Section 1

Data controller

The data controller responsible for the personal data processed through Popper is:

Company

Nybrott Media AS

Org. number: 919 160 020
Email: media@nybrott.no
Service: popper.no

Section 2

What we collect

We collect only what we need to deliver the service. The categories below describe the data Popper processes:

Account data

•Name and email address
•Encrypted password (hashed)
•Region, club and division preferences
•Profile picture if you upload one

Shooting performance data

•Matches, stages and results (HF, alpha, charlie, delta, miss)
•Drill sessions and training notes
•Equipment, calibers and round counts
•Weapon log entries for license documentation

Wellness data (optional)

•Daily sleep, energy, stress and mood ratings
•Weight, caffeine and training minutes if logged
•Free-text notes you choose to record

Technical data

•IP address and browser type for security logging
•Session cookies and authentication tokens
•Local storage used by the progressive web app
•Application logs and crash diagnostics

Section 3

Purpose of processing

We process your personal data exclusively to provide and improve Popper. Specifically:

▸To create and maintain your account and authenticate you.
▸To store and present your matches, stages, drills, equipment and wellness logs.
▸To compute analytics, insights and personal performance trends.
▸To generate season reports and weapon activity logs you can export as PDF.
▸To send service-related notifications you have opted in to.
▸To detect abuse, debug errors and keep the service secure and reliable.

Section 4

Legal basis

Our processing is grounded in the EU General Data Protection Regulation (GDPR) as incorporated in Norwegian law through the Personopplysningsloven:

Art. 6(1)(b)Performance of a contract

Processing required to deliver the Popper service that you have signed up for.

Art. 6(1)(a)Consent

Optional data like wellness logs, notes and marketing-style communications are based on your consent, which you can withdraw at any time.

Art. 6(1)(f)Legitimate interest

Operational logs, fraud prevention and product improvement, balanced against your rights and freedoms.

Section 5

Storage and deletion

We keep your data for as long as your account is active. Different categories follow different retention periods:

Category	Retention
Account, matches, results, drills, equipment	Until you delete your account
Wellness logs and notes	Until you delete the entry or your account
Weapon log entries	Retained while documentation may be required by Norwegian firearms law
Security and audit logs	Up to 12 months
Backups	Rotated within 30 days

When you delete your account, personal data is removed from our active systems within 30 days, except where retention is required by law.

Section 6

Recipients and processors

We never sell your data. We share it only with trusted processors who operate strictly on our instructions under a data processing agreement:

Hosting

Nordhost (Norway)

Application servers and databases hosted within the EU/EEA.

Transactional email

SMTP provider (EU/EEA)

Used to deliver password resets and service notifications.

Analytics

Google Ireland Ltd · GA4

Aggregated, anonymized usage metrics. IP addresses are anonymized and only loaded after you opt in via the cookie banner. Transfers covered by EU Standard Contractual Clauses.

Public authorities

Only when legally required

We may disclose data to public authorities such as the Norwegian Police if compelled by valid legal process.

Section 7

Cookies and local storage

Popper uses only strictly necessary cookies and local storage. No advertising, tracking or third-party analytics cookies are set.

XSRF-TOKEN CSRF protection cookie used to prevent cross-site request forgery.

popper_session Session cookie that keeps you logged in.

localStorage Stores progressive web app preferences such as locale, theme and dismissed install banner.

Section 8

Security

We take technical and organisational measures appropriate to the risk of processing:

TLS 1.2+ encryption for all data in transit.

Passwords stored using industry-standard hashing (bcrypt).

Strict access control with least-privilege principles.

Regular encrypted backups with monitored integrity.

Breach notification. In the event of a personal data breach likely to result in a risk to your rights, we will notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours and inform affected users without undue delay.

Section 9

Your rights

Under GDPR you have the following rights regarding personal data we process about you:

Right of access

Obtain a copy of the personal data we hold about you.

Right to rectification

Correct inaccurate or incomplete information from your profile.

Right to erasure

Request deletion of your account and associated data.

Right to data portability

Receive your data in a structured, commonly used and machine-readable format.

Right to object

Object to processing based on our legitimate interests.

Right to restrict

Ask us to limit how we process your data in certain circumstances.

To exercise any of these rights, contact us at media@nybrott.no. We respond within 30 days.

Section 10

Right to complain

If you believe we are processing your personal data unlawfully, you may file a complaint with the Norwegian Data Protection Authority:

Datatilsynet

Postboks 458 Sentrum, 0105 Oslo

www.datatilsynet.no

Section 11

Changes to this policy

We may update this policy as the service evolves or to reflect changes in applicable law. Material changes will be highlighted on this page and, where appropriate, communicated by email. The "Last updated" date at the top of this page always reflects the latest version.

Section 12

Contact

Questions about this privacy policy or how Popper handles your data? Get in touch:

Email

media@nybrott.no

Postal

Nybrott Media AS
Norway

Privacy policy