Privacy Policy

Introduction

This privacy policy explains how CleanFlow AS collects, uses, and protects your personal data when you use our cleaning management platform and services.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Norwegian Personal Data Act, and applicable regulations.

Data Controller

What Personal Data We Collect

CleanFlow Platform Users

We collect the following data about platform users:

• Identification: Name and email address – for user authentication and communication
• Employment: Job title/role and organisation – for access control and task assignment
• System activity: Login timestamps and registered tasks – for audit, security, and performance monitoring
• Training data: Completed courses and progress – for training documentation

Building and Operations Data

When you use CleanFlow to manage cleaning operations, we store:

• Building information: Names, addresses, floor plans, and room details
• Task data: Cleaning tasks, schedules, and completion status
• Time and activity data: Work hours, task duration, and attendance
• Quality data: Inspections, deviations, photos, and comments
• Team data: Team assignments, user roles, and department structure

Visitors to cleanflow.no

• Technical data: IP address, browser type, and page views – for security and statistics
• Contact form: Name, email, and message – to respond to your enquiry
• Push notifications: Device token (not linkable to a person) – for task and message notifications

What We Do NOT Collect

We do not collect sensitive personal data such as:

• Health data, ethnicity, political opinions, or religious beliefs
• Trade union membership or biometric data

Cookies

Cookies we use

These cookies are necessary for the platform to function:

• sb-* (Supabase): Authentication session – duration: session or up to 7 days
• NEXT_LOCALE: Language preference – duration: 1 year

All cookies are first-party cookies from cleanflow.no.

Visit Statistics

We use anonymised visit statistics to improve the service. No personally identifiable data is collected, and no analytics cookies are set.

• No tracking or advertising cookies
• No identification of individual users
• Aggregated statistics only
• No consent required under GDPR

Legal Basis (GDPR)

We process personal data on the following legal grounds:

• Contract performance (Art. 6(1)(b)): User administration, access control, and service delivery
• Legitimate interest (Art. 6(1)(f)): System security, audit logs, visit statistics, and training documentation
• Consent (Art. 6(1)(a)): Push notifications – can be withdrawn at any time in profile settings
• Legal obligation (Art. 6(1)(c)): Invoice data and accounting records (Norwegian Bookkeeping Act)

How We Use Your Data

Personal data is used exclusively to:

• Deliver and manage the CleanFlow service
• Authenticate users and ensure correct access levels
• Notify users about relevant tasks and events
• Document completion of training
• Detect and prevent security incidents
• Respond to customer enquiries
• Fulfil accounting and legal obligations

We do NOT use personal data for profiling, automated decisions with legal effect, or marketing without explicit consent.

Who We Share Data With

CleanFlow AS only shares personal data with sub-processors necessary to deliver the service. All are bound by a data processing agreement (DPA).

• Supabase Inc.: Database and authentication – EU (Frankfurt)
• Vercel Inc.: Hosting and infrastructure – EU/USA (SCC)
• Cloudflare Inc.: File storage – EU/USA (SCC)
• Google LLC (Firebase): Push notifications – EU/USA (SCC)
• Railway Corp.: AI services (room detection) – USA (SCC)
• Vercel AI Gateway: AI planning and AI Guide (proxy to OpenAI) – USA (SCC)
• OpenAI LLC: Underlying AI models (GPT-4o/mini) via Vercel AI Gateway – USA (OpenAI API DPA, data not used for training)

We never share personal data with third parties for marketing purposes. Employee names are pseudonymised (Employee A, B …) before data is sent to OpenAI.

Security and Data Storage

Retention Periods

Retention periods by category

We retain personal data only as long as necessary for the purposes for which it was collected.

After account deletion or contract end

• User accounts: Until deleted by administrator, then 90 days
• System logs (audit trail): 12 months
• Invoice data: 5 years (Norwegian Bookkeeping Act § 13)
• Contact enquiries: 12 months after reply

Upon contract termination

When a customer contract ends:

• Data made available for export for 30 days
• All personal data deleted within 90 days
• Written deletion confirmation sent to the customer

Your Rights

As a data subject you have the following rights under GDPR:

• Access (Art. 15): Request a copy of the data we hold about you
• Rectification (Art. 16): Request correction of inaccurate data
• Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Restriction (Art. 18): Request that processing is restricted while a dispute is resolved
• Data portability (Art. 20): Receive your data in a machine-readable format
• Object (Art. 21): Object to processing based on legitimate interests
• Withdraw consent: Push notifications can be disabled at any time in profile settings
• Complain: Lodge a complaint with Datatilsynet (datatilsynet.no) if you believe we process your data in breach of GDPR

To exercise your rights, send a request to admin@cleanflow.no

Contact Us

For privacy questions or to exercise your rights – we respond within 30 days:

Supervisory Authority

If you believe we are processing your personal data in breach of GDPR, you have the right to complain to Datatilsynet. We encourage you to contact us first at admin@cleanflow.no so we can try to resolve the matter directly.

Changes to This Policy

This policy is updated when there are material changes to how we process personal data. Users will be notified of changes that affect their rights. The current version is always available at cleanflow.no/privacy.