Apier

Privacy Policy

Last updated: 2 June 2026

The Norwegian version is the legally governing version. This English version is a translation provided for convenience.

Apier is an infrastructure service (an API and an MCP server) that lets professional systems and AI agents interact with Norwegian government systems such as Altinn, Maskinporten, the Brønnøysund Register Centre, the Norwegian Tax Administration and NAV in a traceable and controllable way. This policy explains how we process personal data when you create an account with us and use the service.

Data controller

Apier is operated by Grov Digital (organisation number 833 397 982), registered in the Brønnøysund Register Centre, Norway. Grov Digital is the data controller for the personal data described here.

Privacy enquiries can be sent to support@apier.no.

Apier as a tool for businesses

Apier is a tool for businesses. When you use Apier to perform actions against government systems on behalf of a business, your requests may contain personal data, for example an organisation number, a national identity number or a name, about the people or businesses the action concerns.

For that data, Apier acts as a data processor on behalf of the customer, who is the controller. This policy primarily covers the data we process as a controller.

What personal data we process

As a controller, we process:

  • Account data: your email address, used for sign-in via magic link. We do not store passwords.
  • Business details you provide, for example an organisation number and contact details linked to your account.
  • Usage and technical data: IP address, timestamps, request metadata and logs generated when you use the service.
  • Audit and traceability data: Apier keeps an append-only audit log of actions performed against government systems. These records may contain identifiers such as an organisation number and, where relevant, a national identity number, along with the time, the outcome and the capacity in which the action was performed.
  • Error and operational data: technical error reports that help us run and secure the service.

Purposes and legal bases

We process personal data for the following purposes:

  • To provide the service you have requested — creating and managing your account, authenticating sign-in and carrying out requests against government systems. Legal basis: performance of a contract (GDPR Article 6(1)(b)).
  • To maintain a traceable, append-only audit log so that actions can be documented and verified. Legal basis: our legitimate interest in being able to document use of the service, and legal obligation where documentation requirements follow from law (Article 6(1)(f) and (c)).
  • For security, operations, troubleshooting and abuse prevention. Legal basis: our legitimate interest in a secure and reliable service (Article 6(1)(f)).

Data processors and subprocessors

To provide the service we use certain subprocessors that process personal data on our behalf, under a data processing agreement. These are currently:

  • Supabase — primary database and storage (stored in the EU, eu-north-1 Stockholm).
  • Vercel — build and edge hosting of the application (pre-launch; European region, planned migration to dedicated EU infrastructure).
  • Sentry — error tracking (no PII per scrubber config).
  • Plausible — privacy-first analytics (cookieless, no PII).
  • Betterstack — uptime monitoring and hosted status page.
  • Maskinporten (Digdir) — Norwegian government auth broker.
  • Lovdata — read-only legal-text reference (no data sent).
  • Resend — transactional email (welcome, magic link).

Where data is stored and transfers outside the EU/EEA

Personal data is stored in the EU (eu-north-1, Stockholm). Some of our subprocessors are established outside the EU/EEA or have a US parent company.

Where personal data is transferred outside the EU/EEA, this is done on the basis of the EU Standard Contractual Clauses or the EU–US Data Privacy Framework, together with appropriate technical and organisational measures.

Retention

We keep account data for as long as you have an active account, and delete or anonymise it within a reasonable time after the account is closed, unless we are legally required to keep it longer.

The audit log is append-only and is kept for as long as necessary to meet documentation, accounting and control requirements. Technical logs and error data are kept for a shorter period.

Your rights

Under the GDPR you have the right to access, rectify and erase personal data about you, and to request restriction of or object to processing, as well as the right to data portability (Articles 15 to 22).

Please note that the audit log is append-only for traceability and documentation. We may therefore not always be able to change or delete records in that log while we have a legal obligation or legitimate interest in keeping them. We explain the reason in such cases.

To exercise your rights, contact us at support@apier.no.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, www.datatilsynet.no) if you believe we process personal data unlawfully (Article 77).

Cookies

We use a strictly necessary session cookie to keep you signed in after you authenticate with a magic link. We do not use cookies for advertising or cross-site tracking. Our visit statistics (Plausible) do not use cookies.

Security

We protect personal data with technical and organisational measures, including encrypted transfer (TLS/HTTPS), data storage in the EU, password-free sign-in (magic link) and an append-only audit log. Vulnerabilities can be reported to security@apier.no.

Changes to this policy

We may update this policy. For material changes we will give notice in an appropriate way. The date at the top shows when the policy was last changed.

Contact

Grov Digital. Privacy and general enquiries: support@apier.no. Security: security@apier.no.