Privacy Policy

Effective Date: 04.06.2025

Last Updated: 11.07.2025

1. Introduction

This Privacy Policy explains how Planviah Helgesen ("we," "us," or "our") collects, uses, processes, and protects your personal information when you use our mobile application ("Application" or "App") and visit our website at www.planviah.com ("Website"). Collectively, these are referred to as our "Services."

We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR) and Norwegian data protection legislation.

Our business operates under the name Planviah Helgesen, with our registered address at Kringsjåveien 19, 5162 Laksevåg, Norway. Our organization number is 935477549. For all privacy-related inquiries and data protection concerns, please contact us at privacy@planviah.com.

2. Information We Collect

2.1 Personal Information You Provide

When you register for and use our Application, we collect personal information that you voluntarily provide during the registration process and ongoing use of our Services. Registration information includes your full legal name, email address, telephone number, and date of birth, all of which are required to create and maintain your user account.

Through your use of the Application, you may input various types of content data that we store securely on your behalf. This includes goal setting information and progress tracking records, habit formation data and monitoring patterns, comprehensive financial information encompassing budgets, spending records, saving goals, and saving contributions, mood tracking entries and personal assessments, mental health reflection entries and personal insights, and gratitude journal entries and personal reflections.

All content data you enter into the Application is stored securely using industry-standard encryption protocols. We do not modify, alter, or manipulate the data you provide, except for necessary encryption and standard data processing operations required to provide our Services effectively and securely.

2.2 Automatically Collected Information

Our Application automatically collects certain technical and usage information to facilitate service provision and improve user experience. This includes session duration and frequency of use, feature usage patterns and user preferences, application performance data and error reports, and device information such as device model, operating system version, and unique device identifiers.

When you visit our Website, we automatically collect certain information about your device and browsing behavior. This encompasses your IP address and approximate geographic location, browser type and version information, pages visited and time spent on specific sections of our Website, referral sources and website navigation patterns, and device specifications including screen resolution information.

2.3 Third-Party Analytics and Tracking Services

We utilize several third-party analytics services to better understand user behavior and improve our Services. Google Analytics collects comprehensive website usage statistics, user behavior patterns, and demographic information to help us understand how visitors interact with our Website and identify opportunities for improvement. Singular provides mobile application attribution and analytics services, enabling us to understand how users discover our Application and analyze user engagement patterns. Facebook SDK collects usage analytics and enables marketing attribution, but only when users have explicitly consented to tracking through the iOS App Tracking Transparency framework.

These third-party analytics services are configured to collect event-driven data and usage patterns while maintaining the privacy of your personal content. Importantly, these services do not receive any of the sensitive personal content you enter into our Application, such as your personal goals, financial information, mood tracking data, or private reflections.

2.4 iOS App Tracking Transparency Compliance

In strict compliance with Apple's App Tracking Transparency framework, we request your explicit consent before tracking your activity across other companies' applications and websites for advertising purposes. This consent is entirely voluntary and can be modified at any time through your iOS device settings. We respect your choice regarding tracking preferences and will only collect additional analytics data when you have provided explicit permission.

3. How We Use Your Information

3.1 Primary Service Provision

We process your personal information primarily to create and maintain your user account, provide comprehensive access to all Application features and functionality, securely store and synchronize your personal data across multiple sessions and devices, and deliver personalized content and recommendations tailored to your specific needs and preferences within the Application.

Additionally, we use your information to respond promptly to your inquiries and provide comprehensive customer support, send important service-related notifications and system updates, and communicate about significant changes to our Services, policies, or terms of use.

3.2 Service Enhancement and Development

We analyze usage patterns and user behavior to enhance Application functionality and user experience, identify and resolve technical issues, bugs, and performance problems, develop new features and improvements based on aggregated user behavior and feedback, and conduct research to better understand user needs and preferences for future service development.

3.3 Artificial Intelligence Integration

We utilize OpenAI's application programming interface to provide enhanced, personalized features within our Application. These AI-powered services include creating personalized affirmations based on your gratitude entries from the previous week and providing interactive conversational assistance through our integrated chatbot feature.

To generate these AI-enhanced features, certain data may be transmitted to OpenAI's servers, including your gratitude journal entries for the purpose of affirmation generation, questions and messages you send to our AI chatbot, and relevant contextual information necessary to provide accurate and helpful responses.

We must disclose that data sent to OpenAI is transmitted in unencrypted format as required by their API specifications. However, OpenAI has contractually confirmed they do not use customer data for training their machine learning models. All conversations and interactions with our AI features are stored within OpenAI's systems according to their established data retention policies, over which we have limited control beyond our service agreement with them.

3.4 Marketing Communications with Explicit Consent

Only with your explicit, freely given consent may we use your information to send promotional emails about new features and service improvements, share relevant educational content related to productivity, wellness, and student success, conduct user surveys and feedback requests to improve our Services, and analyze aggregated usage patterns for marketing research purposes.

We want to emphasize that we will never use your personal Application content, including your goals, financial data, personal reflections, or any other sensitive information you input into the Application, for marketing purposes. Our marketing activities are based exclusively on aggregated usage patterns, general demographic information, and publicly available insights that cannot be traced back to individual users.

4. Legal Basis for Processing Under Data Protection Laws

Under applicable data protection regulations, including GDPR, we process your personal information based on several legal foundations. Contract performance serves as our primary legal basis for processing necessary to provide our Services and fulfill our contractual obligations under our Terms of Service. We also rely on legitimate interests for improving our Services, ensuring system security, and conducting essential business operations, provided such processing does not override your fundamental rights and freedoms.

For specific activities such as marketing communications, analytics tracking through App Tracking Transparency, and other processing activities where explicit permission is required, we obtain and rely upon your freely given consent. Finally, we process certain data to comply with applicable laws, regulations, and legal processes when legally obligated to do so.

5. Data Sharing and Third-Party Disclosure

5.1 Authorized Service Providers

We share limited, necessary information with carefully selected third-party service providers who assist us in delivering our Services. Our technology infrastructure partners include Supabase for secure database hosting and management, OpenAI for artificial intelligence processing capabilities, and Apple for user authentication and application distribution services.

Our analytics and marketing partners include Google Analytics for comprehensive website usage analysis, Singular for mobile application performance analytics, and Facebook for marketing analytics services when users have provided explicit consent through App Tracking Transparency.

All service providers are bound by strict contractual obligations to protect your information and may only use such information to provide services to us in accordance with our explicit instructions and applicable data protection laws.

5.2 Legal and Regulatory Compliance

We may disclose your personal information when required by applicable law or when we believe in good faith that disclosure is necessary to comply with legal obligations, court orders, subpoenas, or governmental requests, protect our rights, property, or safety, or that of our users or the general public, investigate and prevent fraud, security breaches, or other illegal activities, or enforce our Terms of Service or other contractual agreements.

5.3 Business Transfer Situations

In the event of a merger, acquisition, reorganization, or sale of all or part of our business assets, your personal information may be transferred to the acquiring entity. Such transfers will be subject to appropriate data protection safeguards and will be conducted in accordance with applicable privacy laws.

5.4 Commitment Against Data Sale

We do not, and will never, sell, rent, lease, or trade your personal information to third parties for their independent commercial purposes. Your personal data is used exclusively to provide and improve our Services.

6. Data Security and Protection Measures

6.1 Comprehensive Security Framework

We implement robust, multi-layered security measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. All personal data stored within our systems is protected using industry-standard encryption protocols both during transmission and while at rest in our databases.

Access to personal data is strictly controlled and limited to authorized personnel who require such access to perform their designated job functions. These individuals are bound by confidentiality obligations and receive regular training on data protection best practices. We utilize Supabase's enterprise-grade cloud infrastructure, which implements advanced security controls, regular security audits, and follows industry best practices for data protection.

Our security operations include continuous monitoring of our systems for potential security vulnerabilities, unauthorized access attempts, and suspicious activities. We maintain incident response procedures and regularly update our security measures to address emerging threats and maintain the highest standards of data protection.

6.2 Data Breach Response Protocol

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we have established comprehensive response procedures. We will promptly investigate and contain any potential breach, notify relevant supervisory authorities within seventy-two hours where required by applicable law, inform affected users without undue delay when notification is required, and implement immediate corrective measures to prevent future occurrences.

7. International Data Transfers and Global Service Provision

7.1 Worldwide Service Availability

Our Application is available globally through the Apple App Store, and we may transfer your personal data to countries outside your jurisdiction for processing, storage, and service provision. We recognize that different countries have varying levels of data protection laws and take appropriate measures to ensure adequate protection regardless of processing location.

7.2 Transfer Safeguards and Protections

When transferring personal data internationally, we ensure appropriate safeguards are implemented and maintained. This includes utilizing service providers that comply with recognized international data protection frameworks, implementing appropriate technical and organizational measures to protect data during transfer and processing, and ensuring adequate levels of protection that meet or exceed the standards required in your jurisdiction.

7.3 Third-Party Service Processing Locations

Some of our essential service providers may process your data outside the European Economic Area, including OpenAI which processes data in the United States, Supabase which may utilize various global data center locations, and Google Analytics which operates from various international locations. All such transfers are conducted in accordance with applicable data protection laws and include appropriate contractual safeguards to protect your personal information.

8. Data Retention Policies and Procedures

8.1 Active Account Data Management

We retain your personal information for the entire duration that your account remains active and as necessary to provide our Services effectively. This comprehensive retention includes all Application content data you have entered, complete account registration information, and relevant usage analytics and service interaction data that helps us maintain and improve our Services.

8.2 Account Deletion and Data Removal

Upon deletion of your account, whether initiated by you or in accordance with our Terms of Service, all personal data directly associated with your account is permanently and irreversibly removed from our systems. This data deletion process is completed within a reasonable timeframe following your deletion request, typically within thirty days.

However, certain aggregated and anonymized analytics data that cannot be traced back to individual users may persist for legitimate business intelligence and service improvement purposes. Additionally, data stored by third-party services such as OpenAI may be subject to their respective data retention policies, over which we have limited control beyond our service agreements.

8.3 Legal and Business Retention Requirements

We may retain certain information for extended periods when required by applicable laws, regulations, or legitimate business purposes such as fraud prevention, legal compliance, tax obligations, or defending legal claims. Such retention will be limited to the minimum necessary period and will be subject to appropriate security safeguards.

9. Your Privacy Rights and Data Subject Rights

9.1 Comprehensive European Data Protection Rights

If you are subject to European data protection laws, including GDPR, you possess comprehensive rights regarding your personal data. You have the right of access, which allows you to request detailed information about the personal data we hold about you and how we process it. The right to rectification enables you to request correction of any inaccurate or incomplete personal data we maintain.

Your right to erasure, also known as the "right to be forgotten," allows you to request deletion of your personal data in specific circumstances defined by law. The right to restrict processing enables you to request that we limit our processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

You also possess the right to data portability, which allows you to request transfer of your personal data to another service provider in a structured, commonly used, and machine-readable format. The right to object enables you to object to our processing of your personal data for certain purposes, including direct marketing activities.

Where our processing is based on your consent, you maintain the absolute right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

9.2 Exercising Your Rights

To exercise any of these rights, please contact us directly at privacy@planviah.com with sufficient detail about your request and appropriate identification verification. We will respond to your request within one month of receipt, unless extended timeframes are permitted by applicable law due to the complexity of your request.

9.3 Application-Based Data Management

Beyond formal rights requests, you can manage much of your data directly through our Application interface. This includes the ability to delete specific entries and content you have created, modify and update your personal information and preferences, adjust privacy settings and consent preferences for various features, and initiate account deletion directly through the Application interface.

10. Cookies and Website Tracking Technologies

10.1 Website Cookie Usage

Our Website employs cookies and similar tracking technologies to enhance your browsing experience, analyze website performance, and provide personalized content. Essential cookies are necessary for basic website functionality and security, and cannot be disabled without severely affecting your ability to use our Website. Analytics cookies, primarily through Google Analytics, collect aggregated information about website usage patterns, popular content, and user navigation behavior to help us improve our Website design and content.

Marketing cookies are utilized for advertising attribution and marketing analytics purposes, but only when you have provided explicit consent through our cookie consent mechanism or other applicable consent frameworks.

10.2 Cookie Control and Management

You maintain full control over cookie preferences through your web browser settings. Most browsers allow you to view, manage, and delete cookies, as well as set preferences for future cookie acceptance. Please note that disabling essential cookies may significantly limit the functionality and user experience of our Website.

10.3 Google Tag Manager Implementation

We utilize Google Tag Manager as a centralized system to manage and deploy various tracking and analytics tags on our Website. This service enables us to efficiently manage our marketing and analytics tools while maintaining strict control over data collection practices and ensuring compliance with privacy preferences and consent settings.

11. Children's Privacy Protection

11.1 Age Restrictions and Compliance

Our Services are specifically designed for and directed toward users aged thirteen years and older. We do not knowingly collect, process, or maintain personal information from children under thirteen years of age without verifiable parental or guardian consent as required by applicable laws, including the Children's Online Privacy Protection Act (COPPA) and similar international regulations.

11.2 Parental Consent Requirements

For users between thirteen and eighteen years of age, we may require verifiable parental or legal guardian consent where mandated by applicable laws in their jurisdiction. We take special care to ensure that such consent is properly obtained and documented before processing personal information from minors.

11.3 Inadvertent Data Collection from Children

If we become aware that we have inadvertently collected personal information from a child under the applicable minimum age without proper parental consent, we will take immediate steps to delete such information from our systems and prevent further collection until appropriate consent is obtained.

12. Privacy Policy Changes and Updates

12.1 Policy Modification Procedures

We reserve the right to update and modify this Privacy Policy from time to time to reflect changes in our data processing practices, Services, legal requirements, or business operations. When we make material changes that significantly affect how we collect, use, or protect your personal information, we will provide prominent notice through multiple communication channels.

12.2 Notification Methods

Material changes will be communicated through prominent notices displayed on our Website and within our Application, direct email notifications sent to all registered users at their provided email addresses, and push notifications through our Application when appropriate and when you have not disabled such notifications.

12.3 Continued Service Use

Your continued use of our Services after any changes to this Privacy Policy become effective constitutes your acceptance of the updated policy terms. We strongly encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal information.

13. Contact Information and Privacy Inquiries

13.1 Privacy-Related Communications

For all questions, concerns, requests, or complaints regarding this Privacy Policy or our data protection practices, please contact us directly at privacy@planviah.com. You may also reach us by postal mail at Planviah Helgesen, Kringsjåveien 19, 5162 Laksevåg, Norway.

We are committed to addressing privacy concerns promptly and thoroughly. Our privacy team will acknowledge receipt of your inquiry and provide a substantive response within a reasonable timeframe, typically within five business days for general inquiries and within one month for formal data subject rights requests.

13.2 Supervisory Authority Contact

If you believe we have not adequately addressed your privacy concerns or if you wish to lodge a complaint about our data processing practices, you have the right to contact the relevant data protection supervisory authority in your jurisdiction. For residents of Norway, this is the Norwegian Data Protection Authority (Datatilsynet), which can be contacted through their official website or postal address.

14. Additional Legal Information

14.1 Data Controller Designation

Planviah Helgesen acts as the data controller for all personal information collected through our Services, meaning we determine the purposes and means of processing your personal data in accordance with applicable data protection laws and regulations.

14.2 Policy Language and Interpretation

This Privacy Policy is written in English and represents the authoritative version of our privacy practices and commitments. In case of conflicts between this English version and any translations, the English version shall prevail and govern all interpretations.

14.3 Severability and Enforceability

If any provision of this Privacy Policy is determined to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such determination shall not affect the validity and enforceability of the remaining provisions, which shall continue in full force and effect.


Document Version Control

This Privacy Policy was last updated on 11.07.2025. By using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy and consent to the collection, use, processing, and disclosure of your personal information as described herein.