Privacy Policy

1. Introduction and scope

This Privacy Policy applies to Cetegra Workspace and Cetegra Docs (together, the “Cetegra products”).

It is intended for end users of the Cetegra products and customer representatives accessing the services, and describes how Cegal AS (“Cegal”) processes personal data in connection with the operation and delivery of the Cetegra products.

This Privacy Policy does not apply to:

The public website cegal.com
Marketing activities, newsletters, or events
Recruitment or general corporate communications

These activities are covered by separate privacy notices.

2. Roles and responsibilities (controller and processor)

For most processing activities within the Cetegra products:

The customer (Cegal’s client organization) acts as the data controller for personal data relating to its users and business use of the service.
Cegal acts as a data processor, processing personal data on behalf of the customer in accordance with the applicable Data Processing Agreement (DPA).

Cegal acts as an independent data controller only for limited processing necessary to:

Operate, secure, and maintain the platform
Ensure availability, performance, and integrity of the services
Provide support and incident handling
Meet legal and contractual obligations

Where processing serves both the customer’s use of the service and Cegal’s own operational needs, Cegal acts as an independent controller only for its own processing purposes.

This Privacy Policy describes Cegal’s processing activities in both roles, where applicable.

3. Categories of personal data processed

Depending on how the Cetegra products are used, the following categories of personal data may be processed.

3.1 User and account data

User identifier (user ID)
Username or display name (which may include a work email address)
Role or persona (for example user, administrator, IT manager)
Associated tenant or company identifier
Authentication and access metadata (for example login timestamps and session counts)

3.2 Usage and technical data

Feature usage and navigation events (for example page visits, application launches, and clicks)
Pages or modules accessed
Pseudonymous user identifier (an opaque integer with no direct link to name or email)
User type within Cetegra (for example IT Admin, Advanced User, or Basic User)
Tab-lifetime session identifier (stored in browser sessionStorage, cleared on tab close)
Associated tenant or company identifier

3.3 Support and operational data

Support requests and correspondence
Configuration and environment metadata
Error logs and diagnostics related to service operation

Cetegra does not process special categories of personal data (Article 9 GDPR) within the Cetegra products.

4. Purpose of processing

Personal data is processed solely for the following purposes:

Providing, operating, and maintaining the Cetegra products
User authentication, authorization, and access control
Ensuring security, stability, and performance
Providing customer support and incident handling
Product improvement and service quality analysis
Compliance with legal and contractual obligations

Cetegra does not use personal data within the Cetegra products for:

Marketing or advertising
Profiling
Automated decision-making
Cross-service tracking

5. Legal basis for processing

Where Cegal acts as a data processor, personal data is processed on the legal basis determined by the customer as data controller, typically Article 6(1)(b) GDPR (performance of a contract), and in accordance with the applicable DPA.

Where Cegal acts as an independent data controller, processing is based on:

Article 6(1)(b) GDPR – performance of a contract
Article 6(1)(c) GDPR – compliance with legal obligations
Article 6(1)(f) GDPR – legitimate interests in operating, securing, and improving the services

Where consent-based analytics are enabled, processing is based on Article 6(1)(a) GDPR (consent), as described in the Cookie Policy.

6. Analytics and usage statistics

Cegal processes usage analytics data to improve the functionality, usability, and reliability of the Cetegra products.

Cegal uses its own in-house analytics system for this purpose. No third-party analytics provider is used. All analytics data is stored within the Cetegra platform infrastructure on Microsoft Azure within the European Economic Area (EEA).

Analytics data collected includes:

Feature usage and navigation events (for example page visits, application launches, clicks)
A pseudonymous user identifier (an opaque integer generated internally — not your real user ID, name, or email address; not visible to administrators or other users within Cetegra; only accessible to Cegal’s internal operations team with direct database access)
User type within Cetegra (derived from access permissions, for example IT Admin, Advanced User, or Basic User)
A tab-lifetime session identifier (stored in browser sessionStorage, never persisted as a cookie, cleared when the browser tab is closed)
Associated tenant or company identifier

Analytics data is not collected for:

IP addresses
Browser type or operating system
Referring or exit pages
Form content or free-text input

Analytics data is used solely for product improvement and service quality, and is not used for marketing or shared with third parties for advertising purposes.

Consent is required for any collection: If you decline or have not given consent, no usage events are collected or sent. If you give consent, all of the above is collected, including the pseudonymous user identifier.

Analytics data retention

Raw analytics events are retained for a maximum of 24 months, after which they are deleted. Aggregated usage statistics (with no link to individual users) may be retained longer for trend, capacity, and service improvement analysis.

7. Data retention

Personal data is retained only for as long as necessary to fulfill the purposes described in this Privacy Policy.

Retention periods vary depending on the type of data, including:

Account and access data
Operational and security logs
Support data
Usage and analytics data

Retention periods are defined in internal retention schedules and in the applicable Data Processing Agreement. Where Cegal acts as a processor, retention is governed by the customer’s instructions. Data is deleted or anonymized when no longer required.

Personal data is shared only where necessary to deliver and operate the Cetegra products.

This includes sharing with:

Cloud infrastructure providers
Sub-processors supporting platform operation, security, and availability

All such parties act as data processors or sub-processors under written agreements and appropriate safeguards. Personal data is never sold or shared for marketing or advertising purposes.

A current list of sub-processors is available upon request or as referenced in the applicable DPA.

9. International data transfers

The Cetegra platform is hosted on Microsoft Azure within the European Economic Area (EEA).

For Cetegra Desktop, Citrix Cloud services may also be used.

Where personal data is transferred outside the EEA, transfers are conducted in accordance with GDPR Chapter V, using appropriate safeguards such as:

EU Standard Contractual Clauses (SCCs)
Adequacy decisions where applicable

Where required, transfer impact assessments (TIAs) are performed.

10. Security of processing

Cegal implements appropriate technical and organizational measures to protect personal data, including:

Access controls and role-based permissions
Encryption in transit and at rest where applicable
Logging, monitoring, and incident response procedures
Segregation of customer environments

In the event of a personal data breach, Cegal will notify the relevant data controller and supervisory authority in accordance with GDPR requirements.

11. Data subject rights

Where Cegal acts as a data controller, data subjects have the rights provided under GDPR Articles 12–22, including the right to:

Access personal data
Rectify inaccurate data
Request erasure or restriction
Object to processing based on legitimate interests
Withdraw consent where applicable

Where Cegal acts as a data processor, requests should be directed to your employer or the organization that manages your access to Cetegra (the data controller). Cegal assists customers in responding to such requests as required by law.

For usage analytics specifically — where Cegal acts as an independent data controller — you may:

Withdraw consent at any time via Account Settings → Usage analytics in Cetegra Workspace. Withdrawal takes effect immediately on the next page load. No new data will be collected from that point forward. Previously collected data is not automatically deleted, as it was lawfully collected while consent was active.
Request erasure of previously collected analytics data by contacting Cegal through your organisation’s service desk or your Cegal contact person, or by emailing dpo@cegal.com. Cegal will anonymise all analytics events linked to your account, removing the personal data link while retaining the aggregate usage data.

12. Contact details and Data Protection Officer

Cegal AS Vestre Svanholmen 4 4313 Sandnes Norway

Data Protection Officer 📧 dpo@cegal.com

If you believe personal data has been processed in violation of applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority. In Norway, this is Datatilsynet.

Last updated: April 2026

Privacy Policy

1. Introduction and scope #

2. Roles and responsibilities (controller and processor) #

3. Categories of personal data processed #

3.1 User and account data #

3.2 Usage and technical data #

3.3 Support and operational data #

4. Purpose of processing #

5. Legal basis for processing #

6. Analytics and usage statistics #

Analytics data retention #

7. Data retention #

8. Sharing of personal data #

9. International data transfers #

10. Security of processing #

11. Data subject rights #

Analytics consent and erasure #

12. Contact details and Data Protection Officer #