Privacy Policy for Peers

Effective Date: 2026-04-10

Last Updated: 2026-04-10

1. Data Controller

The data controller responsible for your personal data is:

  • Company: Peers AS
  • Organization number: 835 569 942
  • Address: Blindernveien 5, 0361 Oslo, Norway
  • Contact: lars@peers.live

The data controller determines the purposes and means of processing your personal data in accordance with the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).

2. Information We Collect

We collect information when you create an account or sign in to Peers:

Social Sign-In (Google & Apple)

When you sign in using Google or Apple, we may collect:

  • Full name: Your name from your Google/Apple account
  • Email address: Your email (or private relay email for Apple)
  • Profile picture: Your account profile image (if available)
  • Account ID: Unique identifier from Google/Apple

What we do NOT access:

  • Your password
  • Other sensitive account data
  • Contacts or personal files
  • Any data beyond basic profile information

Email Sign-Up

When you create an account with email, we collect:

  • Name: The name you provide
  • Email address: Your email for account access
  • Password: Securely hashed and stored (we never store plain text passwords)

Guest Users

When you continue as a guest:

  • Temporary account: Created with a randomly generated email — no real personal information is collected
  • Limited data: Only basic information needed for event participation
  • Automatic cleanup: Guest accounts may be removed after events conclude

Event Participation Data

When you participate in events, we may collect:

  • Scores and votes: Your scoring and voting activity, linked to your user ID
  • Poll responses: Your answers to live polls
  • Questions: Questions you submit during Q&A sessions
  • Photos: Images you voluntarily upload via the vibe stories feature

3. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Processing Activity | Legal Basis
--- | ---
Account creation and authentication | Contract performance — Art. 6(1)(b)
Event participation (scoring, voting, polls) | Legitimate interest — Art. 6(1)(f)
Email verification and password reset | Contract performance — Art. 6(1)(b)
Analytics (Vercel Analytics) | Consent — Art. 6(1)(a)
Guest user participation | Legitimate interest — Art. 6(1)(f)
Vibe photo uploads | Consent — Art. 6(1)(a)
Security measures (reCAPTCHA, rate limiting) | Legitimate interest — Art. 6(1)(f)

Where we rely on legitimate interest, we have assessed that our interest in providing and securing the service does not override your fundamental rights and freedoms.

4. Data Storage and Security

All personal data is stored within the European Union / European Economic Area (EU/EEA).

Where Your Data Is Stored

  • Database: Neon PostgreSQL — Frankfurt, Germany (EU)
  • Media files: Amazon Web Services (AWS) S3 — Stockholm, Sweden (EU)
  • Application hosting: Vercel — Frankfurt, Germany (EU)

Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All connections use TLS 1.2+ (HTTPS)
  • Encryption at rest: Database and media storage are encrypted (AES-256)
  • Password security: Passwords are hashed with bcrypt and never stored in plain text
  • Access control: Role-based permissions restrict data access to authorized users only
  • Authentication tokens: Stored as HTTP-only secure cookies, inaccessible to client-side scripts
  • Rate limiting: Login attempts are throttled to prevent brute-force attacks
  • Bot protection: reCAPTCHA is used to prevent automated abuse

5. International Data Transfers

All primary data storage (database, media files) is located within the EU/EEA. No user data is stored outside the EU/EEA.

Some of our sub-processors are headquartered in the United States. When data is processed by these providers, the transfers are protected by one or more of the following legal mechanisms in accordance with GDPR Articles 44–49:

  • EU-US Data Privacy Framework (DPF): For providers certified under the framework
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
  • Data Processing Agreements (DPAs): Provider-specific GDPR agreements

For details on which sub-processors are used and their locations, see Section 6 below.

6. Sub-Processors

We use the following third-party services (sub-processors) to operate Peers. Each processes data on our behalf and under our instructions:

Service | Provider | Purpose | Data Region
--- | --- | --- | ---
Vercel | Vercel Inc. | Hosting, serverless compute, analytics | Frankfurt, EU
Neon | Neon Inc. | PostgreSQL database | Frankfurt, EU
AWS S3 & CloudFront | Amazon Web Services | Media storage and delivery | Stockholm, EU
Google OAuth | Google LLC | Social sign-in | Global (DPF certified)
Apple Sign-In | Apple Inc. | Social sign-in | Global (SCCs)
Resend | Resend Inc. | Transactional email | USA (SCCs)
Google reCAPTCHA | Google LLC | Bot protection | Global (DPF certified)

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your experience on Peers.

Essential Cookies

These cookies are necessary for the website to function and cannot be disabled:

  • Authentication Cookies: Used to keep you logged in (next-auth.session-token, next-auth.csrf-token)
  • Session Management: Maintain your session state and user preferences
  • Security Tokens: Protect against cross-site request forgery (CSRF) attacks

Analytics Cookies (Optional)

With your consent, we use analytics services to understand how visitors use our site:

  • Vercel Analytics: Privacy-friendly analytics that collect anonymized usage data
  • Vercel Speed Insights: Performance monitoring to improve site speed

What Vercel Analytics Collects

Vercel Analytics is privacy-focused and GDPR-compliant. It collects:

  • Page views: Which pages you visit on our site
  • Referrer information: Where you came from (e.g., search engine, social media)
  • Device type: Whether you're on mobile, tablet, or desktop
  • Browser type: Which browser you're using (Chrome, Safari, etc.)
  • Geographic location: Country/region only (not precise location)
  • Session duration: How long you spend on the site

What Vercel Analytics Does NOT Collect:

  • Personally identifiable information (PII)
  • IP addresses (anonymized immediately)
  • Cookies or persistent identifiers
  • Cross-site tracking data

Managing Your Cookie Preferences

You can control cookie usage through:

  • Cookie Banner: Accept or decline optional cookies when you first visit
  • Browser Settings: Block or delete cookies through your browser preferences
  • Opt-Out: Contact us to opt out of analytics tracking

Note: Blocking essential cookies may prevent you from using certain features of Peers, such as logging in or voting.

8. Your Rights Under GDPR

As a data subject, you have the following rights under the General Data Protection Regulation:

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing (Art. 18): You can ask us to temporarily stop processing your data.
  • Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at lars@peers.live. We will respond to your request within 30 days.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law.

  • Guest accounts: Removed after the event lifecycle concludes
  • Registered accounts: Retained until you request deletion
  • Event data (scores, votes, polls): Tied to the event lifecycle and deleted when the event is removed
  • Media files: Deleted when the associated event or account is removed
  • Authentication tokens: Expire automatically based on session duration

You may request full deletion of your data at any time by contacting lars@peers.live.

10. Contact Us

For any questions or concerns about this privacy policy or your personal data, contact the data controller:

  • Peers AS
  • Blindernveien 5, 0361 Oslo, Norway
  • Org. nr: 835 569 942
  • Email: lars@peers.live

11. Updates to This Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on this page. Material changes will be communicated through the website. The effective date at the top of this page indicates when the policy was last revised.