Privacy Policy

Effective Date: 04 May 2025

Introduction

Welcome to Sipp. This Privacy Policy explains how Sipp ("we", "us", or "our") collects, uses, and shares information about you when you use our website and/or application (collectively, the "Services").

We are committed to protecting your privacy. Please read this policy carefully to understand our practices regarding your information.

Data Controller

Sipp is the data controller for the personal data collected via the Services.

This Privacy Policy applies to all use of our Services. We process your personal data in compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

Information We Collect

We collect the following types of personal data when you register for and use our Services:

  • Identification and Contact Information: Such as your full name and email address, provided during sign-up or via third-party login.
  • Authentication Information: Such as password hashes (we never store plain text passwords).

If you choose to register or sign in via a third-party application (e.g., Google), you authorize us to access and collect certain account information necessary for authentication, typically your name and email address, as permitted by the third-party provider's policies and your privacy settings on that service.

Purpose and Legal Basis for Processing

We process your personal data for the following purposes:

  • To Provide and Manage the Services: We use your information to create and manage your user account, authenticate your login, and allow you to use the features of our Services.
    Legal Basis (GDPR): Processing is necessary for the performance of a contract (our Terms of Service) with you (Article 6(1)(b)).
  • To Communicate with You: We may use your email address to send important updates about the Services, changes to our policies, or respond to your inquiries.
    Legal Basis (GDPR): Necessary for the performance of a contract (Article 6(1)(b)) and our legitimate interest in keeping users informed (Article 6(1)(f)).

We do not currently use your personal data for marketing, detailed analytics, or profiling beyond what is necessary to provide the core Services.

Data Sharing

We do not sell, lease, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

  • Service Providers: We use third-party service providers to help operate our Services, such as cloud hosting and authentication services (e.g., Supabase). These providers process your data on our behalf and are contractually obligated to protect it. They only have access to the information necessary to perform their functions.
  • Legal Requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
  • Third-Party Login: If you sign in using a third-party service like Google, some information might be implicitly shared with that provider as part of the authentication process.

International Data Transfers

Some of our service providers (like Supabase) may operate internationally. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to protect your data.

Data Security

We implement appropriate technical and organizational measures to protect the personal data we collect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. User accounts are protected by passwords (or third-party authentication methods).

However, no internet transmission or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Services. We may retain some information for a reasonable period after your account is deleted for administrative purposes, or as required by law.

Your Rights

Under GDPR, you have certain rights regarding your personal data:

  • Right of Access: Request access to the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to certain conditions.
  • Right to Restrict Processing: Request that we temporarily or permanently stop processing some or all of your personal data.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Data Portability: Request a copy of your data in a machine-readable format.
  • Right Not to be Subject to Automated Decision-making: The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you (Note: We currently do not perform such processing).

To exercise any of these rights, please contact us at team@sipp.no. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data infringes applicable law.

Children's Privacy

Our Services are not intended for individuals under the age of 13 (or a higher age threshold depending on your jurisdiction). We do not knowingly collect personal data from children under this age. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on our Services or by sending you an email notification. Your continued use of the Services after such changes constitutes your acceptance of the new policy.