top of page

Privacy Policy

Last updated: 07.04.2026

 

1. INTRODUCTION

This privacy policy describes how BluePaper AS ("BluePaper", "we", "us") processes personal data in connection with the delivery of BlueSearch (the "Service").

  • The declaration applies to:

  • Using the BlueSearch SaaS platform

  • Use of BlueSearch on customer websites

  • Processing of personal data in connection with customer relationships

  • Operation, maintenance and support

 

This declaration has been prepared in accordance with:

Personal Data Act

EU Regulation 2016/679 (GDPR)

 

 

2. DATA CONTROLLER

BluePaper AS

Org. no.: 935 865 247

Bakkehågån 18, 2849 Kapp

Email: thomas@bluepaper.no

BluePaper is the data controller for the processing of personal data related to:

  • Own websites

  • Own marketing activities

  • Customer relationship management

When processing personal data on behalf of a customer, BluePaper acts as a data processor, and the relationship is regulated through a separate data processing agreement (DPA).

3. TREATMENT ROLES
3.1 When BluePaper is the data controller

This applies to:

  • Customer and contact information

  • Invoice information

  • Communication

  • Use of our own websites

 

3.2 When BluePaper is a data processor

When using BlueSearch to search the customer's:

Websites

Documents

Intranet

SharePoint / Teams (by integration)

Internal knowledge bases the customer is the data controller, and BluePaper acts as the data processor.

 

4. CATEGORIES OF PERSONAL DATA

Depending on configuration and customer usage, the following categories can be addressed:

4.1 Usage data

  • IP address

  • Device information

  • Log data

  • Time of requests

  • System events

4.2 Content data

  • Textual searches

  • Document content indexed in the solution

  • Internal policies

  • Metadata

4.3 Customer and contact data

  • Name

  • Email

  • Telephone number

  • Role/position

  • Invoice information

BluePaper does not process special categories of personal data (GDPR art. 9) unless this is explicitly agreed in a data processing agreement.

 

5. PURPOSE OF THE PROCESSING

Personal data is processed for the following purposes:

  • Delivery of the BlueSearch service

  • Operation, maintenance and troubleshooting

  • Access control and security

  • Customer support

  • Invoicing and contract follow-up

  • Improving the functionality of the service

  • Compliance with legal obligations

 

6. LEGAL BASIS

Processing is carried out on the basis of:

GDPR Art. 6 (1) b) – performance of contract

GDPR Art. 6 (1) c) – legal obligation

GDPR Art. 6 (1) f) – legitimate interest

GDPR Art. 6 (1) a) – consent

 

In the case of data processing, personal data is processed exclusively according to documented instructions from the controller.

 

7. USE OF ARTIFICIAL INTELLIGENCE AND SUB-CONTRACTORS

BlueSearch uses language model technology provided by OpenAI for natural language processing.

This means that:

Textual searches can be processed via the OpenAI API

No personally identifiable data is stored in the language model itself.

Data is not used for training open models under commercial API agreement

Processing takes place in accordance with entered into data processing agreements.

BluePaper enters into necessary agreements with all subcontractors who process personal data.

An updated list of subcontractors can be provided upon request.

8. INTERNATIONAL TRANSFERS

If personal data is transferred to third countries outside the EU/EEA, this is ensured through: The EU Commission's Standard Contractual Clauses (SCC)

Data processing agreement

Supplementary technical and organizational security measures

 

9. INFORMATION SECURITY

BluePaper implements technical and organizational measures in accordance with GDPR Art. 32, including:

  • Encrypted communication (TLS/HTTPS)

  • Access control based on least privilege

  • Role-based access control

  • Logging and event monitoring

  • BackupIsolated production environments

  • Regular updating and patching

  • In the event of a security breach, procedures are followed in accordance with GDPR Articles 33 and 34.

 

10. STORAGE AND DELETION

Personal data is not stored longer than necessary for the purpose.

 

10.1 Customer data

Stored as long as the agreement is active

Deleted or returned upon termination according to agreement

 

10.2 Accounting data

Stored in accordance with the Accounting Act

 

10.3 Log data

Only kept for as long as necessary for security and troubleshooting

11. CONFIDENTIALITY

All employees and subcontractors are subject to a duty of confidentiality. Access to personal information is limited to authorized personnel with a business need.

 

12. DATA SUBJECTS' RIGHTS

Data subjects have the right to:

  • Transparency (art. 15)

  • Correction (art. 16)

  • Deletion (art. 17)

  • Restriction (art. 18)

  • Data portability (art. 20)

  • Protest (art. 21)

 

In the case of data processing matters, inquiries should be directed to the company responsible for processing.

 

13. COOKIES

BlueSearch's websites can use:

Necessary cookies

Analysis tools

Functional cookies

Users can manage cookies via browser settings.

 

14. LIMITATION OF LIABILITY

BluePaper is not responsible for:

Incorrect uploading of personal data from customer

Processing that occurs contrary to the customer's instructionsContent indexed by the customer

The customer is responsible for ensuring a legal basis for processing personal data indexed in the solution.

 

15. CHANGES

BluePaper reserves the right to update this statement by:

  • Changes in legislation

  • Changes in technology

  • Changes in service delivery

  • Updated version is published on the website.

bottom of page