Privacy Policy
BeMyWords
Skiwo AS · Pilestredet 17, 0164 Oslo, Norway · privacy@skiwo.com
Effective date: 2026-04-24
This Privacy Policy explains how Skiwo AS ("we", "us") processes personal data when you use the BeMyWords translation management platform (the "Service").
1. Data Controller
Skiwo AS (org. no. 916 636 660) is the data controller for personal data processed in connection with operating the Service — this includes account data, billing data, and usage telemetry described below.
When you use BeMyWords to process translations that contain personal data of your own end-users or employees, you are the data controller and we are a processor acting on your documented instructions. Those relationships are governed by our Data Processing Agreement.
Contact: privacy@skiwo.com
2. Personal Data We Process as Controller
We collect and process the following categories of personal data about users of the Service (workspace owners, admins, developers, translators):
- Identity data: name, email address.
- Authentication data: hashed password, session tokens, 2FA secrets where enabled.
- Workspace data: workspace name, role within the workspace, invitations sent.
- Billing data: billing email, billing contact, organisation number (where provided for invoicing).
- Usage data: pages viewed, actions taken within the dashboard, API tokens created and their last-used timestamp.
- Technical data: IP address, user agent, device information (collected automatically for security and debugging).
- Support data: the content of any correspondence you send us.
We do not process special categories of personal data (e.g. health, biometric data) as part of operating the Service.
3. Why We Process Your Data
- To provide the Service: serving the dashboard, executing API calls, running MT workflows you request, delivering translations to your integrations (contract performance, Art. 6(1)(b) GDPR).
- To bill you: creating invoices via our invoicing partner, collecting payment, managing subscriptions (contract performance + legal obligation under accounting law).
- To secure the Service: rate limiting, abuse detection, audit logging, incident response (legitimate interest, Art. 6(1)(f) GDPR).
- To communicate with you: product updates, security notices, support replies (contract performance + legitimate interest).
- To improve the Service: aggregate analytics on how features are used (legitimate interest).
4. Legal Basis
Our processing is based on:
- Performance of the contract with you (Art. 6(1)(b) GDPR)
- Compliance with legal obligations, including accounting obligations under Norwegian law (Art. 6(1)(c) GDPR)
- Our legitimate interests in operating, securing, and improving the Service (Art. 6(1)(f) GDPR)
5. Sub-processors and Data Sharing
We use sub-processors to deliver the Service. The current list is available at Sub-processor List. Each sub-processor is bound by data protection obligations equivalent to ours.
We do not sell personal data. We do not share personal data with third parties except as necessary to operate the Service or as required by law.
When you use MT features, the source strings you submit are transmitted to the MT provider(s) listed as sub-processors. We select MT providers that offer enterprise-grade data handling (no training on your data by default).
6. Data Retention
- Account data: retained while your account is active and for 30 days after deletion to support recovery, then erased (except where legal retention applies — see Billing below).
- Workspace content (translations, memory, comments, screenshots): retained while the workspace is active. After a workspace is deleted, content is retained for 30 days in a soft-deleted state to support recovery, then permanently erased.
- Billing records: retained for the period required under the Norwegian Bookkeeping Act (currently 5 years after the end of the accounting year).
- Audit logs and security telemetry: retained for 12 months on a rolling basis.
- Support correspondence: retained for 24 months.
7. Your Rights
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure (subject to legal retention requirements)
- Restrict processing
- Data portability (you can export workspace content at any time from the dashboard)
- Object to processing based on legitimate interests
- Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet)
To exercise these rights, contact privacy@skiwo.com. We will respond within 30 days.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest
- Role-based access controls
- 2FA for administrative accounts
- Audit logging
- Regular security reviews
- Incident response procedures
Despite these measures, no system is perfectly secure. In the event of a data breach affecting your personal data, we will notify you without undue delay, consistent with GDPR Art. 33–34.
9. International Transfers
Personal data is processed and stored within the European Economic Area (EEA). Hosting and storage are at Heroku in EEA regions; transactional email is delivered via AWS SES (eu-central-1). Some sub-processors may process data outside the EEA; those transfers rely on appropriate safeguards under Chapter V of the GDPR (Standard Contractual Clauses or equivalent). See the Sub-processor List for the canonical breakdown.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to the workspace owner at least 30 days before taking effect. Non-material changes (e.g. clarifying language, contact updates) are posted to this page with an updated effective date.
11. Contact
For questions about this Privacy Policy or to exercise your rights:
privacy@skiwo.com
Skiwo AS
Pilestredet 17, 0164 Oslo, Norway