Privacy Policy (Personvernerklæring)

Platform: Viby
Effective Date: 28.07.2025
Last Updated: 28.07.2025
GDPR Compliance: EU General Data Protection Regulation
Data Controller: Viby, Roppestadkollen 63N, 3138, Skallestad

1. INTRODUCTION

This Privacy Policy explains how Viby ("we," "us," "our") collects, uses, and protects your personal information when you use our social networking platform for Norwegian "russ" students ("Service," "Platform").

We are committed to protecting your privacy and complying with:

EU General Data Protection Regulation (GDPR)
Norwegian Personal Data Act
Norwegian Privacy Act
Other applicable privacy laws

1.1 Data Controller Information

Data Controller: Viby
Email: kontakt@viby.no

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Information

Name: Full name for account identification
Email Address: Primary communication and login
Password: Securely hashed and stored (we never see your actual password)
Date of Birth: Age verification (encrypted and stored securely)
Phone Number: Optional for account security (encrypted if provided)

Profile Information

Display Name: How you appear to other users
Biography: Optional personal description
School Information: School name and graduation year
Location: General location (encrypted if provided)
Profile Picture: Images you upload for your profile
Social Links: Links to other social media profiles (optional)

Content and Communications

Posts: Text, images, videos, links, and polls you share
Comments: Your responses to posts
Likes and Reactions: Your engagement with content
Messages: Direct communications (when feature is available)
Reports: Content or user reports you submit

2.2 Information We Collect Automatically

Technical Information

IP Address: For security and geographic insights
Device Information: Device type, operating system, browser type
Usage Data: How you interact with our platform
Log Data: Access times, pages viewed, errors encountered
Cookies and Similar Technologies: For functionality and analytics

Platform Activity

Login History: Dates, times, and locations of account access
Feature Usage: Which platform features you use and how often
Content Interactions: What content you view, like, share, or comment on
Search Queries: Terms you search for on the platform
Session Data: How long you spend on different parts of the platform

2.3 Information from Third Parties

OAuth Authentication

When you sign in with third-party services:

Google: Basic profile information (name, email, profile picture)
GitHub: Public profile information (name, email, avatar)

Event Information

Event Organizers: Information about events you participate in
Public Sources: Publicly available information about russ events

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

Service Provision

Account Management: Creating and maintaining your account
Platform Functionality: Enabling core features like posting and commenting
Crew Management: Managing crew memberships and invitations
Event Discovery: Showing relevant events and managing participation
Content Moderation: Ensuring community safety and guideline compliance

Communication

Platform Notifications: Updates about your account and activity
Security Alerts: Important security-related communications
Service Updates: Information about new features or changes
Support Communications: Responding to your questions and issues

Safety and Security

Account Protection: Detecting unauthorized access attempts
Fraud Prevention: Identifying and preventing fraudulent activities
Content Moderation: Reviewing reported content and user behavior
Platform Security: Monitoring for security threats and vulnerabilities

3.2 Legal Bases for Processing (GDPR)

We process your personal data based on the following legal grounds:

Consent (Article 6(1)(a))

Marketing communications (when you opt-in)
Optional data collection (location, phone number)
Cookies for analytics and advertising

Contract Performance (Article 6(1)(b))

Account creation and management
Providing platform services
Processing payments for premium features

Legitimate Interests (Article 6(1)(f))

Platform security and fraud prevention
Content moderation and community safety
Service improvement and analytics
Direct marketing to existing users (with opt-out option)

Legal Obligations (Article 6(1)(c))

Compliance with Norwegian law
Response to law enforcement requests
Age verification requirements

3.3 Special Categories of Data

We may process limited special category data:

Age Information: For compliance with age restrictions
Health Data: Only if voluntarily shared in content (discouraged)
Sexual Orientation: Only if voluntarily disclosed in profile

Legal Basis: Explicit consent (Article 9(2)(a)) or public disclosure by the individual

4. DATA SHARING AND DISCLOSURE

4.1 Information We Share

Public Information

The following information is publicly visible:

Profile name and biography
Public posts and comments
Crew memberships (if you choose public visibility)
Event participation (for events you join)

Within the Platform

Crew Members: Crew-specific content and activities
Event Participants: Information relevant to shared events
Other Users: Profile information based on your privacy settings

4.2 Third-Party Sharing

Service Providers

We share data with trusted third parties who help operate our platform:

Amazon Web Services (AWS)

Purpose: Cloud hosting, file storage, email delivery
Data: Technical data, uploaded files, email communications
Location: EU/EEA regions with GDPR adequacy decisions
Safeguards: AWS Data Processing Agreement, standard contractual clauses

Upstash (Redis)

Purpose: Session management, caching
Data: Session tokens, temporary data
Location: EU regions
Safeguards: Data processing agreement, encryption

Google Analytics (Optional)

Purpose: Website analytics and improvement
Data: Anonymized usage statistics
Controls: You can opt-out via privacy settings
Safeguards: Data processing agreement, IP anonymization

Legal Requirements

We may disclose information when required by law:

Norwegian Authorities: Police, courts, regulatory bodies
EU Authorities: Under mutual legal assistance agreements
Emergency Situations: To prevent imminent harm

Business Transfers

In case of merger, acquisition, or sale:

Buyer Notification: You will be notified of any ownership change
Data Protection: Same privacy protections will apply
Opt-out Option: You may delete your account before transfer

4.3 International Transfers

Adequacy Decisions

Data is primarily stored in countries with EU adequacy decisions:

European Union member states
Norway, Iceland, Liechtenstein (EEA)
United Kingdom (until revoked)

Standard Contractual Clauses

For transfers to other countries:

AWS US: Standard Contractual Clauses with additional safeguards
Third-party Services: Adequate safeguards in place
Encryption: Data encrypted in transit and at rest

5. DATA RETENTION

5.1 Retention Periods

Active Account Data

Profile Information: While your account is active
Content: Until you delete it or close your account
Messages: Until deletion by sender or recipient
Analytics Data: 26 months maximum

Post-Deletion Data

Account Data: 30 days after account deletion
Content Backups: 90 days for recovery purposes
Legal Hold: Indefinitely if required by law
Audit Logs: 6 years for legal compliance

Security and Technical Data

Login Logs: 12 months
Security Incidents: 24 months
Error Logs: 6 months
Session Data: 30 days

5.2 Automated Deletion

We automatically delete:

Expired Sessions: After 30 days of inactivity
Temporary Files: After 7 days
Failed Upload Attempts: Immediately
Unused Invitation Tokens: After 7 days

6. YOUR PRIVACY RIGHTS

6.1 GDPR Rights

Under GDPR, you have the following rights:

Right of Access (Article 15)

Request: Ask for a copy of your personal data
Timeline: Response within 30 days
Format: Machine-readable format when possible
Information: Details about processing purposes and recipients

Right to Rectification (Article 16)

Correction: Fix inaccurate personal data
Completion: Complete incomplete personal data
Process: Submit requests through account settings or support

Right to Erasure (Article 17)

Account Deletion: Delete your entire account and data
Selective Deletion: Delete specific content or information
Limitations: May be retained for legal compliance or legitimate interests

Right to Restrict Processing (Article 18)

Temporary Limitation: Stop processing while verifying accuracy
Dispute Resolution: During legal proceedings
Objection Pending: While considering objection requests

Right to Data Portability (Article 20)

Export: Download your data in common formats
Transfer: Move data to another service provider
Scope: Data provided by you and generated through use

Right to Object (Article 21)

Direct Marketing: Opt-out of marketing communications
Legitimate Interests: Object to processing based on legitimate interests
Response: We must stop unless compelling legitimate grounds exist

6.2 Exercising Your Rights

Self-Service Options

Account Settings: Update profile information and privacy preferences
Data Export: Download your data through privacy settings
Content Deletion: Delete individual posts, comments, or messages
Privacy Controls: Adjust who can see your content and profile

Support Requests

For rights requiring assistance:

Email: kontakt@viby.no
Subject Line: "Privacy Rights Request - [Your Name]"
Information: Include your account email and specific request
Verification: We may ask for identity verification

Response Timeframe

Standard Requests: 30 days from receipt
Complex Requests: May be extended by 60 additional days
Urgent Requests: Faster response for security-related issues

7. DATA SECURITY

7.1 Security Measures

Technical Safeguards

Encryption: AES-256 encryption for sensitive data at rest
Transport Security: TLS 1.3 for data in transit
Access Controls: Role-based access to personal data
Authentication: Multi-factor authentication for staff accounts
Monitoring: Real-time security monitoring and alerting

Organizational Measures

Staff Training: Regular privacy and security training
Access Limitations: Need-to-know basis for personal data access
Incident Response: Comprehensive security incident procedures
Regular Audits: Internal and external security assessments
Data Minimization: Collect only necessary personal data

Infrastructure Security

Cloud Security: AWS enterprise-grade security infrastructure
Network Protection: Firewalls, intrusion detection, DDoS protection
Backup Security: Encrypted backups with restricted access
Physical Security: Secure data center facilities
Redundancy: Multiple backup systems and disaster recovery

7.2 Data Breach Response

Detection and Response

Monitoring: Continuous monitoring for security incidents
Response Team: Dedicated security incident response team
Assessment: Rapid assessment of breach scope and impact
Containment: Immediate steps to limit damage

Notification Obligations

Regulatory Notification: Datatilsynet within 72 hours
User Notification: Affected users within 72 hours when required
Documentation: Comprehensive incident documentation
Remediation: Steps taken to prevent future incidents

8. COOKIES AND TRACKING

8.1 Types of Cookies

Essential Cookies

Session Management: Keep you logged in
Security: Prevent unauthorized access
Functionality: Remember your preferences
Legal Basis: Legitimate interest (strictly necessary)

Analytics Cookies

Usage Statistics: How you use our platform
Performance: Identify and fix technical issues
Improvement: Enhance user experience
Legal Basis: Consent (optional)

Preference Cookies

Settings: Remember your choices
Customization: Personalize your experience
Language: Remember your language preference
Legal Basis: Legitimate interest

8.2 Cookie Control

Managing Cookies

Browser Settings: Configure cookies in your browser
Platform Settings: Control optional cookies in privacy settings
Opt-out: Disable non-essential cookies
Impact: Some features may not work without cookies

Third-Party Cookies

Google Analytics: Website analytics (can be disabled)
OAuth Providers: Authentication cookies (session-only)
Social Media: No embedded social media tracking

9. CHILDREN'S PRIVACY

9.1 Age Requirements

Minimum Age: 16 years old

Verification: Age verification may be required
Parental Consent: Not applicable (16+ platform)
School Verification: May verify school enrollment status

Protection Measures

Content Filtering: Age-appropriate content policies
Privacy Defaults: Enhanced privacy settings for younger users
Monitoring: Additional monitoring for users under 18
Safety Features: Enhanced safety and reporting features

9.2 Compliance with Laws

GDPR Article 8: Special protection for children under 16
Norwegian Law: Compliance with Norwegian child protection laws
COPPA: US law compliance where applicable
Platform Policies: Enhanced safety measures for all users

10. UPDATES TO THIS POLICY

10.1 Policy Changes

Notification Methods

Email: Direct notification to all users
Platform Notice: Prominent notice on the platform
Version History: Available in privacy settings
Advance Notice: 30 days for material changes

Types of Changes

Legal Updates: Changes in applicable laws
Feature Updates: New platform features affecting privacy
Security Improvements: Enhanced security measures
Clarifications: Clarifying existing practices

10.2 Your Choices

After policy updates:

Continue Using: Acceptance of updated policy
Account Deletion: Delete account if you disagree
Contact Us: Ask questions about changes
Data Export: Download your data before leaving

11. CONTACT INFORMATION

11.1 Privacy Inquiries

General Privacy Questions:

Email: kontakt@viby.no
Subject: "Privacy Inquiry - [Your Name]"
Response Time: 5-7 business days

Data Protection Officer:

Name: [DPO NAME]
Email: [DPO EMAIL]
Phone: [DPO PHONE]
Address: [DPO ADDRESS]

11.2 Rights Requests

Privacy Rights Requests:

Email: [RIGHTS EMAIL]
Subject: "Rights Request - [Request Type]"
Information: Include account email and specific request
Response: Within 30 days of verification

11.3 Complaints

Internal Complaints:

Email: kontakt@viby.no
Process: Internal review within 30 days
Appeal: Right to appeal internal decisions

Regulatory Complaints: Datatilsynet (Norwegian Data Protection Authority)

Address: Postboks 8177 Dep, 0034 Oslo, Norway
Phone: +47 22 39 69 00
Email: postkasse@datatilsynet.no
Website: www.datatilsynet.no

European Data Protection Board:

Website: edpb.europa.eu
Role: Cross-border complaint coordination

12. SPECIFIC NORWEGIAN PROVISIONS

12.1 Norwegian Consumer Rights

Under Norwegian law, you have additional rights:

Consumer Protection: Norwegian Consumer Protection Act
Electronic Communications: Norwegian Electronic Communications Act
Marketing: Norwegian Marketing Control Act

12.2 Language and Translation

Original Language: This policy is originally written in English
Norwegian Translation: Norwegian version available on request
Conflicts: In case of conflicts, Norwegian version prevails for Norwegian users
Updates: Both versions updated simultaneously

12.3 Norwegian Specific Contacts

Norwegian Consumer Council (Forbrukerrådet):

Website: forbrukerradet.no
Role: Consumer rights and protection

Norwegian Media Authority (Medietilsynet):

Website: medietilsynet.no
Role: Media and communications regulation

Document Version: 1.0
Effective Date: 28.07.2025
Next Review: 28.07.2026
Legal Compliance: GDPR, Norwegian Personal Data Act, Norwegian Privacy Act

Legal Disclaimer: This Privacy Policy should be reviewed by qualified Norwegian privacy counsel before implementation. This document is provided as a template and may require modifications based on specific business circumstances and evolving legal requirements.