Privacy Policy

Last updated: 19.04.2026


1. Introduction

This Privacy Policy describes how Avial AS (org. nr. 834 230 682) processes personal data in connection with our application.

We are committed to protecting personal data in accordance with applicable laws, including the General Data Protection Regulation (GDPR) and Norwegian data protection legislation.


2. Roles and Responsibilities

2.1 For account data

For personal data related to user accounts (e.g. login via Google), we act as the Data Controller.

2.2 For customer data

Our application allows business users to store and manage customer data (CRM functionality).

For such data:

  • The user (business) is the Data Controller
  • We act as the Data Processor

We only process this data on behalf of and according to instructions from the user.


3. Personal Data We Collect

3.1 Account and Authentication Data

When you sign in using Google, we collect:

  • Name
  • Email address
  • Profile picture (if available)

We use Google OAuth for authentication. We do not access other Google account data such as Gmail or Google Drive.

3.2 Customer Data (Processed on behalf of users)

Users of the app may input and manage customer data, including:

  • Name
  • Address
  • Phone number
  • Email
  • Service history
  • Sales and transaction data
  • Notes and communication records

This data is controlled by the user (business), not by Avial AS.


4. Cookies and Local Storage

Our application uses session and authentication cookies only. These are strictly necessary for the application to function and to keep you securely signed in.

We do not use cookies for advertising, analytics, or tracking purposes.

Cookie type | Purpose | Duration
Session cookie | Maintains your authenticated session | Session only
Auth token | Secures your login state | Session only

You can disable cookies in your browser settings, but doing so will prevent you from signing in to the application.


5. Purpose of Processing

We process personal data for the following purposes:

Account data:

  • User authentication
  • Account management
  • Security and fraud prevention

Customer data (on behalf of users):

  • CRM functionality
  • Service planning and tracking
  • Customer follow-up
  • Sales management

6. Legal Basis for Processing

Account data — Processing is based on:

  • Contract (GDPR Art. 6(1)(b))
  • Legitimate interest — security and service improvement (GDPR Art. 6(1)(f))

Customer data — Processing is based on:

  • Instructions from the Data Controller (the business user)
  • The user (business) is responsible for establishing their own legal basis for collecting and storing customer data

7. Data Storage and Transfers

We use two separate storage systems depending on the type of data:

Data type | Storage system | Location
Account & auth data | Google Cloud / Firebase | EU region
Customer data (CRM) | Neon Postgres (PostgreSQL) | AWS Europe — Frankfurt (aws-eu-central-1)

Customer data is stored exclusively within the EU/EEA on Neon's managed PostgreSQL infrastructure, hosted on AWS Europe (Frankfurt). No customer data is transferred outside the EU/EEA.

For account and authentication data processed via Google Cloud / Firebase, data may in some cases be processed outside the EU/EEA. In such cases, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission

Google Cloud is certified under the EU–U.S. Data Privacy Framework and operates under SCCs for international data transfers.


8. Data Retention

Data type | Retention period
Account data | Retained for as long as the account is active
Customer data | Retained according to user (business) instructions

Users may request deletion of their account data at any time by contacting us (see Section 13).


9. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest via Google Cloud infrastructure
  • Access control and authentication
  • Secure session management
  • Logging and monitoring

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33. Affected individuals will be notified without undue delay where required.


10. Data Sharing

We do not sell personal data.

We may share data with:

  • Service providers — hosting and infrastructure (Google Cloud / Firebase)
  • Authorities — if required by applicable law or court order

All third-party processors are bound by data processing agreements and are obligated to process data only according to our instructions.


11. Your Rights Under GDPR

Under GDPR, you have the right to:

Right | Description
Access | Obtain a copy of the personal data we hold about you
Rectification | Have inaccurate data corrected
Erasure | Request deletion of your personal data ("right to be forgotten")
Restriction | Request that we limit how we process your data
Data portability | Receive your data in a structured, machine-readable format
Object | Object to processing based on legitimate interest

Note: Requests related to customer data must be directed to the relevant Data Controller — the business that entered the data into the application.

To exercise your rights regarding your account data, contact us using the details in Section 13.

You also have the right to lodge a complaint with the Norwegian supervisory authority:

Datatilsynet www.datatilsynet.no · post@datatilsynet.no · (+47) 22 39 69 00


12. Google User Data Compliance

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google data for authentication
  • We do not share Google user data with third parties
  • We do not use Google data for advertising purposes
  • We do not allow humans to read your Google data unless required by law or you have given explicit permission

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify users via the application or by email. The date at the top of this page reflects the latest revision.


14. Contact Information

For questions, requests, or complaints related to this Privacy Policy or your personal data:

Avial AS
Org. nr. 834 230 682
Høgenapvegen 17B
5563 Førresfjorden, Norway

📧 support@avial.no