical office spaces we use, we also maintain security measures (such as locked computers, alarm systems, and access controls) to ensure that no unauthorized person can access our systems.
- Isolation: Within our platform architecture, your data is logically separated from other customers’ data. Even if multiple applications or services are hosted on the same infrastructure, robust controls are in place to prevent data from one customer being accessed by another. For instance, our databases enforce tenant-based separation of data, and our application code is designed to fetch data only for the authenticated user’s account.
- Secure Development Practices: We follow secure coding guidelines when building CEOTXT. This includes protecting against common web vulnerabilities (like SQL injection, XSS, CSRF, etc.) by using modern frameworks and security libraries. We conduct code reviews to catch security issues early, and we employ automated tests and static analysis tools where appropriate to enforce security requirements. Before new features are deployed, they are tested for security implications.
- Subprocessor Safeguards: We choose reputable service providers who demonstrate strong security practices. For example, Stripe is certified as a PCI Level 1 Service Provider (the highest standard of payment security), and AWS (used by Adalo) holds industry-standard certifications like ISO 27001 and SOC 2. We have data processing agreements in place with our subprocessors that contractually require them to implement appropriate security measures and to notify us promptly in the event of any security incident affecting user data.
- Data Breach Response: In the unlikely event of a data breach (an incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), we have a response plan in place. This plan involves immediately containing the breach, assessing the scope and impact, and notifying affected parties and authorities as required. If your personal data is involved in a breach that poses a significant risk to your rights and freedoms, we will notify you without undue delay (and within any timeframes required by applicable law, such as 72 hours under GDPR for notifying authorities). We will also provide information on the steps we are taking to address the breach and any steps you might take to protect yourself.
It’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal data using the measures described above (and more), we cannot guarantee its absolute security. You also play a role in keeping your information safe. We encourage you to use a strong, unique password for your CEOTXT account and to keep it confidential. Be vigilant against phishing attempts — Rokter AS will never ask you for your password via email or unsolicited messages. If you ever suspect an email claiming to be from us is fraudulent, please ignore it and let us know.
If you have reason to believe that your interaction with us or the security of your CEOTXT account is no longer secure (for example, if you suspect your account has been compromised), please contact us immediately so we can assist and take appropriate steps.
International Data Transfers
EEA/UK Data Transfers: When we transfer personal data out of the EEA or UK, we implement appropriate safeguards to ensure an equivalent level of protection. For example, many of our service providers (like Stripe, Google, and HubSpot) are based in the United States or other countries outside Europe. We rely on Standard Contractual Clauses (SCCs) or other legally recognized mechanisms for these transfers. (Some providers participate in the EU-U.S. Data Privacy Framework, which the EU has adopted to facilitate transfers for certified companies, but we still primarily use SCCs to meet GDPR standards.)
Your Consent to International Transfers: By using CEOTXT or providing us with your information, you consent to your personal data being transferred to and stored in other countries as needed (including Norway in the EEA, the United States, and any other country where we or our service providers operate). We will ensure such transfers comply with applicable laws and that your data remains protected no matter where it is processed.
Ongoing Compliance: We continuously monitor developments in data protection laws regarding international transfers. If legal requirements or standards change (for example, if new SCCs are issued or additional transfer mechanisms become available), we will adapt our practices accordingly. If you would like more information about our data transfer safeguards or copies of relevant contractual agreements, please contact us. (We may ask you to sign a non-disclosure agreement before sharing certain sensitive documents.)
Your Rights and Choices
You have various rights regarding your personal data. We are committed to upholding these rights. Below, we outline the rights applicable to different regions and how you can exercise them:
Rights for Individuals in the EEA, UK, and Switzerland (GDPR and equivalent laws):
If you are in the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with similar data protection laws, you have certain rights with respect to your personal data. In particular, subject to applicable law, you have the right to:
- Right to Access: Obtain a copy of the personal data we hold about you, and receive information about how we use it. This is often called a “Data Subject Access Request.” We will provide you with a copy of your data in a commonly used electronic form, unless doing so would adversely affect the rights and freedoms of others (for example, releasing data that includes another person’s personal information).
- Right to Rectification: Have inaccurate personal data corrected or incomplete data completed. If any personal information we have is incorrect (for example, if you change your name or email address), you have the right to update it. You can often do this yourself by logging into your account settings, or you can ask us to correct it for you.
- Right to Erasure: Request the deletion of your personal data, under certain conditions. This is sometimes known as the “right to be forgotten.” You can ask us to delete your personal data, and we will do so unless we have a lawful reason to keep it. For example, we might retain certain information if we’re legally required to (such as transaction records for tax purposes), or if we have an overriding legitimate interest to keep it (we will inform you if this is the case). Once your data is deleted, your account will be closed and you may lose access to the Service features that rely on that data.
- Right to Restrict Processing: Ask us to suspend the processing of your personal data under certain scenarios. You might exercise this right if you contest the accuracy of your data (while we are verifying it), or if you’ve objected to our processing (while we evaluate your request), or if you need us to preserve data for legal reasons but not otherwise process it. When processing is restricted, we can still store your data but will not use it for the purpose you’ve restricted, unless you consent or further processing is required for legal claims or protection of others’ rights.
- Right to Data Portability: Receive personal data that you have provided to us in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller. This right applies when our processing is based on your consent or on a contract with you, and the processing is carried out by automated means. In practice, this could mean you can request an export of the data you have input into CEOTXT so that you could import it into another service if you choose.
- Right to Object: Object to our processing of your personal data in certain circumstances:
  - If we are processing your data based on legitimate interests, you can object to that processing. We will then stop processing the data in question unless we have compelling legitimate grounds to continue (grounds that override your rights and interests) or if we need to continue processing for the establishment, exercise, or defense of legal claims.
  - You have an absolute right to object to direct marketing. This means if you no longer want to receive marketing emails or SMS messages from us, you can opt out at any time and we will stop sending them. The easiest way to do this is to click the “unsubscribe” link in a marketing email or reply “STOP” to a marketing SMS. You can also contact us to be removed from our marketing list. Once you object or opt out, we will promptly stop using your contact information for direct marketing purposes.
- Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. For example, if you consented to receive a newsletter, you can later choose to unsubscribe. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing that is based on other legal grounds (for instance, it won’t undo the processing that was done as part of performing our contract with you).
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or processed your personal data unlawfully, you have the right to file a complaint with a supervisory authority. Rokter AS, as a Norwegian company, falls under the jurisdiction of the Norwegian Data Protection Authority (Datatilsynet). You can contact Datatilsynet, or you may reach out to your country’s data protection authority if you’re in the EEA/UK. We kindly ask that you consider raising any concerns with us first, so we can try to resolve them directly, but you are not obligated to do so.
To exercise any of your rights, please contact us using the details in the Contact Us section. Clearly describe which right you want to exercise and, where applicable, what personal data your request refers to. For your security, we will need to verify your identity before fulfilling your request — usually by confirming ownership of the email associated with your account or by asking for information that matches our records. We will respond to your request as soon as possible, and in any event within one month of receiving it. If your request is complex or if we have received a large number of requests, we are allowed to extend this period by up to two further months; if we need to do this, we will inform you about the delay and the reasons.
We generally do not charge a fee for exercising your rights. However, if a request is manifestly unfounded or excessive (for example, if you make repetitive requests without good reason), we may charge a reasonable fee to cover the administrative costs of responding, or we might refuse to act on the request. We will explain our reasoning in such cases.
Rights for California Residents (CCPA/CPRA):
If you are a resident of California, USA, you have specific privacy rights regarding your personal information under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). These rights include:
- Right to Know: You have the right to request that we disclose the personal information we have collected, used, disclosed, and (if applicable) sold or shared about you over the past 12 months. This includes the right to ask for the categories of personal information we collected, the categories of sources of that information, the business or commercial purposes for collecting (or selling/sharing) the information, the categories of third parties with whom we shared the information, and specific pieces of personal information we have collected about you.
- Right to Delete: You have the right to request that we delete personal information we have collected from you (and direct our service providers to do the same), subject to certain exceptions. Once we receive and confirm your verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. For example, we might retain information needed to complete a transaction you initiated, to detect security incidents, to comply with a legal obligation, or other reasons allowed by the CCPA. We will inform you if any such exception applies to your request.
- Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you. Upon verifying the validity of a correction request, we will correct (and direct our service providers to correct) your personal information in our records.
- Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. However, as mentioned above, we do not sell personal information, nor do we share it for targeted advertising in the manner defined by the CCPA/CPRA. We do not disclose your personal data to third parties for their own marketing or other uses except as described in this Policy (which are service-related uses). Therefore, there is no need for you to submit a request to opt out of sale or sharing at this time. If this policy changes in the future, we will update this Privacy Policy and provide a “Do Not Sell or Share My Personal Information” link on our website to enable such choices.
- Right to Limit Use of Sensitive Personal Information: The CPRA grants California residents the right to limit how a business uses “sensitive personal information” (SPI) if it’s used for reasons beyond what’s necessary to provide the services. CEOTXT does not collect or use sensitive personal information for purposes that would trigger this right. We do not collect precise geolocation, Social Security numbers, driver’s license or passport numbers, financial account passwords, or other highly sensitive data as defined by CPRA, except for payment card details which are used strictly for processing your payments. Any limited sensitive information we handle (like payment details) is used only for the service you request and not for inferring characteristics about you. Therefore, there is no special limitation needed beyond what we already do — we automatically limit our use of sensitive data to the service provision purposes.
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means that if you choose to exercise your privacy rights, we won’t deny you our services, charge you a different price, or provide a different level or quality of service just because of your choice. However, please note that if the exercise of your rights impacts our ability to provide the service (for example, if you request deletion of essential data or decline certain necessary processing), we might not be able to continue providing you with CEOTXT in the same way. In such cases, we’ll explain the situation to you (for example, deletion of your account data means we can no longer maintain your account). This is not intended as retaliation or discrimination, but rather a consequence of your data choices.
- "Shine the Light": California’s “Shine the Light” law (Civil Code § 1798.83) allows California users to request information once a year about certain types of personal information we have disclosed to third parties for their direct marketing purposes in the preceding calendar year, and the identities of those third parties. As noted above, we do not share personal information with unaffiliated third parties for their own direct marketing purposes without your consent. If this ever changes, we will update this Policy and provide the relevant information. California residents may send inquiries about any request under the “Shine the Light” law to us via the contact information provided below.
Exercising California Rights: If you are a California resident and wish to exercise your Right to Know, Right to Delete, or Right to Correct, please contact us using the methods listed in the Contact Us section below. To ensure we process your request correctly, you may also email us with the subject line “CCPA Request” and specify the nature of your request. We will need to verify your identity before fulfilling these requests, which may involve asking you to provide information that matches our records (for instance, verifying your email address or other account details). If you have an account with us, we may ask you to make the request from within your logged-in account or to verify via information we have on file. If you do not have an account or can’t access it, we will ask for additional information to reasonably verify you are the person about whom we collected the personal information.
You may also designate an authorized agent to make these requests on your behalf. If you choose to do so, we will need to verify both you (to confirm the request is legitimate) and the authority of your agent (for example, by requesting signed permission demonstrating the agent’s authority to act for you or a power of attorney). We may still require you to directly confirm with us that the agent has permission to submit the request on your behalf.
We aim to respond to California privacy requests within 45 days. If we need more time (up to an additional 45 days, for a total of 90 days), we will inform you of the reason and extension in writing. Our response will cover the information requested for the preceding 12 months, consistent with the CCPA’s requirements. If we deny a request, we will explain the reason in our response. As stated above, we will not provide discriminatory treatment for exercising your rights.
Rights for Residents of Other U.S. States
Residents of other U.S. states that have enacted consumer privacy laws (such as Virginia, Colorado, Connecticut, Utah, and others) may have similar rights to access, delete, or correct their personal information, as well as to opt out of certain data processing activities. We are committed to honoring these rights as required by applicable state laws. If you are a resident of one of these states and wish to exercise any privacy rights provided under your state’s law, please contact us through the methods in the Contact Us section below. We will handle your request in accordance with the relevant state regulations and will not deny or limit your use of CEOTXT for exercising your privacy rights.
Children's Privacy
CEOTXT is not directed to children, and we do not knowingly collect personal information from individuals under the age of 13 (or under 16 in the European Union without parental consent, in accordance with GDPR). The Service is intended for use by adults in a professional/business context.
If you are under 13 years old, please do not use CEOTXT or provide any personal information about yourself to us. We do not knowingly allow children under 13 to register or use the Service. If we discover that we have inadvertently collected personal data from a child under 13 (or under the applicable minimum age in other jurisdictions) without proper consent, we will promptly delete that data.
If you are a parent or legal guardian and you believe that your child under 13 has provided us with personal information, please contact us immediately. We will work with you to investigate and, if necessary, delete the information and terminate the child’s account.
Even for minors who are old enough to use online services (for example, teenagers between 13 and 18), CEOTXT is designed for business professionals and may not be suitable for individuals under 18. We require that anyone creating an account is able to form a binding contract with us (which generally means being at least 18 years old, or the age of majority in your jurisdiction). By accepting our Terms of Service, users represent that they are at least 18 or have reached the age of majority where they live. If we learn that someone under 18 is using CEOTXT without appropriate consent or authorization, we may ask them to provide proof of parental consent or discontinue their use of the Service.
Changes to This Privacy Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will do the following:
- Posting Updates: We will post any updated Privacy Policy on our website (and within the app, if applicable) with a new "Last Updated" date at the top.
- Notifying Material Changes: If any changes are material, we will notify you in a more prominent way (such as by sending an email to the address associated with your account or by placing a notice on our website/app). Material changes could include using your personal data for new purposes not previously identified, or sharing it with new categories of third parties not previously disclosed.
- Consent for New Uses: Where required by law, we will obtain your consent before implementing significant changes in how we use your personal data. For instance, if we plan to collect new types of data not previously collected, or if we were to start “selling” personal information (as defined by applicable law), we would first seek your opt-in consent or, at a minimum, provide you with a clear ability to opt out before those changes take effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of CEOTXT after any changes to this Policy will constitute your acceptance of the updated terms. If you do not agree to an update, you should stop using the Service (and you can unsubscribe from communications or delete your account if applicable). We will always indicate the date of the latest revision, and prior versions of this Privacy Policy can be provided upon request for your reference.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us via one of the methods below:
- Email (Privacy Inquiries): post@ceotxt.com
- Mailing Address: Rokter AS (CEOTXT) – Privacy Team, Solbakken 2, 8516 Narvik, Norway
We will respond as promptly as possible and do our best to resolve any concerns. We value your trust and welcome feedback on how we can improve our privacy practices.
By using CEOTXT, you acknowledge that you have read and understood this Privacy Policy. Thank you for entrusting CEOTXT with your data – we are committed to keeping that trust through transparency and security.