Privacy Policy
Last updated: October 5, 2025
1. Introduction
This Privacy Policy explains how Serviro AS ("the company", "we", "our", "us") processes personal data when providing the Avedio platform to organizations and individual users. We are committed to protecting personal data in accordance with applicable laws and regulations, in particular the General Data Protection Regulation (GDPR).
Avedio is exclusively available to organizations. Members of these organizations can use the app for free; we do not offer individual paid accounts.
2. Data Processing Roles
2.1 Organization as Data Controller
Organizations act as Data Controllers, determining the purposes and means of processing personal data for their members.
2.2 Serviro AS as Data Processor
Serviro AS acts as a Data Processor, processing personal data on behalf of and under the instructions of organizations for:
- Member account information (name, email, phone number)
- Group and team affiliations
- Volunteer participation, event attendance, and chat messages
- Platform usage and activity logs for providing the service
2.3 Limited Controller Role
Serviro AS acts as Data Controller only for:
- Organization billing and contract information
- Administrative contact details
- Direct support communications with organization administrators
- Website analytics via Plausible (aggregated and anonymized)
2.4 Contact Information
For questions about data processing, please contact:
Email: contact@avedio.app
Organizations may refer to our Data Processing Agreement (DPA) for detailed processor obligations and requirements.
3. What Personal Data We Process and Why
3.1 General
We collect, store, and process personal data necessary to provide Avedio services. Data is provided directly by users when registering or interacting with the platform.
3.2 Platform Services
As instructed by organizations, we process the following categories of personal data:
- Member name, email, and phone number
- Group and team memberships
- Chat messages (group or direct)
- Event and volunteer activity data
- Platform usage and activity logs
This data is processed solely to provide the service as directed by the organization.
3.3 Customer Support and Communication
If you contact us via email or other communication channels, we process your personal data to respond and maintain dialogue.
3.4 Website and App Usage
Our systems log activity on our websites and applications, including IP address, device type, and browser information. Logs may be analyzed for technical support, troubleshooting, and security.
3.5 Billing and Accounting
Organization subscriptions are billed via Stripe, and relevant data is retained for invoicing and accounting purposes.
3.6 Data Usage Summary
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Notifications | Contract | Active account + 90 days |
| Name | User identification | Contract | Active account + 90 days |
| Phone number | Login and verification | Contract | Active account + 90 days |
| Organization data | Service delivery | Contract | Active account + 90 days |
| Chat messages | Service delivery | Contract | Active account + 90 days |
| IP address | Security, fraud prevention | Legitimate interest | 90 days |
| Device/browser info | Technical support | Legitimate interest | 90 days |
| Payment data | Billing, accounting | Contract / Legal obligation | 5 years |
4. Storage and Security
Data is stored on secure AWS servers in the EU. We use recognized technical solutions to protect data against unauthorized access, disclosure, alteration, or destruction.
5. Use of Subcontractors and Third-Party Services
We use subcontractors for IT and administrative services. All subcontractors processing personal data are bound by Data Processing Agreements limiting processing to what is necessary for service delivery.
5.1 Sub-Processors
- AWS: hosting and storage
- Stripe: payment processing for organization subscriptions
- Firebase: push notifications
- Sentry: error and performance monitoring
- Stream Chat: chat messages and real-time messaging
- Plausible Analytics: privacy-friendly website analytics (no personal data collected)
6. Disclosure of Personal Data to Third Parties
We do not sell or transfer personal data to third parties without consent, except to fulfill agreements with organizations or comply with legal obligations.
7. Transfer of Data Outside the EEA
Some services (e.g., Stripe, Firebase, Sentry) may process data outside the EU/EEA. Appropriate safeguards, such as Standard Contractual Clauses, are applied to protect personal data.
8. Your Rights
Individuals whose data is processed have the following GDPR rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of personal data (we delete after 90 days)
- Objection: Object to processing based on legitimate interest
- Restriction: Request suspension of processing in certain cases
- Data Portability: Request transfer of your data to another party
Complaints can be filed with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no. Members should contact their organization first; organizations may contact us for assistance.
9. Retention and Anonymization
Personal data is kept only as long as necessary to provide the service or fulfill legal obligations. After deletion, anonymized data may be retained for statistical purposes and service improvement.
10. Changes to this Privacy Policy
Serviro AS reserves the right to update this Privacy Policy. Updated versions will be published on our website with the date of the latest revision.