Privacy Policy for Tiepoint P.O.R.T.A.L

Last updated: 12 February 2026

This Privacy Policy explains how Tiepoint P.O.R.T.A.L (the “App”) collects, uses, stores, and protects personal data. It is intended to meet the transparency requirements of the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven), which incorporates the GDPR into Norwegian law. 

1. Who we are (Data Controller)

Data Controller: Tiepoint AS

Organisation number: 928 795 098

Address: Bleiksveien 46, 8480, Andenes

Email: support@tiepoint.no

If you are using the App on behalf of a company or organisation (e.g., your employer), that organisation may also have responsibilities under GDPR for how operational logs are used internally. If in doubt, contact your organisation’s privacy contact.

2. Scope

This Privacy Policy applies to the Tiepoint P.O.R.T.A.L mobile application and related services we provide (together, the “Service”).

3. Personal data we collect

We collect the following categories of personal data:

  1. User identifiers

  • User ID(s) such as email address (used to identify and authenticate users).

  1. Device data

  • Device ID / device identifier (used to maintain secure access and link logs to the correct device/account).

  1. Location data

  • Location of the user (e.g., GPS position) when using the Service where this is required to provide functionality and/or produce compliant operational logs.

  1. User-generated logs

  • Logs created by users in the App, which may include operational details, timestamps, events, and other information entered by the user.

We do not intentionally collect special category data (such as health data) through the App.

4. Why we process your personal data

We use the data above for the following purposes:

  • To provide the Service (create accounts, authenticate users, enable logging features, and ensure the Service works correctly).

  • To generate and store operational documentation and logs connected to drone operations (including location-based operational logging where relevant).

  • To comply with aviation-related legal and regulatory obligations that require operational record keeping and log retention for a minimum period (see Section 7).

  • To maintain security and integrity of the Service (e.g., prevent unauthorised access, investigate security incidents, and ensure traceability of logs).

5. Legal bases for processing (GDPR Article 6)

All processing of personal data must have a lawful basis. 

Depending on how you use the App, we typically rely on one or more of the following legal bases:

  • Performance of a contract (GDPR Art. 6(1)(b))

    When processing is necessary to deliver the Service you requested (e.g., account access and providing logging functionality).

  • Legal obligation (GDPR Art. 6(1)(c))

    When processing and retention are necessary to comply with applicable aviation/drone operator record‑keeping requirements (see Section 7).

  • Consent (GDPR Art. 6(1)(a)) – where applicable

    In particular, your device operating system may require you to grant location permission. You can withdraw this permission in your device settings. Note that withdrawing permission may limit or prevent the App from performing location-based operational logging.

Drone operations and GDPR compliance / DPIA

Where the Service is used to support UAS operations in the specific category, EU UAS rules require operators to have procedures ensuring compliance with GDPR and to perform a data protection impact assessment (DPIA) when required by the data protection authority under GDPR Article 35. 

6. Is providing data mandatory?

  • Email / user identifier is required to create and manage an account.

  • Device ID is required to maintain secure and reliable operation of the Service.

  • Location and operational logs is required to use the Service for drone operational logging and compliance purposes. If you do not provide location data (or disable location permissions), the Service will not function, as you are unable to create compliant operational logs.

7. Retention and log storage (including drone operator requirements)

We follow the GDPR principle of storage limitation: we keep personal data only as long as needed for the purposes described above, and as required by law.

7.1 Operational logs and related records: minimum 3 years

Operational logs (including location data recorded as part of the log) are retained for at least 3 years where required for drone operator record keeping.

This retention aligns with EU UAS rules for operations in the specific category, where the UAS operator must keep and maintain up‑to‑date records including:

  • maintenance activities for a minimum of 3 years, and

  • information on UAS operations (including unusual technical/operational occurrences and other required data) for a minimum of 3 years. 

Norwegian Civil Aviation Authority (Luftfartstilsynet) guidance materials used for predefined risk assessments (PDRA) also explicitly reflect a minimum 3‑year storage expectation for flight logs and incident reports. 

7.2 What happens after 3 years?

After the minimum retention period:

  • we will delete the data or anonymise it, unless continued storage is necessary (for example, due to an ongoing matter, audit, dispute, or other legal requirement).

7.3 Log keeping requirement (Norwegian drone rules / logging practice)

Drone regulations and operator requirements commonly involve maintaining operational logs (e.g., flight time records with key details). 

For specific-category documentation, Luftfartstilsynet checklists also expect operators to describe how and how long logs and documents are stored, referring to UAS.SPEC.050 record‑keeping requirements. 

8. Sharing and disclosure

We do not sell, rent, or share your personal data with third‑party companies for their own use.

We may disclose personal data only in limited situations, such as:

  • To public authorities (e.g., aviation authorities, courts, police, or other competent authorities) where we are legally required to do so, or where disclosure is necessary for regulatory oversight and compliance.

  • [Optional—include only if true] To carefully selected service providers (data processors) who process data on our behalf strictly under contract and only to operate the Service (e.g., hosting). If you use any, list them here: [processor name + purpose + location].

9. International transfers

We aim to store and process personal data within the EEA (including Norway).

If, in the future, personal data is transferred outside the EEA, we will ensure an appropriate transfer mechanism is in place (e.g., EU Standard Contractual Clauses), and we will update this Privacy Policy accordingly.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss, or misuse. Measures may include access controls, encryption in transit and/or at rest, logging and monitoring, and role-based access where relevant.

No system can be guaranteed 100% secure, but we work continuously to protect your data.

11. Your rights

You have rights under GDPR and Norwegian law, including:

  • Right of access (innsyn) to your personal data

  • Right to rectification (retting)

  • Right to erasure (sletting) (with exceptions, including where retention is required by law)

  • Right to restriction of processing (begrensning)

  • Right to object in certain cases

  • Right to data portability where applicable

  • Right to withdraw consent where processing is based on consent

As a main rule, you are entitled to receive a response within one month after contacting us about your rights. 

Please note: if we must retain certain logs for legal/regulatory reasons, we may not be able to delete those records immediately upon request; instead, we will restrict use where possible while meeting our obligations.

12. Complaints (Datatilsynet)

If you believe we process your personal data unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). 

13. Children

The Service is not intended for children. If we rely on consent as a legal basis in relation to information society services offered directly to children, Norwegian law sets the age of consent at 13 years. 

If you believe a child has provided us personal data, please contact us so we can take appropriate steps.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top shows when changes were last made. If changes are material, we will provide appropriate notice within the Service or by other reasonable means.

15. Contact

For questions about privacy or to exercise your rights, contact:

Email: [privacy@yourdomain.no]

Address: [Company address]

Notes on customising this for your App Store / production use (quick checklist)

  • Fill in your company identity, contact details, and whether you have a DPO.

  • Confirm where data is hosted (EEA-only vs outside EEA) and update Sections 8–9 accordingly.

  • Confirm whether location is collected only while using the app or also in the background, and state that explicitly in Section 3.

  • If you use any analytics, crash reporting, push notifications, or cloud providers, you must list them as processors/recipients and describe them.

If you want, paste your compa