1 Who we process personal data from
We collect and process personal data from visitors of our website and users of the Ponder product.
2 Purpose, types of personal data and legal basis for processing
2.1 Personal data processing related to the registration of a user account in Ponder
In connection with the registration and management of your Ponder user account, we process the following personal data:
- Name and surname
- Date of birth
- Email address
- Year of study and place of study
This personal data, which is collected when you create a user account, will be used to deliver the Ponder service to you and to manage your user relations with us. This involves connecting your user data to the texts you produce in Ponder so that you can easily manage and recall your work. In addition, the data will be used to create statistics on the Ponder user base.
For any processing that is described in this section, the legal basis for processing is either GDPR Article 6 a) (consent), Article 6 b) (agreement), or Article 6 f) (legitimate interest).
The purpose of processing personal data in relation to your user account is for us to create data on the Ponder program based on demographics and place of study, and to offer a better user experience.
2.2 Interactive data processing related to the use of “Ponder”
In relation to your use of the Ponder program, certain information about your interaction with the program, such as comments, analyses, classifications and assessments that you perform in the program, will be registered (“Interaction data”). This information will be processed in order for us to offer you access to the tools and services of the Ponder program, and to make it easier for you to access your own Interaction data. The legal basis for processing Interaction data is either GDPR Article 6 a) (consent) or Article 6 b) (agreement).
We will also connect your Ponder user account data to the Interaction data you produce. We process this information with the purpose of creating statistics to improve our services. The legal basis for this data processing is GDPR Article 6 f) (legitimate interest).
2.3 Anonymization of interactive data
Interaction data we collect from you will be stored in a database which is separate from your user data and your personal information. If you wish to delete your user account, any connection between the Interaction data, user data and personal data will be removed in a way which makes the Interaction data fully anonymized and impossible to trace back to you as a person. This means that we can and will keep any Interaction data that you have produced if you delete your user account or request your personal information to be deleted.
We will also, regardless of whether you have deleted your account or requested deletion, periodically anonymize Interaction data for the purposes of developing our services or to cooperate with third parties. We may also hand over anonymous data to research institutions for research purposes.
3 Data storage
Disputas reserves the right to store personal data connected to your user account for as long as needed, and for a maximum time of twelve months. This reservation does not apply if the user requests that the data be deleted in accordance with GDPR Article 17.
3.1 Who do we share personal data with?
Below is a general description of the data processors we make use of:
- Our providers of ICT services will have access to personal data if the data is stored at the provider, or if the provider gets access to the personal data in accordance with an agreement with us. This will for instance apply to our provider of cloud services, Google Cloud.
3.2 Google Cloud
Personal data we collect about you will be stored in Google Cloud. This means that Google has insight into the stored personal information, as Google is responsible for the security of the storage. In order to minimize the security risks associated with using Google as a data processor, we make sure your personal data is saved exclusively on servers within the EEA, and we avoid saving sensitive personal data on their servers in case of a security breach. We find there to be an overall low risk of harm, both in likelihood and potential severity.
3.3 Sharing of data with academic institutions
4 The user’s rights
The user has full ownership of their personal data. By using Ponder, you are given the rights described in the GDPR Chapter 3, including the right to:
- Withdraw your consent: If the user wishes to withdraw any consent regarding the processing of their personal data, this can be done at any time.
- Request erasure or rectification: If the user wishes to have personal data we process erased or rectified, this will be arranged by Disputas. We will however remind the user that anonymous Interaction data created by the user will not be deleted, as they are not personally identifiable on their own. Only identifiable data will be erased or changed.
- Get insight into any personal data we hold about you: We give insight into the personal data connected to the user upon request.
- Have your personal data delivered to you (data portability): The user may have their data delivered in a digitally portable fashion upon request.
If you disagree with the way we process your personal data, you can contact us or the Norwegian Data Protection Authority.
Disputas is committed to establishing procedures to handle your personal data with the utmost care in accordance with applicable rules and regulations. The measures we undertake are technical and organizational in nature, and we will regularly carry out security assessments and controls in our systems that are used to process the personal data.
7 Contact us
Disputas can be reached by email at email@example.com. The Norwegian Data Protection Authority protects your right to privacy, and can be reached at https://www.datatilsynet.no/en/about-us/contact-us/.