Privacy Policy
Last updated: February 2026
Utenat ("we", "us") is committed to protecting your privacy. This privacy policy explains how we collect, use, store, and protect your personal data when you use our learning platform. We process data in accordance with the EU General Data Protection Regulation (GDPR) as implemented in Norwegian law through the Personal Data Act (Personopplysningsloven).
1. Data Controller
Utenat is the data controller for your personal data. You can contact us at privacy@utenat.no for privacy-related questions.
2. What Data We Collect
We collect the following categories of personal data:
Account Information
- Name
- Email address
- Password (encrypted, we never see your password in plain text)
- Profile picture (via Google account if you use Google sign-in)
- Settings (language, timezone, education level)
Study Content
- Notes and text you write in sessions
- Documents you upload (PDF, images, Office files)
- Flashcards and review data
- Calendar events and study plans
- Quizzes and attempt results
Audio Recording & Transcription
When you use the recording feature, audio clips are sent to a transcription service (Groq or OpenAI) to convert speech to text. Audio files are deleted immediately after transcription — we never store audio recordings permanently.
Technical Information
- IP address (for security and troubleshooting)
- Browser type and device info
- Cookies (see section 5)
3. Legal Basis
- Contract (Art. 6(1)(b)) — Processing necessary to deliver the service you signed up for (account data, study content, transcription).
- Consent (Art. 6(1)(a)) — For non-essential cookies and optional features. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)) — For security, troubleshooting, and improving the service.
- Legal obligation (Art. 6(1)(c)) — For accounting and tax purposes related to payments.
4. Third-Party Processors
We use the following service providers to operate Utenat. All have Data Processing Agreements (DPA) per GDPR Art. 28:
| Service | Purpose | Location |
|---|---|---|
| Vercel | Hosting and serverless functions | Stockholm, SE |
| Neon | Database (PostgreSQL) | Frankfurt, DE |
| Groq | AI chat and speech-to-text | Helsinki, FI / US |
| OpenAI | Fallback transcription | EU |
| Cloudflare R2 | File storage (EU jurisdiction) | EU |
| Stripe | Payment processing | Ireland, EU |
| Vipps MobilePay | Payment processing (Vipps MobilePay) | Oslo, NO |
| Cloudflare | CDN and DDoS protection | EU |
| Social login (OAuth) | EU |
5. Cookies
We use a minimum of cookies for the service to function:
- Session cookie — Required to keep you logged in. Expires after 7 days. (Strictly necessary)
- Preferences cookie — Stores your selected theme (light/dark). (Strictly necessary)
We do not use analytics or advertising cookies. You can manage consent via the banner at the bottom of the page.
6. Retention Period
- Account data: Stored as long as you have an active account
- Study content: Stored while the account is active, deleted within 30 days of account deletion
- Audio recordings: Deleted immediately after transcription (never stored permanently)
- Technical logs: Retained for up to 90 days
- Payment data: Retained for 5 years per Norwegian accounting law
7. Your Rights
Under GDPR, you have the following rights:
- Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — You can request that inaccurate data be corrected.
- Right to erasure (Art. 17) — You can request that your account and all associated data be deleted.
- Right to data portability (Art. 20) — You can request to receive your data in a machine-readable format (JSON).
- Right to restriction (Art. 18) — You can request that processing of your data be restricted.
- Right to object (Art. 21) — You can object to processing based on legitimate interest.
- Withdrawal of consent — You can withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.
To exercise your rights, go to Settings → Data in the app, or email privacy@utenat.no. We will respond within 30 days.
You also have the right to file a complaint with Datatilsynet (datatilsynet.no) if you believe we are processing your personal data in violation of GDPR.
8. International Data Transfers
We store data primarily in the EU/EEA (Stockholm, Frankfurt). Some providers (Groq) may process data in the US. In such cases, transfers are covered by the EU-US Data Privacy Framework and/or EU Standard Contractual Clauses (SCCs).
9. Children
Utenat is intended for students aged 16 and above. We do not knowingly collect personal data from children under 16. If you discover that a child under 16 has created an account, please contact us so we can delete the account.
10. Changes to This Policy
We may update this privacy policy from time to time. For significant changes, we will notify you via email or an in-app notification. Continued use of the service after notification constitutes acceptance of the changes.
11. Contact Us
Have questions about privacy? Contact us at privacy@utenat.no.