Privacy Policy

Oslo Audio Guide App

Effective Date: January 8, 2025
Last Updated: January 8, 2025

1. DATA CONTROLLER

Hardmax AS

Norwegian Corporation (Aksjeselskap)

Organization Number: 936 143 202

Email: privacy@osloaudioguide.no

DPO Contact: dpo@osloaudioguide.no (voluntary DPO appointment)

Company Website: https://www.hardmax.no

Product Website: https://www.osloaudioguide.no

2. INTRODUCTION

This Privacy Policy explains how we collect, use, and protect your personal data when you use the Oslo Audio Guide App ("the App"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and Norwegian privacy laws.

3. DATA WE COLLECT

3.1 Account Information

  • Data: Email address, profile information, user preferences
  • Legal Basis: Contract performance (GDPR Art. 6(1)(b))
  • Purpose: User authentication, account management, app functionality
  • Retention: 3 years from last activity, then soft deletion + 30 days

3.2 Analytics Data (Optional)

  • Data: Device identifiers (anonymized), usage patterns, feature engagement, session data, geographic region (city-level)
  • Legal Basis: Consent (GDPR Art. 6(1)(a)) and Legitimate interest (GDPR Art. 6(1)(f))
  • Purpose: Product analytics, user experience optimization, performance monitoring
  • Retention: 365 days from collection
  • Processor: PostHog Inc. (USA) - EU region processing when possible

3.3 Error Tracking (Optional)

  • Data: Error logs, device information, application version, performance metrics
  • Legal Basis: Consent (GDPR Art. 6(1)(a)) and Legitimate interest (GDPR Art. 6(1)(f)—our interest in ensuring service stability and resolving technical issues)
  • Purpose: Application stability, error monitoring, crash reporting
  • Retention: 30 days from collection
  • Processor: Functional Software Inc. (Sentry) (USA)

3.4 Location Data (Optional)

  • Data: GPS coordinates (approximate), proximity to tour points
  • Legal Basis: Consent (GDPR Art. 6(1)(a)) and Contract performance (GDPR Art. 6(1)(b))
  • Purpose: Location-based tour recommendations, navigation assistance
  • Retention: Session-based only, not stored permanently

3.5 User-Generated Content

  • Data: Profile pictures, tour reviews, ratings, bookmarks
  • Legal Basis: Contract performance (GDPR Art. 6(1)(b)) and Consent (GDPR Art. 6(1)(a))
  • Purpose: App functionality, content personalization
  • Retention: Until account deletion or 365 days for uploaded media

4. DATA PROCESSORS

We work with the following data processors:

4.1 PostHog Inc.

  • Service: Analytics and product improvement
  • Location: USA (EU region processing when possible)
  • Safeguards: Standard Contractual Clauses (SCCs), Data Processing Agreement

4.2 Functional Software Inc. (Sentry)

  • Service: Error monitoring and application stability
  • Location: USA
  • Safeguards: Standard Contractual Clauses (SCCs), Data Processing Agreement

4.3 Supabase Inc.

  • Service: Database and user account management
  • Location: USA (EU region hosting in eu-central-1)
  • Safeguards: Standard Contractual Clauses (SCCs), Data Processing Agreement

5. INTERNATIONAL DATA TRANSFERS

Some of our processors are located outside the European Economic Area (EEA):

  • PostHog Inc. (USA): Data stored in EU region; Standard Contractual Clauses apply for any limited remote access from the US
  • Sentry (USA): Data stored in EU region; Standard Contractual Clauses apply for any limited remote access from the US
  • Supabase (USA): Data stored in EU region (eu-central-1); Standard Contractual Clauses apply for any limited remote access from the US

6. YOUR RIGHTS UNDER GDPR

You have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data under certain circumstances.
  • Right to Restrict Processing (Art. 18): Request limitation of processing under certain circumstances.
  • Right to Data Portability (Art. 20): Request transfer of your data to another service provider.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent for data processing at any time through app settings. Withdrawal does not affect processing already carried out.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with Datatilsynet if you believe your data is processed in violation of the GDPR.

Self-Service Data Rights

You can exercise many of these rights directly through the app:

  • Data Export: Settings → Privacy → Export My Data
  • Data Deletion: Settings → Privacy → Delete My Account
  • Consent Management: Settings → Privacy → Manage Consent

7. SPECIAL PROTECTIONS FOR MINORS

7.1 Age Verification

Users under 16 years require parental consent in accordance with Norwegian law (ekomloven §2-7).

7.2 Kids Mode

For users under 16:

  • Analytics and error tracking disabled by default
  • Enhanced privacy protections
  • Parental consent required for data processing
  • Limited data collection and retention

7.3 Parental Rights

Parents can:

8. DATA SECURITY

We implement appropriate technical and organizational measures:

8.1 Technical Measures

  • Data encryption in transit (TLS 1.3)
  • Data encryption at rest (AES-256)
  • IP address anonymization
  • Pseudonymization of user identifiers
  • Row-Level Security (RLS) policies

8.2 Organizational Measures

  • Data Processing Agreements with all processors
  • Regular privacy impact assessments
  • Staff training on data protection
  • Incident response procedures
  • Access controls and logging

9. DATA RETENTION

We retain personal data only as long as necessary:

  • Account Data: 3 years from last activity
  • Analytics Data: 365 days from collection (PostHog free plan: 1 year)
  • Error Logs: 30 days from collection (Sentry free plan)
  • Location Data: Session-based only
  • User Content: Until account deletion or 365 days for media

Automated retention jobs run daily to ensure compliance with these periods.

10. COOKIES AND TRACKING

The mobile app itself does not set cookies. Local storage is used only for:

  • User authentication tokens
  • App preferences and settings
  • Offline content caching

11. THIRD-PARTY SERVICES

The app integrates with:

  • Apple App Store / Google Play Store: For app distribution and in-app purchases
  • Device Location Services: For location-based features (with consent)

12. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:

  • Notify users of material changes through the app
  • Update the "Last Updated" date
  • Maintain previous versions for reference

13. NORWEGIAN TRANSPARENCY ACT (ÅPENHETSLOVEN)

In accordance with the Norwegian Transparency Act, information about our supply chain and due diligence efforts is available at: https://osloaudioguide.no/transparency

14. CONTACT INFORMATION

For privacy-related questions or to exercise your rights:

Supervisory Authority:

Datatilsynet (Norwegian Data Protection Authority)

Website: https://www.datatilsynet.no

Email: postkasse@datatilsynet.no

15. LEGAL BASIS SUMMARY

Data Category | Legal Basis | Purpose
Account Information | Contract Performance | App functionality
Analytics Data | Consent + Legitimate Interest | Product improvement
Error Tracking | Consent + Legitimate Interest | Service stability
Location Data | Consent + Contract Performance | Location features
User Content | Contract Performance + Consent | App functionality