Privacy Policy

Last updated: March 25, 2026 · Version 2026-03-25-v1

The Norwegian version of this document is the legally binding version. English and Spanish translations are provided for convenience only — in case of any inconsistency between language versions, the Norwegian version prevails.

1. Data Controller

The data controller for the processing of your personal data is Filgueira Sanchez (sole proprietor of the Norwegian enkeltpersonforetak Magrathea ved Filgueira Sanchez), org. nr. 937 509 332, Hegnunvegen 63, 3804 Bø i Telemark, Norway. As a Norwegian sole proprietorship (enkeltpersonforetak), the data controller is the natural person operating the business. Apantula is a product name provided by this business. In this policy, “we”, “us”, and “Apantula” refer to the business identified above. Contact: [email protected].

2. Data Protection Officer

We have not appointed a Data Protection Officer (DPO). The scale and nature of our processing does not meet the criteria for mandatory appointment under GDPR Article 37, and the Norwegian Personal Data Act does not impose additional requirements for our business. Privacy questions can be sent directly to [email protected] and are answered by the business owner.

3. Personal Data We Process

We process the following categories of personal data about you as a user: account information (name, email address, language preference, authentication data from Supabase); property data you upload or record (addresses, documents, photos, financial entries, maintenance history, facts and events about the property); AI chat conversations within the service; payment information (processed by Stripe — we receive only confirmations and receipt data, not full card details); technical data (IP address, browser information, session tokens, security logs). We do not process special category data under GDPR Article 9. Providing all data is voluntary, but without account and property data we cannot deliver the service.

4. Norwegian Personal ID Numbers (fødselsnummer)

We do not actively collect Norwegian personal identity numbers (fødselsnummer or D-nummer) and never use them to identify users — we identify users solely through email and authentication data. Documents you upload (deeds, mortgage papers, insurance policies, valuation reports) may contain fødselsnummer as part of the document content. Such numbers are stored only as part of the original document, are not separately indexed for search, and are not used for any purpose other than preserving the document in its original form. This complies with Personopplysningsloven § 12, which requires an objective need for unambiguous identification — a need we do not have to deliver Apantula. If you wish to remove a fødselsnummer from a document you have already uploaded, you can edit or delete the document in the interface, or contact us for assistance.

5. Personal Data About Third Parties

Documents you upload often contain personal data about people other than yourself — for example, family members on deeds, tenants on lease agreements, co-owners, contractors on invoices, real estate agents on purchase contracts, or neighbours in correspondence. By uploading such documents, you confirm that you have a legitimate basis to share that information with us for processing. We process third-party data solely to provide the Apantula service to you, and we do not resell or repurpose it. Third parties whose personal data appears in your uploaded documents can contact us at [email protected] to exercise their rights under the GDPR (access, rectification, erasure). We will work with you as our customer to resolve such requests in compliance with GDPR Articles 14, 15, and 17.

6. Purposes and Legal Basis

We process your personal data for the following purposes, with the corresponding legal basis under GDPR Article 6: providing the Apantula service including AI analysis of documents and chat (contractual necessity, Art. 6(1)(b)); processing payments and delivering credits (contractual necessity, Art. 6(1)(b)); sending service notifications and account-related emails (contractual necessity, Art. 6(1)(b)); email marketing where you have consented (consent, Art. 6(1)(a) — you may withdraw at any time); fraud prevention and security (legitimate interest, Art. 6(1)(f)); retention of accounting documents and invoices (legal obligation under Bokføringsloven § 13, Art. 6(1)(c)). Legitimate interest assessments are available on request.

7. Automated Processing and Artificial Intelligence

Apantula uses artificial intelligence (AI) to analyze your documents and answer questions about your properties. Documents and chat messages are processed by Anthropic (Claude) for text analysis in Anthropic's global region with Zero Data Retention enabled, and by our chosen vector embedding provider for semantic search. We never use your data to train AI models, and our processors are contractually bound to do the same. AI outputs are informational only and do not constitute professional legal, financial, insurance, or technical advice — you must always verify important information independently before making decisions based on AI responses. In accordance with EU Regulation 2024/1689 (the EU AI Act) Article 50, you are hereby clearly informed that you are interacting with an AI system when you use the chat and document analysis features. We do not make any automated decisions producing legal or similarly significant effects on you within the meaning of GDPR Article 22 — all decisions about your property, finances, and use of the service remain entirely with you.

8. Recipients and Processors

We share personal data with the following processors, each under a Data Processing Agreement (DPA) in accordance with GDPR Article 28: Anthropic Ireland, Limited (AI text analysis, global region, Zero Data Retention enabled); Supabase Inc. (database, authentication, and file storage, hosted in the Sweden region); Stripe Payments Europe Ltd. (payment processing, Irish legal entity); Brevo SAS (transactional email, French legal entity). We never sell or rent your personal data to third parties for marketing purposes. An up-to-date list of all processors is available on request.

9. International Data Transfers

Your personal data is primarily processed within the European Economic Area (EEA). Where data is transferred to US processors (typically Anthropic's underlying infrastructure), we rely on the EU-US Data Privacy Framework (adopted on 10 July 2023 by the European Commission) and/or the EU's 2021 Standard Contractual Clauses (Decision 2021/914) as the legal basis for the transfer. We have conducted a Transfer Impact Assessment for our US providers, based on the adequacy decision and US Executive Order 14086. Documentation is available on request.

10. Data Retention

We retain personal data only as long as necessary for the stated purposes: active account data is retained while the account is active, plus 30 days after deletion; property documents are retained while the account is active, plus 6 months after deletion to allow you to export them; chat history is retained for 2 years or until account deletion; vector embeddings are deleted at the same time as the source document; invoices, receipts, and accounting records are retained for 5 years after issuance in accordance with Bokføringsloven § 13. After account deletion, a 30-day grace period applies for recovery; thereafter all personal data is permanently deleted from our systems and from those of our processors (with the exception of accounting documents the law requires us to retain).

11. Security Measures

We protect your personal data with technical and organizational measures in accordance with GDPR Article 32, including: encryption in transit (TLS 1.2 or newer); encryption at rest for stored documents; role-based access control following the principle of least privilege; secure password hashing; regular security updates of platform components; audit logs for sensitive operations; EU-region hosting. Despite these measures, no system is fully secure; we recommend you use a strong, unique password for your account.

12. Your Rights

Under the GDPR you have the right to: access your personal data (Art. 15); rectify inaccurate or incomplete data (Art. 16); erase your personal data (Art. 17 — function available in your profile settings); restrict processing (Art. 18); data portability in a structured, machine-readable format (Art. 20 — export function available in your profile settings); object to processing based on legitimate interest (Art. 21); and withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal. To exercise these rights, contact us at [email protected]. We will respond within one month of receiving your request.

13. Cookies and Local Storage

Apantula does not currently use HTTP cookies. All local data is stored in the browser's localStorage and sessionStorage, which are treated as “similar technologies” under Ekomloven § 2-7b. All such storage we use is essential for the service to function — we do not use any analytics, marketing, or third-party tracking technologies. The table below lists every storage entry we set. Essential storage entries do not require consent under Ekomloven § 2-7b second paragraph. If we introduce non-essential technologies in the future (for example, anonymous usage analytics), we will request your prior consent through the consent banner already present in the application, and update this policy accordingly. Until then, no action is required from you.

NameStoragePurposeDurationCategory
refresh_tokenlocalStorageKeeps you signed in across sessions via a refresh tokenUntil you sign out or the token is revokedEssential
cookie-consentlocalStorageStores your consent choice for non-essential storageUntil storage is cleared manuallyEssential
apantula_localecookieStores your selected language so the app renders in the right locale on future visitsOne year from last updateEssential

14. Data Breaches and Notification

In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34, normally by email. All qualifying breaches are reported to Datatilsynet (the Norwegian Data Protection Authority) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. We maintain an internal incident register covering all events, including those that do not trigger a notification obligation.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification. The updated policy is effective from the date stated at the top of this page. The version history below shows changes over time:

Version history

  • 2026-03-25-v1 (March 25, 2026): First published version.

16. Contact and Complaints

For privacy questions, to exercise your rights, or to report a data breach, contact us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority) at datatilsynet.no or by phone at +47 22 39 69 00.

We use essential cookies for authentication and security. With your consent, we also use analytics cookies to improve our service. Learn more