Privacy Policy
EHForder Platform
Skiwo AS · Pilestredet 17, 0164 Oslo · privacy@ehforder.com
Effective date: 25 May 2026
Skiwo AS wants you to understand what data we collect about you and how we process it. We process your personal data in accordance with our obligations under applicable privacy legislation, including the EU General Data Protection Regulation (GDPR).
In this privacy policy we explain what personal data we collect and process, and for what purposes, when you use the EHForder platform (the "platform"). We also provide information about your rights.
What is personal data?
Personal data is any information that can be directly or indirectly linked to an individual — for example a name, email address, phone number, IP address, or signature on a purchase order.
Who is the data controller?
Skiwo AS (org. no. 916 636 660) ("we" or "Skiwo") is the data controller for the processing of personal data described in this privacy policy. Our contact information is:
- Postal address: Pilestredet 17, 0164 Oslo, Norway
- Email: privacy@ehforder.com
We also process personal data on behalf of our Customers in the role of "data processor". This includes processing personal data contained in the inbound purchase orders the Customer receives — for example names of contact persons at the senders, signatures, delivery instructions, and any personal data the sender chose to include. For these processing activities, the Customer is the data controller. The terms governing our processing as data processor are set out in our Data Processing Agreement.
Whose personal data do we process (as controller)?
This privacy policy covers our processing of personal data about the following people:
- Authorised users at Customer organisations — administrators, Reviewers, finance team members.
- Contact persons at prospective customers, partners, and suppliers.
- Skiwo employees and authorised support staff with access to the platform.
- Visitors to our marketing website at www.ehforder.com.
- Anyone who otherwise contacts us by email or other channels.
What personal data do we process (as controller)?
The personal data we collect and process can be divided into the following categories:
- Basic information: name and contact details of users at Customers, prospects, or partners.
- Account and authentication information: email address, role within the tenant, access level, login timestamps, IP address at login, browser and device metadata.
- Usage data: actions you take in the platform — for example which orders you reviewed, which fields you edited, which rules you created — logged for security and audit purposes.
- Billing information: where applicable, contact and payment details of the Customer billing entity (handled by Skiwo's PoP accounting service as the billing processor).
- Support and inquiry information: any details you provide when contacting us by email or web form, plus the content of related correspondence.
How do we receive personal data about you?
We may receive your personal data in the following ways:
- Directly from you when you sign up for the Service, log in, or contact us.
- From your employer (our Customer) when a tenant administrator adds you as a member of an EHForder workspace.
- Indirectly when you use the platform — for example logs of which pages you visited or which orders you actioned.
- From public registries (e.g. Brønnøysundregistrene / the Norwegian Brreg, or the Peppol Directory) when we verify a Customer's organisation details during signup.
For what purposes and on what legal basis do we process your personal data?
We collect and use your personal data for the purposes below. For each purpose we identify the legal basis under the GDPR.
| Purpose | Processing activity | Personal data | Legal basis |
|---|---|---|---|
| Provide the Service | Create your user account, authenticate your login, deliver platform functionality. | Name, email, tenant membership, role, login metadata. | Article 6(1)(b) — Contract |
| Customer support | Respond to your questions, troubleshoot issues, follow up on incidents. | Contact details, inquiry content, communication history. | Article 6(1)(f) — Legitimate interest in supporting our Customers |
| Sales and onboarding | Process signup, verify your organisation, configure your tenant, run Reviewer training. | Contact details, company info, Peppol participant ID, signup form responses. | Article 6(1)(b) — Contract / pre-contractual |
| Security and abuse prevention | Monitor platform use to detect, investigate, and prevent unauthorised access, fraud, or other misuse. | Timestamps, user identifiers, IP addresses, browser and device details, session and access logs. | Article 6(1)(f) — Legitimate interest in maintaining information security |
| Billing and accounting | Issue invoices via Skiwo's PoP accounting service, maintain accounting records as required by Norwegian bokføringsloven. | Customer billing entity details, invoice contact, transmitted-line counts. | Article 6(1)(c) — Legal obligation (bokføringsloven) |
| Compliance with legal requirements | Respond to lawful requests from public authorities and meet statutory record-keeping obligations. | All categories strictly necessary to fulfil the obligation. | Article 6(1)(c) — Legal obligation |
| Other purposes | Any other purpose to which you have specifically consented. | Article 6(1)(a) — Consent |
How do we secure your personal data?
We implement technical and organisational measures designed to protect personal data, including: TLS in transit; AES-256 at rest for TOTP secrets (other authentication material is stored as one-way SHA-256 digests); role-based access control; audit logging of all significant actions; device fingerprint binding on every session (cookie-theft defence); regular security testing; secure software development following OWASP guidelines; and EU-only data residency for all production data.
Who do we share personal data with?
We share personal data only as described below, and never sell it.
Personal data is shared with the following categories of recipient:
- Your own organisation, to administer your account and access.
- Data sub-processors engaged by Skiwo (listed in the next section), under a data processing agreement.
- Public authorities where there is a statutory obligation to disclose.
- Recipients of transmitted EHF Order documents over the Peppol network, where required to deliver the Service (purchase-order content only, never platform user accounts).
Sub-processors
We engage the following sub-processors. All are bound by data processing agreements equivalent to those Skiwo is bound by with you, and all process data within the EU/EEA.
- Heroku (Salesforce, Inc.) — application hosting and EU-resident AI inference. EU region.
- Amazon Web Services (AWS) — inbound email ingestion (SES), attachment storage (S3), outbound EHF XML storage (S3), and transactional email delivery (SES SMTP for login tokens and signup notifications). EU regions only.
- efacto — Peppol Access Point providing AS4 transmission of EHF Order documents to recipients on the Peppol network.
- Anthropic (via Heroku managed inference) — large-language-model inference for order classification and structured extraction, EU endpoints only.
- PayoutPartner (Skiwo product) — billing and invoicing, where applicable.
Do we transfer personal data to other countries?
As a general rule, we do not transfer your personal data to countries outside the EU/EEA.
If such transfers nevertheless occur — for example if a sub-processor's parent entity is located outside the EU/EEA — we ensure the transfer is carried out in accordance with the requirements of GDPR Chapter V and that adequate safeguards are in place, e.g. through EU Standard Contractual Clauses (SCCs) or an adequacy decision.
How long do we store personal data?
We store your personal data only for as long as necessary for the purposes set out above, or where storage is required by law (e.g. Norwegian bokføringsloven requires retention of commercial-flow source records for 7 years).
Default retention periods:
- Source documents (raw .eml and attachments) and generated EHF XML: 7 years (bokføringsloven).
- User accounts and audit logs: for the duration of the service agreement, plus up to 12 months after termination.
- Billing records: as required by Norwegian accounting law (5–10 years depending on document type).
- Marketing-site analytics: we do not run third-party analytics. Access logs persist for the retention window configured at the platform layer (typically a few days on Heroku's default log drain) and are used only for security investigation, not for behavioural tracking.
What are your rights?
Under applicable privacy law, you have the right to:
- Request access to the personal data we hold about you.
- Request rectification of inaccurate personal data.
- Request erasure of your personal data (subject to legal retention requirements).
- Request data portability — receive a copy of your personal data in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
- Lodge a complaint with a supervisory authority — in Norway, Datatilsynet (datatilsynet.no).
To exercise any of these rights, contact privacy@ehforder.com. We may verify your identity before responding.
Use of cookies
We use a minimal set of strictly necessary cookies for authentication and session state. We do not run third-party trackers, analytics, or advertising cookies. See our Cookie Policy for details.
Changes to this privacy policy
Our services evolve, so this privacy policy may need to be updated. The current version is always available at www.ehforder.com/privacy. Material changes will be notified to Customer administrators by email.
How to contact us
If you have questions about how we process your personal data, or wish to exercise your rights, email privacy@ehforder.com or write to Skiwo AS, Pilestredet 17, 0164 Oslo, Norway.