Privacy Policy

/ 01

Information we collect

Information you provide directly

When you sign up for NorthernPlus as a customer, we collect your name, work email, company name, and phone number. When you create a workspace, we collect billing contact information (we do not store full payment card numbers; those are held by our payment processor).

Information collected from your end users

When end users complete an intake form, NorthernPlus receives whatever your company has configured the form to collect. This typically includes contact information, demographic information, relevant facts, and uploaded documents. Sensitive categories may include health information, financial information, and information about minors. Where a customer's use involves protected health information subject to HIPAA, our processing of that information is also governed by a Business Associate Agreement.

Information collected automatically

We collect technical data when you use the service: IP address, browser type, device identifiers, pages viewed, time stamps, and similar telemetry. We use first-party cookies and similar technologies for session management, authentication, and core product functionality.

We also use Google Analytics (GA4) and Hotjar to understand how visitors use our marketing website. These tools may collect your IP address (anonymized), pages visited, session duration, scroll depth, clicks, and browser and device type. Analytics cookies are only loaded with your consent where required by applicable law. See Section 02 for details.

Information from AI voice intake

When AI voice intake is enabled by a customer, NorthernPlus (or our voice subprocessor) collects the audio of the call, the call transcript, and any structured data extracted from the conversation. Calls are recorded with prior consent disclosure to the end user, in accordance with applicable telephone consumer protection laws.

/ 02

Cookies and analytics technologies

Essential cookies

Essential cookies are required for the service to function. They manage your session, protect against cross-site request forgery, and maintain authentication state. These cookies cannot be disabled without breaking core functionality and do not require consent.

Analytics cookies

We use two analytics tools on our marketing website:

• Google Analytics (GA4):Collects aggregated information about how visitors use the site: pages viewed, session duration, referral source, device type, and approximate geography. IP addresses are anonymized. Data is processed by Google LLC under a Data Processing Agreement. GA4 operates under Google's Consent Mode v2, meaning it collects no identifying data until you grant consent (for visitors where consent is required).
• Hotjar: Records anonymized session replays and collects heatmap data to help us understand how users navigate the site. Hotjar does not capture passwords or payment fields. Data is processed by Hotjar Ltd.

We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies.

Cookie consent

On your first visit, we detect your approximate location to determine which consent framework applies:

• EU, UK, EEA, and Switzerland visitors (GDPR): Analytics cookies are blocked by default. A banner prompts you to accept or decline before any analytics load.
• California residents (CCPA): Analytics run by default under the opt-out model. A notice lets you opt out at any time.
• All other visitors: Analytics load without a banner, consistent with applicable law.

Managing your preferences

You can change or withdraw your consent at any time by clicking Cookie preferencesin the footer of any page. Your choice is saved in your browser's local storage. You can also disable or delete cookies through your browser settings; note that disabling essential cookies will affect service functionality.

Additional opt-out tools: Google Analytics opt-out browser add-on (available at tools.google.com/dlpage/gaoptout); Hotjar opt-out at hotjar.com/legal/compliance/opt-out.

Cookie retention

Google Analytics cookies persist for up to 24 months. Hotjar session cookies expire at the end of your browser session; Hotjar identification cookies persist for up to 365 days. Essential session cookies expire when you close your browser or log out.

/ 03

How we use information

We use information for the following purposes:

• To provide the service: maintain accounts, deliver intake forms, send magic-link emails, run AI voice calls, route data to customers.
• To support customers: respond to support requests, troubleshoot issues, and improve the product based on aggregate usage patterns.
• To bill customers: process subscription payments and issue invoices.
• To secure the service: detect abuse, prevent fraud, and respond to security incidents.
• To improve our marketing website: analyze aggregate visitor behavior using Google Analytics and Hotjar, with consent where required.
• To comply with legal obligations: respond to lawful requests from regulators, courts, and other authorities.

We do not sell personal information. We do not use identifiable intake data to train artificial intelligence models for the benefit of other customers. Where a customer enables AI features, we use that customer's intake data to serve that customer. We may use de-identified and aggregated data, usage data, and feedback to operate, secure, and improve the service and its models, as described in Sections 10 and 12 of our Master Subscription Agreement.

/ 04

Sharing and disclosure

Service providers (subprocessors)

We share information with vendors that help us operate the service: hosting infrastructure, email delivery, authentication, payment processing, voice telephony, analytics (Google Analytics, Hotjar), and customer support. A current list of subprocessors is available on request from hello@northernplus.com. Each subprocessor is bound by contractual obligations to protect customer data.

Legal requirements

We may disclose information when required by law, subpoena, court order, or other lawful process. Where legally permitted, we will notify the affected customer before disclosing their data.

Business transfers

If NorthernPlus is involved in a merger, acquisition, or sale of assets, customer information may be transferred as part of that transaction. We will provide notice before customer information is transferred and becomes subject to a different privacy policy.

/ 05

Data retention

We retain customer data for as long as the customer maintains an active account, plus a reasonable wind-down period after termination during which data can be exported. After that period, data is deleted from active systems on a defined schedule and from backups within ninety days.

End-user intake data (the data collected by a customer using NorthernPlus) is retained according to the customer's own retention configuration. Customers can delete or redact end-user records at any time using built-in privacy tools, subject to any recordkeeping requirements that apply to their industry and may require preservation of certain audit trails.

Telemetry and operational logs are retained for up to twelve months for security, debugging, and analytics, and then purged or anonymized.

/ 06

Security

We use commercially reasonable technical and organizational measures to protect personal information from loss, misuse, and unauthorized access. These measures include:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest using industry-standard algorithms.
• Field-level encryption for designated sensitive fields (such as government identifiers and financial account numbers).
• Access controls based on the principle of least privilege.
• Multi-factor authentication for administrative and engineering access.
• Logical isolation of customer workspaces, with automated tests verifying isolation on every release.
• Secure software development practices, code review, and dependency monitoring.
• Regular third-party security assessments.

No system can be guaranteed perfectly secure. If we become aware of a personal data breach affecting a customer, we will notify the customer without undue delay, in accordance with applicable law and our Data Processing Addendum.

/ 07

Your rights (GDPR: EU, UK, EEA)

If you are located in the European Union, United Kingdom, or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent national law:

• Right of access: Request a copy of the personal information we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete information.
• Right to erasure: Request deletion of your personal information where there is no compelling reason for its continued processing.
• Right to restriction: Request that we limit the processing of your information in certain circumstances.
• Right to data portability: Receive a copy of your information in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: Where processing is based on your consent (including analytics cookies), you may withdraw at any time without affecting the lawfulness of prior processing. Use the Cookie preferences link in the footer to withdraw analytics consent.
• Right to lodge a complaint:You have the right to lodge a complaint with your local supervisory authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

If you are an end user (someone who filled out an intake form for a company using NorthernPlus), please direct requests to that company first. The company is the controller of your intake data. We will support the company in fulfilling them.

NorthernPlus customers may exercise rights by emailing hello@northernplus.com. We will respond within 30 days.

/ 08

California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Rights available to California residents

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for which we collected it, the categories of sources, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions (such as information needed to complete a transaction or comply with a legal obligation).
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt out of sale or sharing:We do not sell personal information and do not share it for cross-context behavioral advertising. Analytics data shared with Google Analytics and Hotjar may constitute “sharing” under CPRA; you can opt out using the Cookie preferences link in the footer or the Opt out button in the banner shown to California visitors.
• Right to limit use of sensitive personal information: You may request that we limit processing of sensitive personal information to necessary service functions.
• Right to non-discrimination: We will not discriminate against you for exercising any CCPA right. Exercising these rights will not affect the price or quality of services.

How to exercise your rights

Submit a verifiable consumer request to hello@northernplus.com with the subject line “California Privacy Request.” We will respond within 45 days. If we need additional time (up to 90 days), we will notify you of the extension within the initial 45-day period.

You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide written proof of authorization and may require you to verify your own identity directly.

Shine the Light

California Civil Code Section 1798.83 permits California residents to request certain information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information for third-party direct marketing purposes.

/ 09

Children's privacy

NorthernPlus is not directed to children under the age of 13. We do not knowingly collect personal information directly from children under 13. Companies using NorthernPlus may collect information about minors as part of the services they provide; in those cases, the company is the controller and is responsible for applicable protections. If we become aware that we have inadvertently collected information directly from a child under 13 outside of a legitimate company-mediated intake, we will delete it.

/ 10

International data transfers

NorthernPlus is operated from the United States, and our infrastructure is hosted primarily in the United States. If you access the service from outside the United States, your information will be transferred to and processed in the United States.

For transfers of personal data from the EU, UK, or EEA to the United States, we rely on lawful transfer mechanisms including the European Commission's Standard Contractual Clauses (SCCs), the UK Addendum to those SCCs for UK transfers, and equivalent measures for Switzerland, as set out in our Data Processing Addendum. A copy of the applicable transfer mechanism is available on request.

/ 11

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify customers by email and update the “Last updated” date at the top of this page. Continued use of the service after a material change constitutes acceptance of the updated policy.

/ 12

Contact us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

NorthernPlus Inc.
Phone: (763) 272-7262
323 Washington Ave N, #200
Minneapolis, MN 55401
Email: hello@northernplus.com