Privacy Policy
Last Updated: June 18th, 2026
Tairo AS — the company behind tairopartners.com
Org. nr. 936 910 572 · Registered in Narvik, Norway
Tairo AS ("Tairo", "we", "us", or "our") provides AI automation and customer-engagement services for businesses. Protecting the privacy and security of data — whether it belongs to our business clients or is processed on their behalf — is central to how we operate.
We act in two distinct roles:
- Data Controller for the business contact information of our direct clients (for example, the names, roles, and email addresses of company representatives).
- Data Processor for personal data belonging to our clients' customers, leads, or prospects, which we process strictly under client instructions and a Data Processing Agreement (DPA).
1. Information We Collect
From business clients (controller role)
- Company and representative contact details (name, email, phone, job title)
- Contract, billing, and communication records
From clients' customers, leads, and prospects (processor role)
- Contact details (name, email, phone)
- Service interaction data (bookings, forms, CRM records)
- Lead and prospect data, including qualification, scoring, and enrichment data
- Communication logs (AI chat, voice/call recordings and transcripts, and messaging)
- Usage and performance data generated during AI interactions
System and operational data
- Analytics and usage logs used to operate and maintain our services
- Aggregated and fully anonymized data used for benchmarking and service improvement (this data does not identify any individual)
2. How We Use Information
As controller (business client data)
- To deliver and maintain contracted services
- To provide support and respond to inquiries
- To manage billing and meet compliance obligations
- To send important service updates and notifications
As processor (clients' customer, lead, and prospect data)
- To process inquiries, bookings, and communications on behalf of clients
- To operate AI chat, call, and automation services as instructed by clients
- To qualify, score, enrich, and follow up with the client's leads and prospects as instructed by the client
- To operate and improve the AI agents we deliver on a client's behalf, including automated review of interaction logs for quality and accuracy, subject to the client's instructions and our DPA
- To support quality assurance, compliance, and analytics for the client's own systems
We do not use personal data belonging to our clients' customers, leads, or prospects for any independent purpose. Where we carry out cross-client service improvement or benchmarking, we use only aggregated and anonymized data that no longer identifies any individual.
3. Legal Basis for Processing
- Contractual necessity — providing services to business clients under signed agreements
- Legitimate interests — maintaining service integrity, fraud prevention, and internal analytics (controller data only)
- Legal obligations — compliance with the GDPR and the Norwegian Personal Data Act (personopplysningsloven)
- Consent — only where required (for example, call recording or outbound marketing where mandated by the client's jurisdiction). Obtaining and documenting these consents is the responsibility of the client.
4. Security and Compliance
We take the security of personal data seriously and apply technical and organizational measures appropriate to the risk:
- Our AI services run on enterprise platform infrastructure that is independently audited against SOC 2 standards
- Encryption of data in transit (TLS) and at rest
- Access controls that limit who can access personal data
- Guardrails, intelligent escalation, and human-takeover safeguards built into our AI agents, keeping responses grounded in the client's own knowledge base
- Data-processing procedures designed to meet GDPR requirements, supported by Data Processing Agreements with our business clients
- Regular review of our security practices
5. Data Processing Agreements (DPAs)
For business clients, we provide a Data Processing Agreement that:
- Defines the processor and controller roles clearly
- Covers data subject rights and the deletion or return of data on termination
- Lists authorized sub-processors
- Grants audit and inspection rights
- Sets out breach notification timelines
6. Data Sharing and Sub-Processors
We share data only in limited circumstances:
- With sub-processors engaged to deliver our services, under binding contracts that require equivalent security and privacy standards
- With legal or regulatory authorities where required by law
We never sell or rent personal data.
We use sub-processors in the following categories:
- Cloud infrastructure and hosting providers (located within the EEA)
- Conversational AI and customer-engagement platform providers
- Large language model (LLM) providers
- Voice and telephony providers (for call-based services)
- Lead enrichment and data-validation providers (for lead-nurturing services)
- CRM, communication, and integration tools, where directed by the client
A specific, named list of our current sub-processors is available to contracted clients on request, under our Data Processing Agreement and applicable confidentiality terms.
7. Data Retention
- Business client data (controller role): retained for the duration of the contract plus 3 years.
- Clients' customer, lead, and prospect data (processor role): retained only as long as necessary to provide the services and in accordance with the client's instructions; returned or deleted on termination. We apply data minimization and do not retain personal data longer than required.
- Financial and accounting records: retained in line with the Norwegian Bookkeeping Act (bokføringsloven), typically 5 years.
Automated deletion is applied where possible.
8. International Data Transfers
- Our core infrastructure is hosted within the European Economic Area (EEA).
- Some sub-processors — in particular certain AI/LLM providers — are located in the United States. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) and assess the transfer to apply appropriate supplementary safeguards.
9. Rights of Data Subjects and Clients
Business clients (controller role)
You have the right to access, correct, delete, port, restrict, and object to the processing of your personal data.
Clients' customers, leads, and prospects (processor role)
Rights are exercised through the relevant client. We support our clients in fulfilling these requests.
We acknowledge requests promptly and respond within 30 days, as required by law. For complex requests, we may extend this period by up to two further months and will inform you if we do.
10. Children's Privacy
Our services are intended for businesses and are not directed at children. We do not knowingly collect personal data from children under 13 (the age of digital consent in Norway). If we become aware that such data has been provided, we will delete it.
11. Contact
Tairo AS — tairopartners.com
Org. nr. 936 910 572
Kongens Gate 49, 8517 Narvik, Norway
