Privacy policy

Effective 2026-04-24. Last updated 2026-05-19.

Brinvik is a Claude specialist studio based in Copenhagen. This policy describes what personal data we collect when you visit brinvik.com, why we collect it, how we store it, and the rights you have over it under the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

It is written to be short and honest. If something is unclear, write to us at [email protected].

1. Who is the data controller

Brinvik, operated by Kim Olsen, Brøndbytoften 11, 2605 Brøndby, Denmark. For any privacy matter, the contact is Kim Olsen at [email protected]. Brinvik is currently operated as a sole trader business. When the company is registered as an ApS, this section will be updated with the CVR number.

2. What we collect and why

2.1 Chat intake form

When you submit the form at /chat, we collect:

Your first name, work email, company URL, and a short description of what you are trying to ship.
A non reversible hash of your IP address (HMAC with a server secret). We use this only to enforce rate limits and do not store the raw IP.
The browser user agent string.

Lawful basis: legitimate interest under GDPR Article 6(1)(f) and, where you contacted us to evaluate a potential engagement, pre contractual steps under Article 6(1)(b).

To help the agent ask sharper first questions, we also fetch the public homepage of your company URL and extract its title, meta description, and first heading (up to 300 characters of public marketing content). This snippet is stored on your chat session record and on your company record in HubSpot. The chat session copy is deleted with the rest of your session at 30 days. The HubSpot copy is retained per HubSpot's terms.

2.2 Sign in with Google or LinkedIn

When you use the "Continue with Google" or "Continue with LinkedIn" button, the provider sends us:

Your verified email address.
Your first name and display name.
A stable user identifier issued by the provider.

We do not request any other scopes. We do not read your mailbox, your LinkedIn connections, your profile photo, or your contacts. Lawful basis: consent under GDPR Article 6(1)(a), which you give by clicking the sign in button.

2.3 Chat conversations with Brinvik's agent

Once you enter a chat session, we record the messages you send to the agent and the messages the agent sends back, along with the timestamps and which tools the agent called. The content of those messages is processed by the Claude API (Anthropic) so the agent can respond. We do not use these conversations to train any model.

Lawful basis: legitimate interest under GDPR Article 6(1)(f) for qualifying potential engagements, and pre contractual steps under Article 6(1)(b) when the conversation leads to a meeting with Kim.

2.4 Meeting bookings

If the agent qualifies you and you pick a time slot, we send your first name, email, and the selected slot to HubSpot to create a meeting. HubSpot sends the confirmation and calendar invite. HubSpot is also the system we use to track the engagement if it becomes a paid project.

2.5 Cookies, local storage, and the consent banner

On your first visit, Brinvik shows a consent banner so you can decide which cookies and analytics calls run. The banner offers three categories: strictly necessary, analytics, and functional. Necessary is always on. Analytics and functional are off until you accept. You can reopen the banner anytime from the "Cookie preferences" link in the footer.

Strictly necessary (always on, cannot be disabled):

brv-locale: remembers whether you prefer English or Danish. One year lifetime.
sb-*: Supabase authentication cookies set after you sign in with Google or LinkedIn. These let us keep you signed in during a chat session.
brv_cc: stores your consent choice so the banner does not reappear. Six month lifetime.
brv_s_<session id>: a private access cookie that proves it is you on the conversation page. Set at session creation, specific to your individual chat session, HttpOnly, 30 day lifetime matching retention. Without this cookie a leaked session URL on its own cannot read the conversation.
Cloudflare Turnstile sets short lived cookies on the chat gate to validate that the form was submitted by a human. These do not persist past the form session.

Analytics (opt in, off by default):

Vercel Web Analytics counts pageviews so we know which pages perform. It is technically cookie less, hashes IP addresses at ingress, and does not build individual profiles. We still gate it behind explicit consent so the choice is yours.
Google Analytics 4 (provided by Google Ireland Limited) is loaded on every page in Google Consent Mode v2. Until you accept the analytics cookie category, it runs in denied mode and sends only an anonymous cookieless ping (no cookies, no individual identifiers) so Google can confirm the tag is installed. When you accept, full pageview measurement turns on and Google Analytics sets a first party cookie, _ga, that tells one browser apart from another for about twelve months. We have switched off Google Signals and ad personalization, so the data is not used to build advertising profiles.

Functional (opt in, off by default): currently empty. Reserved for future enhancements like saved chat settings and newsletter preferences. If we ever add a functional cookie we will list it here before it is set.

We do not use advertising cookies or tracking pixels. Google Analytics is the one third party analytics tool we use. Its advertising features are switched off, and full pageview tracking only starts after you opt in. Nothing on this site is used for ad targeting.

2.6 Server logs

Our hosting provider Vercel keeps short term access logs for security, billing, and abuse prevention. These may include truncated IP addresses and request paths. We do not have ongoing access to these logs and do not use them to profile visitors.

3. Who we share data with

We use the following data processors. All are GDPR compliant and bound by a Data Processing Agreement, Standard Contractual Clauses, or the EU US Data Privacy Framework where required:

Supabase (Singapore company, EU project region): stores intake submissions, chat sessions, and chat messages. Our project region is London (eu west 2). Data does not leave the EU.
Vercel (US, EU US DPF): hosts the website, runs server routes, and serves Vercel Web Analytics. Edge caching is global. Vercel processes request metadata, not stored personal data.
Google Analytics (Google Ireland Limited, with Google LLC in the US as a sub processor under the EU US Data Privacy Framework): measures pageviews and basic site usage. We run it in Google Consent Mode v2: before you opt in, only an anonymous cookieless ping is sent so Google can confirm the tag. Full measurement turns on after you opt in. Advertising features are disabled.
Cloudflare Turnstile (US, EU US DPF): issues and validates the invisible challenge that protects the intake form from bots. Turnstile does not profile users and does not set tracking cookies.
Google and LinkedIn (US, EU US DPF): identity providers for sign in. You interact with them only when you click the sign in button. Your relationship with them is governed by their own privacy policies.
Anthropic (Claude API)(US, EU US DPF and DPA): processes the content of chat messages to generate the agent's replies. Anthropic is bound by its Data Processing Addendum and does not train its models on API inputs by default.
HubSpot (US, EU US DPF with EU data residency option): receives contact and meeting details when you book a call. HubSpot is our CRM of record for qualified engagements, and it sends the confirmation emails and calendar invites for bookings.
Make.com (Celonis, Czech Republic, EU): automates internal workflows that send transactional emails, sync records between HubSpot and Supabase, and route notifications to Kim. Make operates entirely within the EU.
Slack (US, EU US DPF): receives operational notifications visible only to Kim when an intake submits, qualifies, or books, and when a HubSpot sync fails. Slack does not receive the full chat transcript or message bodies. The payload is limited to first name, company domain, session ID, locale, source method, and timestamps. We use Slack solely as an internal alerting surface for Kim.

We do not sell personal data and we do not use it for advertising. We do not transfer it to third countries without an adequacy decision, the EU US Data Privacy Framework, or Standard Contractual Clauses in place.

4. How long we keep data

Chat intake submissions and chat sessions: 30 days after submission, unless the conversation leads to an ongoing client relationship, in which case the record is moved to HubSpot and retained under Danish bookkeeping law for up to 5 years.
Chat message content: 30 days in Supabase, then deleted. Anthropic retains API payloads for up to 30 days for abuse monitoring and then deletes them, per its standard API terms.
Meeting bookings: retained in HubSpot for the duration of the engagement and up to 5 years thereafter under Danish bookkeeping law. Booking invites also remain in your own calendar under your own control.
Vercel Web Analytics: aggregated, no identifiable user data. Retention is up to 12 months.
Google Analytics: the _ga cookie lasts about twelve months. The retention period for the analytics data Google collects is set in the Google Analytics admin panel.
Server logs: Vercel's default retention, currently 30 days.
Supabase authentication records: deleted when you delete your account or request erasure.

You can request earlier deletion at any time by emailing [email protected].

5. Your rights

Under GDPR you have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Erase your data, where we no longer need it and have no overriding legal obligation to keep it.
Restrict or object to processing that relies on legitimate interest.
Data portability: receive a copy of your submitted data in a structured, commonly used format.
Withdraw consent at any time, where consent is the lawful basis.
Lodge a complaint with the Danish Data Protection Agency, Datatilsynet, at datatilsynet.dk.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. There is no charge for reasonable requests.

6. Security

Data in Supabase is encrypted at rest and in transit. Access to the production database is restricted to Kim, using the service role key stored in Vercel's environment variables. We do not expose the service role key to the browser. Sensitive environment variables are marked as such in Vercel and are not pulled to developer machines. The site is served over HTTPS with HSTS, X Content Type Options, and Referrer Policy headers.

7. International transfers

Supabase stores data in the EU (eu west 2, London). Make.com runs in the EU. Vercel's edge runs globally, but long term storage of personal data from brinvik.com remains in the EU. Google, LinkedIn, Anthropic, HubSpot, and Cloudflare are US companies and rely on the EU US Data Privacy Framework, backed by Standard Contractual Clauses, for cross border transfers.

8. Automated decision making

The Brinvik agent uses the Claude API to qualify or disqualify potential engagements during a chat session. This is a form of automated processing. The outcome is advisory only. A human (Kim) reviews every qualified lead before an engagement begins, and an agent disqualification does not prevent you from contacting Kim directly at [email protected].

9. Children

Brinvik is a B2B service. We do not market to, or knowingly collect data from, anyone under 16. If you believe a minor has submitted data, write to [email protected] and we will delete it.

10. Changes to this policy

We update this policy when our processing changes. The effective date at the top of this page reflects the most recent version. We do not email you every time we update typography or fix a phone number. We do email past intake submitters if a change materially expands how we use their data.

11. Contact

Brinvik, operated by Kim Olsen
Brøndbytoften 11
2605 Brøndby
Denmark
[email protected]