Fotspor logo
Log in

Fotspor Privacy Policy

Last updated: March 7, 2026

This privacy policy applies to the Fotspor website (fotspor.mobi), Fotspor Editor, and the Fotspor mobile app. It explains how FotsporTech AS processes personal data about users and service-related contacts, including route creators, participants, and representatives of schools and other organizations.

This policy is aligned with GDPR (EU 2016/679), the Norwegian Personal Data Act, and other applicable data protection laws where the service is used.

In short:

  • We do not sell personal data.
  • We do not share personal data with third parties for their own marketing or profiling purposes.
  • The app does not collect directly identifying personal data such as name, email address, or phone number.
  • The app generates and processes an internal, app-specific device ID together with technical data needed to provide service functionality, improve the service, and perform technical troubleshooting. This identifier is unique to our app, cannot be linked to the manufacturer device ID, and cannot directly identify you.
  • Even so, device IDs are still treated as personal data under applicable law because they allow us to distinguish one user from another within the app.
  • We may use anonymized and aggregated statistics in communication and marketing.

Quick summary for school owners

  • For student data and quiz responses used in teaching, the school owner is the data controller and FotsporTech AS is the data processor.
  • Personal data is used to deliver the service, not for marketing or profiling. Any marketing metrics are anonymized and aggregated.
  • The app primarily uses pseudonymous identifiers, and full name is not required for participation.
  • Access and other rights requests for student data are normally handled through the school.
  • The standard retention period for quiz responses is up to 12 months, unless agreement terms or controller instructions require otherwise.
  • We can provide relevant documentation on request (including the DPA, sub-processor overview, transfer mechanisms, and the balancing test for crash diagnostics).

1. Who this policy applies to

  • Users of Fotspor Editor, including teachers, school administrators, school owners, and other route creators.
  • Participants using the Fotspor app, including students, children, and adult participants.
  • Contact persons at schools, organizations, and companies (for example for agreements, support, and billing).
  • Visitors to fotspor.mobi.

2. Roles and responsibilities

FotsporTech AS is the data controller where specified below, and is the contact point for privacy questions:

  • FotsporTech AS
  • Organization number: 933521079
  • Address: Postboks 6 Nordås, 5864 BERGEN
  • Email: kontakt [at] fotspor [dot] mobi

2.1 When FotsporTech AS is a data controller

FotsporTech AS is the data controller when we determine the purposes and means of processing, including:

  • account creation, login, and account management
  • purchases, subscriptions, and billing
  • customer support and communication
  • technical operations, security, and incident handling

For website usage analysis, we use cookies and similar technologies. This processing only takes place if you consent to analytics cookies.

You can withdraw your consent to analytics cookies at any time, for example by changing the cookie settings on the website. Withdrawing consent does not affect the lawfulness of processing carried out before the consent was withdrawn.

2.2 When FotsporTech AS is a data processor

When Fotspor is used by a school or an organization to collect or process student or participant data, FotsporTech AS processes personal data on behalf of the data controller.

The school owner or organization using the service is the data controller for student and participant data. FotsporTech AS is the data processor and processes data only in accordance with the controller's documented instructions, within the scope of the service.

This may include processing quiz responses and other data collected in connection with teaching or activities in the service.

Processing is governed by a data processing agreement between the parties.

3. Personal data we process

3.1 Account and purchases

  • name, email address, and login-related data
  • organization details when accounts are created for schools or organizations
  • subscription details, payment status, and invoicing basis
  • customer support history and communication records

3.2 Website (fotspor.mobi)

  • technical data such as IP address, browser, device type, and timestamps
  • cookie consent preferences
  • usage analytics data when consent has been given

3.3 Editor content

  • routes and checkpoints created by route creators
  • text, images, audio, video, and quiz setup added to routes
  • sharing settings and share codes

Route creators are responsible for ensuring that route content does not include personal data in breach of applicable law.

3.4 Mobile app

  • pseudonymous user ID/device ID
  • IP address when communicating with our servers
  • technical details such as app version, device type, and operating system
  • event data such as route start, progress, and completion timestamps
  • operational and crash diagnostics for service reliability

The app does not require users to provide directly identifying data such as name, email address, or phone number in order to participate.

Personal data from the app is used only to deliver and improve the service. We do not use personal data from the app for marketing or profiling, and we do not sell app data.

We may use anonymized and aggregated statistics in communication and marketing, for example total number of completed routes or participants in a period. Such figures cannot be linked to individual users.

App identifiers

In the app, we use pseudonymous identifiers (automatically generated IDs), not names or other directly identifying personal data. These IDs are only used for operations, security, and troubleshooting. The IDs are not used to track users across other apps or services, and are not linked to name, email address, physical address, or other direct identifiers. The anonymous user ID rotates every 30 days, and the device ID is app-specific. Even though these IDs are pseudonymous, they are still treated as personal data under applicable data protection law.

4. Collection of quiz responses in routes

4.1 General

In some routes, route creators can enable collection of participant quiz responses. This is typically used in education for learning, assessment, and academic follow-up.

We only collect the data needed to provide the quiz feature.

4.2 Roles and responsibilities

When the service is used in schools

When the service is used by a teacher as part of teaching in primary or upper secondary school:

  • The school owner (municipality/county authority or equivalent) is the data controller.
  • FotsporTech AS is the data processor and processes data on behalf of the school and only in accordance with the school's documented instructions.
  • The processing is part of the school's statutory education tasks.
  • The legal basis follows GDPR Article 6(1)(e) (task carried out in the public interest or exercise of official authority) and, where relevant, Article 6(1)(c) (legal obligation), in line with applicable education law. Consent from students or guardians is therefore normally not required for use in teaching.

When the service is used outside schools

If the quiz feature is used outside schools or other public educational institutions, the route creator is the data controller.

In those cases, the legal basis is normally participant consent.

4.3 What data is collected

When a participant submits answers, the following data may be stored:

  • a system-generated pseudonymous user ID
  • an optional nickname
  • submission timestamp
  • the participant's answers
  • calculated score

As of March 2026, the following answer type is supported:

  • multiple choice

Participants are not required to provide their full name.

The quiz feature is not intended for collection of special categories of personal data. Route creators are responsible for ensuring that questions do not involve processing of such data (for example, health data, political opinions, religion, or other sensitive data).

4.4 Purpose of processing

The data is processed to:

  • run quizzes in routes
  • calculate and display scores
  • allow teachers/route creators to follow up participants academically
  • optionally display a leaderboard based on total score

When used in schools, this data is processed solely for the purposes determined by the school as data controller. We do not use the data for marketing, profiling, or other independent commercial purposes.

4.5 Who can access the data

The following may access the data:

  • the teacher/route creator
  • a limited number of authorized FotsporTech AS employees with a need to know (operations, support, and security)

When a leaderboard is used, only the following is displayed:

  • nickname (if provided)
  • total score

Participants do not get access to other participants' individual answers.

4.6 Storage and deletion

By default, quiz responses are stored for up to 12 months from submission.

The retention period may vary depending on the agreement with the school or the plan selected by the route creator.

Data is deleted when:

  • the session is deleted by the route creator
  • the customer agreement ends
  • the retention period expires

We do not keep the data longer than necessary for the stated purposes.

4.7 Rights

When used in schools

Students and guardians can contact the school regarding:

  • access
  • rectification
  • erasure
  • other rights under data protection law

FotsporTech AS assists the school when needed, but the school as data controller handles these requests. Where FotsporTech AS acts as a data processor, we assist the data controller in fulfilling data subject rights in line with the data processing agreement.

When used outside schools

Participants can contact the route creator (data controller) regarding their rights.

4.8 Security

FotsporTech AS has implemented technical and organizational measures to protect data against unauthorized access, alteration, and deletion.

Access to data is restricted and logged.

5. Legal bases for processing

PurposeRoleLegal basis
Create and manage accounts, deliver subscriptions and serviceFotsporTech AS as data controllerGDPR Article 6(1)(b) (contract)
Meet bookkeeping and accounting requirementsFotsporTech AS as data controllerGDPR Article 6(1)(c) (legal obligation)
Website analytics cookiesFotsporTech AS as data controllerGDPR Article 6(1)(a) (consent)
Technical operations, troubleshooting, and crash diagnostics in the app (Crashlytics)FotsporTech AS as data controllerGDPR Article 6(1)(f) (legitimate interests)
Processing student data and quiz responses in teachingSchool owner as controller, FotsporTech AS as processorGDPR Article 6(1)(e) (public task), where relevant Article 6(1)(c)
Processing quiz responses outside schoolsRoute creator as controller, FotsporTech AS as processorNormally GDPR Article 6(1)(a) (consent)

For processing based on Article 6(1)(f) (legitimate interests), we have carried out a balancing test. We have a legitimate interest in providing a stable and secure app, the processing is limited to technical data, the privacy risk is assessed as low, and the processing is necessary because we otherwise would not receive error reports when technical issues occur. This balancing test can be provided on request.

6. Third-party services and processors

We only use providers to deliver the service securely and reliably. We do not sell personal data, and we do not share data with third parties for their own marketing or profiling purposes. Most providers act as sub-processors for FotsporTech AS. Some services (for example map services) may also process their own technical metadata under their own responsibility under their terms.

6.1 How we select and monitor providers

  • We assess privacy and information security before a provider is used.
  • We limit access to data based on need-to-know.
  • We require GDPR compliance, confidentiality, and secure handling of data.
  • We monitor providers on an ongoing basis and update this overview when material changes occur.

6.2 Overview of key providers

ProviderService areaPurposeData categories (examples)Primary storage/processing
FirebaseMobile app and EditorAuthentication, storage, app operations, and crash diagnosticsAccount/login data, pseudonymous identifiers, route data, session data (including quiz answers), technical error dataEU/EEA for database data. Some data may be processed in the US.
Here Maps / OpenStreetMapMobile app and EditorMap display and map functionalityMap requests and technical metadata related to map usageMay involve processing outside the EEA.
PostHogEditorEditor usage analytics (with consent where required)Pseudonymized analytics events and technical metadataEEA in the current setup.
VimeoEditorVideo playback and video handlingVideo-related technical metadata and playback eventsMay involve processing outside the EEA, including the US.
OpenAIEditorAI feature when actively usedPrompt and response data related to the selected AI featureMay involve processing outside the EEA. In our current API setup, input and output data are not used for model training.

6.3 Transfers outside the EEA

We aim to store and process data in the EEA when possible. In some cases, we may process limited data outside the EEA. When this happens, we use a valid GDPR transfer mechanism: either an adequacy decision (for example the EU-U.S. Data Privacy Framework where the provider is certified) or the EU Standard Contractual Clauses (SCCs), with additional safeguards where required.

Show advanced transfer information by provider
  • Firebase (Mobile app and Editor): Database data (including route data and session/answer data) is stored in Europe (EU/EEA). Account/login data may be processed in the US. Limited technical support/operations data may also be processed outside the EEA. Safeguards: EU-U.S. Data Privacy Framework (where applicable) and SCCs when needed.
  • Here Maps / OpenStreetMap (Mobile app and Editor): Map requests and related technical metadata may be processed outside the EEA. Safeguards: SCCs or other valid transfer mechanisms where required.
  • PostHog (Editor): No transfer outside the EEA in our current setup. Data is processed and stored in the EEA.
  • Vimeo (Editor): Video-related technical metadata and playback events may be processed outside the EEA (including the US). Safeguards: EU-U.S. Data Privacy Framework (where applicable) and SCCs when needed.
  • OpenAI (Editor): Prompt and response data for AI features may be processed outside the EEA. Safeguards: adequacy decisions (where applicable) and SCCs for other transfers.

6.4 Documentation available on request

We can provide relevant documentation on request, including:

  • the data processing agreement (DPA)
  • an updated sub-processor overview
  • more detailed information about transfer mechanisms used outside the EEA
  • a high-level description of technical and organizational security measures
  • the balancing test for crash diagnostics under GDPR Article 6(1)(f)

7. Storage and deletion

We keep personal data only for as long as needed for each purpose:

  • account data: while the account is active, then for a limited and documented period in line with internal routines
  • accounting and invoicing data: according to statutory retention requirements
  • cookie consent records: for as long as needed to document whether and when consent was given or withdrawn, in line with GDPR Article 7(1), so we can meet accountability and audit requirements
  • technical operations and error logs: for limited and documented periods defined in our internal security routines

For school data, including quiz responses, storage and deletion follow the controller's instructions (school owner/organization) and the data processing agreement.

For quiz responses, the standard retention period is up to 12 months. See Section 4.6 for details.

8. Security

FotsporTech AS applies technical and organizational measures to protect personal data, including access controls, logging, secure data transmission, and ongoing risk assessment.

9. Rights

Under applicable law, you may have rights to access, rectification, erasure, restriction, data portability, and objection.

  • For processing where FotsporTech AS is the controller, contact us at kontakt [at] fotspor [dot] mobi
  • For school processing, rights requests should normally be directed to the school/school owner as controller.
  • For quiz responses, specific rights flows apply for school and non-school use; see Section 4.7.

For users in Norway, Datatilsynet is the supervisory authority. Users in other countries may contact their local supervisory authority.

10. Changes to this policy

We may update this policy when needed. Material changes will be published on this page with an updated date.