This GAITLINE Digital Privacy Policy ("Privacy Policy") describes how we collect and use your information through a variety of digital means. By accessing or using this website, mobile application or other GAITLINE product or service on any computer, mobile phone, tablet, console or other device (collectively, "Device"), you consent to our Privacy Policy. GAITLINE may modify this Privacy Policy at any time, effective upon its posting. Your continued use of our products and services constitutes your acceptance of this Privacy Policy and any updates. This Privacy Policy is incorporated into, and is subject to, the Terms of Use.


1. Definitions


“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means the individual to whom Personal Data relates.

“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.


2. Data Processing


2.1 The Processor shall process Personal Data for the Purpose as described in the GaitLine Privacy Policy.

  • Before or at the time of collecting personal information, the processor identifies the purposes for which information is being collected.
  • The processor will collect and use personal information solely with the objective of fulfilling compatible purposes, unless we obtain the consent of the controller or as required by law.
  • The processor will only retain personal information as long as necessary for the fulfilment of those purposes.
  • The processor can collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the Controller.
  • Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.
  • The processor shall protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

2.2 The data is only processed and hosted within a member state of the European Union.

  • Core infrastructure (Databases, Web Servers, Log Servers and APIs) is hosted in Oslo (Norway) and in Amsterdam (Netherlands).
  • Our Content Delivery Network (CDN) contains servers outside the European Union. These servers are used as network relays to bring endpoints closer to the Data Subject. These network relays do not store any customer data, and European Data Subjects are in principle connected to a server hosted within a member state of the European Union.
  • Our server backups are hosted in the EU/EEA/EFTA and are stored for up to 6 months. Customer host and server backups are stored for up to 30 days, and access log files for up to 6 months.

2.3 Nature of the Data

GaitLine handles Data provided by Customer. Such Data may contain special categories of data depending on how the Services are used by Customer. The Data may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Customer; (ii) providing customer and technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.


2.4 GaitLine Data

Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that GaitLine shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.

To the extent any such data is considered personal data under Data Protection Laws, GaitLine is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.

Depending on how the Controller uses the service, the matter of Processing of personal data may cover the following types/categories of data:


  • Email address (if provided by end-user, thus involving a consent)
  • Phone number (if provided by end-user, thus involving a consent)
  • Activity Date and Time
  • IP Address
  • Device Type (operating system and browser)
  • Geographic Location, City, Country (guessed from the IP address)
  • Preferred language
  • Timezone
  • Website pages that were accessed
  • Professional Life Data (Position, Employer, Business and Invoicing Address)
  • Message exchanges
  • Data guessed from public information on Google (Avatar, Twitter/Facebook handle)


3. Technical and organizational provisions


3.1 The Processor will, taking into account the nature of the Processing and insofar as this is reasonably possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected.

The Processor will in any case take measures to protect Personal Data against accidental or unlawful forgery, unauthorized distribution or access, or any other form of unlawful Processing.

  • Two-factor authentication on third-party services GaitLine uses
  • Employee SSH keys are all password-protected
  • All the features are designed around security and reliability
  • Computers and servers running GaitLine Development installations are secured and up to date
  • GaitLine employees, agents, and providers are trained in data-security practices
  • All our servers and services run the latest security updates and are patched as soon as possible when patches become available.
  • GaitLine implements protection against known vulnerabilities if possible, as soon as possible after the vulnerability is known.
  • We use strong encryption techniques on all public network channels (user messages, user data).


3.2 The Processor cannot be held responsible when the Controller is using the software or processing data without following the technical guidelines or documentation provided by the Processor.


4. Data Breaches


4.1 In the event the Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.


4.2 The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for the Controller to comply with its legal obligations relating to the identified incident.


4.3 The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR.

The Processor is never obliged to report a personal data breach to the Data Protection Authority and/or the data subject.


4.4 The Processor will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisory authority and/or data subjects, as meant in Section 33 and 34 GDPR.