Privacy policy

Policy active as of 1 July, 2018

About this document

This privacy policy describes information that Apps AS (“Apps”, “we”, “our”), and its affiliates (collectively, “Apps”) collect, process, share, and store, including personal information, for use with the Sonya Enterprise Mobility suite of Apps, including the Sonya Go app and any related services (collectively, “Sonya”).

You may contact Apps at or Vulkan 16, 0178 Oslo, Norway.


Protecting your privacy is a core part of the Apps mission. You trust us to take care of your data, and we strive to be worthy of that trust.

We pledge to:

  1. Be transparent about how we collect, use and store your data.
  2. Use your data only for the purpose for which we have collected it.
  3. Not to collect or process more personal data than we need in order to provide you with the Sonya services and continue to develop those services for your benefit.
  4. Design Sonya to inherently protect your privacy (privacy by design).
  5. Not to store personal data for longer than needed or instructed by you.
  6. Enable you to delete and correct personal data that is wrong or you do not wish to keep.
  7. Ask for your permission before we share your data with third parties, and only to share your data when it benefits you as a customer.
  8. Use the best available security practices and tools to protect your data.

By using Sonya, you agree to allow us to collect and process information as described below.

Roles and purpose

In case your employer has ordered Sonya for you as an end-user (“business end-user”), your employer is the data controller. If you have any questions or complaints, you will need to contact your employer. Apps is the data processor for your data, including any personal data you provide.

If you have downloaded Soya for your own purposes, Apps is the data controller. You may contact Apps regarding any questions you may have, including regarding access, rectification and erasure.

The purpose of processing your personal data is to digitalize different tasks in your workday, by time tracking your workday in Sonya Hours, handle work related expenses with Sonya Expenses, manage HSEQ with Sonya HSEQ and mileage reimbursement with Sonya Go.

What that means in terms of what data we collect and process, how and where we process it, and for how long, is described below.

It is important that you read this, as you by taking Sonya into use, gives us (and your employer, in case you are a business end-user) your consent to process your personal data.

Legal basis for the processing

If you use Sonya for your own purposes the legal basis for the processing of personal data is GDPR art 6 1 b) necessary for the performance of a contract to deliver Sonya to you. In case you are a business end-user, part of the processing is required in order to fulfil the agreement we have with your employer (the data controller). Any local tracking through Sonya Go is based on your consent. You may at any time withdraw this consent directly in the Sonya Go app.

Your personal data is processed in accordance with the Norwegian Data Protection act, which incorporates the EU general data protection regulation 2016/679 (GDPR).

This give you strong rights as a data subject. Hereunder you have the right to:

  • have your personal data deleted
  • have any incorrect data corrected
  • data portability
  • information from the data controller (your employer) regarding the data processing
  • lodge a complaint with a supervisory authority

Norwegian law applies.

Any surrender of data is voluntary, but some basic information is needed to enable Sonya to operate.

What data we collect

The Sonya apps collect:

  • Information when you register as a customer or user. When you first take Sonya into use, you will be asked to create a user account, and enter information such as your name, address, e-mail, signature, bank account number and the name and address of your employer.
  • Data entered by you, for instance travel information, receipts and refund forms required for accounting purposes, HSEQ-reports, time and attendance information.
  • IP addresses, log data and other diagnostic data. This is logged for diagnostic and security purposes.
  • Location data, if you are using the Sonya Go app, and have enabled location-tracking.

The Sonya web collect:

The Sonya website ( uses Google Analytics for statistical data analysis. We may also use other third-party analytics and marketing services. The Sonya website employs cookies for this purpose. We also use cookies to track your user session.

How we use your data

The information we collect is used to provide, develop and improve Sonya, including information necessary to improve our service and safety features. We or our partners may use your contact details to send you information, or to ask you to participate in surveys about your Sonya use.

We may also use this information in an aggregated, non-identifiable form for research purposes and to help us make decisions on the direction of sales, marketing, product development and business activities.

We may use service providers to perform some of these functions. Those service providers are restricted from sharing your information for any other purpose.

We use industry-standard methods to keep this information safe and secure while it is transmitted over your network connection and through the Internet to our servers. Depending on your location and type of data, Apps may process your personal information on servers that are not in your home country.

All information and all files uploaded to Sonya are encrypted upon uploading to our cloud-based service, currently operated by Amazon Web Services (AWS). Your bank account number is also encrypted before it is saved to our database.

Where we process your data

The personal data we collect from you is transferred to our European data processing centre. Currently this data centre is operated by AWS, which is the world largest data centre operator for cloud services. AWS is world renowned for its industry leading security and performance. Read more at

The AWS data centres we use are placed within the European Union (EU) and/or European Economic Area (EEA). Audio and video data is never transferred out of the EU or EEA. In order to provide you with the best possible service, selected and limited parts of the Sonya services, such as SMS verification, may be performed by suppliers located outside the EU or EEA. If so, the data export will take place in accordance to EU requirements, such as in accordance with the EU Model Contract (Commission Decision 2010/593 or similar) or to entities certified under the EU US Privacy Shield arrangement.

Data sharing

Apps does not share personal information for any commercial or marketing purpose unrelated to the delivery of Apps products and services without asking you first.

The following are the limited situations where we may share personal information:

  1. With your explicit consent: We may share personal information when we have your consent. One example of this would be if you sign up for additional programs offered by our partners. If you do this, we may share certain information with the partner.
  2. For external processing: We have vendors, service providers, and partners who may help with some of our data processing and storage, including customer support services at our partners. They may also assist with monitoring our servers for technical problems. These vendors (as well as Apps’ personnel) can access certain information about you and your account in order to carry out their work. They are not allowed to use this data for non-Apps purposes.
  3. As part of business transitions: Upon the sale or transfer of the company and/or all or part of its assets, your personal information may be among the items sold or transferred. We will request a purchaser to treat our data under the privacy statement in place at the time of its collection.
  4. For legal reasons: We may provide information to a third party if we believe in good faith that we are required to do so for legal reasons. For example, to respond to legal process, or comply with applicable law.
  5. We may share non-personal information (for example, aggregated or anonymized customer data) publicly and with our partners. For example, we may publish research on, or help us generally improve our system. We may also share non-personal information with our partners, for instance if they are interested in offering other services on Sonya. We take steps to keep this non-personal information from being associated with you and we require our partners to do the same.
  6. Your personal information may be collected, processed and stored by Apps or its service providers within the European Union, the EEA, or locations regulated by EU style privacy regulations. As a result, your personal information may be subject to legal requirements, including lawful requirements to disclose personal information to government authorities, in those jurisdictions.

How long we store your information

Apps generally stores your personal information on Apps’ servers for as long as you or your employer remain an Apps customer. To the extent there are legal requirements for duration of storage, such as for accounting purposes, we may store data for up to 10 years.