Logstatus Privacy Policy
Last updated: 2026-05-17
This document is a structured working draft. The final, counsel-reviewed wording is being prepared. For binding terms before that lands, contact legal@logstatus.app.
This Privacy Policy explains how Logstatus handles personal data when you visit our website, create an account, or use our service as an admin or operator. If you are a crew member, contractor, or other person submitting incident data into Logstatus on behalf of a venue or production, the organisation you are submitting on behalf of (the "customer") is the controller of that data, not Logstatus. We are their processor and process that data only on their documented instructions. Please refer to your employer or the venue for their own privacy notice. The Data Processing Agreement between Logstatus and that customer governs how we handle their data; this Privacy Policy does not.
1. Who we are
The data controller for the processing described in this Policy is: Andreas Braa, sole proprietor (enkeltpersonforetak) trading as Greyframe, operator of the Logstatus service. Organisation number: [ORG.NR]. Registered address: [STREET, POSTCODE, CITY], Norway. Contact for data-protection matters: privacy@logstatus.app. Logstatus is one product offered under the Greyframe trading name; this Privacy Policy applies to processing carried out in connection with Logstatus and the logstatus.app website.
2. What this Policy covers
This Policy covers personal data we collect as a controller — that is, where we decide the purposes and means of processing. Specifically:

- Visitors to logstatus.app and any subdomains (other than the soft-auth submission shell at links.logstatus.app).
- People who create or use a Logstatus admin or operator account.
- Billing contacts at customer organisations.
- People who contact us with sales, support, or general inquiries.

It does not cover personal data submitted into Logstatus by our customers (incident records, attachments). That data is handled under the customer's own privacy notice and our Data Processing Agreement with them.
3. What personal data we collect, and why
### When you visit our website

We collect technical information automatically when you visit our marketing pages: your IP address (truncated or hashed by our analytics provider), the pages you view, your referrer, and your browser and device type. We use this to operate the site and understand aggregate usage. We rely on legitimate interests (Article 6(1)(f) GDPR) for this processing.

We use Cloudflare Web Analytics, which is cookie-free and does not track visitors across sites. We use Cloudflare Turnstile on signup and contact forms to prevent bot abuse. Turnstile is also cookie-free and privacy-preserving.

### When you create or use an account

We collect:

- Your name, work email address, and authentication credentials.
- The organisation you belong to and your role within Logstatus.
- IP address and session metadata.
- Audit-log entries describing actions you take in the product (for example: creating a production, exporting data).

We use this information to operate the product, authenticate you, secure the service, and communicate with you about your account. Our lawful basis is performance of a contract (Article 6(1)(b)) where you are tied to a billed account, or legitimate interests (Article 6(1)(f)) where you are using the free tier.

### When your organisation pays for Logstatus

We collect billing contact information: name, work email, billing address, organisation number, and VAT identifier. Payment-method details are collected directly by Stripe, our payment processor; we never see your card number.

We use this information to invoice you, comply with tax law, and recover unpaid amounts. Our lawful basis is performance of a contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) for tax-record retention.

### When you contact us

We collect your name, email, and the content of your message, plus any context you provide about your organisation or account. We use this to respond to you and to maintain a record of the inquiry. Our lawful basis is legitimate interests (Article 6(1)(f)), or performance of a contract (Article 6(1)(b)) where the inquiry relates to an active subscription.

### When we send you marketing email

We only send marketing email to people who have explicitly opted in. You can unsubscribe at any time via the link in any marketing message. Our lawful basis is consent (Article 6(1)(a)).
4. Who we share your data with
We share personal data only with subprocessors that help us operate Logstatus and only to the extent necessary. Our current subprocessors are listed at logstatus.app/legal/subprocessors. The principal ones for the processing described in this Policy:

- Cloudflare — hosting, storage, transactional email, bot protection, analytics.
- Stripe Payments Europe, Limited — payment processing.

We do not sell personal data to anyone. We do not share personal data with advertisers. We do not use your data to train AI models.

We may disclose personal data to public authorities if required by law (for example, in response to a court order) — we will challenge requests that appear overbroad or unlawful.
5. International transfers
We store personal data within the European Economic Area (EEA) where the underlying Cloudflare service supports a regional pin (database, object storage). Some Cloudflare services (in particular, key-value storage and edge compute) involve data processing across Cloudflare's global network, including outside the EEA. Where we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) under our DPAs with the relevant subprocessors, together with any supplementary measures required by applicable law.
6. How long we keep your data
| Data category | Retention |
| --- | --- |
| Marketing-site analytics | 6 months (aggregated) |
| Active account data | While the account is active |
| Closed account data | 30 days after closure, then deleted from production |
| Audit-log entries | 12 months from event |
| Billing records and invoices | 5 years after end of fiscal year (Norwegian Bookkeeping Act) |
| Support correspondence | 12 months after resolution |
| Marketing consent records | Until withdrawn, plus 24 months for proof of consent |

Backup copies of deleted data are purged within 90 days.
7. Your rights
Under the GDPR and the Norwegian Personal Data Act (personopplysningsloven), you have the right to:

- Access the personal data we hold about you.
- Correct data that is inaccurate or incomplete.
- Delete data we hold about you ("right to be forgotten"), subject to our legal obligations.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests.
- Portability — receive your data in a structured, commonly-used format.
- Withdraw consent where processing is based on consent (this does not affect prior processing).

To exercise any of these rights, email privacy@logstatus.app. We will respond within one month; we may extend by two further months for complex requests, and will tell you if we do.

If you are unhappy with how we handle your personal data, you have the right to complain to the Norwegian Data Protection Authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo
postkasse@datatilsynet.no
datatilsynet.no (https://www.datatilsynet.no)
8. Cookies and similar technologies
Logstatus uses only strictly necessary cookies to operate the service (authentication session, security tokens, language preference). We do not use advertising cookies or third-party tracking cookies. Because all cookies we set are strictly necessary, no consent banner is required under ePrivacy / cookieforskriften. If we ever introduce non-essential cookies, we will ask for consent before setting them.
9. How we keep your data safe
We use industry-standard security measures, including encryption in transit and at rest, role-based access controls, audit logging, and bot protection. Our personnel access production data only where necessary for operating the service. A summary of our security measures is set out in our Records of Processing Activities (kept internally per Article 30 GDPR). Customers can request a security overview by emailing privacy@logstatus.app.
10. Children
Logstatus is not intended for use by children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated to active account holders by email and noted in the changelog below at least 30 days before they take effect. The current version is always available at this URL.
12. Contact
Email: privacy@logstatus.app

Postal: [STREET, POSTCODE, CITY], Norway
Changelog
- v0.1 — 2026-05-17. Initial draft, pre-launch.
Drafting notes (delete before publishing)
- Hand-rolled vs. Termly/Iubenda. I've drafted this hand-rolled because it's tightly bound to the specifics of Logstatus (two-surface architecture, HSE/processor framing, Norwegian context). A boilerplate generator can't reflect the "we are processor for customer-submitted data, controller only for our own data" framing in § 2 that is critical for getting the document right.
- Cookie banner. § 8 says you don't need one because all cookies are strictly necessary. Verify this is still true at launch. Cloudflare Turnstile is cookie-free; Cloudflare Web Analytics is cookie-free; Better Auth sessions are first-party functional. If you add Hotjar, Posthog, GA, or any third-party JS that drops a cookie, the banner becomes required and § 8 needs rewriting.
- Marketing email. § 3 last paragraph is opt-in only. If you want to use legitimate-interest-based "soft opt-in" for customers in active subscriptions (Norwegian markedsføringsloven § 15 permits this for existing customers), tell me and I'll add that paragraph. For pre-launch, opt-in-only is safer.
- Children section. Logstatus probably never processes children's data deliberately. But "minor at a backstage incident" is conceivable. The section is short and defensive — keep it.
- AI training disclaimer. § 4 paragraph 4 ("We do not use your data to train AI models") is increasingly expected by EU privacy-aware customers in 2026. Make sure this remains true; if you later want to use anonymised data for any ML purpose, this line has to come out and you need a separate basis.
- Plain-language tone. I've kept this in prose rather than the dense Latin-numbered SaaS-policy style. It's easier to read, easier to keep accurate, and Datatilsynet specifically encourages plain Norwegian/English for privacy notices. The legal effect is identical.