Campra Privacy Policy
Effective date: 6 June 2026 Last updated: 9 June 2026
This Privacy Policy explains how TT Nordic Digital Health AS ("Campra", "we", "us", "our") collects, uses, shares, and protects personal data when you use the Campra website at campra.dev and the Campra application and related services (together, the "Service").
We are the data controller for the personal data described here. If you are a paying business customer, note that for some data you upload or connect, you are the controller and we act as your processor - see Section 11 ("If you are a business customer") and our Data Processing Addendum.
We take this seriously. If anything here is unclear, contact us at privacy@campra.dev before using the Service.
1. Who we are
| Company | TT Nordic Digital Health AS |
| Organisation no. | 928 583 260 |
| Registered address | Skogstjernebakken 5, 8515 Narvik, Nordland, Norway |
| General contact | support@campra.dev |
| Privacy contact | privacy@campra.dev |
We are established in Norway (EEA). The General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act apply to our processing. We are not required to appoint a Data Protection Officer; privacy questions go to the privacy contact above.
2. The short version
- We collect what we need to run the Service: your account details, what you tell us about your business, content from your website and connected accounts so we can create marketing for you, and basic usage data.
- We use trusted third parties (our "subprocessors") to provide the Service - listed in Section 8.
- We do not sell your personal data, and we do not use your connected social-media data for advertising.
- Your account data lives in the EU (Ireland). Some subprocessors process data in the United States under recognised safeguards.
- You have strong rights over your data, including the right to delete it. See Section 12.
3. The personal data we collect
a) Account & identity data. Name, email address, password (stored hashed by our authentication provider), and, if you sign in with Google or Apple, the basic profile information those providers share with us.
b) Business profile data. Information you give us about the business you market - business name, website URL, industry, language, products/services, brand tone and preferences, and any guardrails you set. This may include personal data if you choose to include it (e.g. a contact name).
c) Website & brand content we analyse. When you provide your website URL, we fetch and analyse its public content (text, colours, images, structure) to build your brand profile. This is content you direct us to read.
d) Connected social-media account data. If you connect an account such as Instagram, we receive and store an access token and basic account information (e.g. account ID, username, account type) needed to publish on your behalf and read back performance of posts we publish. See Section 9 for platform-specific detail.
e) Content we generate and publish. Drafts, approved posts, images we create, scheduling data, and the performance/engagement metrics of published content.
f) Payment data. Subscriptions are sold and processed through our Merchant-of-Record payment partner Stripe (acting as Merchant of Record via Stripe Managed Payments; for European customers, Stripe Payments Europe, Limited). They handle your card details and billing - we do not store full card numbers. We receive limited billing data such as plan, status, country, and the last four digits of your card.
g) Usage, device & log data. Basic technical data when you use the Service: IP address, browser/device type, pages and actions, timestamps, and error/diagnostic logs. Used to operate, secure, and debug the Service.
h) Communications. Emails and support messages you send us, and our replies.
We do not intentionally collect special-category data (health, religion, etc.). Please don't submit it.
4. Cookies
The Service currently uses only strictly necessary cookies (for login/session security). These do not require consent. If and when we introduce analytics or other non-essential cookies, we will ask for your consent first through a consent banner (Accept all / Reject all / Necessary only / Customise), and will not set non-essential cookies until you opt in. See our Cookie Policy for details.
5. How we use your data and our legal basis
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and manage your account | a) | Contract |
| Build your brand profile and generate marketing content | b), c) | Contract |
| Publish content to, and read performance from, your connected accounts | d), e) | Contract |
| Process subscriptions and billing | a), f) | Contract; legal obligation (tax/accounting) |
| Operate, secure, debug, and improve the Service | g) | Legitimate interests (running a safe, reliable service) |
| Respond to your messages and provide support | h) | Contract; legitimate interests |
| Send essential service emails (e.g. posting failures, billing, security) | a), e), g) | Contract; legitimate interests |
| Send optional product/marketing emails | a) | Consent (you can opt out anytime) |
| Comply with law and enforce our Terms | as needed | Legal obligation; legitimate interests |
Where we rely on legitimate interests, we have balanced them against your rights; contact us for our assessment.
6. How your content is generated (AI processing)
Campra uses artificial-intelligence services to research, write, and create images for your marketing. To do this, relevant data (such as your brand profile and content from your website or connected accounts) is sent to our AI subprocessors (see Section 8) for processing. We instruct these providers to process the data only to deliver the Service. We do not permit your content to be used to train their public models where an opt-out is available, and our agreements restrict their use of your data to providing the service to us.
7. We do not sell your data
We do not sell your personal data, and we do not share it with third parties for their own advertising. We do not use data from your connected social-media accounts for any purpose other than providing the Service to you.
8. Who we share data with (subprocessors)
We share data only with service providers that help us run the Service, under contracts that require them to protect it. Our current subprocessors:
| Subprocessor | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland) |
| Vercel | Application hosting & scheduled jobs | EU/US (global edge) |
| Anthropic | AI text generation (the content agents) | US |
| fal.ai | AI image generation | US |
| Meta Platforms (Instagram) | Publishing to and reading performance from your connected Instagram account | US |
| Merchant-of-Record payment partner Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.) | Sale and processing of subscriptions; billing; tax | EU/US |
We may add or change subprocessors as the Service evolves; the current list is maintained at campra.dev/subprocessors. Other providers we expect to add (e.g. a transactional-email provider and a product-analytics provider) will be added to that list before they go live. We may also disclose data where required by law or to protect our rights, users, or the public.
9. Instagram / Meta platform data
When you connect an Instagram account, we use Meta's Instagram API. With your authorisation we:
- receive and securely store an access token and basic account info needed to act on your behalf;
- publish content to your account - either content you approve, or, if you turn on automatic publishing, content that meets Campra's quality threshold without separate review; and
- read back the performance (e.g. reach, engagement) of content we published, to show you analytics and improve future content.
We request only the permissions needed for these functions. We do not sell this data, use it for advertising, or share it except with the subprocessors in Section 8 that make publishing possible. You can disconnect at any time in the app, which revokes our access; you can also remove Campra from your account in Instagram's settings. To request deletion of data associated with your connected account, see Section 12.
Our use of information received from Meta APIs follows Meta's Platform Terms and Developer Policies.
10. International data transfers
Your core account data is stored in the EU (Ireland). Some subprocessors (Section 8) process data in the United States. Where personal data leaves the EEA, we rely on a recognised transfer mechanism - the European Commission's Standard Contractual Clauses and/or the provider's certification under the EU-US Data Privacy Framework - so that your data keeps an essentially equivalent level of protection. Contact us for details on the safeguards for a specific transfer.
11. How long we keep your data (retention)
| Data | Retention |
|---|---|
| Rejected content | Automatically deleted 7 days after rejection |
| Content that missed its publishing window (needed review, not approved in time) | Moved to a separate area and automatically deleted 7 days after the intended publish date |
| Account & business profile data | Kept while your account is active |
| Published content & its performance data | Kept while your account is active |
| Operational logs (access, error, security, audit logs) | About 12 months, then deleted |
| Billing records | As required by accounting/tax law |
| After account deletion | Personal data deleted within 30 days; residual copies in backups purged within 90 days |
We may keep limited data longer where the law requires it or to resolve disputes.
If you are a business customer
For data you connect or upload about your business and audience, you are the controller and we are your processor. We process it on your instructions to deliver the Service, under our Data Processing Addendum, and return or delete it on termination as described there.
12. Your rights
Under the GDPR you have the right to: access your data; correct it; delete it ("right to erasure"); restrict or object to processing; data portability; and to withdraw consent at any time (without affecting prior processing). Where you are in a jurisdiction with comparable laws (for example, US state privacy laws), you have equivalent rights to know, access, delete, and opt out of any "sale" or "sharing" of personal data - note that we do not sell or share personal data for advertising - and you will not be discriminated against for exercising your rights.
How to exercise them:
- In the app: you can edit your data, disconnect accounts, and delete your account and data from your settings.
- By email: contact privacy@campra.dev. We respond within one month.
We will verify your identity before acting on a request. There is no charge unless a request is manifestly unfounded or excessive.
Right to complain: if you believe we've mishandled your data, you can lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no) or your local supervisory authority. We'd appreciate the chance to resolve it first.
13. Security
We protect your data with measures including: encryption in transit (HTTPS); encryption of connected-account tokens at rest; strict database access controls and row-level security so customers can only access their own data; least-privilege access to systems; rate limiting and spend controls on sensitive endpoints; and ongoing security review. No system is perfectly secure, but we work to keep your data safe and will notify you and the relevant authority of a qualifying data breach as required by law.
14. Children
The Service is intended for users 18 and over. If you are under 18, you may use it only with a parent or guardian who agrees to the Terms and is responsible for the account. We do not knowingly collect data from children under 16; if you believe a child has given us data, contact us and we will delete it.
15. Changes to this policy
We may update this policy as the Service changes. If we make material changes, we'll notify you (e.g. by email or in-app) before they take effect. The "Last updated" date shows the latest version.
16. Contact
Questions or requests: privacy@campra.dev TT Nordic Digital Health AS, Skogstjernebakken 5, 8515 Narvik, Norway