Privacy Policy

Last updated: 2 July 2026

This policy describes how [Selskapsnavn AS] (company no. [org.nr]) processes personal data. For website visitors and account holders we are the controller. For data held inside a customer's instance (e.g. employees' nicknames and consumption events) the customer is the controller and we are the processor – see the data processing agreement.

1. What we process

  • Website: we use no tracking or marketing cookies and collect no personal data about visitors beyond what is technically necessary.
  • Account/onboarding: organisation name, chosen subdomain and the admin's email address.
  • Payment: handled by Stripe; we do not store card details.
  • Login: a technical session cookie required to keep you signed in.

2. Purpose and legal basis

We process the data to deliver, bill and operate the service, and to respond to enquiries. The legal basis is performance of a contract (GDPR Art. 6(1)(b)) and our legitimate interest in running and improving the service (Art. 6(1)(f)).

3. Cookies

We use only strictly necessary cookies (for login and security). We use no analytics, tracking or advertising cookies, so no consent banner is required for such purposes.

4. Aggregate usage statistics

We count a single anonymous, aggregate total: how many cups have been logged in total across all hosted instances. This number contains no information about individuals, departments or individual customers and is considered anonymous statistics – not personal data. We use it to show activity on our website and to understand usage of the service.

5. Storage and location

All data is stored in the EU (data centre in Finland, via Hetzner) and never leaves the EEA. We take regular backups.

6. Processors

We use the following sub-processors, all under a data processing agreement:

  • Hetzner Online GmbH – hosting and storage (EU: Finland/Germany).
  • Stripe – payment processing.
  • Resend – sending transactional email (welcome, login).

7. Retention

Account data is kept for as long as you are a customer. On cancellation, instance data is deleted after a reasonable retention period. Invoicing/accounting data is kept for as long as bookkeeping law requires.

8. Your rights

You have the right to access, rectification, erasure and data portability, and can object to or request restriction of processing. Contact us at personvern@questroasted.app. You may also complain to the Norwegian Data Protection Authority (Datatilsynet).

9. Changes

We may update this policy. The current version is always here, with the last-updated date at the top.

10. Contact

Controller: [Selskapsnavn AS], [postadresse]. Email: personvern@questroasted.app.