Privacy Policy
Last Updated: April 8, 2026
The short version: Your vault documents are encrypted on your device before upload — we cannot read them. We collect only what's needed to run the service. We never sell your data.
1. Who We Are
EntityDesk is developed and operated by NorseHorse ("we," "us," "our"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the EntityDesk application and related services.
2. Information We Collect
Account Information: When you register, we collect your name, email address, and a hashed version of your password. We never store your password in plaintext.
Entity and Contract Data: Information you enter about your business entities, members, contacts, and contracts is stored on our servers to provide the service. This includes entity names, formation details, member names and ownership percentages, and contract field values.
Vault Documents: Documents uploaded to the encrypted vault are encrypted using AES-256-GCM on your device before transmission. We store only the encrypted ciphertext. We do not have access to your encryption keys and cannot decrypt or view your documents.
Usage Data: We collect basic usage data including login timestamps, device type, and app version for service improvement and debugging purposes.
Payment Information: Subscription payments are processed entirely by the Apple App Store. We do not collect, store, or have access to your payment card details, Apple ID, or billing information.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the EntityDesk service.
- Authenticate your identity and manage your account.
- Send email verification codes and password reset emails.
- Send compliance deadline reminders (if enabled).
- Respond to support requests.
- Detect and prevent fraud or abuse.
4. Information We Do NOT Collect
- We do not collect location data.
- We do not access your contacts, photos, or other device data (the camera is used only for document scanning at your request).
- We do not collect biometric data — Face ID / Touch ID authentication is handled entirely on your device by Apple's LocalAuthentication framework. No biometric data is transmitted to our servers.
- We do not use analytics SDKs, advertising trackers, or third-party data collection tools.
5. Data Sharing
We do not sell, rent, or trade your personal information. We may share information only in these limited circumstances:
- Service Providers: We use infrastructure providers (hosting, database) to operate the service. These providers process data on our behalf and are bound by confidentiality obligations.
- Legal Requirements: We may disclose information if required by law, subpoena, court order, or government request.
- Protection of Rights: We may disclose information to protect the rights, property, or safety of NorseHorse, our users, or the public.
6. Data Security
We implement reasonable security measures to protect your information:
- All API communications use HTTPS/TLS encryption in transit.
- Vault documents are encrypted with AES-256-GCM on your device before upload.
- Passwords are hashed using bcrypt with a cost factor of 12.
- Authentication tokens are stored in the iOS Keychain.
- JWT tokens expire after 14 days, with a secure refresh flow.
However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law. Encrypted vault documents are deleted immediately upon account deletion.
8. Your Rights
You have the right to:
- Access your personal data through the App.
- Correct inaccurate data through your account settings.
- Delete your account and all associated data through the App's settings.
- Export your data (available to Stallion and Herd subscribers).
- Withdraw consent for optional processing at any time.
9. Children's Privacy
EntityDesk is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.
10. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at support@entitydesk.norsehor.se.
11. International Users
EntityDesk is operated from the United States. If you access the App from outside the United States, your information may be transferred to and processed in the United States. By using the App, you consent to this transfer.
12. Cookies and Tracking
The EntityDesk mobile app does not use cookies or web tracking technologies. Our website (entitydesk.norsehor.se) does not use analytics cookies or third-party trackers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and changing the "Last Updated" date. Your continued use of the App after changes constitutes acceptance.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact us at: