Privacy Policy

We collect the following data:

• Identity and contact: first name, last name, work email address, telephone number
• Professional details: department, role/function (e.g. DCM, broker), employing bank, country of employment
• Platform activity: deal and tranche information, interest indications, order entries, meeting entries, chat messages and related metadata
• Technical and authentication data: user IDs, login timestamps, IP addresses (as needed for security and audit)

You directly provide Bookbuild with most of the data we collect. We collect and process data when you:

• Register for use and log into the Bookbuild platform;
• Make use of the functionalities that are offered to you on the Bookbuild platform, such as registering interest, submitting orders and keeping track of bond deals.

Bookbuild collects your data so that we can:

• Support the capture and management of investors’ interest and orders in bond bookbuilding;
• Provide user account management, authentication and role-based access controls;
• Enable in-platform chat (one-to-one and group) among bank employees and, where permitted, with employees of other banks;
• Generate reports and audit logs for internal monitoring and compliance;
• Perform any maintenance, updates, troubleshooting or analytics required to deliver the service.

Bookbuild securely stores your data in Microsoft Azure data centres located within the European Union.

All data is encrypted at rest and in transit, and protected through Azure’s security framework and access controls.

We keep your personal data only for as long as we need it for the purposes set out above, or longer if required by law. Specifically: identity and contact data is kept for as long as you have an active account plus 12 months after your last access; authentication and access logs are kept for 90 days in our central logging system; records that form part of the audit trail of a deal are kept for as long as the relevant Customer is required to retain them under capital-markets regulation (currently up to 7 years); and support correspondence is kept for 24 months from last contact. After these periods we delete or anonymise the data.

We use the following third-party providers (sub-processors) to operate the platform on our behalf:

• Microsoft Ireland Operations Limited (Azure) – infrastructure hosting and storage in EU regions;
• Okta, Inc. (Auth0) – authentication and multi-factor authentication;
• Functional Software, Inc. d/b/a Sentry – error and event logging, security monitoring;
• Vercel, Inc. – frontend hosting and content delivery.

We may also share personal data with our professional advisers (lawyers, auditors), with competent courts and authorities where required by law, and with the Customer that you work for or that invited you, to the extent necessary for them to manage their use of the platform. We do not sell your personal data and we do not use it for advertising or marketing.

Your personal data is stored and processed within the European Economic Area (EEA), including Norway. Some of our sub-processors are part of corporate groups headquartered in the United States, even where the data processing region is configured to be in the EU. Where any transfer of personal data outside the EEA may occur, we rely on appropriate safeguards under Chapter V of the GDPR, including the European Commission’s Standard Contractual Clauses. You can request a copy of the relevant safeguards by contacting us at the address below.

For most of the data you put into the platform (such as deal information, orders and chat messages), Bookbuild acts as a data processor on behalf of the Customer (the bank) that has signed a Sales Agreement with us. The Customer is the data controller for that data. If you want to exercise data protection rights in respect of that data, contact the relevant Customer.

Bookbuild acts as data controller for the personal data we hold about you for the purpose of operating the platform itself, such as your account, authentication and access records, our communications with you, and Guest Participant data as set out in the Guest Participants section below.

Bookbuild would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at post@bookbuild.no.

Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.

Bookbuild uses cookies in a range of ways to improve your experience on our website, including:

• Keeping you signed in;
• Understanding how you use our website.

We do not use cookies for advertising, tracking across third-party sites, or marketing purposes.

There are a number of different types of cookies, but our platform uses the following:

You can set your browser not to accept cookies. However, in a few cases, some of our website features may not function as a result.

A “Guest Participant” is someone who has been invited by a Customer to view a specific bond deal on the platform, in their professional capacity, but whose employer is not itself a Customer of Bookbuild. If that is you, this section explains how we process your personal data and how our role differs from our role when handling data about users of our Customers.

Who is responsible for your data

Two organisations process personal data about you when you use the platform as a Guest Participant:

• Bookbuild is the data controller for the information we hold about you in order to give you access to the platform and keep it secure (your name, work email address, employer, login records and similar). This section explains what we do with that data.
• The Customer that invited you is the data controller for the deal information you see on the platform, including any personal data within it. We only handle that information on the Customer’s behalf. If you want to ask a question or exercise a right about that deal information, contact the Customer that invited you.

What data we collect about you

As a Guest Participant, the categories of data we collect about you are the same as those listed under “What data do we collect?” above (identity and contact, professional details, platform activity, technical and authentication data), except that your platform activity is limited to viewing the specific deal(s) you have been invited to.

Most of this data comes either from the Customer that invited you (your name, work email, employer) or from you when you log in and use the platform. Some technical data (such as login timestamps and IP addresses) is generated automatically when you use the platform.

How we use your data and our legal basis

We use your data to:

• Create your guest account, authenticate you and give you access to the deal(s) you have been invited to;
• Keep the platform secure (detecting and investigating unauthorised access, producing audit logs, defending against attack);
• Respond to support requests from you;
• Meet our legal and regulatory obligations, and to establish or defend legal claims; and
• Improve the platform, using aggregated data that does not identify you.

Our legal basis for this processing under the GDPR is our legitimate interest (Article 6(1)(f)) in operating an inter-bank bookbuilding platform and giving controlled access to senior individuals invited by our Customers, balanced against your rights and freedoms. Where we are required to process your data by law (for example for record-keeping), the legal basis is legal obligation (Article 6(1)(c)).

When you accept this policy and the Guest Terms at first login, you confirm that you have been given this information. Your acceptance is not itself the legal basis for our processing.

Who we share your data with

We use the same sub-processors for your data as for our Customer data: Microsoft (Azure infrastructure, EU regions), Okta/Auth0 (authentication), Sentry (error logging and security monitoring) and Vercel (frontend hosting). Some of these are part of US-headquartered groups, although our processing is configured to take place in EU regions. Where any data may be transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses or other appropriate safeguards under the GDPR.

The Customer that invited you can see your activity in respect of its own deals. We do not sell your personal data and we do not use it for advertising or marketing.

How long we keep your data

We keep your identity and contact data for as long as you have at least one active or recent invitation, plus 12 months after your last access, so that you can be re-invited without re-onboarding. Authentication and access logs are kept for 90 days in our central logging system and longer where they are part of the audit record of a specific deal. Records that form part of the audit trail of a deal are kept for as long as the Customer that invited you is required to retain them under capital-markets regulation (currently up to 7 years).

Your rights

You have the same data protection rights as set out in the “What are your data protection rights?” section above. You also have the right to object to our processing based on legitimate interests, on grounds relating to your particular situation. To exercise these rights in relation to the data we control about you, contact us at post@bookbuild.no. For rights relating to the deal information you see on the platform, contact the Customer that invited you.

Bookbuild keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on 15.05.2026.

If you have any questions about Bookbuild’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

• Email: post@bookbuild.no
• Postal address: Bookbuild AS, Bogstadveien 54, 0366 Oslo, Norway

Should you wish to report a complaint or if you feel that Bookbuild has not addressed your concern in a satisfactory manner, you may contact the Norwegian Data Protection Authority (Datatilsynet) and register a complaint at www.datatilsynet.no.