Last Updated: [October 26, 2023]
Controller and Data Protection Officer
The data controller responsible for your personal data is:
Company Name: Appscard Group AS
Organization Number: 825128972
Location: Norway
Email: privacy@appscard.com
If you have any questions about this policy or how we handle your data, please contact us using the details above. We are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. However, for any data protection inquiries, please contact us at the email address provided above.
Information We Collect and Our Legal Basis (GDPR Article 6)
We only collect and process your personal data when we have a valid legal basis to do so. The table below outlines the purposes, categories of data, and the corresponding legal basis.
- Purpose of Processing: To provide the service and manage your account.
- Categories of Personal Data: Name, email address, password, profile information, user-generated content.
- Legal Basis for Processing: Performance of a Contract (GDPR Art. 6(1)(b)): This processing is necessary to create your account and provide the services you have requested.
- Purpose of Processing: To process payments for premium features.
- Categories of Personal Data: Transaction data (handled by our payment processor). We do not store your full payment card details.
- Legal Basis for Processing: Performance of a Contract (GDPR Art. 6(1)(b)): Necessary to fulfill your purchase.
- Purpose of Processing: To send you service-related communications (e.g., security alerts, password resets, policy updates).
- Categories of Personal Data: Email address, account information.
- Legal Basis for Processing: Performance of a Contract (GDPR Art. 6(1)(b)) and Legitimate Interests (GDPR Art. 6(1)(f)): Necessary for the administration of our contract and our legitimate interest in maintaining service security and communication.
- Purpose of Processing: To provide customer support.
- Categories of Personal Data: Contact information, communication history, and any other information you provide when you contact us.
- Legal Basis for Processing: Legitimate Interests (GDPR Art. 6(1)(f)): It is in our legitimate interest to respond to your inquiries and provide support to our users.
- Purpose of Processing: For marketing communications (e.g., newsletters, new feature announcements).
- Categories of Personal Data: Email address, name.
- Legal Basis for Processing: Consent (GDPR Art. 6(1)(a)): We will only send you direct marketing if you have given us your explicit consent. You can withdraw consent at any time.
- Purpose of Processing: To analyze and improve our Services (e.g., usage trends, feature performance).
- Categories of Personal Data: Usage Data, Device Information, Cookies.
- Legal Basis for Processing: Legitimate Interests (GDPR Art. 6(1)(f)): It is in our legitimate interest to analyze the use of our Services to improve functionality and user experience. For non-essential cookies, we rely on your Consent.
- Purpose of Processing: To ensure security and prevent fraud.
- Categories of Personal Data: IP address, device information, log data.
- Legal Basis for Processing: Legitimate Interests (GDPR Art. 6(1)(f)) and Legal Obligation (GDPR Art. 6(1)(c)): It is in our legitimate interest to protect our Services and users from security threats and fraud. We may also have a legal obligation to ensure security.
International Data Transfers
Your data is processed within the European Economic Area (EEA). If we ever need to transfer your personal data to countries outside the EEA (e.g., to service providers in the United States), we will ensure an adequate level of protection is in place as required by GDPR. This will be done through one of the following safeguards:
- Adequacy Decisions: Transferring to countries approved by the European Commission as having adequate data protection laws.
- Standard Contractual Clauses (SCCs): Using the EU-approved model contracts that grant personal data the same protection it has in Europe.
- Binding Corporate Rules (BCRs): For transfers within international organizations.
You can request more information about the specific mechanisms we use for international data transfers by contacting us.
Your Data Subject Rights under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, please contact us using the details in Section 1.
- Right of Access (Art. 15): You have the right to obtain confirmation as to whether or not we are processing your personal data and to access that data.
- Right to Rectification (Art. 16): You have the right to have inaccurate personal data about you corrected.
- Right to Erasure (‘Right to be Forgotten’) (Art. 17): You have the right to request the deletion of your personal data under certain circumstances (e.g., if the data is no longer necessary for the purposes it was collected, or if you withdraw your consent).
- Right to Restriction of Processing (Art. 18): You have the right to request that we temporarily halt the processing of your personal data under certain conditions (e.g., while we verify the accuracy of your data).
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to Object (Art. 21): You have the right to object to the processing of your personal data based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent: If processing is based on your consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA state of your habitual residence, place of work, or place of the alleged infringement. In Norway, this is the Datatilsynet (Norwegian Data Protection Authority).
We will respond to all legitimate requests within one month. Occasionally, it could take us longer if your request is particularly complex or you have made a number of requests.
Data Retention
We will retain your personal data only for as long as is necessary for the purposes set out in this policy, or to comply with our legal obligations (e.g., tax, accounting laws), resolve disputes, and enforce our agreements.
To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.
Upon expiry of the retention period, your data will be securely deleted or anonymized.
Cookies and Similar Technologies
We use cookies and similar tracking technologies to track activity on our Service. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
We categorize cookies as follows:
- Essential Cookies: Necessary for the website to function and cannot be switched off. They are set in response to actions you take, such as logging in. These do not require consent.
- Analytics Cookies: Allow us to count visits and traffic sources to measure and improve performance.
- Functional Cookies: Enable enhanced functionality and personalization.
- Targeting Cookies: Set by our advertising partners to build a profile of your interests.
For any non-essential cookies, we will request your explicit consent via a cookie banner when you first visit our Site. You can manage your cookie preferences at any time through our Cookie Settings tool.
Contact Us & Supervisory Authority
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at [privacy@appscard.com].
If you wish to lodge a complaint, you have the right to contact the Norwegian supervisory authority:
Datatilsynet
Postboks 458 Sentrum
0105 Oslo
Email: postkasse@datatilsynet.no
Website: https://www.datatilsynet.no/



