
Privacy policy

Last updated: 2026-05-10

This policy describes how FieldAudit handles personal data, in line with the EU General Data Protection Regulation (GDPR). It applies to people whose data we process while delivering the Service.

1. Who is responsible

FieldAudit is provided by [COMPANY_NAME] ("we", "us"). For Customer organisations using the Service, the Customer is the data controller for personal data inside their audits, submissions, and user accounts. We act as the data processor on the Customer's behalf.

For data we collect about visitors to this website (for example, contact form / email enquiries), we are the data controller.

2. What data we process

We process the following categories of personal data:

  • Account data: name, email, hashed password, role, organisation membership, login timestamps.
  • Audit content: form responses, free-text notes, photos, signatures, and (only when explicitly captured by a form field) location coordinates.
  • Device & technical data: IP address, user agent, session identifiers, error logs.
  • Sales / contact data: name, email, company, message content when you reach out via contact@normwerk.nl.

3. Lawful basis

We rely on the following lawful bases under GDPR Article 6:

  • Contract: processing necessary to provide the Service to the Customer (account, audit content, reports).
  • Legitimate interests: security logging, abuse prevention, and product improvement, where those interests are not overridden by the rights and freedoms of the data subject.
  • Legal obligation: retention of certain records (e.g. invoicing) where the law requires.
  • Consent: for any processing that requires it (e.g. marketing communications), where you can withdraw consent at any time.

4. Retention

Personal data is retained only as long as needed for the purposes above. Concretely:

  • Account data: while the account is active, plus 30 days after deletion (then deleted or anonymised, unless retention is required by law).
  • Audit content: for the duration of the Customer agreement; 30-day export window on termination, then deletion or anonymisation.
  • Device & technical logs: typically 90 days, or longer where a security investigation requires it.
  • Sales / contact data: until the enquiry is resolved, plus reasonable archival for follow-up.

5. Subprocessors

We use the following categories of subprocessors. A current named list is available on request from contact@normwerk.nl:

  • Hosting / infrastructure (EU region): application servers, database, object storage.
  • PDF rendering: server-side Puppeteer / Browsershot infrastructure for branded report generation.
  • Email delivery: transactional email provider (account verification, password reset, sales replies).
  • Error & uptime monitoring: application error reporting and uptime checks.

We sign data processing agreements with our subprocessors and require equivalent protections.

6. International transfers

Customer data is hosted on EU-region infrastructure by default. If a subprocessor processes data outside the EEA, we rely on Standard Contractual Clauses or equivalent transfer mechanisms recognised under GDPR.

7. Tenancy & isolation

Each Customer's data is isolated by tenant. Users only see data for organisations they belong to. Audit-state colors (pass / fail / flag / N-A) and platform-level safety semantics are not customisable per tenant for consistency reasons.

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data rectified.
  • Have your data erased ("right to be forgotten") subject to legal retention requirements.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data in a common machine-readable format.
  • Withdraw any consent you previously gave.

For data inside a Customer's organisation, please contact the Customer in the first instance, since they are the controller. We will support them in fulfilling the request.

For other questions, email contact@normwerk.nl.

9. Security

We protect personal data with appropriate technical and organisational measures: TLS in transit, encrypted storage at rest, access logging, role-based access control, regular dependency updates, and incident response procedures. No security is absolute, but we treat your data the way we want our own treated.

10. Cookies & tracking

We use a minimal set of strictly-necessary cookies (session, CSRF, authentication). We do not run third-party advertising or behavioural tracking on this site. Optional analytics, where used, are configured to respect Do Not Track and to anonymise IP addresses.

11. Children

The Service is not intended for use by children under 16. We do not knowingly collect data from children. If you believe a child has submitted data, please contact us so we can delete it.

12. Complaints

You have the right to lodge a complaint with your local data protection authority. We would appreciate the chance to address your concerns first; please email contact@normwerk.nl.

13. Changes

We may update this policy from time to time. The "last updated" date at the top of the page reflects the latest revision. Material changes will be communicated to Customers and Users in advance through the Service or by email.