Privacy Policy
Last updated: January 29, 2026
1. Introduction
This privacy policy describes how MinBil ("we", "us", "our") collects, uses, stores and protects personal data when you use our workshop management platform.
MinBil is a cloud-based SaaS platform for auto workshops that wish to manage bookings, services and customer communication.
This policy has been prepared in accordance with:
- The General Data Protection Regulation (GDPR)
- The Norwegian Personal Data Act (Norwegian implementation of GDPR)
- The Norwegian Bookkeeping Act (for retention of accounting material)
2. Data Controller
MinBil AS
Organisation number: 934 884 396 MVA
Email: personvern@minbil.no
Phone: 92 95 00 80
For questions about privacy or to exercise your rights, contact us at personvern@minbil.no.
3. Personal Data We Collect
3.1 Account Information
| Data | Purpose | Required |
|---|---|---|
| Email address | Login, communication | Yes |
| Name (first and last) | Identification, display in platform | Yes |
| Phone number | Contact, verification | Yes |
| Profile picture | Personalisation | No |
| Password (hashed) | Authentication | Yes |
3.2 Workshop Information
| Data | Purpose | Source |
|---|---|---|
| Organisation number | Verification, invoicing | User/Brønnøysund |
| Company name | Identification | User/Brønnøysund |
| Address | Display, location | User/Brønnøysund |
| Contact information | Communication | User |
| Opening hours | Display for customers | User |
| Logo and images | Branding | User |
3.3 Bookings and Services
| Data | Purpose |
|---|---|
| Booking ID | Tracking and reference |
| Date and time | Scheduling |
| Selected services | Service delivery |
| Prices and totals | Invoicing |
| Internal notes | Workshop communication |
3.4 Vehicle Information
| Data | Purpose |
|---|---|
| Registration number | Vehicle identification |
| Make and model | Service specification |
| Model year | Service specification |
| Fuel type | Service specification |
| MOT date | Reminders |
3.5 Communication
| Data | Purpose |
|---|---|
| Message content | Communication between workshop and customer |
| Timestamp | History and traceability |
| Attachments (images, documents) | Documentation |
3.6 Technical Data
| Data | Purpose |
|---|---|
| IP address | Security, troubleshooting |
| Browser and device information | Optimisation |
| Login timestamp | Security logging |
| Action log (audit trail) | Compliance, security |
4. How We Use Personal Data
4.1 Primary Purposes
- Deliver and operate the workshop management platform
- Verify identity and authorise access
- Enable communication between workshops and their customers
- Improve the service based on usage patterns (anonymised)
- Fulfil legal requirements (accounting, documentation)
4.2 Automated Processing
We do not use automated decision-making or profiling that has legal or similarly significant effects on you.
5. Legal Basis
| Processing Activity | Basis | GDPR Article |
|---|---|---|
| Account creation and login | Contract | Art. 6(1)(b) |
| Booking administration | Contract | Art. 6(1)(b) |
| Vehicle information for services | Contract | Art. 6(1)(b) |
| Retention of accounting data | Legal obligation | Art. 6(1)(c) |
| Communication log | Legitimate interest | Art. 6(1)(f) |
| Security logging | Legitimate interest | Art. 6(1)(f) |
| Newsletter and marketing | Consent | Art. 6(1)(a) |
6. Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Active account + 30 days | Contract fulfilment |
| Workshop information | Active account + 5 years | Bookkeeping Act |
| Bookings and services | 5 years | Bookkeeping Act §13 |
| Vehicle data | Linked to booking | Contract fulfilment |
| Messages | 2 years | Legitimate interest |
| Security logs | 12 months | Security |
| Audit logs | 5 years | Compliance |
After the retention period expires, data is deleted or anonymised.
7. Your Rights
Under the GDPR you have the following rights:
7.1 Right of access (Art. 15)
You can request a copy of all personal data we hold about you.
7.2 Right to rectification (Art. 16)
You can require that inaccurate data be corrected.
7.3 Right to erasure (Art. 17)
You can request deletion of your personal data. Note: Data we are legally required to retain (e.g. accounting data for 5 years) cannot be deleted before the retention period expires.
7.4 Right to restriction (Art. 18)
You can require that we restrict the processing of your data.
7.5 Right to data portability (Art. 20)
You can receive your personal data in a machine-readable format (JSON).
7.6 Right to object (Art. 21)
You can object to processing based on legitimate interest.
7.7 How to exercise your rights
Send a request to personvern@minbil.no with:
- Your full name
- The email address linked to your account
- Which right you wish to exercise
- Any additional information
We will respond to your request within 30 days. In complex cases the deadline may be extended by a further 60 days, and you will be informed of this.
8. Security
8.1 Technical Measures
| Measure | Description |
|---|---|
| Encryption in transit | HTTPS/TLS 1.3 for all communication |
| Secure cookies | httpOnly cookies for authentication |
| Rate limiting | Max 5 login attempts per 15 minutes |
| Password requirements | Minimum 8 characters, upper and lower case, numbers and special characters |
| Security headers | HSTS, CSP, X-Frame-Options, X-Content-Type-Options |
8.2 Organisational Measures
- Role-based access control (admin, employee, owner)
- Audit logging of security-related events
- Regular security review of the codebase
- Procedures for handling security breaches
10. Third-Party Sharing
10.1 Data Processors
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting | Platform operation | EU/EEA |
| Email service | Notifications and communication | EU/EEA |
| Image storage | Storage of uploaded files | EU/EEA |
All data processors are bound by data processing agreements (DPA) ensuring GDPR compliance.
10.2 Brønnøysund Register Centre
We retrieve publicly available company information from the Brønnøysund Register Centre to verify workshop details. This information is already public and does not require consent.
10.3 We never sell personal data to third parties.
11. Transfers Outside the EU/EEA
Personal data is primarily processed within the EU/EEA. Where transfer to a third country is necessary, we ensure that:
- The country has an adequate level of protection approved by the European Commission, or
- Standard Contractual Clauses (SCCs) are in place, or
- Another approved transfer mechanism is in place
12. Minors
MinBil is a B2B platform for businesses and is not aimed at persons under 18 years of age. We do not knowingly collect personal data from minors.
13. Changes to This Privacy Policy
We may update this policy as needed. For material changes, we will:
- Update the date at the top of the document
- Notify you via email or a message in the platform
- Give you the opportunity to review the changes
Your continued use of the platform after changes have been notified constitutes acceptance of the updated policy.
14. Right to Complain
If you believe we process your personal data in breach of data protection legislation, you have the right to complain to:
Datatilsynet
P.O. Box 458 Sentrum, 0105 Oslo
Phone: 22 39 69 00
Email: postkasse@datatilsynet.no
Website: www.datatilsynet.no
15. Contact Us
Email: personvern@minbil.no
Phone: 92 95 00 80
We will respond to enquiries as quickly as possible, and within 30 days at the latest.