Privacy Policy – Kioo AS
Version 2.0 – effective from August 22, 2025
1. Data controller
Kioo AS (org. no. 932 315 459)
Reidar Berges gate 9, 4013 Stavanger, Norway
Email (privacy): personvern@kioo.no
Data Protection Officer (DPO): Lars Hæhre – lars@kioo.no
2. What personal data we process
Category | Examples |
---|---|
Account Data | Email, name, role, associated team/organization |
Response Data | Self-reported scores on thinking, behavioral, decision-making and risk styles |
Usage and Log Data | IP address, timestamp, response time, page views, authentication cookies |
Communication | Questions to support/DPO |
We do not collect date of birth or gender, and we do not collect health information or any other special category of personal data (Art. 9 GDPR).
3. Purpose and legal basis
Purpose | GDPR Legal Basis |
---|---|
Create account, authenticate user, display dashboards | Art. 6 (1)(b) – contract |
Conduct surveys | Art. 6 (1)(a) – consent (obtained before each survey) |
Individual and team-based coaching based on AI analysis | Art. 6 (1)(b) + (f) – contract & legitimate interest |
Access for team leaders to view results | Art. 6 (1)(f) – legitimate interest (team development and learning) |
Product improvement and anonymous statistics | Art. 6 (1)(f) – legitimate interest |
Compliance with legal requirements (security, accounting) | Art. 6 (1)(c) – legal obligation |
Consent can be withdrawn at any time by contacting us.
4. Automated analysis
Response data may be analyzed using Azure OpenAI Service to generate reflection points and team insights. The results are advisory only: no decision with legal or similarly significant effects on you is based solely on this automated analysis (cf. Art. 22 GDPR).
You may request human review of any AI-generated output by contacting us.
5. Where data is stored and who processes it
Kioo is operated on Microsoft Azure.
Application and database are located in Norway East.
Artificial intelligence services (Azure OpenAI Service, see section 4) run in the Sweden Central region under Azure's Data Zone Standard deployment type, which keeps processing within the EU data zone.
All processing takes place within the EU/EEA and EFTA, in accordance with Microsoft's EU Data Boundary. We do not transfer personal data outside the EU/EEA. If this changes, we will update the policy and ensure a valid transfer mechanism (e.g., standard contractual clauses).
6. Data sharing and visibility
Within the team
Team leaders have access to their own results and a defined set of key metrics for each team member (e.g., position along a scale).
The purpose is to provide a holistic view of the team's strengths and challenges, and to support learning and development within the team.
Access is limited to team leaders, and the information is not used for HR purposes such as disciplinary actions or individual performance reviews.
Reports
Aggregated team reports show averages, variations, and any "singletons" (unique outliers).
External parties
We do not sell personal data. Information is only shared if legally required, or when you expressly request it.
7. Retention periods and deletion
Data Type | Active Account | After Account Deletion |
---|---|---|
Identifying Data | As long as the account exists | Deleted within 30 days |
Response and Log Data | As long as the account exists | Pseudonymized, then deleted within 90 days |
Backups | Rolling 30-day backup | Overwritten as the 30-day window rolls forward |
Fully Anonymized Data | Unlimited (cannot be linked to individuals) | Retained |
8. Security measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based and least-privilege access for employees.
- Regular internal security and source code audits.
- Employee training in privacy and information security.
9. Cookies
We use Google Tag Manager (GTM-KBL4QP7N) to manage cookies on our marketing pages. GTM is configured with Google Consent Mode v2 so that Google tags respect the consent choice you make in the cookie banner.
Type | Purpose | Duration |
---|---|---|
Necessary | Login, session management | Up to 30 days |
Functional | Remember language choice/preferences | 6 months |
Analytics | Google Analytics (via GTM) – Measure traffic, user behavior and site improvement | Up to 2 years |
Marketing | Google Ads (via GTM) – Conversion tracking and campaign effectiveness | Up to 90 days |
Analytics and marketing cookies are only loaded if you actively consent via the cookie banner on the website. We use Google Consent Mode to respect your consent. You can withdraw consent at any time by deleting cookies in your browser.
10. Your rights
In accordance with GDPR, you have the right to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction (Art. 18)
- Data portability (Art. 20; we provide exports in JSON format)
- Object (Art. 21)
- Withdraw consent (Art. 7(3))
Complaints can be directed to the Norwegian Data Protection Authority (www.datatilsynet.no).
Send requests via kioo.no/privacypolicy or email: personvern@kioo.no. We typically respond within two business days.
11. Data breach notification
In the event of a breach that may pose a risk to your rights or freedoms, we will notify the Norwegian Data Protection Authority (Datatilsynet) and affected users within 72 hours of becoming aware of the breach (Art. 33 and 34 GDPR).
12. Changes to this policy
Major changes will be announced via email and a banner in the service at least 14 days before they take effect.
The latest version is always available at kioo.no/privacypolicy.