Privacy Policy

This policy explains how ProdForm collects, uses and protects personal data when you or your participants use the service. It applies from the date above and is updated when our practices change.

Last updated: May 1, 2026

1. Who is the data controller

ProdForm is the data controller for personal data about customers (organisations using the platform) and visitors to prodform.com. For participant data collected through a test, the customer is the controller and ProdForm acts as processor. The relationship is governed by a Data Processing Agreement (DPA) which forms part of the Terms.

2. Personal data we collect

Account data: name, email, organisation, role. Usage data: tests you create, settings, login timestamps. Technical data: IP address, browser type, device type, cookie consent state. Participant data (stored on behalf of the customer): test answers, optional demographic fields, participant code or email if the test requires identification. We never collect special categories (health, biometrics, religion, political views) unless the customer explicitly configures it and obtains separate consent.

3. Purpose and legal basis

Account data is processed to deliver the service (contract, GDPR Art. 6(1)(b)). Usage and technical data is processed to operate, secure and improve the platform (legitimate interest, Art. 6(1)(f)). Marketing and analytics cookies are processed only with your consent (Art. 6(1)(a)). Participant data is processed on behalf of the customer — the legal basis is set by the customer, typically consent from the participant before the test starts.

4. Who processes the data (sub-processors)

ProdForm uses the following processors: Supabase (database, auth, file storage — EU region), Vercel (hosting and CDN), Sentry (error logging), Anthropic (AI features — only when you explicitly use AI tools). All have signed data processing agreements. An up-to-date list of sub-processors is available on request. Customers are notified at least 30 days before we onboard new sub-processors that handle personal data.

5. Transfers outside the EEA

Primary data is stored in the EU. Sentry and Anthropic may process parts of the data outside the EEA. Such transfers rely on the EU Commission's Standard Contractual Clauses (SCC) supplemented by technical safeguards. We assess transfers continuously against current case law.

6. How long we retain data

Active tests: data is stored as long as the test runs. Closed tests: participant responses tied to identifiers are kept for 24 months after closure, then anonymised — the link between response and person is permanently removed. Anonymised aggregate data may be kept indefinitely. User and organisation accounts are kept while active and deleted within 30 days after termination (backups included). Logs and technical data are kept for up to 90 days.

7. Your rights

You have the right to access, rectify, erase ("the right to be forgotten"), restrict, port and object to processing. Participants have self-service tools for access and erasure via a link in the invitation email. For account data: send a request to kontakt@prodform.no — we respond within 30 days. You can lodge a complaint with the Norwegian Data Protection Authority (datatilsynet.no) or your local supervisory authority if you believe we process your data in breach of GDPR.

8. Security

We use encryption in transit (TLS 1.3) and at rest (AES-256). Internal access to personal data is role-based and logged. Multi-tenant isolation is enforced by Row Level Security in the database. All staff with access to customer data have signed confidentiality undertakings. Security incidents are reported to affected customers without undue delay and at the latest within 72 hours, in line with GDPR Art. 33.

9. Minors and age limit

ProdForm is not intended for persons under 16. Test organisation accounts require the user to be at least 18. Participants must be at least 16 to give valid consent without parental approval. Tests aimed at participants under 16 require a separate agreement with ProdForm.

10. Changes to this policy

We may update this policy when the service or applicable law changes. Material changes are notified by email to registered users at least 30 days before they take effect. The date at the top shows when the policy was last changed. Earlier versions are available on request.
