Papirfly Platform Privacy Policy

1. Introduction

Papirfly AS (“we“, “our” or “Papirfly“) value the trust of our platform visitors, and your privacy is important to us.

We are committed to protecting the privacy and security of your personal data. This privacy policy describes how we collect, store, process and protect your personal data in accordance with the General Data Protection Regulation (GDPR). The privacy policy applies to all individuals who visit or use our platforms.

2. Our contact details

Papirfly is the controller for the processing activities set out in this privacy policy. Please feel free to contact us if you have any questions related to how we process your personal data through the following contact details:

Address: Papirfly AS, Universitetsgata 2, 0164 Oslo, Norway

Contact person: Marianne Barstad 

Email: dpo@papirfly.com

3. How we process your personal data

Personal data means any information about an individual from which that person can directly or indirectly be identified. We collect and process personal data about our platform users directly from our users when they login and then we anonymise their personal data before they interact with our platform, in accordance with applicable laws, regulations  and our internal routines. 

Papirfly processes personal data for the following purposes: 

  • We process your name, email, UserID and username when you login for the purpose of enabling you to access and use our service. The legal basis for the processing of personal data for such a purpose is our legitimate interest in enabling access to our services.
  • We process your anonymised personal data as well as operational events in your interaction with our services (such as when clicking “downloads”, “uploads”, “creations, “Log In”, “deleted” and “View”) for the following purposes:
    • improving, customising, and expanding our service. 
    • understanding and analysing how you use our service. 
    • developing new products, services, features, and functionality.   

We do not process special categories of personal data about you.

3.1 AI facial recognition in Papirfly’s DAM platform (optional feature in “Place”)

Facial Recognition

Papirfly’s Digital Asset Management platform (“Place”) includes an optional AI-powered facial recognition feature that allows users to identify and group images containing similar faces. This feature is disabled by default and is only activated upon explicit customer request.

Data Processed

When facial recognition is enabled, the system processes the following:

  • The uploaded image file (for the purpose of detecting faces)
  • Bounding box coordinates representing where a face appears in the image
  • AWS (Amazon Web Services) Rekognition Face ID (a non-reversible mathematical representation used for matching)
  • Papirfly Person ID (used for grouping similar faces across a customer archive)
  • Confidence scores and general facial metadata that is not personally identifying

Papirfly does not generate or store biometric templates. AWS Rekognition stores only non-reversible feature vectors which cannot be used to reconstruct an individual’s face. If any person is named or identified, this is done manually by the customer within their own environment.

Facial recognition is used solely for organisational and asset management purposes, such as grouping, searching, or managing consent for images containing the same individual.

For this feature, Papirfly acts as a data processor; customers act as data controllers and are responsible for ensuring they have a lawful basis for using facial recognition in accordance with applicable data protection laws.

Data Location and Sub-Processors

All processing takes place within the European Economic Area:

  • Image assets are stored in AWS S3 located in the EU region – Ireland & Sweden.
  • Facial detection and similarity matching are performed using AWS Rekognition in the EU region.
  • Associated metadata and indexing are stored within Papirfly’s EU-based infrastructure.

For this feature, data is not transferred outside the EEA. AWS does not use customer content to train or improve AWS or third-party AI models. Facial recognition data is isolated per customer through separate Rekognition collections.

Retention

Facial metadata is stored only while the associated image exists in the platform. When an image is deleted, all related facial recognition data (including Face IDs and Person IDs) is automatically removed from Papirfly’s systems and from the customer’s AWS Rekognition collection.

Individual Rights

Individuals may request that identified Persons or assigned names be removed. This can be done by platform administrators.

If full deletion of facial data is required, this is achieved by deleting the associated asset, which triggers complete removal of all related facial recognition data in both Papirfly and AWS Rekognition. See Section 8 for how to exercise your rights.

Automated Decision-Making

No automated profiling, classification, identity verification, or decision-making is performed. The functionality is limited to detecting and grouping visually similar faces to support organisational workflows.

Security

Papirfly applies industry-standard security measures, including encrypted storage, tenant separation, access controls, and data processing solely within certified AWS environments.

4. Who do we share your personal data with and processing outside the EEA

We use data processors to assist us with various processes and services, to whom we share personal data. The data processors we use are suppliers of IT systems and other technical systems who perform tasks on our behalf and according to our instructions.  We have entered into data processing agreements with our data processors to ensure that personal data is processed lawfully and according to our instructions, and where the data processors undertake the same level of security as we have for our processing of personal data. 

In some situations, we need to share your personal data with third parties in connection with mergers, demergers and possible acquisitions. We may also share personal data with other third parties, if necessary, for example, if required by law (for example, with public authorities).

For the normal operation of our services, the processing will take place, and the personal data will be stored in the following locations (state/country):

  • Amazon Web Services: Stockholm, Sweden (AWS Europe)
  • Amazon Web Services: Virginia, US (AWS US) – applicable only to US customers

Our processing of personal data may involve transfer to countries outside the EEA. We are taking appropriate measures, in accordance with GDPR Chapter V, to ensure that such transfers are lawful. For more information, please contact us.

5. Use of cookies

We use cookies on our website. Cookies are small text files that are stored on your computer. More information about cookies and which cookies are used on our website can be found in our cookie policy.

6. Security

We have physical and technical measures as well as procedures appropriate for protecting personal data depending on the type of data. These measures are designed to protect your personal data from accidental loss, unauthorised access, accidental copying, use, alteration and disclosure.

7. How long we store your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, after which it will be deleted or archived except to the extent that it is necessary for us to continue to process it for the purpose of compliance with legal obligations to which we are subject or for another legitimate and lawful purpose. To determine the appropriate retention period for personal data, we take a number of factors into account.

In some circumstances we may anonymise your personal data so that you are no longer identifiable, in which case we may use such information without further notice to you.

8. Your rights

You have a number of rights related to our processing of your personal data. You have the right to access, correction, limitation, deletion and data portability in connection with our processing of your personal data. You also have the right to object to our processing of personal data. 

Please note, however, that certain personal data may be exempt from such access, correction and deletion requests pursuant to applicable data protection laws or other laws and regulations.

If you want to make a request in respect of your rights relating to your personal data, please email or write to our contacts which are shown above. We will respond to your inquiry as soon as possible, and at the latest within 30 days. If it takes longer than 30 days, you will be notified. If your request or concern is not satisfactorily resolved by us, you can contact Datatilsynet at datatilsynet.no or your local supervisory authority.

9. Changes to this privacy policy

We might update this privacy policy when there is a change in our practices, change in legislation or when we have a need for it. You can always find our latest privacy policy on our platforms, and we will provide you with a new policy when we make any substantial updates. 

If you have any questions about this privacy policy, please contact us through the contact details set out above.

This Privacy Policy was last updated on: 04/03/2026

Table of contents:

  1. 1. Introduction
  2. 2. Our contact details
  3. 3. How we process your personal data
  4. 4. Who do we share your personal data with and processing outside the EEA
  5. 5. Use of cookies
  6. 6. Security
  7. 7. How long we store your personal data
  8. 8. Your rights
  9. 9. Changes to this privacy policy