Privacy Policy
1. Introduction and scope
This Privacy Policy applies to Cetegra Workspace and Cetegra Docs (together, the “Cetegra products”).
It is intended for end users of the Cetegra products and customer representatives accessing the services, and describes how Cegal AS (“Cegal”) processes personal data in connection with the operation and delivery of the Cetegra products.
This Privacy Policy does not apply to:
- The public website cegal.com
- Marketing activities, newsletters, or events
- Recruitment or general corporate communications
These activities are covered by separate privacy notices.
2. Roles and responsibilities (controller and processor)
For most processing activities within the Cetegra products:
- The customer (Cegal’s client organization) acts as the data controller for personal data relating to its users and business use of the service.
- Cegal acts as a data processor, processing personal data on behalf of the customer in accordance with the applicable Data Processing Agreement (DPA).
Cegal acts as an independent data controller only for limited processing necessary to:
- Operate, secure, and maintain the platform
- Ensure availability, performance, and integrity of the services
- Provide support and incident handling
- Meet legal and contractual obligations
Where processing serves both the customer’s use of the service and Cegal’s own operational needs, Cegal acts as an independent controller only for its own processing purposes.
This Privacy Policy describes Cegal’s processing activities in both roles, where applicable.
3. Categories of personal data processed
Depending on how the Cetegra products are used, the following categories of personal data may be processed.
3.1 User and account data
- User identifier (user ID)
- Username or display name (which may include a work email address)
- Role or persona (for example user, administrator, IT manager)
- Associated tenant or company identifier
- Authentication and access metadata (for example login timestamps and session counts)
3.2 Usage and technical data
- Feature usage and navigation events
- Pages or modules accessed and time spent
- Device type, browser type, and operating system
- Referring and exit pages
- IP address (processed in truncated form, see section 6)
3.3 Support and operational data
- Support requests and correspondence
- Configuration and environment metadata
- Error logs and diagnostics related to service operation
Cetegra does not process special categories of personal data (Article 9 GDPR) within the Cetegra products.
4. Purpose of processing
Personal data is processed solely for the following purposes:
- Providing, operating, and maintaining the Cetegra products
- User authentication, authorization, and access control
- Ensuring security, stability, and performance
- Providing customer support and incident handling
- Product improvement and service quality analysis
- Compliance with legal and contractual obligations
Cetegra does not use personal data within the Cetegra products for:
- Marketing or advertising
- Profiling
- Automated decision-making
- Cross-service tracking
5. Legal basis for processing
Where Cegal acts as a data processor, personal data is processed on the legal basis determined by the customer as data controller, typically Article 6(1)(b) GDPR (performance of a contract), and in accordance with the applicable DPA.
Where Cegal acts as an independent data controller, processing is based on:
- Article 6(1)(b) GDPR – performance of a contract
- Article 6(1)(c) GDPR – compliance with legal obligations
- Article 6(1)(f) GDPR – legitimate interests in operating, securing, and improving the services
Where analytics or other non-essential cookies are used, processing is based on Article 6(1)(a) GDPR (consent), as described in the Cookie Policy.
6. Analytics and usage statistics
Where users have provided explicit consent, Cegal processes usage analytics data to improve the functionality, usability, and reliability of the Cetegra products.
- Analytics are provided using Matomo, supplied by InnoCraft Ltd., acting as a data processor
- Analytics data is used solely for product improvement and service quality
- Analytics data is not used for marketing and is not shared with third parties for advertising purposes
As part of analytics processing:
- IP addresses are truncated by masking the last two bytes (for example 192.168.xxx.xxx) before storage
- Analytics tracking is disabled entirely if consent is declined
Analytics data retention
Analytics data is retained for no longer than approximately 13–26 months, unless further anonymized or aggregated so that it no longer relates to identifiable individuals. Aggregated statistics may be retained longer for trend, capacity, and service improvement analysis.
7. Data retention
Personal data is retained only for as long as necessary to fulfill the purposes described in this Privacy Policy.
Retention periods vary depending on the type of data, including:
- Account and access data
- Operational and security logs
- Support data
- Usage and analytics data
Retention periods are defined in internal retention schedules and in the applicable Data Processing Agreement. Where Cegal acts as a processor, retention is governed by the customer’s instructions. Data is deleted or anonymized when no longer required.
8. Sharing of personal data
Personal data is shared only where necessary to deliver and operate the Cetegra products.
This includes sharing with:
- Cloud infrastructure providers
- Sub-processors supporting platform operation, security, and availability
All such parties act as data processors or sub-processors under written agreements and appropriate safeguards. Personal data is never sold or shared for marketing or advertising purposes.
A current list of sub-processors is available upon request or as referenced in the applicable DPA.
9. International data transfers
The Cetegra platform is hosted on Microsoft Azure within the European Economic Area (EEA). For Cetegra Desktop, Citrix Cloud services may also be used.
Where personal data is transferred outside the EEA, transfers are conducted in accordance with GDPR Chapter V, using appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
Where required, transfer impact assessments (TIAs) are performed.
10. Security of processing
Cegal implements appropriate technical and organizational measures to protect personal data, including:
- Access controls and role-based permissions
- Encryption in transit and at rest where applicable
- Logging, monitoring, and incident response procedures
- Segregation of customer environments
In the event of a personal data breach, Cegal will notify the relevant data controller and supervisory authority in accordance with GDPR requirements.
11. Data subject rights
Where Cegal acts as a data controller, data subjects have the rights provided under GDPR Articles 12–22, including the right to:
- Access personal data
- Rectify inaccurate data
- Request erasure or restriction
- Object to processing based on legitimate interests
- Withdraw consent where applicable
Where Cegal acts as a data processor, requests should be directed to the relevant customer (data controller). Cegal assists customers in responding to such requests as required by law.
12. Contact details and Data Protection Officer
Cegal AS, Vestre Svanholmen 4, 4313 Sandnes, Norway
Data Protection Officer 📧 dpo@cegal.com
If you believe personal data has been processed in violation of applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority. In Norway, this is Datatilsynet.
Last updated: January 2026