Privacy Policy and Cookie Policy

Privacy Policy

Last updated: March 12, 2026

This Privacy Policy describes how Megadeals International AB (trading as Njord) (“Njord”, “we”, “us”, or “our”) collects, uses, shares, and protects personal information when you visit njord.io, request a demo, use the Njord Deal Orchestration Platform, or interact with our marketing communications.

‍

1. About Njord and This Policy

Megadeals International AB (trading as Njord) operates the world’s first Deal Orchestration Platform, helping B2B companies win complex, high-value deals. Our primary website is njord.io.

This policy applies when you:

• Visit or interact with njord.io
• Submit a contact form, demo request, newsletter sign-up, event registration, or content download
• Use the Njord platform as a customer or authorised user
• Engage with our advertisements on LinkedIn, Meta, Google, or programmatic channels

We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable privacy legislation.

‍

2. Data Controller

Megadeals International AB (trading as Njord) is the data controller for all personal information processed through our website and platform.

Company: Megadeals International AB (trading as Njord)

Privacy contact: legal@njord.io

Website: njord.io

If you are in the EU/EEA and have concerns about how your data is handled, please contact us at the email address above.

Data Controller vs Data Processor

This Privacy Policy governs Njord’s activities as a Data Controller — that is, when we collect and process personal data for our own marketing, sales, and operational purposes (for example, when you visit njord.io, submit a form, or receive communications from us). Visitors to our website interact with us in this capacity and their consent preferences are managed accordingly.

When Njord processes personal data on behalf of a customer within a contracted engagement, Njord acts as a Data Processor. In that capacity, processing is governed by a separate Data Processing Agreement (DPA) entered into with that customer, not by this Privacy Policy. If you are a Njord customer and have questions about data processing within your engagement, please refer to your DPA or contact legal@njord.io.

3. Information We Collect

‍

3.1 Information you provide directly

We collect information you voluntarily give us, including:

• Contact and identity information: name, email address, phone number, job title, and company name
• Account information: login credentials, preferences, and communication history
• Demo and enquiry details: your business challenges, use case descriptions, and questions submitted via forms
• Communications: content of messages sent to us via email, contact forms, or in-platform chat

‍

3.2 Information collected automatically

When you visit our website, we automatically collect:

• Technical data: IP address, browser type and version, device type, operating system, screen resolution, and time zone
• Usage and behavioural data: pages visited, features used, time spent, links clicked, and navigation paths
• Referral data: the URL that directed you to our website
• Cookie and tracking data: information collected by cookies and similar technologies (see our Cookie Policy for full details)

‍

3.3 B2B company identification

We use Dealfront (formerly Leadfeeder) to identify the organisation associated with a visiting IP address. This service operates at the company level—it identifies which businesses are browsing our site, not which individual you are. We use this information for B2B lead generation and account-based marketing.

‍

3.4 Advertising interaction data

Our advertising partners—including LinkedIn, Meta, Google Ads, Adform, Influ2, and Inzynk—may share aggregated data about how you engaged with our ads, such as ad impressions, clicks, and conversion events. Please see Section 5 for a full list of partners.

‍

3.5 Data from third-party sources

We may receive information about your company or professional profile from third-party data providers, including:

• Apollo.io, for B2B prospecting (business contact details and company information)
• LinkedIn and other professional networks, when you engage with our content or complete a Lead Gen Form
• Business directories and publicly available professional sources

Art. 14 notice — third-party sourced data: Where we obtain personal information about you from third-party sources (such as Apollo.io or LinkedIn) rather than directly from you, we limit that data strictly to professional and publicly available information — such as business email addresses, job titles, employer names, and publicly shared professional profiles. We rely on legitimate interests as the lawful basis for this processing, having assessed that this use of professional contact data for B2B outreach does not override your fundamental rights. If you receive outreach from us and would prefer not to be contacted, you have the right to object at any time by emailing legal@njord.io.

‍

3.6 Platform and application data

When you use the Njord Deal Orchestration Platform (DOE), including the mobile application, we may collect:

• Device permissions: camera, device storage, microphone, and contacts list — only where you have explicitly granted the relevant permission on your device
• Device and diagnostic data: device model, operating system version, unique device identifiers, and crash reports collected via Firebase Analytics and Crashlytics
• Usage data: feature interactions, session duration, and in-app events used to support product improvement and stability

We do not store passwords within the Njord platform. File attachments are deleted from our servers immediately after successful delivery to the intended recipient.

4. How and Why We Process Your Information

The following sets out the purposes for which we process personal data and the corresponding legal basis under GDPR.

• Providing our platform and services (account management, customer support, platform functionality) — Legal basis: Contract performance
• Responding to enquiries and demos (form submissions, scheduling demonstrations, pre-sales conversations) — Legal basis: Pre-contractual steps / Legitimate interests
• Email marketing and communications (newsletters, product updates, event invitations) — Legal basis: Consent (where required) / Legitimate interests (B2B)
• Targeted digital advertising (LinkedIn, Meta, Google Ads, Adform, Influ2, Inzynk campaigns) — Legal basis: Consent (via cookie preferences)
• Website analytics and optimisation (understanding traffic patterns, improving UX, A/B testing) — Legal basis: Legitimate interests / Consent
• B2B lead identification (identifying visiting companies by IP address via Dealfront) — Legal basis: Legitimate interests
• B2B prospecting (enriching contact records via Apollo.io for outbound outreach) — Legal basis: Legitimate interests
• Security and fraud prevention (detecting misuse, protecting systems and users) — Legal basis: Legitimate interests / Legal obligation
• Legal and regulatory compliance (responding to legal requests, maintaining required records) — Legal basis: Legal obligation

Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You may object to such processing at any time (see Section 8).

‍

4a. Profiling (Art. 13(2)(f) GDPR)

The Njord platform builds stakeholder maps and contact segments as part of its core deal orchestration functionality. This activity constitutes profiling under Art. 4(4) GDPR. Specifically, the platform analyses contact attributes — including organisational role, seniority level, and engagement signals — to assign stakeholders to tiers and map their likely influence on a purchasing decision.

This profiling is used to generate deal strategy recommendations within the platform. It does not produce automated decisions that have legal or similarly significant effects on individuals. You have the right to object to this profiling at any time by contacting legal@njord.io (see also Section 8).

‍

4b. Legitimate Interest Assessments (LIA)

Before relying on legitimate interests as a lawful basis for any processing activity, we conduct a Legitimate Interest Assessment (LIA) to weigh our interests against the potential impact on your rights and freedoms. A summary of our LIA documentation is available on request at legal@njord.io.

‍

4c. Data Processing Agreement (DPA)

If you are a Njord customer or authorised platform user, the processing of personal data within your contracted engagement is governed by a separate Data Processing Agreement (DPA) in addition to this Privacy Policy. The DPA is the operative document for all processing activities carried out by Njord as Data Processor on your behalf. Please contact your account manager or legal@njord.io to obtain or review your DPA. The DPA is also available at [DPA URL — to be added].

‍

5. Third-Party Service Providers

We work with the following third-party processors and advertising partners. All processors are contractually required to process personal data solely on our instructions and in accordance with applicable law.

• HubSpot: CRM and marketing automation — contact management, email marketing, forms, lead tracking, website analytics. Location: USA (SCCs)
• Google Tag Manager: Tag management — manages and deploys all tracking scripts on our website. Location: USA (SCCs)
• Google Analytics 4: Website analytics — traffic analysis, user behaviour, conversion measurement. Location: USA (SCCs)
• Google Ads: Paid search advertising — search ad campaigns, conversion tracking, remarketing audiences. Location: USA (SCCs)
• LinkedIn (Microsoft): LinkedIn advertising — B2B ad campaigns, Lead Gen Forms, audience targeting, conversion tracking. Location: USA (SCCs)
• Meta (Facebook / Instagram): Social media advertising — social ad campaigns, pixel-based tracking, lookalike audiences. Location: USA (SCCs)
• Dealfront (formerly Leadfeeder): B2B website intelligence — company-level IP identification for B2B lead generation. Location: EU (Germany / Finland)
• Influ2: Person-based B2B advertising — targets named individuals within B2B accounts with display ads. Location: USA (SCCs)
• Inzynk: Account-based advertising — account-based B2B advertising and targeting. Location: EU
• Adform: Programmatic display advertising — programmatic display advertising and retargeting. Location: EU (Denmark)
• Apollo.io: B2B prospecting and enrichment — B2B contact and company data for outbound sales prospecting. Location: USA (SCCs)
• Google Search Console: SEO monitoring — search performance monitoring (aggregated data; no personal visitor data). Location: USA (SCCs)
• Bing Webmaster Tools: SEO monitoring — search performance monitoring (aggregated data; no personal visitor data). Location: USA (SCCs)
• Firebase Analytics (Google): Mobile app analytics — app usage analytics, in-app events, and session data for the DOE mobile application. Location: USA (SCCs)
• Crashlytics (Google): Crash reporting — automatic crash and error reporting for the DOE mobile application to support stability and performance. Location: USA (SCCs)
• Google Play Services (Google): Mobile platform services — core platform services required for the DOE Android application to function. Location: USA (SCCs)
• Amazon Web Services (AWS): Cloud infrastructure — cloud hosting and infrastructure for the DOE platform (servers, storage, compute, networking). Location: USA (SCCs)
• Sentry: Error and performance monitoring — real-time error tracking, performance monitoring, and diagnostics for the DOE platform and application. Location: USA (SCCs)

SCCs = Standard Contractual Clauses approved by the European Commission. We do not sell your personal information to third parties for monetary consideration.

6. International Data Transfers

Megadeals International AB (trading as Njord) is based in the European Union. Several of our third-party service providers are located in the United States or other countries outside the European Economic Area (EEA).

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions issued by the European Commission, where applicable
• Other approved transfer mechanisms required under applicable law

You may request a copy of the relevant safeguards by contacting legal@njord.io.

7. Data Retention

We keep personal data for as long as necessary to fulfil the purposes described in this policy, or as required by law.

• Website visitor analytics: 26 months — Aligned with Google Analytics 4 default retention
• Contact / lead data: 3 years from last interaction — B2B sales cycles and follow-up periods
• Customer account data: Duration of contract + 5 years — Contractual and legal obligations
• Marketing email interactions: Until unsubscription or 3 years of inactivity — Consent management and anti-spam compliance
• Invoice and financial records: 7 years — Statutory accounting and tax requirements
• Security and system logs: 12 months — Security monitoring and incident response
• Client platform data (Processor role): Max. 90 days post-contract termination — DPA commitment: all client personal data is deleted or returned within 90 days of contract end

When data is no longer required, it is securely deleted or anonymised. Where Njord acts as a Data Processor within a client engagement, all personal data is deleted or returned to the client within 90 days of contract termination, in accordance with the Data Processing Agreement.

8. Your Rights Under GDPR

If you are located in the EU, EEA, or UK, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”): Request deletion of your personal data, subject to certain legal exceptions.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Receive your personal data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests, or to direct marketing at any time.
• Right to withdraw consent: Withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing.
• Rights related to automated decision-making: Not be subject to a decision based solely on automated processing that produces significant legal effects.

To exercise any of these rights, contact us at legal@njord.io. We will respond within 30 days (extendable by a further two months where necessary, with prior notice).

You also have the right to lodge a complaint with your local supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY): www.imy.se.

9. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, the CCPA as amended by the CPRA grants you additional rights.

9.1 Categories of personal information collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers – name, email address, IP address, unique online identifiers
• Professional / employment information – job title, company name, industry
• Commercial information – products or services considered
• Internet activity – browsing history on our website, interactions with our ads
• Geolocation data – approximate location derived from IP address
• Inferences – marketing segments and interest profiles drawn from the above

9.2 Your rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, used, or disclosed about you.
• Right to Delete: Request deletion of personal information we collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale / Sharing: Opt out of the sale or sharing of your personal information for cross-context behavioural advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

9.3 Do Not Sell or Share My Personal Information

We do not sell personal information for monetary consideration. However, our use of advertising cookies and tracking pixels (LinkedIn, Meta, Google Ads) may constitute “sharing” under the CCPA for cross-context behavioural advertising purposes.

To opt out of such sharing, you may:

• Use our cookie preference centre to decline marketing cookies
• Email legal@njord.io with the subject line “Do Not Sell or Share My Personal Information”

9.4 How to submit a request

Submit a verifiable consumer request to legal@njord.io. We will respond within 45 calendar days. If we require more time, we will notify you within the initial 45-day period.

‍

10. Security

We implement appropriate technical and organisational security measures to protect personal information processed through our website and platform. Our controls include:

Authentication and access control

• OAuth 2.0 with JWT (JSON Web Tokens): Platform authentication uses short-lived, cryptographically signed, stateless tokens — minimising the risk of session hijacking or credential theft
• Role-based access controls (RBAC): Data access is restricted to authorised personnel based on their role and need-to-know
• Multi-factor authentication (MFA): Enforced for internal systems and administrative access

Monitoring and detection

• Anomaly detection: Conducted on a regular basis to identify unusual access patterns or suspicious activity across our systems
• Audit trails and access log reviews: All platform operations are logged; access logs are reviewed regularly
• Error and performance monitoring: Real-time diagnostics via Sentry and Firebase Analytics / Crashlytics

Testing and assurance

• Penetration testing: Regular penetration testing of the DOE platform and associated infrastructure
• Internal security reviews: Regular risk assessments and internal audits
• Staff training: All staff receive training on data protection obligations, confidentiality, and security awareness

Infrastructure and encryption

• Data in transit: All communications are encrypted via TLS / HTTPS
• Cloud infrastructure: The DOE platform is hosted on Amazon Web Services (AWS), utilising enterprise-grade physical, network, and logical security controls
• SHA-256 hashing: Used for identity-matching operations (for example, ad audience matching). Hashed data is deleted immediately upon completion of the matching process

Certification status

Njord is not currently ISO 27001 or SOC 2 certified. However, our security controls and internal documentation are aligned with both frameworks. Security documentation is available on request for enterprise customers and prospects undertaking due diligence.

Breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals without undue delay and, where feasible and consistent with Art. 33–34 GDPR, within 72 hours of becoming aware of the breach. Notifications will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

No method of internet transmission is entirely secure. If you believe your data has been compromised, please contact us immediately at legal@njord.io.

‍

11. Children’s Privacy

Our website and services are designed for business users and are not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, please contact us and we will delete it promptly.

‍

12. Links to Third-Party Websites

Our website may contain links to third-party websites, plug-ins, and applications. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policy of every website you visit.

‍

13. Changes to This Privacy Policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you by email or by placing a notice on our website. We encourage you to review this policy periodically.

‍

14. Contact Us

For questions or to exercise your rights, please contact:

Email: legal@njord.io

Website: njord.io

We aim to respond to all privacy-related enquiries within 30 days.

Cookie Policy

Last updated: March 12, 2026

This Cookie Policy explains how Megadeals International AB (trading as Njord) uses cookies and similar tracking technologies on njord.io. It forms part of our Privacy Policy, which you should also read.

Consent management: We use Usercentrics as our Consent Management Platform (CMP). When you first visit njord.io, Usercentrics displays a cookie consent banner that allows you to accept, reject, or customise your preferences by category. Analytics and marketing cookies — including all tracking, advertising, and performance technologies listed in Section 3 — are loaded only after you have given explicit consent through the Usercentrics banner. Strictly necessary cookies are activated without consent as they are essential for the website to function.

1. What Are Cookies?

Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work more efficiently, remember your preferences, and provide information to website owners.

We also use related tracking technologies, which we refer to collectively as “cookies” throughout this policy:

• Pixels / web beacons: Invisible 1x1 images embedded in web pages or emails that signal when content has been loaded or an ad has been seen.
• JavaScript tags: Code snippets (often deployed via Google Tag Manager) that enable tracking, analytics, and advertising functionality.
• Local and session storage: Data stored in your browser to support website functionality, cleared at session end or when you clear your cache.

2. Types of Cookies We Use
‍

2.1 Strictly Necessary

Essential for the website to function. They enable core features such as navigation, forms, and security. You cannot opt out of strictly necessary cookies.

2.2 Functional / Preference

Allow the website to remember your choices and provide enhanced features, such as remembered form entries or language preferences.

2.3 Analytics and Performance

Help us understand how visitors interact with our website by collecting anonymised, aggregated information. Used to improve site structure, content, and performance.

2.4 Marketing and Advertising

Used to track your activity across websites and serve you relevant advertisements on other platforms. Set by us and our advertising partners. Require your consent.

3. Our Cookies and Third-Party Services

The following lists the specific cookies and tracking technologies active on njord.io, organised by provider.

HubSpot

• hubspotutk: Tracks and identifies visitors across sessions for CRM deduplication and analytics — Type: Marketing — Duration: 13 months
• __hstc: Tracks visitor session counts, timestamps, and original referral source — Type: Analytics — Duration: 13 months
• __hssc: Tracks session activity since the last __hstc cookie was set — Type: Analytics — Duration: 30 minutes
• __hssrc: Detects when a visitor has restarted their browser session — Type: Functional — Duration: Session
• hs-messages-*: Supports the HubSpot live chat and messaging widget — Type: Functional — Duration: Session / 13 months

Google Analytics 4 (via Google Tag Manager)

• _ga: Distinguishes unique users by assigning a randomly generated ID — Type: Analytics — Duration: 2 years
• _ga_<container>: Persists session state for GA4 data collection — Type: Analytics — Duration: 2 years
• _gid: Distinguishes users; resets daily to track day-level sessions — Type: Analytics — Duration: 24 hours
• _gat_gtag_*: Throttles the request rate to limit data collection in high-traffic scenarios — Type: Analytics — Duration: 1 minute

Google Ads

• _gcl_au: Measures ad conversion events from Google Ads campaigns — Type: Marketing — Duration: 3 months
• IDE: Used by Google for display ad targeting and measurement via DoubleClick — Type: Marketing — Duration: 13 months
• DSID: Identifies a signed-in Google user for ad personalisation — Type: Marketing — Duration: 2 weeks

LinkedIn Ads

• li_fat_id: First-party tracking cookie for LinkedIn conversion attribution — Type: Marketing — Duration: 30 days
• bcookie: Browser ID cookie used for LinkedIn ad delivery and measurement — Type: Marketing — Duration: 2 years
• bscookie: Secure browser ID for signed-in LinkedIn members — Type: Marketing — Duration: 2 years
• lidc: Facilitates data centre routing for LinkedIn services — Type: Functional — Duration: 24 hours
• UserMatchHistory: LinkedIn ad retargeting and audience matching — Type: Marketing — Duration: 30 days
• AnalyticsSyncHistory: Syncs analytics data for the LinkedIn Insight Tag — Type: Analytics — Duration: 30 days

Meta Ads (Facebook / Instagram)

• _fbp: Used by Meta to identify browsers for ad delivery and measurement — Type: Marketing — Duration: 3 months
• _fbc: Stores the Meta click ID from ad clicks for conversion attribution — Type: Marketing — Duration: 2 years
• fr: Contains a unique browser and user ID for targeted advertising on Facebook — Type: Marketing — Duration: 3 months

Dealfront (Leadfeeder) – B2B Website Intelligence

• _lfa: Tracks visits for company-level B2B intelligence reporting — Type: Marketing — Duration: 2 years

Note: Dealfront primarily uses IP address data to identify visiting companies at the organisational level, not individual users.

Adform – Programmatic Display Advertising

• C: Unique user ID for programmatic display ad targeting, frequency capping, and measurement — Type: Marketing — Duration: 60 days
• CM: Cookie matching for cross-platform audience targeting — Type: Marketing — Duration: 60 days

Influ2 – Person-Based B2B Advertising

• Influ2 platform cookies: Enables person-level targeting within B2B accounts by matching website visitors to LinkedIn profiles. Used to serve display ads to specific named individuals within target companies — Type: Marketing — Duration: Varies

Inzynk – Account-Based Advertising

• Inzynk platform cookies: Account-based B2B advertising and targeting. Uses IP address and behavioural signals to identify and target employees of named accounts with relevant display ads — Type: Marketing — Duration: Varies

Apollo.io – B2B Sales Intelligence

• Apollo.io platform: Used for B2B prospecting and contact enrichment. When integrated with HubSpot or other tools, it may track form fills and interactions for sales intelligence purposes — Type: Marketing — Duration: Varies

Google Search Console & Bing Webmaster Tools

These tools are used by Njord to monitor how our website performs in Google and Bing search results. They collect aggregated, non-personal search performance data (impressions, clicks, keyword rankings) about our site as a whole. They do not set cookies on individual website visitors and do not collect personally identifiable information about you.

4. Managing Your Cookie Preferences
‍

4.1 Usercentrics Consent Centre

When you first visit njord.io, you will see a cookie consent banner powered by Usercentrics, our Consent Management Platform. The banner lets you accept, reject, or customise your preferences by category. Analytics and marketing cookies are not activated until you give your consent. You can change your preferences at any time by clicking “Cookie Settings” in our website footer.

Your consent applies to this website only. It should be renewed if you clear your browser cookies or visit from a different device.

4.2 Browser Controls

You can control or delete cookies through your browser settings. Note that disabling certain cookies may affect website functionality. Instructions for major browsers:

• Google Chrome: Settings → Privacy and security → Cookies and other site data
• Mozilla Firefox: Options → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Manage Website Data
• Microsoft Edge: Settings → Cookies and site permissions

4.3 Industry Opt-Out Mechanisms

Opt out of interest-based advertising from participating companies:

• Your Online Choices (EU): www.youronlinechoices.eu
• Network Advertising Initiative (US): optout.networkadvertising.org
• Digital Advertising Alliance (US): optout.aboutads.info

4.4 Platform-Specific Opt-Outs

• Google Ads: myaccount.google.com/data-and-privacy → Ad personalisation
• Meta / Facebook: facebook.com/ads/preferences
• LinkedIn: linkedin.com/psettings/guest-controls/retargeting-opt-out

4.5 Google Analytics Opt-Out

To opt out of Google Analytics tracking across all websites, install the Google Analytics Opt-out Browser Add-on: tools.google.com/dlpage/gaoptout

5. “Do Not Track” Signals

Some browsers support a “Do Not Track” (DNT) signal. Because there is no consistent industry-wide standard for responding to DNT signals, our website does not currently alter its behaviour based on them. We encourage you to use the cookie preference centre or browser controls described above to manage your tracking preferences.

6. Updates to This Cookie Policy

We may update this policy periodically to reflect changes in the cookies and technologies we use, or for legal and regulatory reasons. The “Last updated” date at the top of this page will reflect any changes. Where required by law, we will seek your renewed consent for material changes.

7. Contact Us

If you have questions about our use of cookies, please contact:

Email: legal@njord.io

Website: njord.io

‍