Privacy Policy
Cyze AS, org. no. 932 904 500 (“Cyze”, “we”, “our”), is the Data Controller for the website-monitoring platform Vioro (the “Service”). This document explains how we collect, use, share, and protect personal data when you visit our websites or use the Service, in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).
1. Data Controller
Cyze AS
Org. No. 932 904 500
Address:
2. Data We Collect
| Category | Data Items | Source | Purpose | Lawful Basis (GDPR Art. 6) |
|---|---|---|---|---|
| Account Data | Name, email, organisation, role, login identifiers | User | Create & manage your account | Art. 6(1)(b) - contract performance |
| Monitoring & Security Data | Domain names, URLs, DNS records, TLS certificate metadata, HTTP response codes and headers, probe response latency, open port lists, HTTP security header analysis, software version fingerprints (e.g. CMS, server), CVE match results, sub-domain lists, broken link reports, and other technical indicators collected during automated scans of customer-verified domains | User / automated scans | Provide uptime monitoring, TLS and DNS checks, broken link detection, and (where domain ownership is verified) security assessments and vulnerability reporting | Art. 6(1)(b) - contract performance |
| Billing Data | Stripe customer ID, subscription tier, invoice references (no card numbers stored by us) | Stripe | Payment processing | Art. 6(1)(b) - contract performance |
| Log & Usage Data | IP addresses, user-agent strings, authentication tokens, API call metadata | Service | Security, fraud prevention, audit | Art. 6(1)(f) - legitimate interest: securing the Service and preventing abuse |
| Analytics Data | Page views, session duration, browser type (via Google Analytics, only with consent) | Service | Understanding usage to improve performance | Art. 6(1)(a) - consent |
| Marketing Consent | Newsletter opt-in status, consent timestamp | User | Sending product news and updates | Art. 6(1)(a) - consent |
| Anonymised Service Data | Aggregated probe results, anonymised uptime logs, statistical reports (no PII) | Service | Service improvement, product development, historical trends | Art. 6(1)(f) - legitimate interest |
| Telemetry Data | Page load times, JS errors, network durations | Service | Performance and error tracing, no personal profiling | Art. 6(1)(f) - legitimate interest |
We do not collect special category data as defined in GDPR Art. 9, and we do not make automated decisions with legal or similarly significant effects (Art. 22 GDPR).
Technical data collected during security scans (such as software version fingerprints, CVE matches, and port scan results) may or may not constitute personal data depending on context. Where such data relates to an identifiable natural person (e.g. a sole trader’s website), it is treated as personal data and handled accordingly. Purely technical findings unrelated to any identifiable person are processed as non-personal data and may be retained by Cyze AS as proprietary service intelligence under Art. 6(1)(f).
3. How We Use Your Data
- Operate, secure, and improve the Service
- Send incident alerts and important service communications
- Issue invoices and process payments via Stripe
- Provide customer support
- Send marketing updates (only if you have explicitly opted in)
- Comply with legal obligations (e.g. Norwegian bookkeeping and tax rules)
- Develop new features through statistical analysis of aggregated, anonymised data (on the basis of legitimate interest)
4. Sub-Processors
We share data only with the vendors listed below, each bound by an Art. 28 GDPR Data Processing Agreement (or equivalent safeguard). We do not sell your data.
| Vendor | Function | Data Location | Safeguard |
|---|---|---|---|
| Google Ireland Ltd. (Analytics) | Marketing website analytics | Ireland (data may transfer to US) | Google Measurement Controller-Controller Data Protection Terms + SCCs |
| Google Ireland Ltd. (Workspace) | Email (support & internal) | United States | Google Data Processing Amendment (DPA) + Standard Contractual Clauses (SCCs, Art. 46(2)(c)) |
| Netcup GmbH | Infrastructure hosting (website, database, application servers) | Germany, EU | Art. 28 GDPR AVV (Auftragsverarbeitungsvertrag) |
| Scaleway S.A.S. | Transactional email (alerts, IAM, notifications) | France, EU | Art. 28 GDPR DPA (v. June 2024) |
| Stripe Payments Europe, Ltd. | Billing & subscription management | EU (Ireland) | Art. 28 GDPR DPA + SCCs (US parent) |
For a full list of sub-processors including certification details, see vioro.io/legal/subprocessors/.
We will notify you of any changes to this list at least 10 days in advance via email or in-app notice. You may object to a new sub-processor within that window by contacting us at .
5. International Transfers
The account data we collect (name, email, organisation, domains, etc.) is stored exclusively within the EU/EEA, on Netcup infrastructure in Germany.
Our monitoring probes run exclusively from servers located within the EU/EEA (Germany). Transactional emails are routed through Scaleway’s infrastructure in France.
Where any processing by a sub-processor involves a transfer outside the EEA (such as transfers to Google LLC in the United States via Google’s Workspace services), we rely on Google’s Data Processing Amendment (DPA) incorporating Standard Contractual Clauses (SCCs, Art. 46(2)(c)) approved by the European Commission (Implementing Decision (EU) 2021/914), supplemented by technical measures including encryption in transit and at rest.
For Google Analytics, data is processed under Google’s Measurement Controller-Controller Data Protection Terms, incorporating SCCs for transfers to Google LLC in the United States.
6. Retention
| Data Set | Retention Period | Deletion Method |
|---|---|---|
| Account & billing data | Active subscription + 6 years (Norwegian Regnskapsloven / bookkeeping rules) | Secure erasure |
| Probe & monitoring results | Up to 365 days (Founder Preview); future plans may offer shorter or longer retention per package | Automated or scheduled purge after the applicable retention period. Anonymised and/or aggregated derivatives are retained indefinitely for service improvement, analytics, and historical reporting. |
| Log & usage data | 90 days | Automated purge |
| Marketing consent records | Until consent is withdrawn + 2 years (proof of consent) | Secure erasure |
| Analytics data | Per Google Analytics retention settings (default 14 months); requires your consent | Deleted on consent withdrawal |
You may request early deletion at any time - see Section 9.
7. Security
We apply the following technical and organisational measures:
- TLS 1.3 for all data in transit
- Principle of least privilege; MFA required for all administrative accounts
- Infrastructure replicated across multiple nodes (99.9% backup durability)
- Routine penetration testing and dependency CVE scanning
- Access limited to personnel with a legitimate need to access the data
- Sensitive data fields are encrypted at rest at the field level
For detailed information on our security measures, see our Security Policy.
8. Personal Data Breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33 and Personopplysningsloven §32.
- Notify affected customers without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
Notifications to affected customers will be sent to the email address registered on your account and, where applicable, via an in-app notice.
9. Cookies & Session Management
We use analytics cookies on our marketing website. Analytics cookies are disabled by default and are only enabled with your explicit consent via the cookie consent banner.
For authentication, our identity provider (Rauthy) sets strictly necessary session cookies. To protect your account from cookie theft and session hijacking, Rauthy binds these sessions to your current IP address. If your IP address changes mid-session, the session is invalidated. This requires IP addresses to be temporarily logged and evaluated alongside your session cookies.
For full details on cookies and tracking technologies, see our Cookie Policy.
10. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Object to processing based on legitimate interest (Art. 21)
- Data portability - receive your user-entered data (name, organisation, domain list) in a machine-readable format (Art. 20)
- Withdraw consent for marketing or analytics at any time, without affecting the lawfulness of prior processing
To exercise any right, email . We will respond within 30 days. If you are unsatisfied, you may lodge a complaint with (Art. 77):
Datatilsynet (Norwegian Data Protection Authority)
www.datatilsynet.no - postkasse@datatilsynet.no
11. Children
The Service is intended for users 18 years and older. We do not knowingly process personal data of children under 18. If you believe a child has provided us with personal data, please contact us immediately at .
12. Changes to This Policy
We will notify you of material changes at least 30 days in advance via email or in-app notice. All previous versions are archived at vioro.io/legal/archive/.
We encourage you to review this policy periodically. Where changes affect consent-based processing, we will seek fresh consent as required.
Last updated: 2026-04-11
Previous versions: vioro.io/legal/archive/