Privacy Policy

Last updated: 19 June 2026

This is a general template provided for transparency. It should be reviewed by the operator and qualified legal counsel, and localised, before being relied upon.

Who we are (data controller)

Webently ERP (“Webently”, “the Service”, “we”) is operated by Ambient Lounge Norge AS, a Norwegian private limited company (aksjeselskap), organisation number 916 815 700, registered at Ilaveien 35, 1605 Fredrikstad, Norway.

For the personal data described below, Ambient Lounge Norge AS acts as the data controller for account and billing data, and as a data processor for the content your workspace stores in the Service (the CRM records, tasks, messages and files you and your team create), which your organisation controls.

Questions about this policy or your data: info@webently.com.

What data we collect and why

Webently ERP is a multi-tenant CRM/ERP. Each workspace’s data is stored in its own isolated database. We collect only what the Service needs to work:

  • Account & profile. Your name, email address, a hashed password (bcrypt — we never store the plaintext), role, timezone, and an assigned avatar colour. Used to authenticate you and run your workspace.
  • Workspace content you create. CRM contacts and companies (name, position, company, email, phone, website, address, notes), sales leads (contact name, company, email, phone, website, Facebook/social links, city, free-text descriptions and notes), tasks and subtasks, projects, time entries, checklist items, chat messages and reactions, comments, and uploaded file/image/audio attachments.
  • Sign-in identifiers.If you use Google (or Microsoft) sign-in, we store the provider’s stable account id and the email captured at link time so we can recognise you on return.
  • Connected Google Calendar. If you enable calendar sync, we store OAuth tokens (encrypted at rest with AES-256-GCM) and a map of which ERP items have been synced, so tasks and events can appear in your Google Calendar.
  • Sessions & security tokens. A session cookie (only a SHA-256 hash of the session token is stored server-side), password-reset and email-change verification tokens (also stored only as hashes), and per-workspace API keys (stored hashed).
  • Billing. Subscription and payment status. Card details are handled by Stripe — we do not store full card numbers.

Legal bases (GDPR Art. 6)

  • Performance of a contract — to provide the Service to you and your workspace (accounts, content, calendar sync you enable).
  • Legitimate interests — to keep the Service secure, prevent abuse, and operate and improve it, balanced against your rights.
  • Legal obligation — to retain billing and accounting records as required by Norwegian law.
  • Consent — where you opt in to an optional feature such as connecting your Google Calendar. You can withdraw consent at any time.

Sub-processors

We use a small set of trusted providers to run the Service. Each processes personal data only on our instructions:

  • DigitalOcean — cloud hosting and storage of the application and databases.
  • Google — Google sign-in (OAuth) and, if you enable it, Google Calendar sync.
  • Stripe — subscription billing and payment processing.
  • Brevo — sending transactional emails (e.g. invitations, confirmations, password resets).

International transfers

We aim to host and process data within the EU/EEA. Some sub-processors (for example Google and Stripe) may process data outside the EEA. Where that happens, transfers are protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework.

Retention

We keep your account and workspace content for as long as your workspace is active. When a workspace is closed, its data is deleted or anonymised within a reasonable period, except where we must retain certain records (such as billing/accounting data) to meet legal obligations. Session and verification tokens expire automatically.

Your rights

Under the GDPR you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) of your data, subject to legal exceptions.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction of, or objection to, certain processing.
  • Withdraw consent at any time for processing based on it.

To exercise any of these, contact info@webently.com. If your data is held inside a workspace operated by your employer or another organisation, that organisation is the controller and we will direct your request to them. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

Cookies & sessions

Webently ERP uses a small number of strictly necessary cookies: a session cookie to keep you signed in, and a cookie that remembers your language preference. We do not use advertising or third-party tracking cookies.

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the current version, and material changes will be communicated through the Service.

Contact

Ambient Lounge Norge AS (org. 916 815 700), Ilaveien 35, 1605 Fredrikstad, Norway — info@webently.com.