Privacy Policy

This privacy policy applies for processing of personal data when Sumba (“Sumba”, “we” or “us”), the company behind Sumba, Lets Kick AS, processes personal data in the capacity of data controller, for instance related to personal data about our private customers, visitors of our websites, and contact information of our business customers and suppliers.

Please note that this privacy policy does not apply to the cases where Sumba processes personal data in the capacity of data processor on behalf of our business customers when using the Sumba Services. For this processing of personal data, there will be a separate data processing agreement between Sumba and the relevant business customers in question.

Each individual private Sumba user is responsible for any personal data they choose to upload to Sumba. This responsibility includes ensuring the legality of uploading and processing such data within the services provided by Sumba.

Below you will find information about the personal data we collect, why we do this, and your rights in relation to the processing of your personal data.

1. WHO WE ARE

Sumba is an accounting automation software that helps businesses streamline their financial processes and bookkeeping tasks. It automates repetitive accounting workflows, reduces manual data entry, and provides intelligent insights to improve financial management.

The Sumba platform is offered both to our private individual customers and to our business customers. Sumba acts as the data controller for the processing of personal data described in this privacy policy.

1.1 DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY

THE SUMBA PLATFORM IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, SUMBA AND ITS AFFILIATES, DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO: WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, RELIABILITY, AND ANY WARRANTIES THAT MAY ARISE FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE.

SUMBA EXPLICITLY DISCLAIMS ANY RESPONSIBILITY OR LIABILITY FOR THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY AI-POWERED BOOKKEEPING RECOMMENDATIONS, AUTOMATED PROCESSING DECISIONS, OR FINANCIAL CALCULATIONS GENERATED THROUGH THE PLATFORM. USERS ACKNOWLEDGE AND AGREE THAT ALL AI-GENERATED CONTENT, RECOMMENDATIONS, AND AUTOMATED DECISIONS ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND SHOULD NOT BE CONSIDERED AS PROFESSIONAL ACCOUNTING, TAX, OR LEGAL ADVICE.

IN NO EVENT SHALL SUMBA BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO: LOSS OF PROFITS, LOSS OF DATA, LOSS OF USE, BUSINESS INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATING TO THE USE OR INABILITY TO USE THE SUMBA PLATFORM, EVEN IF SUMBA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

1.2 TAX AND ACCOUNTING RESPONSIBILITY DISCLAIMER

USERS EXPRESSLY ACKNOWLEDGE AND AGREE THAT SUMBA IS NOT RESPONSIBLE FOR ANY TAX OBLIGATIONS, FILING REQUIREMENTS, OR ACCOUNTING COMPLIANCE ISSUES THAT MAY ARISE FROM THE USE OF THE PLATFORM. NOTWITHSTANDING ANY AI-POWERED FEATURES OR AUTOMATED PROCESSING CAPABILITIES, USERS REMAIN SOLELY AND EXCLUSIVELY RESPONSIBLE FOR:

• Ensuring compliance with all applicable tax laws, regulations, and filing requirements in their respective jurisdictions
• Verifying the accuracy and completeness of all financial data, calculations, and reports generated or processed through the platform
• Consulting with qualified tax professionals, accountants, or legal advisors regarding any tax-related matters or accounting decisions
• Maintaining proper documentation and records as required by law
• Any penalties, interest, or legal consequences resulting from inaccurate tax filings or non-compliance with tax obligations

SUMBA EXPLICITLY DISCLAIMS ANY REPRESENTATION OR WARRANTY THAT THE USE OF THE PLATFORM WILL RESULT IN COMPLIANCE WITH ANY PARTICULAR TAX LAWS OR ACCOUNTING STANDARDS. USERS ARE ADVISED TO SEEK INDEPENDENT PROFESSIONAL ADVICE REGARDING THEIR SPECIFIC TAX AND ACCOUNTING REQUIREMENTS.

Our contact information is:

If you have any questions about how we process your personal data, or if you wish to exercise your rights under the GDPR, please contact us at hey@sumba.com. Detailed information on these rights can be found in Section 7 below.

2. WHO WE PROCESS PERSONAL DATA ABOUT

The privacy policy governs the processing of personal data for the following persons:

• Private individual customers
• Contact persons at our business customers
• Contact persons at our suppliers
• Visitors to our website https://sumba.com/

3. PURPOSE, CATEGORIES OF PERSONAL DATA, LEGAL BASIS, AND RETENTION PERIOD

All processing of personal data is carried out in accordance with the applicable data protection rules, including the General Data Protection Regulation (GDPR).

Below you will find an overview of the purposes for which Sumba processes personal data, what personal data is processed, the legal basis for the processing, and retention periods.

3.1 Processing of personal data relating to the Sumba User Account

In order to use the Sumba platform, you need to create and register a Sumba User Account on our website. The purpose of the Sumba User Account is to provide you with your personal access to the platform.

The personal data we process about you within the Sumba User Account includes:

• Your name, email address, and any additional information you have provided

For our private individual customers, the legal basis for the processing of personal data in connection with the Sumba User Account is GDPR Article 6 no. 1 (b), the processing is necessary for the performance of the service agreement entered into with you as a data subject (provide access to the platform).

For our business customers, the legal basis for the processing of personal data in connection with the Sumba User Account is GDPR Article 6 no. 1 (f), Sumba's legitimate interest in establishing and administering a user account for each user within the business customer, or a common enterprise-user, in order to provide the business customer with individual access to the platform.

The personal data collected in this context will be retained until the individual user deletes their Sumba User Account.

3.2 Entering into and administration of service agreements

Sumba processes personal data of contact persons at our business customers and our suppliers solely to the extent necessary to enter into and administer the agreement with the relevant customer or supplier. This processing of personal data is conducted based on Article 6 no. 1 (f) GDPR, which pertains to our legitimate interest to enter into and manage the relevant service agreement or supplier agreement with our business customers and suppliers. As such, the processing of your personal data as a contact person for a business customer or supplier is justified by our need to effectively establish and maintain the contractual relationship.

The personal data we receive in connection with this processing will be deleted upon the termination of the agreement with the specific business customer or supplier. However, certain information may be retained for a longer period if necessary, in the context of bookkeeping and accounting purposes or for Sumba to defend against potential legal claims. All personal data will be permanently deleted once the legal deadlines for filing complaints have expired.

3.3 Requests and inquiries

When you contact Sumba via the contact information form on our website, e-mail, or phone, with inquiries related to our services, platform, or otherwise, we process the personal data you provide, such as your name and contact information, along with any other personal data included in your request. The processing of this personal data is necessary to effectively respond to your inquiries and provide the information or support you are seeking.

The legal basis for this processing is established under GDPR Article 6 no. 1 (f), which is our legitimate interest in responding to your requests. We process your personal data solely to provide the necessary responses and assistance you require. Your personal data will be deleted or anonymized after your request has been fully responded to and the matter has been resolved.

3.4 Marketing activities / Newsletters

Sumba may carry out electronic marketing activities to users of the Sumba platform and subscribers of our newsletters.

In order to carry out such marketing activities, we process the following personal data:

• Name
• Email address

The legal basis for the processing is your consent, cf. GDPR Article 6 no. 1 (a). If relevant, marketing material may also be distributed on the basis of GDPR Article 6 no. 1 (f) and the existing relationship with you as a customer.

You have the right to withdraw your consent for marketing activities at any time, either by contacting us directly or by utilizing the unsubscribe option provided in the emails you receive from us. Upon withdrawal of your consent, your personal data will be deleted unless it is required for other purposes, such as maintaining your Sumba User Account.

3.5 Use of Cookies

Sumba utilizes cookies to ensure the proper functioning of our website's various services. Cookies are small text files stored on your device's browser when you visit our site. Some cookies, known as “necessary cookies,” are essential for the operation of our website. These cookies enable fundamental functionalities such as accessing your secure areas.

Where these necessary cookies involve the collection or storage of personal data—such as your IP address, operating system details, browser ID, and your interactions with our site—we process this information based on our legitimate interest in maintaining our website's functionality and security, as stipulated under Article 6 no. 1 (f) of the GDPR.

In addition to necessary cookies, Sumba may utilize cookies for other purposes, such as for statistical analysis/measurement, marketing, and integration of social media. The legal basis for the processing using such cookies is your separate consent that you have given through the cookie banner on our websites, pursuant to Article 6. no. 1 (a) of the GDPR.

You can always delete cookies by going into your browser settings and deleting content. If you need any assistance in this regard, you are welcome to contact us.

4. RECIPIENTS OF YOUR PERSONAL DATA

In some circumstances, Sumba may disclose personal data to others to the extent necessary for the administration of our operations and to carry out our business activities.

Sumba may, among other things, share your personal data with our supplier of IT systems and technical assistance. These parties process personal data about our customers and suppliers by virtue of their role as data processors, and their processing is subject to a data processing agreement. The suppliers are required to act according to documented instructions from Sumba and may not use personal data for their own purposes.

In addition, we may in some cases disclose your personal data to other companies who will themselves be responsible for how they process your personal data. For example, we may disclose your personal data to partners who handle payment services and public authorities if this is required by law or by a legally enforceable judgment or order.

If Sumba sells or buys any business or assets, Sumba may transfer your personal data to a prospective seller or buyer of such business or assets.

If Sumba or a significant part of Sumba's assets are sold to another company, the personal data of our customers and prospective students may also be shared in connection with the sale.

We always implement appropriate technical and organizational security measures in accordance with applicable data protection legislation to ensure that your personal data is handled in a secure manner when transferring or sharing personal data with a third party.

5. TRANSFERS OF YOUR DATA TO COUNTRIES OUTSIDE THE EU/EEA

Generally, we process your personal data within the EU/EEA. If the personal data is processed outside the EU/EEA, there is either an adequacy decision from the European Commission in place, which ensures that the third country in question guarantees an adequate level of protection, or we ensure that appropriate safeguards are in place to ensure that your rights under the GDPR are safeguarded. Examples of such appropriate safeguards are that the data transfer is subject to the European Commission's Standard Contractual Clauses (SCC's) or that the relevant third party follows approved standards of conduct.

If you would like more information about the security measures we have implemented, please contact us using the contact details set out at the beginning of this privacy policy.

6. SECURITY OF THE PROCESSING

All our processing of personal data is secured by necessary technical and organizational measures.

We handle personal data so that it is accurate, accessible and processed in accordance with the degree of sensitivity of the data. We also use a range of security technologies and information security procedures to protect personal data from unauthorized access, use or disclosure.

We have entered into data processing agreements with all our suppliers that process personal data.

We restrict access to personal data strictly to the staff or third parties who have a necessary need to process the data on our behalf. These parties are subject to a duty of confidentiality.

7. YOUR RIGHTS WHEN WE PROCESS PERSONAL DATA ABOUT YOU

Below is an overview of your rights under the GDPR:

Right to information and access:

We strive to be open and transparent about how we process your personal data. If you wish to know more about how we process your personal data or wish to receive the personal data we process about you, you can request access to the information we have stored about you. If we receive an access request, we may ask you to provide more information about who you are to ensure that we provide the data to the right person.

The right to rectification:

If you become aware that we hold outdated or inaccurate information about you, you can ask us to correct the error at any time by contacting us.

The right to erasure and restriction:

You have the right to request that your personal data is erased or that its use is restricted, for example, if you believe that your personal data is being processed in violation of applicable law. We will as far as possible comply with a request to erase personal data, but we cannot do this if we are required by law to store certain data e.g. for accounting purposes or to comply with a legal claim.

The right to data portability:

In some cases, you may have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format. If technically possible, you may also request that the data be transferred to a third party.

The right to object:

You have the right to object to our processing of your personal data if, for example, it is processed on the basis of our legitimate interests.

The right to withdraw consent:

If you have given consent to our processing of your personal data, you always have the right to withdraw this consent at any time by contacting us. However, this does not affect the lawfulness of the processing based on your consent until you have withdrawn it.

To exercise your rights, as described above, you can contact us at hey@sumba.com.

Your inquiry will be answered as quickly as possible, and within one month at the latest. If it takes longer than one month, you will always be notified, together with the reason for such delay.

8. COMPLAINTS

If you feel that our processing of personal data does not comply with what we have described here or that we are otherwise in breach of the data protection regulations, you can complain to the Norwegian Data Protection Authority:

You can find more information about complaints to the Norwegian Data Protection Authority on their websites.

9. CHANGES

If there are changes made in how we process your personal data, we will update or change our privacy policy. In the event of major changes, we will inform you of this.