Privacy policy

Gaugelog is calibration management software. This policy explains what personal data we collect, why, where it is stored, who else touches it, and what rights you have.

Last updated 8 July 2026

This page is a working draft prepared for legal review. [TODO: Kristian: remove this notice after counsel has signed off]

Who we are

The service is provided by Gaugelog AS, a company registered in Norway. Organization number: [TODO: Kristian: add the organization number from the Brønnøysund register]. Registered address: [TODO: Kristian: add the registered business address of Gaugelog AS].

For anything in this policy, write to hello@gaugelog.com. We have not appointed a data protection officer. [TODO: Kristian: confirm with counsel that a DPO is not required]

Our two roles

For your account, billing and our website, Gaugelog is the data controller: we decide what is collected and why.

For the data your company puts into Gaugelog (instruments, calibration records, certificates, attachments, and the audit trail that names which of your users did what), your company is the controller and Gaugelog is a data processor. That processing is governed by our data processing agreement. If you use Gaugelog through your employer, your employer decides how that data is handled; contact them first.

Data we collect as controller

  • Account data: your name, work email and password when you sign up. If you turn on two factor authentication, we store your enrollment, never the codes.
  • Billing data: company name, billing address and, for business customers, a VAT or tax ID, collected at checkout. Card details are handled by Stripe and never reach our servers.
  • Launch list: the email address you give us on the marketing site, used only to send launch updates.
  • Support: the emails you send to hello@gaugelog.com, kept so we can help you and see the history.
  • Technical logs: our hosting providers keep short lived request logs, including IP addresses, for security and operations. [TODO: Kristian: confirm Vercel and Supabase log retention periods at legal review]

Purposes and legal bases

  • Running the service you signed up for, including notifications you configure: performance of a contract (GDPR article 6(1)(b)).
  • Keeping the service secure, preventing abuse, and short lived technical logs: our legitimate interest (article 6(1)(f)).
  • Launch updates and product emails you asked for: your consent (article 6(1)(a)). Every email has an unsubscribe link.
  • Keeping invoices and billing records: legal obligation (article 6(1)(c)) under Norwegian bookkeeping law. [TODO: accountant: confirm the exact retention period, expected five years]

Where your data lives

Your register, calibration records, certificates and attachments are stored with Supabase in Frankfurt (AWS eu-central-1), and the application runs on Vercel in Frankfurt (fra1).

Two honest exceptions: notification emails are delivered by Postmark (US), and the optional AI column guess during import is computed by Anthropic (US). Both are covered in the sections below.

AI in the product

Import uses AI once, to read your column headers. Everything after that is deterministic: the same data produces the same register, the same certificate, the same numbers, every time. No AI touches your records.

Concretely: when you upload a spreadsheet, the column headers and a few sample rows are sent to Anthropic (US) to suggest a column mapping, which you review and confirm. Anthropic does not train on this data. If you would rather not use it, you can map the columns yourself.

Third parties and subprocessors

We use a small number of vendors to run the service. The current list, with what each one does, what data it sees and where it runs, is published at gaugelog.com/subprocessors. Today that list is: Supabase, Vercel, Postmark, Anthropic, Stripe.

On the marketing site, Formspree (Formspree, Inc. (US)) receives the email address you type into the form, nothing else when you join the launch list.

We do not sell personal data, and we do not share it with anyone beyond the vendors on that list.

International transfers

Primary storage and hosting are in the EU. Where a vendor processes data in the United States (Postmark, Anthropic, and Stripe for payment processing), the transfer is covered by that vendor's data processing agreement with the EU standard contractual clauses. [TODO: Kristian: verify each vendor's current transfer mechanism at legal review, including any EU-US Data Privacy Framework certifications]

How long we keep data

  • Account and register data: kept while your account is active. When you close your account you can export everything first; we then delete your data within [TODO: Kristian: set the deletion window, for example 30 days] and it leaves backups within [TODO: Kristian: confirm the Supabase backup retention window].
  • Invoices and billing records: kept as long as Norwegian bookkeeping law requires. [TODO: accountant: confirm the exact period]
  • Launch list: until you unsubscribe or we launch, whichever comes first.
  • Notification log (which reminder emails were sent, to whom, when): kept as part of your account's audit history while the account is active.

Your rights

You can ask us for access to the personal data we hold about you, have it corrected or deleted, receive a copy in a portable format, and object to or restrict processing based on legitimate interest. Write to hello@gaugelog.com and we answer within 30 days.

If you are unhappy with how we handle your data, you can complain to Datatilsynet (the Norwegian Data Protection Authority) or to the supervisory authority in your own country.

If your data is in a customer's Gaugelog account, we will point your request to that customer and help them answer it, as the GDPR expects of a processor.

Cookies

Gaugelog sets only the cookies needed to keep you signed in: the session cookies from our authentication provider, Supabase (names starting with sb-). They are strictly necessary for the service, which is why there is no cookie banner.

We run no advertising, tracking or analytics cookies today. If we add product analytics later, we will update this policy first and ask for consent where the law requires it. [TODO: Kristian: revisit this section before enabling PostHog or any other analytics]

Security

Data is encrypted in transit (TLS) and at rest. Every account's data is scoped to that account, two factor authentication is available to all users, and the service is hosted in the EU. The technical and organizational measures are described in more detail in the data processing agreement.

Changes and contact

When this policy changes in a way that matters, we tell account owners by email before the change takes effect. The date at the top is the date of the latest revision.

Questions about privacy at Gaugelog: hello@gaugelog.com.