Privacy Policy

Last updated: March 17, 2026

This privacy policy describes how Redor AS (hereinafter “we”, “us” or “Redor”) collects, uses, stores and protects your personal data when you use Bungaflow. This policy applies to all users of the service, including guests who use the guest portal.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act. By using Bungaflow you consent to the collection and use of information in accordance with this privacy policy.

Capitalised terms have the meanings defined in our terms of use.

I. Definitions

  • “Data Controller” — Redor AS, org. no. 916 505 310, which determines the purpose and means of processing personal data.
  • “Personal Data” — any information that can directly or indirectly be linked to an identified or identifiable natural person, including name, email address, IP address, device identifiers and location data.
  • “Processing” — any operation performed on personal data, whether automated or not, such as collection, recording, organisation, storage, adaptation, disclosure or deletion.
  • “Data Processor” — a third party that processes personal data on behalf of the data controller. This includes our service providers.
  • “Data Subject” / “You” — the natural person whose personal data is processed, including users of the service and guests.
  • “Service” — the Bungaflow platform, including the web application, APIs, guest portal and related services, available at bungaflow.com.
  • “Usage Data” — data collected automatically when using the service, such as IP address, browser type, pages visited and timestamps.
  • “Cookies” — small data files stored on your device to recognise you and store preferences.

II. Collection and use of personal data

a. Personal data we collect

When you use Bungaflow we may ask you to provide the following personal data:

  • Email address
  • Full name
  • Unit information (address, name and type of shared property)
  • Usage data

b. Usage data

Usage data is collected automatically when you use the service. This may include IP address, browser type and version, the pages you visit, time of visit, time spent on pages, unique device identifiers and other diagnostic data.

When you use the service via a mobile device we may also collect information about device type, mobile ID, operating system and browser type.

c. Content you submit

In addition to personal data we process content you actively submit to the service:

  • Bookings and calendar data
  • Expenses and receipts (including images)
  • Maintenance logs, FDV documents and damage reports
  • Tasks and checklists
  • Guestbook entries and cabin journal entries
  • Messages between members
  • House rules
  • Inventory, emergency supplies and insurance information
  • Contact registry (e.g. plumber, electrician)
  • Local guide information (nearby places and services)
  • Service orders placed through organizations (including preferred delivery date and comments)
  • Activity log (actions performed in the unit)
  • Unit information such as WiFi passwords (encrypted with AES-256-GCM)

d. Push notifications

If you enable push notifications we store the technical information (endpoint, keys) necessary to deliver notifications to your device. This information is deleted when you disable notifications or delete your account.

e. Data from the guest portal

Guests using the guest portal via a shared link do not need to create an account. We do not collect personal data from guests unless they actively submit information, for example guest book entries (name and message). IP addresses may be temporarily logged in server logs for security purposes.

III. Cookies and tracking technologies

We use cookies and similar technologies to operate and improve the service. Cookie consent is managed by Cookiebot (Usercentrics), our consent management platform (CMP).

a. Necessary cookies

These are required for the service to function and do not require consent:

  • Session cookies: Supabase auth token for login and session management.
  • Language preference: Stores chosen language.
  • Cookiebot consent: Stores your cookie preferences.
  • Theme preference: Stores light or dark theme choice (localStorage).

b. Preference cookies

Remember your choices and settings to provide a better user experience. Only set with your consent.

c. Statistics cookies

Analytics cookies that help us understand how the service is used so we can improve it. Only set with your explicit consent.

d. Marketing cookies

Not currently in use, but the category exists in Cookiebot for future use. Never set without your consent.

You can change your cookie settings at any time via the Cookiebot banner or the “Cookie settings” link in the footer. A complete and automatically updated overview of all cookies can be found in Cookiebot's cookie declaration on the website.

IV. Legal basis for processing

We process personal data on the following legal bases under the GDPR:

  • Contract (Art. 6(1)(b)): Processing necessary to fulfil the agreement with you — account creation, authentication, booking, expense splitting, maintenance log, tasks, notifications and delivery of the service.
  • Consent (Art. 6(1)(a)): Optional cookies (statistics, preferences, marketing), newsletters and processing of data via the AI assistant.
  • Legitimate interest (Art. 6(1)(f)): Service development, bug fixing, security, fraud prevention, improvement of user experience, and sending product news, company news and service updates to existing users. We carry out a balancing test to ensure that your rights are not overridden.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with statutory requirements, such as accounting legislation and notification of security breaches.

V. Use of personal data

We use your personal data for the following purposes:

  • Account management: Create and manage your user account, authenticate you and grant access to the service's features.
  • Service delivery: Deliver core functionality such as booking, expense splitting, maintenance log, task lists, guest portal and messages.
  • Communication: Send you push notifications, email notifications about account changes, security updates and changes to terms, as well as product news, company news, new partnerships and service updates. You may unsubscribe from non-essential emails at any time via the unsubscribe link in the email.
  • Payment: Process subscription payments via Stripe (we do not store your payment card details).
  • AI assistant: Deliver AI-based assistance via OpenAI. Data you send to the AI assistant is processed by OpenAI in accordance with their data processing agreement.
  • Service improvement: Analyse usage patterns to improve functionality, performance and user experience.
  • Security: Detect and prevent fraud, abuse and security threats.
  • Legal obligations: Comply with statutory requirements such as accounting and reporting.

VI. Sharing of personal data

We do not sell your personal data. We may share personal data in the following situations:

  • With data processors: We share personal data with service providers that process data on our behalf (see section VII). All data processors are bound by data processing agreements in accordance with GDPR Art. 28.
  • With other users: Information you share within a unit (bookings, messages, guest book entries) is visible to other members of that unit. Guest book entries are visible to anyone with access to the guest portal.
  • Within organizations: If your unit is linked to an organization, the organization administrator may see your unit name and member information. Announcements, documents, and messages shared through the organization are visible to all organization members.
  • With service suppliers: When you place a service order through an organization, your name, email address, unit name, unit address, preferred delivery date, and any comments you provide are shared with the third-party supplier via email. The supplier may reply directly to your email address. Payment is arranged directly between you and the supplier — Bungaflow does not process payments for service orders.
  • In a business transfer: If Redor merges with, is acquired by, or transfers substantial assets to another business, personal data may be transferred. You will be notified in advance.
  • For legal requirements: We may disclose personal data if legally obliged to do so, or to protect Redor's rights, users' safety or the public interest.
  • With your consent: We may share personal data for other purposes if you give your explicit consent.

VII. Third-party services (data processors)

The following third-party services process personal data on our behalf to deliver the service:

a. Supabase — Authentication and database

Supabase handles user authentication (magic link and Google login) and stores data in a PostgreSQL database hosted in EU-West (Ireland). Supabase is GDPR-compliant and offers a data processing agreement.

Privacy: supabase.com/privacy

b. Stripe — Payment processing

Stripe handles all payments and subscriptions. We do not store card numbers or payment details — these are processed directly by Stripe, which is PCI DSS certified.

Privacy: stripe.com/privacy

c. OpenAI — AI assistant

Bungaflow's AI assistant uses OpenAI (GPT-4o-mini) via API. Data you send to the AI assistant is transferred to OpenAI for processing. OpenAI does not use API data to train its models. Do not share sensitive personal data in the chat. The AI assistant respects role-based access control — Lite members can only access the AI assistant if enabled by their administrator, and the data shown is filtered based on administrator-configured modules.

Privacy: openai.com/policies/privacy-policy

d. Vercel — Hosting and CDN

Vercel hosts Bungaflow and delivers content via its CDN. Server logs may contain IP addresses and usage data.

Privacy: vercel.com/legal/privacy-policy

e. Cookiebot (Usercentrics) — Consent management

Cookiebot manages cookie consent and scans the website for cookies. Cookiebot stores your consent choices.

Privacy: cookiebot.com/en/privacy-policy

f. Resend — Email delivery

Resend handles the sending of transactional emails (welcome, invitations, notifications and feedback). Email addresses are transferred to Resend for delivery.

Privacy: resend.com/legal/privacy-policy

g. Google Analytics (Google Tag Manager) — Website analytics

We use Google Analytics via Google Tag Manager to analyse website usage. Analytics cookies are only set with your consent via Cookiebot. Google may process IP addresses and usage data.

Privacy: policies.google.com/privacy

h. OpenStreetMap (Nominatim / Overpass) — Geocoding and local guide

We use Nominatim for geocoding (converting addresses to coordinates) and Overpass API for finding nearby places for the local guide feature. The unit's address and coordinates are transferred to these services.

Privacy: osmfoundation.org/wiki/Privacy_Policy

i. Norwegian Meteorological Institute (MET) — Weather forecasts

We fetch weather forecasts from MET's API based on the unit's coordinates. Only coordinates are transferred — no personal data.

Privacy: met.no/om-oss/personvern

j. iCal import — Calendar synchronisation

Users can import bookings from Airbnb, Booking.com, Finn.no and Google Calendar via iCal feeds. These services are subject to their own privacy policies. We only fetch calendar data (dates and booking details) from these sources.

VIII. Transfer of personal data

Your personal data may be transferred to and stored on servers outside Norway/EEA, as some of our data processors have infrastructure in other countries (primarily the USA).

When transferring data to countries outside the EEA we ensure an adequate level of protection through:

  • EU Commission adequacy decisions (e.g. EU-US Data Privacy Framework)
  • Standard Contractual Clauses (SCCs) adopted by the EU Commission
  • Data processing agreements with relevant security measures

IX. Storage and deletion of personal data

We store personal data only as long as necessary for the purposes described in this policy, or as long as we are legally required to retain them.

  • Account data: Stored as long as the account is active. Upon account deletion, personal data is removed within 30 days, except for data we are legally required to retain.
  • Usage data: Stored for a short period for analysis and troubleshooting, unless longer retention is necessary for security or legal purposes.
  • Payment data: Stripe retains transaction data in accordance with PCI DSS requirements and applicable accounting legislation.
  • Server logs: IP addresses and technical logs are automatically deleted after 30 days.

Bungaflow offers an export function in the settings that allows you to download all data associated with a unit. We recommend using this regularly to maintain your own backup of your data.

You may at any time request deletion of your account and associated personal data by contacting us at hei@redor.no.

X. Data security

We take the security of your personal data seriously and have implemented technical and organisational measures to protect them:

  • Sensitive data (e.g. WiFi passwords) is encrypted with AES-256-GCM before storage.
  • All traffic is transmitted via HTTPS/TLS.
  • Security headers such as HSTS, X-Frame-Options and Content-Security-Policy are enabled.
  • Authentication is handled by Supabase with secure session management.
  • Regular security reviews of code and infrastructure.
  • Role-based access control (Admin and Lite) with configurable page access ensures users only have access to data they are authorised for.

No method of transmission over the internet or electronic storage is 100% secure. We strive to use commercially acceptable methods to protect your personal data but cannot guarantee absolute security.

In the event of a security breach affecting personal data we will notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours (GDPR Art. 33) and affected users without undue delay if the breach poses a high risk to the data subject's rights and freedoms (GDPR Art. 34).

XI. Your rights under the GDPR

As a data subject you have the following rights under the GDPR:

  • Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data, and if so, to access the data and information about the processing.
  • Right to rectification (Art. 16): You have the right to have inaccurate personal data about you corrected without undue delay.
  • Right to erasure (Art. 17): You have the right to have your personal data deleted when there is no longer a legitimate basis for processing.
  • Right to restriction (Art. 18): You have the right to request that processing be restricted in certain situations.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transfer them to another data controller.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Exercising your rights

To exercise your rights, contact us at hei@redor.no. We may ask you to verify your identity before processing the request. We will respond within 30 days of receiving the request. For complex or numerous requests the deadline may be extended by a further 60 days, with prior notice to you.

You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe that the processing of your personal data violates the GDPR or Norwegian data protection legislation.

Datatilsynet: datatilsynet.no

XII. Automated decisions and profiling

Bungaflow does not use automated decision-making or profiling as defined in GDPR Art. 22 that has legal or similarly significant effects on you. The AI assistant provides information and suggestions but does not make decisions on your behalf.

Expense calculations, cost allocation, and other calculations in the service are tools — not financial or legal advice. You are responsible for verifying calculations and making your own decisions.

XIII. Children

Bungaflow is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us so we can delete the information.

Children over 16 may have a “Lite” role in a unit, but the account must be created and managed by a guardian.

XIV. Links to other websites

The service may contain links to external websites not operated by us (e.g. iCal sources, Stripe payment portal, OpenAI). We have no control over and accept no responsibility for the content, privacy policies or practices of these third-party websites. We recommend that you read the privacy policy of each website you visit.

XV. Changes to this privacy policy

We may update this privacy policy to reflect changes in the service, legislation or our practices. For material changes you will be notified at least 30 days in advance via email.

The “Last updated” date at the top of the document is updated with every change. We recommend that you review this policy regularly.

XVI. Contact information

If you have questions about this privacy policy or wish to exercise your rights, you can contact us:

Data Controller:

Redor AS
Org. no. 916 505 310
Email: hei@redor.no
Website: www.redor.no

Supervisory authority:

Datatilsynet (Norwegian Data Protection Authority)
www.datatilsynet.no