Privacy Policy
Last updated: 2 July 2026
This policy describes how [Selskapsnavn AS] (company no. [org.nr]) processes personal data. For website visitors and account holders we are the controller. For data held inside a customer's instance (e.g. employees' nicknames and consumption events) the customer is the controller and we are the processor – see the data processing agreement.
1. What we process
- ▪Website: we use no tracking or marketing cookies and collect no personal data about visitors beyond what is technically necessary.
- ▪Account/onboarding: organisation name, chosen subdomain and the admin's email address.
- ▪Payment: handled by Stripe; we do not store card details.
- ▪Login: a technical session cookie required to keep you signed in.
2. Purpose and legal basis
We process the data to deliver, bill and operate the service, and to respond to enquiries. The legal basis is performance of a contract (GDPR Art. 6(1)(b)) and our legitimate interest in running and improving the service (Art. 6(1)(f)).
3. Cookies
We use only strictly necessary cookies (for login and security). We use no analytics, tracking or advertising cookies, so no consent banner is required for such purposes.
4. Aggregate usage statistics
We count a single anonymous, aggregate total: how many cups have been logged in total across all hosted instances. This number contains no information about individuals, departments or individual customers and is considered anonymous statistics – not personal data. We use it to show activity on our website and to understand usage of the service.
5. Storage and location
All data is stored in the EU (data centre in Finland, via Hetzner) and never leaves the EEA. We take regular backups.
6. Processors
We use the following sub-processors, all under a data processing agreement:
- ▪Hetzner Online GmbH – hosting and storage (EU: Finland/Germany).
- ▪Stripe – payment processing.
- ▪Resend – sending transactional email (welcome, login).
7. Retention
Account data is kept for as long as you are a customer. On cancellation, instance data is deleted after a reasonable retention period. Invoicing/accounting data is kept for as long as bookkeeping law requires.
8. Your rights
You have the right to access, rectification, erasure and data portability, and can object to or request restriction of processing. Contact us at personvern@questroasted.app. You may also complain to the Norwegian Data Protection Authority (Datatilsynet).
9. Changes
We may update this policy. The current version is always here, with the last-updated date at the top.
10. Contact
Controller: [Selskapsnavn AS], [postadresse]. Email: personvern@questroasted.app.