Privacy Policy
Last updated: 6 March 2026
Superbros AS ("Superbook", "we", "us", or "our") operates the Superbook platform at superbook.app. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our service.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and Norwegian data protection law.
1. Data Controller
Superbros AS
Email: bjorn.olav.salvesen+superbook@gmail.com
2. Personal Data We Collect
Account Data
- Name and email address (when you sign up)
- Password (stored as a cryptographic hash, never in plain text)
- Workspace (organization) name and membership role
Booking Data
- Bookings you create: resource, date, time, and any notes
- Location and resource information you manage
Usage Data
- Pages visited, features used, and interaction events (collected via PostHog)
- Browser type, device type, and approximate location (country level)
- IP address (anonymised in analytics)
Technical Data
- Authentication session tokens (cookies)
- Log data: timestamps, request metadata
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and maintain the service | Performance of contract (Art. 6(1)(b)) |
| Authenticate your identity | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (booking confirmations, invitations) | Performance of contract (Art. 6(1)(b)) |
| Analyse usage to improve the product | Legitimate interest (Art. 6(1)(f)) |
| Prevent abuse and ensure security | Legitimate interest (Art. 6(1)(f)) |
4. Data Processors (Third Parties)
We share data only with processors necessary to run the service:
| Processor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting | USA (EU data region available) |
| Neon | PostgreSQL database hosting | EU |
| PostHog | Product analytics | EU (eu.posthog.com) |
| Resend | Transactional email delivery | USA |
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Booking data: Retained while your workspace is active. Deleted with the workspace.
- Usage analytics: Anonymised and aggregated. Raw events retained for up to 12 months.
- Authentication sessions: Expire automatically. Session data deleted on sign-out.
6. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Receive your data in a structured format ("data portability")
- Object to processing based on legitimate interest
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, contact us at bjorn.olav.salvesen+superbook@gmail.com. We will respond within 30 days.
7. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted database connections, role-based access control, and row-level security in our database.
8. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):
- Website: datatilsynet.no
- Email: postkasse@datatilsynet.no
9. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or through the service. The "last updated" date at the top reflects the latest revision.
10. Contact
Superbros AS
Email: bjorn.olav.salvesen+superbook@gmail.com