Privacy Policy
This Privacy Policy explains how we collect, use, and protect your personal information when you use our service.
Last updated: May 18, 2026
1. Introduction & Scope
This Privacy Policy describes how Brodin Dev ("we", "us", or "our") collects, uses, stores, and protects personal data in connection with our Software-as-a-Service (SaaS) web application (the "Service").
This policy applies to all users of the Service regardless of their country of residence. Our Service is available globally, and we are committed to meeting the privacy standards required by:
- Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR);
- Lov om behandling av personopplysninger (Personopplysningsloven) — the Norwegian Personal Data Act, which implements the GDPR into Norwegian law;
- and other applicable data protection laws where relevant.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms herein, please do not use the Service.
2. Data Controller
The data controller responsible for the processing described in this Privacy Policy is:
Brodin Dev
Organisation number: 973 861 778
Email: contact@brodin.dev
3. What Data We Collect
We only collect personal data that is necessary to provide and maintain the Service. The categories of data we collect are described below.
3.1 Account & Identity Data
| Data Point | Source | Notes |
|---|---|---|
| Email address | Provided by you or via OAuth | Required for authentication and communication |
| Password | Provided by you | Stored only as a cryptographic hash (not reversible encryption); never stored in plain text |
| Full name | Provided via Google or GitHub OAuth | Populated automatically from your OAuth provider profile |
| Profile avatar/photo | Provided via Google or GitHub OAuth | Populated automatically from your OAuth provider profile |
Note: If you register using an email and password, we do not collect your name or avatar unless you choose to provide them. If you register via Google or GitHub OAuth, we receive only the data your OAuth provider makes available to us under the permissions you grant.
3.2 Authentication & Session Data
- Session identifiers, managed securely by our authentication system (Better Auth).
- Records relating to authentication events and linked sign-in methods where necessary to operate account access and security features.
3.3 Technical & Usage Data (Anonymised)
- Aggregated, anonymised page-view and performance metrics collected via Vercel Analytics and Vercel Speed Insights (see Section 11). This data cannot be used to identify you individually.
3.4 Data We Do NOT Collect
We want to be explicit about what we do not collect or store:
- Payment card numbers, bank account details, or any other financial data. All payment processing is handled entirely by Polar.sh as our Merchant of Record.
- Sensitive personal data (as defined in GDPR Article 9), such as health data, religious beliefs, or biometric data.
- Precise geolocation data.
- Unique device fingerprints or cross-site tracking identifiers.
4. How We Collect Data
We collect personal data through the following means:
- Direct registration: When you create an account using an email address and password.
- OAuth authentication: When you choose to sign in via Google or GitHub, those providers share limited profile data with us based on the permissions you grant.
- Profile updates: When you voluntarily update your name or avatar through your account dashboard.
- Automatic collection: Anonymised technical metrics collected automatically when you use the Service (see Section 11).
5. Legal Basis for Processing
Under the GDPR (Article 6), we must have a valid legal basis for processing your personal data. We rely on the following:
5.1 Contract Fulfillment (Article 6(1)(b))
The primary basis for processing your personal data is that it is necessary for the performance of a contract between you and us — specifically, to provide you with access to and use of the Service. This covers:
- Creating and maintaining your user account.
- Authenticating you when you log in.
- Enabling you to use all features of the Service.
- Sending transactional emails (e.g., email verification, password reset notifications).
Without this processing, we cannot provide the Service.
5.2 Legitimate Interests (Article 6(1)(f))
We also process certain data on the basis of our legitimate interests, provided these interests are not overridden by your rights and freedoms. These interests include:
- Security: Detecting and preventing fraudulent access, abuse, or unauthorized use of the Service.
- Service integrity: Ensuring the technical stability, reliability, and performance of the Service.
- Anonymised analytics: Using aggregated, non-identifiable performance and usage data to improve the Service.
We have conducted a balancing test and are satisfied that our legitimate interests do not override your fundamental rights, given the limited and privacy-preserving nature of this processing.
5.3 Note on Consent
We do not rely on consent as the legal basis for core data processing. However, where applicable (e.g., optional features or communications beyond transactional emails), we will request your separate, explicit consent and provide a clear mechanism to withdraw it at any time.
6. How We Use Your Data
We use the personal data we collect for the following specific purposes:
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Create and manage your user account | Contract Fulfillment | Email, password hash, name, avatar |
| Authenticate your identity at login | Contract Fulfillment | Email, password hash, OAuth tokens |
| Send transactional emails (verification, password resets) | Contract Fulfillment | Email address |
| Allow you to link/unlink social accounts | Contract Fulfillment | OAuth tokens, email |
| Enable account self-management and deletion | Contract Fulfillment | All account data |
| Detect and prevent security threats | Legitimate Interest | Email, session data |
| Monitor and improve Service performance | Legitimate Interest | Anonymised analytics data |
We do not use your personal data for:
- Marketing or advertising communications (without your explicit consent).
- Selling or renting your data to third parties.
- Automated decision-making or profiling that produces legal or significant effects on you.
7. Data Sharing & Third Parties
We do not sell your personal data. We share personal data only with a limited set of third parties where necessary to operate the Service, comply with law, or support features you choose to use. Some of these parties act as our data processors under contract, while others act as independent controllers for their own parts of the transaction or authentication flow.
7.1 Convex — Database, Backend & File Storage
| Detail | Info |
|---|---|
| Purpose | Stores all application data, including user account records and profile files (avatars) |
| Data Shared | Email address, hashed password, name, profile avatar, session data |
| Privacy Policy | https://www.convex.dev/legal/privacy |
Convex serves as the primary data store for the Service. All data stored in Convex is processed under our instructions.
7.2 Resend — Transactional Email
| Detail | Info |
|---|---|
| Purpose | Delivers transactional emails on our behalf (e.g., account verification, password reset) |
| Data Shared | Email address and the minimum content required to render the email |
| Privacy Policy | https://resend.com/legal/privacy-policy |
Resend processes your email address solely to deliver messages you have triggered (e.g., requesting a password reset). Resend does not use this data for its own marketing purposes.
7.3 Google & GitHub — OAuth Sign-In
| Detail | Info |
|---|---|
| Purpose | Provide optional third-party sign-in and account linking flows |
| Data Shared | Limited account and authentication data required to complete the OAuth sign-in flow |
| Role | Independent controllers for processing that takes place on their own platforms and services |
If you choose to sign in with Google or GitHub, you will be redirected to that provider and their processing of your personal data will be governed by their own privacy terms.
7.4 Polar.sh — Payments (Merchant of Record)
| Detail | Info |
|---|---|
| Purpose | Processes payment transactions as Merchant of Record |
| Data Shared | Limited order and account data required to initiate and administer a purchase; payment card data is handled by Polar.sh |
| Role | Independent controller for payment and billing processing on its own checkout systems |
| Privacy Policy | https://polar.sh/legal/privacy |
Polar.sh acts as the Merchant of Record for purchases and subscriptions. This means Polar.sh is independently responsible for collecting and processing payment information under its own privacy policy. We do not receive, store, or process your credit or debit card details at any point.
7.5 Vercel — Application Hosting & Analytics
| Detail | Info |
|---|---|
| Purpose | Hosts and serves the web application; provides anonymised performance analytics |
| Data Shared | Application traffic (processed at the infrastructure level); anonymised analytics data |
| Privacy Policy | https://vercel.com/legal/privacy-policy |
Vercel hosts the infrastructure on which the Service runs. As a hosting provider, Vercel may process request metadata (e.g., IP addresses) at the infrastructure level as part of normal network operations. Vercel's analytics features are configured to be privacy-preserving (see Section 11).
7.6 No Other Third-Party Sharing
We do not share your personal data with any other third parties except as required by applicable law (see below).
7.7 Legal Disclosure
We may disclose your personal data if required to do so by law, court order, or regulatory authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Brodin Dev, our users, or others. We will notify you of any such disclosure to the extent permitted by law.
8. International Data Transfers
Our third-party processors may store or process data outside the European Economic Area (EEA). Where such transfers occur, we ensure they are subject to appropriate safeguards as required by GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
- Processing in countries that benefit from an adequacy decision by the European Commission.
Specifically:
- Convex and Vercel are US-based providers. Data transfers are governed by applicable SCCs and their respective DPAs.
- Resend is a US-based provider operating under SCCs.
- Google, GitHub, and, if applicable, Polar.sh may also process data outside the EEA under their own transfer mechanisms and privacy frameworks.
You may request further information about the specific transfer mechanisms we rely on by contacting us at contact@brodin.dev.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law.
| Data Category | Retention Period |
|---|---|
| Account data (email, name, avatar) | For the lifetime of your account, and deleted upon account deletion |
| Hashed passwords | For the lifetime of your account, and deleted upon account deletion |
| Linked account records | Maintained while the linked social account remains active; deleted upon account unlinking or deletion |
| Transactional email logs | As per Resend's retention policy; we retain minimal records required for security audit purposes |
| Anonymised analytics data | Indefinitely, as it cannot be linked to any individual |
Account Deletion
When you permanently delete your account via the account dashboard, all your associated personal data is deleted from our systems. This action is irreversible. Residual data may persist in encrypted backups for a limited period (typically up to 30 days) before being purged in routine backup cycles.
10. Your Rights Under GDPR
As a data subject under the GDPR and the Norwegian Personopplysningsloven, you have the following rights. We are committed to honoring these rights and will respond to verified requests within 30 days (extendable by a further two months for complex requests, with notice).
10.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it.
10.2 Right to Rectification (Article 16)
You have the right to request that inaccurate or incomplete personal data we hold about you be corrected. You can update most of your profile information directly from your account dashboard at any time.
10.3 Right to Erasure / Right to be Forgotten (Article 17)
You have the right to request the deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected;
- You withdraw consent (where consent was the legal basis);
- You object to processing and there are no overriding legitimate grounds;
- The data has been unlawfully processed.
You can exercise this right at any time by permanently deleting your account from the dashboard, which will delete all associated data. Alternatively, you may contact us at contact@brodin.dev.
10.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your data in certain circumstances — for example, while a dispute about accuracy is being resolved.
10.5 Right to Data Portability (Article 20)
You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to have that data transmitted to another controller where technically feasible. This right applies to data processed on the basis of contract fulfillment or consent.
To request a data export, please contact us at contact@brodin.dev.
10.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
10.7 Rights Related to Automated Decision-Making (Article 22)
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. This right is therefore not currently applicable to our Service.
10.8 How to Exercise Your Rights
To exercise any of the rights above, please:
- Self-service: Use your account dashboard (for profile edits, account deletion, and social account management).
- Contact us: Email contact@brodin.dev with a description of your request. We may ask you to verify your identity before acting on the request.
There is no fee for exercising your rights. If requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable administrative fee or refuse to act, in accordance with Article 12(5) GDPR.
11. Cookies & Analytics
11.1 Authentication Cookies
We use strictly necessary authentication and security cookies to manage your authenticated session. These are essential to the operation of the Service. Under applicable ePrivacy rules, including Norway's Ekomloven, consent is not required for cookies that are strictly necessary to provide a service you have requested. Where those cookies involve personal data, we process that data on the legal bases described in Section 5.
11.2 Vercel Analytics & Speed Insights
We use Vercel Analytics and Vercel Speed Insights to understand how users interact with the Service and to monitor its performance. These tools are configured to be privacy-preserving by design:
- No personally identifiable information (PII) is collected.
- No unique device fingerprinting or persistent identifiers are used.
- No cross-site tracking occurs.
- IP addresses are not stored — they are used transiently to derive approximate, country-level geographic aggregates and then discarded.
- Data is aggregated and cannot be linked to any individual user.
Because these analytics tools do not process personal data in an identifiable form, they do not require a cookie consent banner under the ePrivacy Directive or GDPR as implemented in Norwegian law.
11.3 No Third-Party Advertising or Tracking Cookies
We do not use any advertising networks, retargeting pixels, social media tracking cookies, or any other third-party tracking technologies.
12. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures (TOMs) in accordance with GDPR Article 32, including:
- Password hashing: Passwords are never stored in plain text. We use industry-standard cryptographic hashing algorithms via Better Auth.
- Encrypted data transmission: All data is transmitted over HTTPS/TLS.
- Access controls: Access to production systems and user data is restricted to authorised personnel only.
- Infrastructure security: Our hosting provider, Vercel, maintains SOC 2 compliance and implements enterprise-grade security measures.
- Database security: Convex provides encrypted storage and secure API access controls.
While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with GDPR Article 34 and report to the relevant supervisory authority (Datatilsynet) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
13. Children's Privacy
The Service is not directed at persons under the age of 18. We do not knowingly allow individuals under 18 to create accounts or use the Service.
If you believe a person under 18 has provided us with personal data in breach of this policy, please contact us at contact@brodin.dev and we will take prompt steps to delete that data.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our data practices. When we make material changes, we will:
- Update the "Last Updated" date at the top of this document;
- Notify you by email (to the address associated with your account) or via a prominent notice in the Service, where the changes are significant.
Your continued use of the Service after the effective date of an updated policy constitutes your acknowledgment of the changes. We encourage you to review this policy periodically.
15. Contact & Complaints
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:
If you believe our processing of your personal data infringes applicable law, you also have the right to lodge a complaint with the Norwegian supervisory authority, Datatilsynet, or with your local supervisory authority in the EEA.