Privacy

Privacy Policy

Your data, your rules. Here's exactly what we collect, why we collect it, and how we keep it safe.

February 2026
01

Data Controller

The data controller for all services provided by What If It Works? is Pitkevics IT Services (org. nr. 936 188 125), registered in Norway. All data processing follows the privacy standards described in this policy. If you have questions about how your data is handled, contact us at privacy@whatifitworks.com.

02

Data We Collect

We collect information you provide directly: your name, email address, company name, and project details when you fill out our contact form or engage our services. We also collect basic analytics data automatically: browser type, device type, pages visited, and approximate location (country level). We do not collect sensitive personal data such as financial information, health records, or government IDs unless specifically required for a project and explicitly agreed upon in writing.

03

How We Use Your Data

We use your data to respond to inquiries and provide our services, communicate with you about your projects and account, improve our website and service quality, send occasional updates about our services (only if you've opted in), and comply with legal obligations. We never sell your data. We never use your data for advertising. We never share your personal information with third parties for their marketing purposes. Full stop.

04

Legal Basis for Processing

Under GDPR, we process your data based on the following legal grounds: contract performance - when processing is necessary to deliver the services you've engaged us for; legitimate interest - for website analytics, service improvement, and fraud prevention; consent - for marketing emails and non-essential cookies, which you can withdraw at any time; and legal obligation - for tax records, accounting, and regulatory compliance. We only process data that is necessary for the stated purpose.

05

Third-Party Services

We use a limited number of trusted third-party services to operate our business: Vercel for website hosting, Supabase for database and authentication services, Stripe for payment processing, and Resend for transactional email delivery. We also use analytics tools to understand website traffic patterns. Each of these providers has its own privacy policy and is contractually obligated to protect your data through data processing agreements. We only work with providers that meet GDPR compliance standards and store data within the EU where possible.

06

Data Storage & Security

Your data is stored on secure servers located in the European Union and the United States, depending on which entity services you. European client data is primarily stored within the EU; US and international client data may be stored in US-based infrastructure. Regardless of location, we use industry-standard encryption (TLS 1.3) for all data in transit and AES-256 encryption for data at rest. Access to personal data is strictly restricted to team members who need it to perform their duties, with role-based access controls in place. We conduct regular security reviews, keep our systems and dependencies up to date, and follow security best practices. While no system is 100% bulletproof, we take every reasonable measure to protect your information.

07

International Data Transfers

Because we operate from both Norway and the United States, data may be transferred between the EU and the US as part of our normal operations. For European clients, we ensure that any data transferred outside the EU is protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions for countries with equivalent data protection standards, and binding corporate rules where applicable. For US-based clients, data is processed in accordance with applicable US federal and state privacy laws. We regularly review our data transfer mechanisms to ensure ongoing compliance with all applicable regulations.

08

Your Rights

Under GDPR and applicable privacy laws, you have the right to: access the personal data we hold about you, request correction of inaccurate data, request deletion of your data ("right to be forgotten"), object to or restrict processing of your data, request data portability - receive your data in a structured, machine-readable format, and withdraw consent at any time for consent-based processing. To exercise any of these rights, contact us at privacy@whatifitworks.com. We'll acknowledge your request within 48 hours and respond substantively within 30 days.

09

Cookies

We use essential cookies to keep our website functioning properly - things like remembering your language preference and maintaining your session. These are strictly necessary and don't require consent. We use analytics cookies to understand how visitors use our site, which helps us make it better - these require your opt-in consent. We do not use any third-party advertising or tracking cookies. You can manage your cookie preferences through our cookie banner or your browser settings. Our site works perfectly without analytics cookies.

10

US Privacy Rights

If you are a resident of California or another US state with consumer privacy legislation, you may have additional rights under applicable law, including the California Consumer Privacy Act (CCPA/CPRA). These may include the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, the right to opt out of the sale or sharing of personal information (we do not sell or share your data for advertising), and the right to non-discrimination for exercising your privacy rights. To exercise any of these rights, contact us at privacy@whatifitworks.com. We will verify your identity and respond within the timeframes required by applicable law.

11

Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy. Contact form submissions are kept for 12 months, then deleted. Client project data is retained for the duration of our engagement plus 2 years for warranty, support, and legal compliance purposes. Analytics data is anonymized after 26 months. Financial records are retained as required by applicable tax law - typically 5 years in Norway and 7 years in the United States. You can request earlier deletion of your personal data at any time by contacting us - we'll comply unless we have a legal obligation to retain it.

12

Contact & Complaints

If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how we handle your information, reach out to us at privacy@whatifitworks.com. Formal data protection inquiries can be directed to our Data Protection Officer at Pitkevics IT Services, reachable at the same email address. We take every complaint seriously and aim to resolve issues promptly. If you are in the EU and believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. The Norwegian Data Protection Authority (Datatilsynet) can be reached at datatilsynet.no.

Questions About Your Privacy?

Your data rights matter to us. Reach out if you have any questions or concerns.