Last updated: April 1, 2026

GDPR & Data Compliance

NordicB2B is committed to GDPR compliance and responsible data practices. This page explains how we ensure compliance and protect the rights of data subjects.

Our Commitment to Compliance

As a company headquartered in Finland and serving the Nordic region, we are fully committed to compliance with the General Data Protection Regulation (GDPR) and local data protection laws in Sweden, Denmark, Norway, and Finland. Data protection is fundamental to how we build and operate our platform.

Key Compliance Measures

Data Processing Agreement

Standard DPA available for all enterprise customers

EU Data Residency

All data stored and processed within the EEA

Regular Audits

Annual third-party security and compliance audits

Data Protection Officer

Dedicated DPO overseeing compliance activities

Legal Basis for Processing

We process business contact data under the following legal bases:

  • Legitimate Interest (Article 6(1)(f)): For processing publicly available business data and professional contact information. We conduct balancing tests to ensure our interests do not override data subject rights.
  • Contractual Necessity (Article 6(1)(b)): For processing customer account data necessary to provide our services.
  • Consent (Article 6(1)(a)): For marketing communications and optional analytics.

Data Sources

Our B2B data is compiled from legitimate sources including:

  • Official company registries (Bolagsverket, CVR, Brønnøysund, PRH)
  • Publicly available company websites and publications
  • Press releases and news sources
  • Professional networking platforms (publicly available information)
  • Direct submissions from data subjects

We do not use data brokers or purchase data from unverified sources.

Data Subject Rights

We respect and facilitate the exercise of all data subject rights under GDPR:

Right of Access (Article 15)

Individuals can request a copy of their personal data we hold. We respond within 30 days.

Right to Rectification (Article 16)

Individuals can request correction of inaccurate data. Updates are processed promptly.

Right to Erasure (Article 17)

Individuals can request deletion of their data. We honor all valid erasure requests.

Right to Object (Article 21)

Individuals can object to processing based on legitimate interests. We cease processing upon valid objection.

Right to Data Portability (Article 20)

Individuals can receive their data in a machine-readable format.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us with your request. We will verify your identity and respond within 30 days. For complex requests, we may extend this period by an additional 60 days with notice.

Data Security Measures

We implement comprehensive technical and organizational measures:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Role-based access controls following the principle of least privilege
  • Multi-factor authentication for all staff
  • Regular penetration testing and vulnerability assessments
  • Incident response procedures with 72-hour breach notification
  • Employee training on data protection

Sub-processors

We use a limited number of sub-processors, all bound by GDPR-compliant data processing agreements:

  • Cloud infrastructure (EU region): AWS (Frankfurt)
  • Payment processing: Stripe (EU)
  • Customer support: Intercom (EU data processing)
  • Analytics: Plausible Analytics (EU-based, privacy-focused)

International Transfers

We minimize international data transfers. When transfers outside the EEA are necessary, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and conduct Transfer Impact Assessments as required.

Supervisory Authority

Our lead supervisory authority is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). You have the right to lodge a complaint with them or your local supervisory authority if you believe your rights have been infringed.

For GDPR-related inquiries or to exercise your rights, please contact us.