Privacy Policy

What data we collect

When you create an account with DiscRetur, we collect the following information:

  • Name – to identify you as a user
  • Email address – to send notifications and for login
  • Phone number – to match you with found discs that have a phone number on the surface
  • Password – stored as a secure hash; we never see your plaintext password

When disc finders register a found disc, they may record text written on the disc surface (name and/or phone number). This information is an observed fact from the disc surface, not user-submitted personal data.

Purpose of processing

We process personal data in order to:

  • Provide you access to the service (account creation and login)
  • Notify you if a disc that may be yours is registered at a course
  • Allow you to claim found discs
  • Show course administrators relevant contact details to help disc owners

Legal basis

| Processing | Legal basis | | ---------------------------------------------- | ------------------------------------------------------------------------------ | | Account and login | Performance of contract (GDPR art. 6(1)(b)) | | Email notifications about matched discs | Performance of contract (GDPR art. 6(1)(b)) | | Disc surface PII (name/phone observed on disc) | Legitimate interest (GDPR art. 6(1)(f)) – necessary to reunite owner with disc | | Anonymous usage statistics (Google Analytics) | Legitimate interest (GDPR art. 6(1)(f)) – improving the service |

Cookies and analytics

We set strictly necessary session cookies for login. In addition, we use Google Analytics (provided by Google LLC) to collect anonymous usage statistics. Google Analytics uses cookies to collect anonymous data about page visits and user behavior. Data is processed by Google in accordance with their privacy policy. No personal data is shared with third parties for marketing purposes.

You can opt out of Google Analytics by disabling cookies in your browser, or by installing Google's opt-out browser extension.

Storage and deletion

  • Account data is stored for as long as your account is active
  • Found discs are removed from public view after the holding period expires (default: 30 days after registration)
  • Disc surface PII (name/phone on the disc) is retained as part of the factual registration record, even after the owner is found

You can request deletion of your account at any time via your account settings. After submitting a deletion request, you have 30 days to cancel. After 30 days, your personal data will be permanently deleted.

Your rights

Under GDPR, you have the right to:

  • Access – request a copy of the data we hold about you
  • Rectification – request correction of inaccurate data
  • Erasure – request deletion of your data (see above)
  • Data portability – receive your data in a machine-readable format
  • Objection – object to processing based on legitimate interest

To exercise these rights, please contact us (see below).

Contact

Questions about privacy or want to exercise your rights?

Send an email to: hei@discretur.no

DiscRetur is the data controller for the personal data described in this policy.