Legal information

Last updated20/05/2026

Privacy Policy

Privacy Policy — LYNKODE LLC

Last updated: 2026-05-19
Effective date: 2026-05-19
Version: v3.0

1. Identity and contact details of the Controller

For the purposes of Regulation (EU) 2016/679 (“GDPR“) and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни, “ZZLD“), the Controller of personal data described in this Policy is:

LYNKODE LLC
Commercial form: Bulgarian limited liability company (ООД / OOD), registered under the Bulgarian Commercial Act (Търговски закон)
Bulgarian Unified Identification Code (ЕИК): 2281488228
Registered seat: 1 Vitosha Blvd., 5th floor, 1000 Sofia, Bulgaria
Managing director: Artem Nazarko
Registered in: Bulgarian Commercial Register (Търговски регистър при Агенция по вписванията)
Privacy contact (e-mail): privacy@lynkode.no
General contact: hei@lynkode.no
Website: https://lynkode.no

Data Protection Officer (DPO): not appointed. LYNKODE LLC does not meet the mandatory-appointment thresholds in GDPR Art. 37(1). Privacy queries are handled by the Managing Director through privacy@lynkode.no.

EU representative under GDPR Art. 27: not applicable. LYNKODE LLC is established in Bulgaria (an EU Member State); Art. 27 obliges representatives only for controllers not established in the Union.

2. Scope of this Policy

This Policy applies to all personal data LYNKODE LLC processes in connection with:

  1. The public marketing website at https://lynkode.no (the “Website“), including all language variants (/en/, /ru/, /pl/).
  2. Contact forms, project-brief forms and other modal forms offered on the Website.
  3. The automated website-quality audit tool offered to visitors of the Website (the “Audit Tool“).
  4. The operator-only dashboard at https://dashboard.lynkode.no (the “Dashboard“) and all backend services it depends on.
  5. Outreach e-mails sent from @lynkode.no and @mail.lynkode.no addresses (the “Outreach Platform“).
  6. The contractual relationship with paying customers of LYNKODE LLC.

This Policy does not cover personal data that customers of LYNKODE LLC process on their own websites and platforms operated independently of LYNKODE LLC infrastructure, nor independent third-party websites linked from lynkode.no.

3. What personal data we process, why, and on what lawful basis

This section is the master record required by GDPR Art. 13–14 and ZZLD Art. 19. The corresponding RoPA (Art. 30) is maintained internally and made available to KZLD or Datatilsynet on request.

3.1 Website visitors (general browsing)

Data: IP address (truncated for analytics where/if enabled), browser user-agent, referrer URL, page-view timestamps, language preference, theme preference, consent state for cookies.
Source: the visitor’s browser.
Purposes: operate and secure the Website, remember language/theme.
Lawful basis: GDPR Art. 6(1)(f) — legitimate interest in operating and securing the Website. Strictly-necessary cookies do not require consent (ePrivacy Directive 2002/58/EC Art. 5(3) second sentence; Norwegian ekomloven §2-7b second paragraph).
Retention: server access logs 14 days; consent state and preferences as documented in the Cookie Policy.

3.2 Contact form submissions

Data: full name, e-mail address, optional phone number, message text, optional attachments, IP address and timestamp of submission, anti-spam tokens if active.
Source: the visitor who submits the form.
Purposes: respond to the enquiry, prepare quotes, route to the responsible team member, prevent spam and abuse.
Lawful basis: Art. 6(1)(b) GDPR — pre-contractual steps at the request of the data subject; Art. 6(1)(f) — legitimate interest in responding to general enquiries and in spam prevention.
Retention: 24 months from the last interaction; longer where the message becomes part of an active customer file (§3.9). Spam-classified submissions: 30 days.

3.3 Project brief form

Data: company name, contact name, e-mail, phone, project description, budget range, timeline, technical preferences, attached files (mood boards, briefs, sample sites).
Source: the prospect who submits the brief.
Purposes: evaluate the proposed engagement, prepare a quote, scope a delivery plan, schedule a kick-off.
Lawful basis: Art. 6(1)(b) — pre-contractual steps; Art. 6(1)(f) — legitimate interest in evaluating prospective engagements.
Retention: 24 months from the last contact; if the engagement materialises, the brief becomes part of the customer file (§3.9).

3.4 Audit Tool

Data: the URL submitted for analysis (which may belong to the requester or a third-party site), the requester’s e-mail when provided, IP address, timestamp, results of the technical scan (performance, accessibility, SEO metrics, rendered screenshot).
Source: the visitor who initiates the audit.
Purposes: generate and deliver the audit report; improve the audit logic; allow operator follow-up where the requester explicitly opts in.
Lawful basis: Art. 6(1)(b) — performance of the service requested by the data subject; Art. 6(1)(f) — legitimate interest in service improvement.
Third-party URLs: the audit accesses only publicly available technical information about the URL. No login, no scraping behind authentication. If a third party objects to inclusion of their URL in audit history, they may exercise their rights under §7.
Retention: 24 months for audit results; the requester’s e-mail (if provided) follows the same rule unless the requester becomes a lead (§3.6).

3.5 Cookie-consent records

Data: consent decision (accepted / rejected / partial), category granularity, version of the Cookie Policy at the moment of consent, timestamp, anonymised consent ID, IP-derived region.
Source: the consent banner (Complianz GDPR / CCPA Cookie Consent) on the Website.
Purposes: demonstrate compliance with GDPR Art. 7(1) (burden of proof of consent) and ePrivacy Art. 5(3).
Lawful basis: Art. 6(1)(c) GDPR — legal obligation.
Retention: 5 years after withdrawal or expiry.

3.6 Lead-generation platform — prospect data (LYNKODE as Controller)

When LYNKODE LLC conducts outreach for its own services, it is the Controller of the prospect data. Sources:

  • Brønnøysundregistrene (Norwegian public business register) — company name, organisation number, registered address, NACE industry code.
  • Public company websites — contact information published in plain text or mailto: links.
  • Public professional profiles (LinkedIn) — name, title, company, URL.
  • Direct interaction — replies, opt-out clicks, right-to-be-forgotten requests.

Categories of data: company identifiers; contact identifiers; technical metrics about the prospect’s website (PageSpeed scores, Cloudflare Workers audit results); messages we send and receive; suppression and consent state; HMAC tokens used for opt-out and erasure links.

Purposes: identify potential B2B customers; prepare and send outreach communication; record replies; respect opt-outs.

Lawful basis:
– Art. 6(1)(f) GDPR — legitimate interest. The Legitimate Interest Assessment (LIA) summarised in §3.6.1 documents the balancing test.
– Marketingsloven §16 (Norwegian Marketing Control Act, LOV-2009-01-09-2) — B2B carve-out from the §15 prior-consent rule.
– Art. 6(1)(c) GDPR — legal obligation, for suppression of opted-out / bounced / complained recipients indefinitely.

3.6.1 Legitimate-Interest Assessment (summary)

LYNKODE LLC’s processing of B2B contact data from public sources for one outbound commercial e-mail per recipient passes the three-part LIA test:

  1. Purpose test. Contacting decision-makers at Norwegian businesses with a B2B offer is a legitimate, lawful and clearly articulated business purpose. Recital 47 GDPR expressly contemplates direct marketing as a legitimate interest.
  2. Necessity test. B2B e-mail is the least intrusive viable channel. Processing is limited to publicly listed business contact data; no scraping behind authentication; no enrichment combining sensitive attributes.
  3. Balancing test. Intrusion on the data subject is minimal:
    – Single text e-mail per prospect; no follow-up without a positive trigger.
    – Sent only during Norwegian business hours, excluding Norwegian public holidays.
    – No tracking pixels, no open/click tracking.
    – One-click opt-out via HMAC-signed link in every footer; effective immediately and indefinitely.
    – Clear sender identification (company name, ЕИК, link to this Policy) — meeting Marketingsloven §16 second paragraph and ePrivacy Art. 13(4).
    – Per-domain throttling (one e-mail per 24h per domain by default).
    – Auto-archive on bounce or unsubscribe; restore-blocked for unsubscribed and bounced_email categories.
    – No special-category data (Art. 9 GDPR).
    – The data subject is a professional whose public business contact details were published precisely to enable business contact.

The balance favours the Controller’s legitimate interest, conditional on the mitigations remaining in force.

3.7 Lead-generation platform — reply data

Data: reply e-mail body, sender e-mail, message identifiers (RFC 5322 Message-ID, References), delivery and read status, an AI classification label.
Source: the recipient who replies to outreach.
Purposes: conversation tracking; route the recipient through the operator workflow; honour unsubscribe immediately.
Lawful basis: Art. 6(1)(f) GDPR for conversation tracking; Art. 6(1)(c) for unsubscribe processing.
Retention: 24 months from the date of receipt.

3.8 Lead-generation platform — Customer’s prospects (LYNKODE as Processor)

Where a paying customer engages LYNKODE LLC to run a lead-generation programme on the customer’s behalf, the customer is the Controller and LYNKODE LLC is the Processor under GDPR Art. 28. In that case:

  • A separate Data Processing Agreement (DPA) is concluded under Art. 28(3).
  • LYNKODE LLC processes the customer’s prospect data only on documented instructions of the customer.
  • The same sub-processor chain applies; the customer is informed in advance of changes (Art. 28(2)) and may object.
  • All Art. 28(3) clauses (confidentiality, security, deletion / return on termination, audit rights, breach notification within 24 hours, assistance with data-subject rights) are included.

This Policy does not govern that processing; the customer’s own privacy policy does.

3.9 Paying customer relationship

Data: company name, registration details (ЕИК / org.nr / VAT number), invoicing address, contact persons (name, title, work e-mail, work phone), bank/payment routing data, contract documents, communication history, billing records.
Source: the customer at engagement formation and during the contract.
Purposes: contract performance (Art. 6(1)(b) GDPR), invoicing and accounting (Art. 6(1)(c) — Norwegian bokføringsloven LOV-2004-11-19-73 §13 requires 5 years’ retention; Bulgarian Закон за счетоводството §12 similarly), service delivery, support.
Retention: 5 years for accounting documents (statutory minimum); 10 years for documents subject to the Norwegian limitation period under foreldelsesloven (LOV-1979-05-18-18); contract documents 10 years from termination; non-statutory operational data 24 months from termination.

3.10 Operational logs and security data

Data: system logs (minimised to exclude personal data), webhook delivery records, queue events, audit trail for GDPR right-of-erasure executions (e-mail hash only — Art. 4(5) pseudonymisation), database backup metadata.
Purposes: debugging, security incident response, demonstrating accountability (Art. 5(2), Art. 24).
Lawful basis: Art. 6(1)(f); Art. 6(1)(c) for retention required by law.
Retention: application logs 90 days; database backups 30 days; GDPR erasure audit log indefinite (hash only).

4. Recipients of personal data — sub-processors

LYNKODE LLC uses the following sub-processors. A Data Processing Agreement under GDPR Art. 28(3) is in force with each.

Sub-processor Service Country Transfer mechanism Role
Hetzner Online GmbH Server and database hosting (production + backups) DE (EEA) None required Infrastructure processor (Outreach Platform, Dashboard)
WordPress / cPanel hosting provider Marketing site hosting EEA None required Infrastructure processor (Website)
Cloudflare, Inc. CDN/DNS for the Website; Cloudflare Workers for the Audit Tool (executes LYNKODE-authored audit scripts against publicly accessible target URLs) US EU SCC (Commission Implementing Decision (EU) 2021/914) + EU–U.S. Data Privacy Framework Infrastructure + audit compute processor
Complianz B.V. Cookie banner, consent record storage, cookie scanning NL (EEA) None required Consent management processor
Google LLC Gemini API (AI reply classification); PageSpeed Insights API (audit scoring) US EU SCC + EU–U.S. Data Privacy Framework + Google Cloud DPA Processor (AI + audit)
Resend, Inc. Transactional e-mail send + inbound webhook receipt US EU SCC + EU–U.S. Data Privacy Framework + Resend DPA Processor (Outreach Platform)
Hunter, S.A.S. (Email Hunter) Email-discovery API FR (EEA) None required Processor — currently disabled; re-enable requires explicit DPA acceptance
Telegram (Telegram FZ-LLC) Operator-side operational alerts AE / Global Not used for lead or visitor PII; operator-bound infrastructure signals only Not a Processor for this Policy’s purposes; documented for transparency

LYNKODE LLC does not sell personal data and does not disclose it to third parties for their own marketing or profiling purposes. Disclosure is limited to: (i) the sub-processors above, strictly on documented instructions; (ii) competent public authorities where compelled by law; (iii) professional advisers bound by confidentiality, only where strictly necessary.

5. International transfers

Some sub-processors operate outside the European Economic Area (EEA) — Resend (US), Google (US), Cloudflare (US). Transfers rely cumulatively on:

  1. EU Standard Contractual Clauses — Commission Implementing Decision (EU) 2021/914 — incorporated by reference in each Processor’s DPA.
  2. EU–U.S. Data Privacy Framework — Commission Implementing Decision (EU) 2023/1795 — where the sub-processor is certified.
  3. Supplementary technical and organisational measures — TLS in transit, encryption at rest, minimisation of personal data sent to each Processor, restriction of metadata, periodic re-assessment.

LYNKODE LLC will re-assess transfers if the European Commission or the CJEU invalidates them, consistent with the Schrems II judgment (Case C-311/18).

6. Retention periods

Data Retention Legal basis for the period
Server access logs (Website + Dashboard) 14 days Operational necessity
Application logs (Dashboard, Outreach Platform) 90 days Operational necessity + incident-response window
Database backups (encrypted) 30 days rolling Disaster-recovery necessity
Cookie-consent records 5 years after withdrawal / expiry Demonstration of consent (GDPR Art. 7(1))
Contact-form submissions 24 months from last interaction; 30 days if classified as spam Service necessity
Project-brief submissions 24 months from last interaction; longer if engagement materialises Service necessity
Audit Tool results 24 months Service necessity + improvement
Active lead records (Outreach Platform) 24 months from last activity Service necessity + LIA balancing
Archived leads additional 12 months in cold storage, then deletion Statute-of-limitations safety margin
Outbound message bodies 24 months Conversation continuity
Outreach delivery / bounce / complaint events 5 years Bokføringsloven §13
Inbound reply bodies 24 months from receipt Conversation continuity
Suppression list (opt-out / bounce / complaint) Indefinite GDPR Art. 21 (must remember the objection)
GDPR erasure audit log Indefinite (e-mail hash only) Accountability (Art. 5(2))
Accounting records / invoices 5 years minimum Bokføringsloven §13; Bulgarian Закон за счетоводството §12
Contract documents 10 years from termination Norwegian foreldelsesloven §3
Tax records Per applicable statutory period Statutory

7. Your rights as a data subject

Right GDPR Art. How to exercise
Information 13–14 This Policy
Access 15 E-mail privacy@lynkode.no; response within one month, extendable by two months for complex requests (Art. 12(3))
Rectification 16 E-mail
Erasure / right to be forgotten 17 Public endpoint at https://dashboard.lynkode.no/gdpr-forget.php with an HMAC-signed link, or by e-mail. Erasure is transactional and immediate.
Restriction of processing 18 E-mail
Data portability 20 E-mail; response in machine-readable JSON
Object 21 One-click opt-out link in every outreach e-mail; effective immediately and indefinitely. Also e-mail.
Withdraw consent (where relied on) 7(3) LYNKODE LLC does not rely on consent for outreach. Withdrawal applies to cookie consent.
Not be subject to solely automated decisions with legal or similarly significant effect 22 Not applicable — no Art. 22 decisions are made (see §9)
Complain to a supervisory authority 77 See §8

Responses are free of charge, except where a request is manifestly unfounded or excessive under Art. 12(5).

Identity verification may be requested where necessary to prevent disclosure to an impostor (Art. 12(6)).

8. Supervisory authorities

LYNKODE LLC is established in Bulgaria; the lead supervisory authority under the GDPR one-stop-shop mechanism (Art. 56) is:

Комисия за защита на личните данни (КЗЛД) — Bulgarian Commission for Personal Data Protection
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Telephone: +359 2 915 3 518
E-mail: kzld@cpdp.bg
Website: https://www.cpdp.bg/

A data subject located in Norway may also lodge a complaint with the Norwegian concerned supervisory authority Datatilsynet — https://www.datatilsynet.no/ — under the cooperation procedure of GDPR Art. 60.

Matters concerning Norwegian marketing-law compliance (Marketingsloven §15/§16) may be brought to the Norwegian Consumer Authority Forbrukertilsynet — https://www.forbrukertilsynet.no/.

You may complain to any of these authorities; the GDPR cooperation mechanism allocates the matter internally.

9. Automated processing and AI

LYNKODE LLC uses Google’s Gemini API to classify inbound replies into one of six categories (positive / negative / out-of-office / unsubscribe / spam / unknown). The classification:

  • is operator-facing only — the human operator reads every reply and makes all outreach decisions;
  • has no legal effect on the data subject and no similarly significant effect within the meaning of GDPR Art. 22;
  • therefore GDPR Art. 22 does not apply.

Lead scoring (an internal numeric score from publicly available website metrics) is likewise an operator-triage aid and not an Art. 22 decision.

This AI use is disclosed here in accordance with the transparency obligation in Art. 13(2)(f). LYNKODE LLC monitors Regulation (EU) 2024/1689 (the EU AI Act) for any obligations becoming applicable as the integration evolves.

10. Cookies and similar technologies

The Website uses cookies and similar technologies governed by ePrivacy Directive 2002/58/EC, Norwegian Ekomloven §2-7b (LOV-2003-07-04-83) and the Bulgarian Electronic Communications Act. The granular table, the consent mechanism and the withdrawal procedure are described in the separate Cookie Policy.

11. Security of processing (GDPR Art. 32)

LYNKODE LLC implements appropriate technical and organisational measures including:

  • TLS 1.2+ for all data in transit, TLS 1.3 preferred where supported.
  • Encryption at rest for production databases (Hetzner volume encryption).
  • Database access restricted to operator IP addresses and the internal Hetzner network.
  • Dashboard protected by HTTP basic authentication and, where supported by the operator’s browser, two-factor authentication.
  • HMAC-SHA256 signatures for opt-out and right-of-erasure links (single-use tokens).
  • Webhook signature verification (Svix) for the inbound e-mail webhook.
  • Strict input validation and parameterised SQL queries throughout the application.
  • Application-level audit log of every right-of-erasure execution.
  • Operator-only access to production; no external API keys committed to source control; secrets stored in operator credential vault.
  • Periodic backup verification.
  • Sub-processor compliance tracked and re-evaluated on every new vendor integration.
  • Incident-response procedure documented and tested.

12. Personal data breaches (GDPR Arts 33–34)

In the event of a personal data breach as defined in Art. 4(12) GDPR:

  1. LYNKODE LLC notifies KZLD (lead supervisory authority) without undue delay and where feasible not later than 72 hours after becoming aware (Art. 33(1)), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  2. Where the breach is likely to result in a high risk to data subjects’ rights and freedoms, affected data subjects are notified without undue delay (Art. 34(1)), unless Art. 34(3) conditions are met.
  3. Internally, the breach is logged with cause, scope, mitigation, follow-up and notification timeline.

13. Children

The Website, the Outreach Platform and the Audit Tool are directed exclusively at adult professional audiences. LYNKODE LLC does not knowingly collect personal data of children below the age of 13 (Norwegian Personopplysningsloven §5 threshold). If you believe personal data of a child has reached us, contact privacy@lynkode.no and we will delete it without undue delay.

14. Changes to this Policy

This Policy is updated whenever the underlying processing changes materially. The “Last updated” date at the top reflects the current version; the version number is incremented on each material change. Previous versions are archived internally for audit.

15. Governing law

This Policy and any non-contractual obligations arising out of or in connection with it are governed by Bulgarian law, with mandatory provisions of Norwegian data-protection law (Personopplysningsloven LOV-2018-06-15-38) and Norwegian Marketingsloven (LOV-2009-01-09-2) continuing to apply to processing directed at Norwegian data subjects. The GDPR and the Bulgarian ZZLD apply directly.

16. Contact

For any matter related to this Policy or to the processing of your personal data:

privacy@lynkode.no

LYNKODE LLC, 1 Vitosha Blvd., 5th floor, 1000 Sofia, Bulgaria, ЕИК 2281488228.

Scroll to Top