Tiepoint – Privacy Policy

Last updated: 22 April 2026

This Privacy Policy explains how Tiepoint's services (including, but not restricted to, Tiepoint P.O.R.T.A.L) collect, use, store, and protect personal data. It is intended to meet the transparency requirements of the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven), which incorporates the GDPR into Norwegian law.

 

1. Who we are (Data Controller)

Data Controller: Tiepoint AS

Organisation number: 928 795 098
Address: Bleiksveien 46, 8480, Andenes

Email: kommunikasjon@tiepoint.no

If you are using Tiepoint's services on behalf of a company or organisation (e.g., your employer), that organisation may also have responsibilities under GDPR for how operational logs and personal information are used internally. If in doubt, contact your organisation’s privacy contact.

 

2. Scope

This Privacy Policy applies to the Tiepoint P.O.R.T.A.L mobile application and related services we provide (together, the “Service”).

 

3. Personal data we collect

We collect the following categories of personal data:

  1. User identifiers
  • User ID(s) such as email address (used to identify and authenticate users).
  2. Device data
  • Device ID / device identifier (used to maintain secure access and link logs to the correct device/account).
  3. Location data
  • Location of the user (e.g., GPS position) when using the Service where this is required to provide functionality and/or produce compliant operational logs.
  4. User-generated logs
  • Logs created by users, which may include operational details, timestamps, events, and other information entered by the user.

We do not intentionally collect special category data (such as health data) through our Services.

 

4. Why we process your personal data

We use the data above for the following purposes:

  • To provide the Service (create accounts, authenticate users, enable logging features, and ensure the Service works correctly).
  • To generate and store operational documentation and logs connected to drone operations (including location-based operational logging where relevant).
  • To comply with aviation-related legal and regulatory obligations that require operational record keeping and personal information retention for a minimum period (see Section 7).
  • To maintain security and integrity of the Service (e.g., prevent unauthorised access, investigate security incidents, and ensure traceability of logs).

 

5. Legal bases for processing (GDPR Article 6)

All processing of personal data must have a lawful basis.

Depending on how you use the Service, we typically rely on one or more of the following legal bases:

  • Performance of a contract (GDPR Art. 6(1)(b)): When processing is necessary to deliver the Service you requested (e.g., account access and providing logging functionality).
  • Legal obligation (GDPR Art. 6(1)(c)): When processing and retention are necessary to comply with applicable aviation/drone operator record‑keeping requirements (see Section 7).
  • Consent (GDPR Art. 6(1)(a)) – where applicable: In particular, your device operating system may require you to grant location permission. You can withdraw this permission in your device settings. Note that withdrawing permission may limit or prevent location-based operational logging.

 

Drone operations and GDPR compliance / DPIA

Where the Service is used to support UAS operations under the Easy Access Rules: Unmanned Aircraft Systems (Regulation (EU) 2019/947 and Regulation (EU) 2019/945), operators are required to have procedures ensuring compliance with GDPR and to perform a data protection impact assessment (DPIA) when required by the data protection authority under GDPR Article 35.

 

6. Is providing data mandatory?

  • Email / user identifier is required to create and manage an account.
  • Device ID is required to maintain secure and reliable operation of the Service.
  • Location and operational logs are required to use the Service for drone operational logging and compliance purposes. If you do not provide location data (or disable location permissions), the Service will not function, as you are unable to create compliant operational logs.

 

7. Retention and log storage (including drone operator requirements)

We follow the GDPR principle of storage limitation: we keep personal data only as long as needed for the purposes described above, and as required by law.

 

7.1 Operational logs and related records

Operational logs (including location data recorded as part of the log) are retained where required for drone operator record keeping. Pilot information is retained for at least 5 years, but will not be deleted unless the pilot actively requests such an action.

This retention aligns with EU UAS rules of operations under the Easy Access Rules: Unmanned Aircraft Systems (Regulation (EU) 2019/947 and Regulation (EU) 2019/945), where the UAS operator must keep and maintain up‑to‑date records including:

  • maintenance activities.
  • information on UAS operations (including unusual technical/operational occurrences and other required data).

These retention requirements are also applicable for the Norwegian Civil Aviation Authority (Luftfartstilsynet) for operations in Norway.

 

7.2 What happens after 5 years?

After the minimum retention period:

  • We may anonymise data regarding personal information at the request of the pilot, unless continued storage is necessary (for example, due to an ongoing matter, audit, dispute, or other legal requirement).
    • Personal information consists of name, date of birth, social security number (where applicable), email address, and phone number.

 

7.3 Log keeping requirement (Norwegian drone rules / logging practice)

Drone regulations and operator requirements commonly involve maintaining operational logs (e.g., flight time records with key details).

For specific-category documentation, Luftfartstilsynet checklists also expect operators to describe how and how long logs and documents are stored, referring to UAS.SPEC.050 record‑keeping requirements.

 

8. Sharing and disclosure

We do not sell, rent, or share your personal data with third‑party companies for their own use.

We may disclose personal data only in limited situations, such as:

  • To public authorities (e.g., aviation authorities, courts, police, or other competent authorities) where we are legally required to do so, or where disclosure is necessary for regulatory oversight and compliance.

 

9. International transfers

We aim to store and process personal data within the EEA (including Norway).

If, in the future, personal data is transferred outside the EEA, we will ensure an appropriate transfer mechanism is in place (e.g., EU Standard Contractual Clauses), and we will update this Privacy Policy accordingly.

 

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss, or misuse. Measures may include access controls, encryption in transit and/or at rest, logging and monitoring, and role-based access where relevant.

No system can be guaranteed 100% secure, but we work continuously to protect your data.

 

11. Your rights

You have rights under GDPR and Norwegian law, including:

  • Right of access to your personal data
  • Right to rectification
  • Right to erasure (with exceptions, including where retention is required by law)
  • Right to restriction of processing
  • Right to object in certain cases
  • Right to data portability where applicable
  • Right to withdraw consent where processing is based on consent

As a main rule, you are entitled to receive a response within one month after contacting us about your rights.

Please note: if we must retain certain logs for legal/regulatory reasons, we may not be able to delete/anonymise those records immediately upon request; instead, we will restrict use where possible while meeting our obligations.

 

12. Complaints (Datatilsynet)

If you believe we process your personal data unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

 

13. Children

The Service is not intended for children. If we rely on consent as a legal basis in relation to information society services offered directly to children, Norwegian law sets the age of consent at 13 years.

If you believe a child has provided us personal data, please contact us so we can take appropriate steps.

 

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top shows when changes were last made. If changes are material, we will provide appropriate notice within the Service or by other reasonable means.

 

15. Contact

For questions about privacy or to exercise your rights, contact:

Email: kommunikasjon@tiepoint.no

Address: Bleiksveien 46, 8480, Andenes