Personvernerklæring

Last updated: March 9, 2026

1. Introduction

This privacy policy describes how Somsagt Online ("we", "us", "our", "the Service") collects, uses, stores and protects personal data when you use our platform for live streaming and video archive.

Somsagt Online is a cloud-based service (SaaS) aimed at employees in the Norwegian healthcare sector. Access to the service is provided through your employer or department leader as part of your employment. You do not register yourself and do not cancel the subscription on your own.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act and associated regulations.

2. Data controller and data processor

Data controller

Your employer (the organization that has purchased access to Somsagt Online) is the data controller for personal data processed in connection with your use of the service. The employer determines the purpose and means of processing.

Data processor

Somsagt AS acts as data processor on behalf of your employer. We process personal data only in accordance with instructions from the data controller and in compliance with the applicable data processing agreement.

Contact information

Somsagt AS: post@somsagt.no

3. What personal data we collect

3.1 Account information (created by your employer/department leader)

Data	Purpose	Legal basis
Full name	Identification and personalization	Legitimate interest / contract
Email address	Login, notifications and communication	Contract / legitimate interest
Phone number (optional)	Contact information	Consent
Profile picture (optional)	Visual identification	Consent
Organization affiliation and role	Access control	Contract

3.2 Authentication and security data

Data	Purpose	Storage
Password	Login	Encrypted hash (never in plaintext)
Two-factor secret (TOTP)	Additional security	Encrypted
Two-factor backup codes	Access recovery	Encrypted, single use
Email verification and reset tokens	Account verification and password change	Time-limited, automatic expiry

3.3 Session data

Data	Purpose	Retention
IP address	Security logging and abuse prevention	Duration of session
Browser and device information (User-Agent)	Session management	Duration of session
Active organization per session	Access control	Duration of session
Last login timestamp	User activity monitoring	Continuously updated

3.4 Video usage data

Data	Purpose	Description
Videos watched	Progress display and resumption	Linked to your user account
Watch time per video	Activity analysis for the organization	Aggregated and per user
Completion status (over 90% watched)	Engagement measurement	Automatically calculated
Viewing timestamp	Chronological overview	Stored in database

3.5 Engagement data (calculated daily)

Data	Purpose
Engagement score (0–100)	Overall activity measurement
Activity level (active / at risk / inactive)	Identify users who need follow-up
Login frequency and recency	Component in engagement calculation
Number of unique videos watched	Component in engagement calculation
Total watch time	Component in engagement calculation
Trend (improving / stable / declining)	Change over time

This data is used by your organization to understand overall usage patterns and ensure the service provides value. Engagement data is available to administrators in your organization.

3.6 Questions and interactions

Data	Purpose
Questions submitted during broadcasts	Interaction with presenters
Name and user ID linked to questions	Identification of submitter
Timestamp and type (live / general)	Organization and display

3.7 Email and notification data

Data	Purpose
Email address (recipient)	Notification delivery
Type of notification sent	Logging and troubleshooting
Delivery status	Quality assurance
Your email preferences	Respect your communication choices

4. Legal basis (GDPR Article 6)

Basis	Application
Contract (Art. 6(1)(b))	Delivery of the service: login, video playback, session management.
Legitimate interest (Art. 6(1)(f))	Security logging, abuse prevention, rate limiting, engagement analysis, email delivery troubleshooting.
Consent (Art. 6(1)(a))	Optional data such as phone number and profile picture. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c))	Any legally required retention of logs or information.

5. Sharing data with third parties

We only share personal data with third parties that are necessary to deliver the service. All third parties are bound by data processing agreements.

5.1 Sub-processors

Provider	Service	Data shared	Location
Mux, Inc.	Video streaming and playback	Playback IDs, watch time data, browser/OS	USA
Resend, Inc.	Email delivery	Email addresses, email content, delivery status	USA
Railway	Hosting, database, file storage	All data stored in the service	EU / USA

5.2 Transfers outside the EEA

Some of our sub-processors operate in the USA. We ensure lawful transfer through:

EU–US Data Privacy Framework (where the provider is certified)
EU Standard Contractual Clauses (SCC) with supplementary measures where necessary
Regular assessment of the level of protection in the receiving country

5.3 Data we do NOT share

We never sell personal data to third parties
We do not share data with advertisers or marketing platforms
We do not use third-party analytics tools (such as Google Analytics etc.)
We do not share user data across organizations

6. Cookies and local storage

6.1 Necessary cookies

Cookie	Purpose	Type
Session cookie (BetterAuth)	Authentication and login status	Strictly necessary
Language preference	Remember your chosen language	Strictly necessary

6.2 Local storage (localStorage)

Key	Purpose
Welcome banner status	Remember that you have closed the welcome message
Archive view mode	Remember list vs. grid view

We use no cookies for tracking, profiling, advertising or analytics beyond what is described above.

7. Data security

Technical measures

Encryption in transit: All communication over HTTPS/TLS
Password security: Passwords are stored only as cryptographic hashes
Signed playback tokens: Video content is protected with signed JWT tokens with limited validity
Two-factor authentication: Optional TOTP-based two-factor with backup codes
Rate limiting: Protection against brute-force attacks
Webhook verification: HMAC signature verification for incoming webhooks
Access control: Role-based access with organization separation

Organizational measures

Limited access to production data
Data processing agreements with all sub-processors
Regular review of access rights and security procedures

8. Retention period

Data type	Retention period
Account information	As long as employment/access lasts
Session data	Until the session expires or ends
Video viewing history	As long as the account is active
Engagement data	As long as the account is active
Email logs	Up to 12 months after sending
Submitted questions	As long as the associated broadcast is active
Authentication tokens	Automatic expiry (hours/days)

When your access is terminated by your employer, your account will be deactivated and associated sessions will be ended immediately. Personal data is deleted after a reasonable transition period, unless legal retention requirements dictate otherwise.

9. Your rights

Under the GDPR, you have the following rights. Since your employer is the data controller, requests should primarily be directed to your employer. You can also contact us directly.

Right	Description
Access (Art. 15)	You have the right to know what personal data we process about you.
Rectification (Art. 16)	You can request that inaccurate data be corrected.
Erasure (Art. 17)	You can request deletion of your personal data when the legal basis no longer applies.
Restriction (Art. 18)	You can request that processing be restricted under certain circumstances.
Data portability (Art. 20)	You have the right to receive your data in a structured, machine-readable format.
Objection (Art. 21)	You can object to processing based on legitimate interest.

How to exercise your rights

Through your employer: Contact your department leader or organization leader.
Directly to us: Send an email to personvern@somsagt.no with your request.
Complaint to the Norwegian Data Protection Authority: You have the right to file a complaint with Datatilsynet (datatilsynet.no) if you believe your personal data is being processed in violation of the regulations.

Email preferences

You can manage which email notifications you receive under settings in the service. All emails also contain a link for direct unsubscription from the relevant notification category.

10. Healthcare sector considerations

Somsagt Online is a platform for video communication and archive. We do not process health data (special category personal data under GDPR Article 9) as part of the service's core functionality.

Important for users: Do not share patient information, health information about individuals or other confidential information through the question function or other interaction tools in the service.

Important for administrators: Ensure that video content that is streamed or archived does not contain identifiable patient information, unless separate information security measures have been implemented outside this service.

11. Automated decisions and profiling

The service calculates engagement scores based on login and viewing activity. This is used to identify inactive users for follow-up and to give organization leaders an overview of service usage.

Engagement scores have no automated consequences for your access, employment or rights. No automated decisions with legal effect are made based on this data.

12. Changes to the privacy policy

We may update this privacy policy as needed. In the event of material changes, we will update the date at the top of the document and notify data controllers (organizations) of the changes.

13. Contact

For questions about privacy and this policy:

Email: personvern@somsagt.no
Norwegian Data Protection Authority: www.datatilsynet.no

This privacy policy is effective from March 9, 2026.