Privacy Policy for Business Online Mobile App

Last updated: October 13, 2025

This privacy notice describes how Business Online AS («we,» «us,» or «our») collects, stores, uses, and shares personal information specifically in connection with the Business Online mobile application (the «App»).

Scope of This Policy

This privacy policy applies only to the Business Online mobile application and its functionality, including:

  • Authentication and access to your organization’s Business Online system
  • Mobile access to company documents, quality control processes, and incident reporting
  • Offline synchronization and data caching on your mobile device
  • Push notifications and mobile device permissions

What This Policy Does NOT Cover

This policy does not cover:

  • Business Online AS’s general business operations, marketing, or website (business-online.no)
  • Employment relationships or employee data management
  • Sales, customer relationship management, or marketing communications
  • Our iQS product or other Business Online services

For information about Business Online AS’s general privacy practices, employee data, marketing activities, and website operations, please see our general privacy policy.

Your Organization’s Role

The Business Online App provides you with mobile access to your organization’s Business Online system. Your organization (your employer) is the data controller for all business data accessed through the App (companies, projects, contacts, documents, incidents, etc.). Business Online AS acts as a data processor for this data on behalf of your organization.

Questions or concerns? If you have questions about this App privacy policy, please contact us at contact@business-online.no.


SUMMARY OF KEY POINTS

This summary provides key points from our App privacy notice.

What personal information does the App collect? The App collects authentication information (username, email), device information for offline functionality, and photos when you document incidents (RUH/NCR). See section 1.

Does the App process sensitive personal information? No, the App does not process sensitive personal information.

How does the App process your information? The App processes your information to authenticate your access, enable offline functionality, synchronize data with your organization’s Business Online system, and allow you to document incidents with photos. See section 2.

Where is your data stored? Your business data (companies, projects, documents, incidents) remains in your organization’s Microsoft 365 environment. The App only stores minimal configuration data in our Azure infrastructure in Western Europe. See section 5.

Does the App share your information with third parties? The App connects to Microsoft services (Azure, Microsoft 365, Entra ID) to provide functionality. We do not share your information with other third parties for marketing or other purposes. See section 4.

What mobile permissions does the App require? The App may request access to your device’s camera (for incident photos), storage (for offline documents), and push notifications. All permissions are optional and can be managed in your device settings. See section 1.

What are your rights? You have rights under GDPR and Norwegian privacy law to access, correct, or delete your personal information. See section 9.

How do you exercise your rights? Contact us at contact@business-online.no or use our data subject request form.


TABLE OF CONTENTS

  1. WHAT INFORMATION DOES THE APP COLLECT?
  2. HOW DOES THE APP PROCESS YOUR INFORMATION?
  3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?
  4. WHEN AND WITH WHOM DOES THE APP SHARE YOUR PERSONAL INFORMATION?
  5. WHERE IS YOUR INFORMATION STORED?
  6. HOW LONG DO WE KEEP YOUR INFORMATION?
  7. HOW DO WE KEEP YOUR INFORMATION SAFE?
  8. DO WE COLLECT INFORMATION FROM MINORS?
  9. WHAT ARE YOUR PRIVACY RIGHTS?
  10. CONTROLS FOR DO-NOT-TRACK FEATURES
  11. DO WE MAKE UPDATES TO THIS NOTICE?
  12. ARTIFICIAL INTELLIGENCE AND FUTURE FEATURES
  13. DATA BREACH NOTIFICATION
  14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
  15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DOES THE APP COLLECT?

Personal information you provide through the App

In Short: The App collects personal information necessary for authentication, offline functionality, and incident documentation.

Authentication Information

  • Email address (used for login via Microsoft Entra ID)
  • Username
  • Authentication tokens (encrypted and temporary)

Incident Documentation (RUH/NCR)

When you register incidents or non-conformance reports through the App, you may provide:

  • Photos and images
  • Descriptive text and documentation
  • Date and time stamps

Device Information

To enable offline functionality, the App collects:

  • Device type and model
  • Operating system version
  • App version
  • Unique device identifiers (for synchronization purposes only)

No Sensitive Information

The App does not collect or process sensitive personal information such as health data, biometric data, political opinions, religious beliefs, or trade union membership.

No Location Data

The App does not collect GPS location data or track your physical location.

Mobile Device Permissions

In Short: The App requests specific permissions to provide its functionality. All permissions are optional.

The App may request access to:

Camera Access – To take photos when documenting incidents (RUH/NCR). You can deny this permission and still use other App features.

Storage Access – To cache documents locally for offline access. You can deny this permission, but offline functionality will be limited.

Push Notifications – To receive notifications about tasks, project updates, or system messages. You can disable push notifications in your device settings at any time.

You can manage all these permissions in your mobile device settings.


2. HOW DOES THE APP PROCESS YOUR INFORMATION?

In Short: The App processes your information solely to provide mobile access to your organization’s Business Online system and enable the App’s core functionality.

The App processes your personal information for the following specific purposes:

Authentication and Access Control

  • To verify your identity via Microsoft Entra ID
  • To grant you access to your organization’s Business Online system
  • To enforce role-based access permissions set by your organization

Offline Functionality

  • To cache business data locally on your device for offline access
  • To synchronize changes made offline when you reconnect to the internet
  • To ensure data consistency between your device and your organization’s system

Incident and Quality Control Documentation

  • To enable you to photograph and document incidents (RUH/NCR)
  • To attach photos to incident reports
  • To complete project-specific quality control checklists (QCP)

Document Access

  • To provide mobile access to your organization’s governing documents
  • To enable viewing and downloading of company policies and procedures

Push Notifications

  • To notify you about assigned tasks and deadlines
  • To inform you about project updates or system messages
  • (Only if you have enabled push notifications)

Technical Functionality

  • To maintain the security and operation of the App
  • To troubleshoot technical issues
  • To improve App performance and user experience

The App does NOT process your information for:

  • Marketing or advertising purposes
  • Selling or sharing data with third parties
  • Automated decision-making or profiling
  • Any purpose other than providing the App’s functionality

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We process your personal information based on legal grounds required by GDPR and Norwegian privacy law (personopplysningsloven).

GDPR and Norwegian Law Compliance

The App processes personal information in accordance with:

  • EU General Data Protection Regulation (GDPR)
  • Norwegian Personal Data Act (personopplysningsloven)
  • Norwegian Marketing Control Act (markedsføringsloven) – where applicable
  • UK GDPR (for any UK users)

Legal Bases for Processing

We rely on the following legal bases to process your personal information through the App:

1. Performance of a Contract (GDPR Article 6(1)(b))

  • Processing is necessary to provide the App functionality that your organization has contracted for
  • To authenticate your access and deliver the mobile services

2. Legitimate Interests (GDPR Article 6(1)(f))

  • To maintain App security and prevent unauthorized access
  • To improve App performance and fix technical issues
  • To enable offline functionality for user convenience

3. Consent (GDPR Article 6(1)(a))

  • For optional features such as push notifications
  • For camera and storage permissions on your device
  • You can withdraw consent at any time through your device settings

4. Legal Obligation (GDPR Article 6(1)(c))

  • To comply with applicable laws and regulations
  • To respond to lawful requests from authorities when required

Data Controller Roles

For business data accessed through the App (companies, projects, documents, incidents), your organization is the data controller. Business Online AS acts as a data processor on behalf of your organization in accordance with a data processing agreement.


4. WHEN AND WITH WHOM DOES THE APP SHARE YOUR PERSONAL INFORMATION?

In Short: The App only shares information with Microsoft services necessary for its functionality. We do not share your information with third parties for marketing, advertising, or other purposes.

Microsoft Services (Data Processor)

The App shares information with Microsoft Corporation as a data processor, because the App is built on Microsoft infrastructure:

Microsoft Azure – Our configuration data is stored in Azure infrastructure (Western Europe)

Microsoft 365 – Your organization’s business data is accessed from their Microsoft 365 environment

Microsoft Entra ID – User authentication is handled through Entra ID (formerly Azure Active Directory)

Microsoft processes data in accordance with:

  • Microsoft’s Data Processing Agreement
  • GDPR and applicable data protection regulations
  • Microsoft’s privacy policies: https://privacy.microsoft.com

We Do NOT Share Your Information With:

  • Advertising or marketing companies
  • Data brokers or analytics companies
  • Social media platforms
  • Any other third parties for commercial purposes

Legal Requirements

We may disclose your information if required by law, such as:

  • To comply with a court order or legal process
  • To respond to lawful requests from public authorities
  • To protect our rights, property, or safety
  • To investigate potential violations of our terms

Your Organization

Information you create through the App (incident reports, checklist completions, etc.) is accessible to your organization’s administrators and authorized users according to the permissions set by your organization.


5. WHERE IS YOUR INFORMATION STORED?

In Short: Your business data remains within your organization’s Microsoft 365 environment. We only store minimal configuration data in our secure Microsoft Azure infrastructure in Western Europe.

Your Organization’s Data. This covers all business data accessed through the Business Online mobile application, including but not limited to:

  • Company and contact information
  • Project and lead data
  • Documents and files
  • Quality control checklists and processes
  • Incident reports (RUH/NCR)
  • Timeline events and communications

This data remains stored within your organization’s own Microsoft 365 tenant and environment. In most cases, this data is stored in Norway or Microsoft’s Western Europe data centers, depending on your organization’s Microsoft 365 configuration. Business Online AS does not host, store, or have direct access to this data at rest.

Configuration Data Stored by Business Online AS. We store minimal configuration data in our Microsoft Azure infrastructure located in Western Europe, including:

  • Company/organization name
  • API connection references (URLs)
  • System default language preferences
  • User authentication tokens (encrypted)

Data Deletion. When your organization terminates their Business Online subscription, all configuration data stored in our Azure infrastructure is deleted as part of the environment decommissioning process. Your organization retains full control over their business data within their own Microsoft 365 environment.

Cross-Border Data Transfers. As your data remains within your organization’s Microsoft 365 environment and our configuration data is stored in Western Europe, cross-border data transfers are limited. Any transfers are conducted in accordance with applicable data protection laws, including GDPR, and Microsoft’s data processing agreements.


6. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

Business Data. Your organization’s business data (companies, projects, documents, incidents, etc.) remains within your organization’s Microsoft 365 environment and is subject to your organization’s own data retention policies. Business Online AS does not control the retention of this data.

Configuration Data. Configuration data stored in our Azure infrastructure (company name, API references, system settings) is retained for as long as your organization maintains an active Business Online subscription. Upon termination of your subscription, this configuration data is deleted as part of the environment decommissioning process.

Account Termination. When your user account is deactivated or your organization terminates their Business Online subscription, we will delete or anonymize configuration data within 90 days, unless a longer retention period is required by law.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.


7. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. Our security measures include:

Infrastructure Security:

  • All data stored by Business Online AS is hosted on Microsoft Azure infrastructure in Western Europe
  • Microsoft Azure provides enterprise-grade security, compliance certifications (ISO 27001, ISO 27018, SOC 2), and data encryption
  • Your organization’s business data remains within your Microsoft 365 environment with Microsoft’s security protections

Authentication and Access Control:

  • User authentication is managed through Microsoft Entra ID (formerly Azure Active Directory)
  • Multi-factor authentication (MFA) support for enhanced security
  • Role-based access control (RBAC) to limit data access based on user permissions
  • Encrypted authentication tokens

Data Protection:

  • Data in transit is encrypted using TLS/SSL protocols
  • Data at rest within your Microsoft 365 environment is encrypted according to Microsoft’s security standards
  • Configuration data stored in our Azure infrastructure is encrypted at rest and in transit

Application Security:

  • Regular security assessments and updates
  • Secure coding practices
  • API security with authentication and authorization controls

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.


8. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at contact@business-online.no.


9. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Switzerland, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

In some regions (like the EEA, UK, and Switzerland), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information; (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us using the contact details provided in the section «HOW CAN YOU CONTACT US ABOUT THIS NOTICE?» below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner: https://www.edoeb.admin.ch/edoeb/en/home.html

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section «HOW CAN YOU CONTACT US ABOUT THIS NOTICE?» below or updating your preferences within the mobile application settings.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

  • Contact your organization’s administrator
  • Contact us using the contact information provided below

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

If you have questions or comments about your privacy rights, you may email us at contact@business-online.no.


10. CONTROLS FOR DO-NOT-TRACK FEATURES

In Short: We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track («DNT») feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.


11. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated «Revised» date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.


12. ARTIFICIAL INTELLIGENCE AND FUTURE FEATURES

In Short: The App currently does not use AI. We plan to integrate Microsoft Copilot in the future, and you will be notified before activation.

Current Status

As of October 13, 2025, the Business Online mobile application does NOT use:

  • Artificial intelligence (AI)
  • Machine learning (ML)
  • Automated decision-making
  • Profiling or behavioral analysis

Planned AI Integration

We are developing integration with Microsoft Copilot to enable AI-powered assistance for interacting with your organization’s Business Online data. This is a planned feature, not currently active.

Before AI Features Are Released:

We will:

  1. Update this privacy policy with detailed information about AI data processing
  2. Notify all users via email and in-app notification
  3. Provide clear opt-in/opt-out controls
  4. Explain exactly what data will be processed by AI systems
  5. Ensure compliance with EU AI Act and GDPR requirements

AI Data Processing (When Available)

When AI features launch:

  • AI processing will use Microsoft Copilot within your Microsoft 365 environment
  • Your organization’s data will remain within the Microsoft 365 tenant
  • Processing will comply with Microsoft’s AI data protection standards
  • You will have control over AI feature usage

Your Rights

You will always have the right to:

  • Choose whether to use AI features
  • Understand how AI processes your data
  • Disable AI features at any time
  • Request that your data not be used for AI training (subject to Microsoft’s policies)

We are committed to transparent and responsible AI implementation.


13. DATA BREACH NOTIFICATION

In Short: We will notify affected users promptly in the event of a data breach that may compromise your personal information.

In the unlikely event of a data breach involving personal information we process, we are committed to:

Notification Timeline:

  • Notify relevant data protection authorities within 72 hours of becoming aware of the breach, as required by GDPR
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms

Notification Content: We will inform you about:

  • The nature of the breach
  • The categories and approximate number of individuals affected
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach
  • Contact information for further inquiries

Your Organization’s Data: Since your business data remains within your organization’s Microsoft 365 environment, any breach of that data would be managed by Microsoft in accordance with their security incident response procedures and your organization’s own security policies.

Our Response: We maintain an incident response plan and work with Microsoft security teams to ensure rapid detection, containment, and remediation of any security incidents affecting our Azure infrastructure.

If you suspect any unauthorized access to your account or data, please contact us immediately at contact@business-online.no.


14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at contact@business-online.no or contact us by post at:

Business Online AS
Moseidveien 35
Stavanger, Rogaland 4033
Norway


15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on GDPR and Norwegian privacy law (personopplysningsloven), you have the right to request access to the personal information we collect from you, change that information, or delete it.

To request to review, update, or delete your personal information:

We will respond to your request within 30 days in accordance with GDPR and Norwegian privacy law.

For Business Data

Business data accessed through the App (companies, projects, documents, incidents) is controlled by your organization. For requests related to this data, you should contact your organization’s data protection officer or administrator.


ADDITIONAL PRIVACY INFORMATION

Other Business Online AS Privacy Policies

This privacy policy applies only to the Business Online mobile application. For information about other aspects of Business Online AS’s data processing, please see:

General Privacy Policy – For information about Business Online AS’s website (business-online.no), marketing activities, employment data, and general business operations:
https://business-online.no/personvernerklaering/

App Store and Marketplace

This App may be available through Apple App Store, Google Play Store, or other distribution platforms. Your use of these platforms is subject to their respective privacy policies and terms of service. Business Online AS is not responsible for the privacy practices of these platforms.


This privacy policy was last updated on October 13, 2025.

Version: 1.0 (Mobile App – First Edition)