Privacy policy

Last updated: 26 May 2026

1. Who is responsible?

Travers Lab AS (org. no. 926 801 317) develops and operates Aula. We act in two roles:

  • Data controller for information about our own users — administrators and organisations using the platform.
  • Data processor on behalf of customers (municipalities, consultants, research institutions) who collect participant insight. This is governed by data processing agreements pursuant to GDPR Article 28.

Questions about privacy? Contact us at hei@aula.no.

2. What data do we collect?

Participants

When you answer a question or place an input on the map, we collect the following:

  • The text you write and any images you upload
  • Map markers with coordinates (for map activities)
  • Voluntarily provided background information (age, gender, postal code) — only if the question creator has enabled this
  • IP address — stored for up to 30 days for abuse prevention, then automatically deleted
  • An anonymous session identifier
  • Time of submission

Administrators

Email address and name for login and access management. Stored as long as the account is active.

Website

Anonymised usage statistics via Simple Analytics — no cookies and no personal data.

3. Purpose and legal basis

  • Platform delivery — necessary to fulfil the agreement between the customer and us (GDPR Art. 6(1)(b))
  • Abuse prevention — legitimate interest (GDPR Art. 6(1)(f))
  • AI synthesis — necessary to deliver the analysis service (Art. 6(1)(b)). See section 4
  • Administrator communication — legitimate interest

4. AI synthesis

Aula uses AI (Mistral) to summarise and analyse input. Key principles:

  • Data minimisation: Only aggregated free text from inputs is sent to the AI service. IP addresses, email addresses, demographic data and geo-coordinates are never sent.
  • No training: The AI provider does not use customer data to train models. This is contractually guaranteed.
  • Human in the loop: A responsible person reviews and approves all AI synthesis before it is used.
  • Traceability: Every synthesis can be traced back to the underlying inputs.

5. Security

  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Access control: Role-based access management with organisation isolation. Row Level Security in the database.
  • Automatic IP deletion: pg_cron deletes IP addresses after 30 days
  • Secrets: Stored in environment variables, never in source code

6. Retention

  • IP addresses: max 30 days
  • Participant insight: during the contract period, deleted within 30 days after project completion
  • Administrator accounts: as long as the account is active

7. Your rights

You have the right to access, rectification, erasure, data portability and objection under the GDPR. Participants should contact the data controller (the customer). Administrators should contact us directly. Requests are answered within 30 days.

8. Contact

Travers Lab AS
Org. no. 926 801 317
hei@aula.no
Phone: +47 93 08 93 80
Tøyengata 53, 0578 Oslo, Norway