Privacy Policy

Last updated: 23 March 2026

1. Introduction

This Privacy Policy explains how Endeavrly AS ("Endeavrly", "we", "us") collects, uses, stores, and shares your personal data when you use our platform. We are committed to protecting your privacy, particularly because many of our users are young people.

This policy is written in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).

2. Data Controller

The data controller responsible for your personal data is:

3. Information We Collect

3.1 Information You Provide

  • Account information: email address and authentication credentials
  • Profile information: name, date of birth, skills, interests, career goals, and optional profile photo
  • Journey data: your reflections, strengths, career explorations, and learning progress
  • Job-related data: job applications, structured messages, and feedback
  • Guardian information: where a user is under 18, we collect limited parent or guardian contact details for consent purposes

3.2 Information Collected Automatically

  • Device type, browser type, and operating system
  • IP address (truncated or anonymised where possible)
  • Pages visited and features used
  • Session duration and interaction patterns

3.3 Information We Do Not Collect

We do not collect or process:

  • Financial or payment information (we do not process payments)
  • Biometric data
  • Data relating to political opinions, religious beliefs, trade union membership, or sexual orientation
  • Behavioural profiling for advertising purposes

4. How We Use Your Information

We use your personal data to:

  • Provide and operate the Platform, including account management and authentication
  • Enable the My Journey feature, including career exploration and skill development tracking
  • Facilitate connections between youth workers and job posters through structured messaging
  • Verify user age and, where required, guardian consent
  • Moderate content and enforce our Safety Guidelines
  • Respond to reports and safeguarding concerns
  • Send essential service communications (e.g., account verification, safety alerts)
  • Improve and maintain the Platform through aggregated, anonymised usage analytics

We do not use your data for targeted advertising, behavioural profiling, or sale to third parties.

5. Legal Basis for Processing

Under GDPR, we process your personal data on the following legal bases:

  • Performance of contract (Art. 6(1)(b)): processing necessary to provide the Platform and its features to you
  • Consent (Art. 6(1)(a)): where you have given explicit consent, such as for optional analytics cookies or marketing communications. You may withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)): for platform security, fraud prevention, and service improvement, where these interests are not overridden by your rights
  • Legal obligation (Art. 6(1)(c)): where we are required to process data to comply with applicable law

5.1 Processing Data of Minors

For users under 16 years of age, we obtain verifiable parental or guardian consent before processing personal data, in accordance with GDPR Article 8 and Norwegian law. Users aged 16 and over may consent independently to data processing in the context of our services.

6. Data Sharing and Disclosure

6.1 Between Users

When you apply for a job or interact with another user, limited profile information (such as your first name, age bracket, and relevant skills) may be visible to that user. Full contact details are not shared unless you choose to provide them.

6.2 Service Providers (Data Processors)

We share data with a limited number of trusted service providers who help us operate the Platform. Each is bound by a data processing agreement (DPA) and processes data only on our instructions:

  • Hosting: Vercel Inc. — application hosting, EU/US regions. DPA in force; EU Standard Contractual Clauses apply to any US transfer.
  • Database: Supabase Inc. — PostgreSQL database hosting, EU region (Frankfurt). DPA in force.
  • Transactional email: Resend (Resend Inc.) — used for account verification, guardian-consent emails, and safety notifications. No marketing email.
  • Error monitoring: Sentry (Functional Software Inc.) — captures anonymised error traces. Personal data is scrubbed at source.
  • Product analytics: Vercel Analytics and Speed Insights — collect anonymised page views, device type and performance metrics. No cookies, no cross-site tracking, no behavioural profiling, and no personal data.
  • Authentication: NextAuth.js — open-source, self-hosted; sessions are stored in our own database, not a third party.
  • AI content generation (optional features): OpenAI — used only to generate personalised career roadmaps and narration when you request them. Prompts exclude direct identifiers (name, email).

We do not use advertising, retargeting, social-media pixels, or behavioural-profiling processors.

6.3 Legal Requirements

We may disclose personal data where required by law, court order, or regulatory authority, or where necessary to protect the safety of a user, particularly a minor.

7. International Data Transfers

We store data primarily within the European Economic Area (EEA). Where data is processed by service providers outside the EEA (for example, infrastructure services with US-based components), we ensure adequate safeguards are in place, including EU Standard Contractual Clauses or an adequacy decision by the European Commission.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

  • Active accounts: data is retained for the duration of your account
  • Deleted accounts: personal data is erased within 30 days of account deletion, except where retention is required by law
  • Job applications: retained for 12 months after the related job has closed
  • Reports and safeguarding records: retained for up to 3 years, or longer where required for legal proceedings
  • Anonymised analytics data: may be retained indefinitely as it cannot identify individuals

9. Your Rights

Under GDPR, you have the following rights in relation to your personal data:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate or incomplete data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: request that we limit how we use your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: withdraw consent at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at privacy@endeavrly.no. We will respond within 30 days. You may also delete your account and associated data through your profile settings.

If you are under 18, your parent or guardian may exercise these rights on your behalf.

10. Children's Privacy

Endeavrly is designed for users aged 15 and above. We take the privacy of young users seriously and implement the following protections:

  • We collect only the minimum data necessary for the Platform to function
  • We do not serve targeted advertising or engage in behavioural profiling
  • We require parental or guardian consent for users under 16
  • Personal contact information is not publicly displayed
  • Communication between minors and adults is restricted to structured messaging formats
  • Parents or guardians may request access to, correction of, or deletion of their child's data at any time

11. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Role-based access controls limiting who can access personal data
  • Regular security reviews and monitoring
  • Secure authentication with magic link or verified login methods
  • Row-level security policies in our database

No system can guarantee absolute security. If we become aware of a data breach that is likely to result in a risk to your rights, we will notify you and the Norwegian Data Protection Authority (Datatilsynet) within 72 hours.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice on the Platform. The updated policy will indicate the new effective date at the top of this page.

13. Complaints

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with:

14. Contact Us

For any questions about this Privacy Policy or our data practices, contact us at:


This Privacy Policy should be reviewed by a qualified data protection professional before being relied upon. It is provided as a working draft and does not constitute legal advice.