Privacy Policy – Kioo AS
Version 2.4 – effective from February 16, 2026
1. Data controller
Kioo AS (org. no. 932 315 459)
Reidar Berges gate 9, 4013 Stavanger, Norway
Email (privacy): personvern@kioo.no
Data Protection Officer (DPO): Lars Hæhre – lars@kioo.no
2. What personal data we process
| Category | Examples |
|---|---|
| Account Data | Email address, name, profile picture (optional), team membership, organization membership |
| Role Data | Team role (member or team admin), functional role (e.g., "Developer", "Project Manager"), organization role (member or admin) |
| Survey Response Data | Self-reported scores on team health questions, individual strengths assessments, and free-text comments where applicable |
| Usage and Log Data | IP address, login timestamps, page views, authentication events |
| Communication | Questions or requests sent to support or DPO |
| Error and Performance Data | Browser type, operating system, device information, IP address, error messages and stack traces, session recordings when errors occur |
We do not collect date of birth, national identity numbers, gender, health information, or other special categories of personal data.
3. Purpose and legal basis
| Purpose | GDPR Legal Basis |
|---|---|
| Create account, authenticate user, display dashboards | Art. 6 (1)(b) – contract |
| Conduct surveys | Art. 6 (1)(a) – consent (obtained before each survey) |
| Individual and team-based coaching based on AI analysis | Art. 6 (1)(b) + (f) – contract & legitimate interest |
| Access for team leaders to view results | Art. 6 (1)(f) – legitimate interest (team development and learning) |
| Compliance with legal requirements (security, accounting) | Art. 6 (1)(c) – legal obligation |
| Improve and develop the Service using aggregated, anonymous insights (e.g., benchmarks, trends, predictive models) | Art. 6 (1)(f) – legitimate interest (anonymization process); fully anonymous data falls outside GDPR scope (Recital 26) |
Consent can be withdrawn at any time by contacting us.
4. Automated analysis
Response data may be analyzed using AI services (Anthropic Claude, hosted on Amazon Web Services within the EU) to generate reflection points and team insights. The results are advisory and have no legal or similarly significant consequences.
You may request manual review if you wish.
4a. Aggregated and anonymous analytics
We may use aggregated, fully anonymized data - where no individual person, team, or organization can be identified - to understand broader patterns, develop benchmarks, and improve the Service. Examples include analyzing general trends in team health scores across all customers, or building predictive models that help teams identify areas for development earlier.
This data cannot be traced back to any individual, team, or organization. It is used solely to make Kioo better for all users. We never analyze or review the data of a specific team or individual for this purpose.
Because fully anonymized data falls outside the scope of GDPR (Recital 26), no personal data is processed for this purpose.
5. Where data is stored and who processes it
Kioo is operated on Microsoft Azure.
Application and database are located in Norway East. AI analysis runs on Amazon Web Services within the EU (Stockholm region) via Anthropic Claude. Vector embeddings are processed in Sweden Central under Azure's EU Data Boundary.
We use the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure | Database, file storage, vector embeddings, real-time updates | Norway East & Sweden Central (EU/EEA) |
| Amazon Web Services (Anthropic Claude via AWS Bedrock) | AI-powered survey analysis and team insights | EU (Stockholm, eu-north-1) |
| Mailjet SAS (Sinch AB) | Email delivery (invitations, notifications) | EU (France, Germany, Belgium) |
| Slack (optional, US company) | Team notifications sent to customer's existing Slack workspace if enabled | USA (customer's own Slack agreement applies) |
| Sentry | Error monitoring, performance tracking, session replay on errors | EU (Germany) |
All core personal data (account data, survey responses, usage logs) is stored and processed within the EU/EEA. We have Data Processing Agreements with our sub-processors.
If you enable the optional Slack integration, notification data is sent to your organization's existing Slack workspace. This is governed by your own agreement with Slack.
Sentry processes error and performance data to help us identify and fix bugs. When errors occur, Sentry may record a short session replay to help us understand what happened. This data is retained for 90 days. See Sentry's privacy policy.
6. Data sharing and visibility
Within the team
Team leaders have access to their own results and a defined set of key metrics for each team member (e.g., position along a scale).
The purpose is to provide a holistic view of the team's strengths and challenges, and to support learning and development within the team.
Access is limited to team leaders, and the information is not used for HR purposes such as disciplinary actions or individual performance reviews.
Reports
Aggregated team reports show averages, variations, and any "singletons" (unique outliers).
External parties
We do not sell personal data. Information is only shared if legally required, or when you expressly request it.
7. Retention periods and deletion
| Data Type | Active Account | After Account Deletion |
|---|---|---|
| Identifying Data | As long as the account exists | Deleted within 30 days |
| Response and Log Data | As long as the account exists | Pseudonymized and deleted within 90 days |
| Backups | Rolling 30-day backup | Overwritten continuously |
| Fully Anonymized Data | Unlimited (cannot be linked to individuals) | Retained |
8. Security measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based and least-privilege access for employees.
- Regular internal security and source code audits.
- Employee training in privacy and information security.
9. Cookies
We use Google Tag Manager (GTM-KBL4QP7N) to manage cookies on marketing pages. GTM implements Google Consent Mode v2 for GDPR compliance.
| Type | Purpose | Duration |
|---|---|---|
| Necessary | Login, session management | Up to 30 days |
| Functional | Remember language choice/preferences | 6 months |
| Analytics | Google Analytics (via GTM) – Measure traffic, user behavior and site improvement | Up to 2 years |
| Marketing | Google Ads (via GTM) – Conversion tracking and campaign effectiveness | Up to 90 days |
Analytics and marketing cookies are only loaded if you actively consent via the cookie banner on the website. We use Google Consent Mode to respect your consent. You can withdraw consent at any time by deleting cookies in your browser.
10. Your rights
In accordance with GDPR, you have the right to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction (Art. 18)
- Data Portability (Art. 20, JSON format)
- Object (Art. 21)
- Withdraw Consent (Art. 7)
Complaints can be directed to the Norwegian Data Protection Authority (www.datatilsynet.no).
Send requests via email: personvern@kioo.no. We typically respond within two business days.
11. Data breach notification
In the event of a breach that may pose a risk to your rights or freedoms, we will notify the Data Protection Authority and affected users within 72 hours (Art. 33–34 GDPR).
12. Changes to this policy
Major changes will be announced via email and a banner in the service at least 14 days before they take effect.
The latest version is always available at kioo.no/privacypolicy.